On 03/01/15 19:43, Dr. Stephen Henson wrote:
> On Sun, Mar 01, 2015, dE wrote:
>
>> Hi!
>>
>> I'm trying to create a certificate using the openssl library. Here is
>> the code --
>>
>> #include <stdio.h>
>> #include <openssl/bn.h>
>> #include <openssl/err.h>
>> #include <openssl/evp.h>
>> #include <openssl/rsa.h>
>> #include <openssl/ssl.h>
>> #include <openssl/x509.h>
>>
>> int main (void) {
>>     SSL_library_init();
>>     SSL_load_error_strings();
>>     OpenSSL_add_all_algorithms();
>>     char err[1000];
>>     RSA* keypair = RSA_new();
>>     BIGNUM *e = BN_new();
>>     X509 *certificate = X509_new();
>>     EVP_PKEY *certkeypair = EVP_PKEY_new();
>>
>>     BN_set_word(e, 65537);
>>     if (!RSA_generate_key_ex(keypair, 1024, e, NULL))
>>         printf ("key generation failed");
>>     BN_free(e);
>>     e = NULL;
>>
>>     EVP_PKEY_assign_RSA(certkeypair,keypair);
>>
>>     /* The version field is zero-based: 2 encodes X.509 v3. */
>>     X509_set_version (certificate , 2);
>>     ASN1_INTEGER_set(X509_get_serialNumber(certificate), 1);
>>
>>     X509_NAME * certnames;
>>     certnames = X509_get_subject_name(certificate);
>>     X509_NAME_add_entry_by_txt(certnames, "C", MBSTRING_ASC,
>>         (unsigned char *)"global", -1, -1, 0);
>>     X509_NAME_add_entry_by_txt(certnames, "O", MBSTRING_ASC,
>>         (unsigned char *)"BIGcoin", -1, -1, 0);
>>     X509_NAME_add_entry_by_txt(certnames, "CN", MBSTRING_ASC,
>>         (unsigned char *)"My IP", -1, -1, 0);
>>
>>     X509_set_issuer_name(certificate,certnames);
>>
>>     X509_gmtime_adj(X509_get_notBefore(certificate), -(24*60*60));
>>     X509_gmtime_adj(X509_get_notAfter(certificate), (366*24*60*60));
>>
>>     X509_sign(certificate, certkeypair, EVP_sha512());
>>
>>     const SSL_METHOD* meth;
>>     meth = TLSv1_method();
>>     SSL_CTX* ctx;
>>     ctx = SSL_CTX_new(meth);
>>
>>     SSL_CTX_use_certificate (ctx, certificate);
>>     SSL_CTX_use_PrivateKey (ctx, certkeypair);
>>
>>     if (!SSL_CTX_check_private_key (ctx))
>>         printf ("Signature could not be verified\n");
>>
>>     ERR_error_string(ERR_peek_last_error(), err);
>>     printf ("Error is %s\n", err);
>>     return 0;
>> }
>>
>> I can't get the created certificate to be verified. It always results in --
>>
>> error:140A80B1:SSL routines:SSL_CTX_check_private_key:no certificate assigned
>
> You're missing a call to X509_set_pubkey. Since the certificate doesn't
> contain a public key it is not valid and the TLS code can't check a public key
> which doesn't exist. In fact it won't even get there: if there is no key on a
> certificate OpenSSL will refuse to add it as a certificate in the first place
> (which is why you get the "no certificate" error).
>
> If you checked some of your other functions for errors you'd see what was
> happening: there are probably many more errors in the whole queue but you're
> only seeing the last one.
>
> Check out demos/x509/mkcert.c for an example of how to create a certificate.
>
> Steve.
> --
> Dr Stephen N. Henson. OpenSSL project core developer.
> Commercial tech support now available see: http://www.openssl.org

Thank you!