[openssl-users] Converting Bin format to X509 format

Erwann Abalea erwann.abalea at opentrust.com
Wed Jul 22 10:24:49 UTC 2015


Long response short, yes, you can.
Prepare and fill in your X509 object, perform the signature with your EVP_PKEY private key, format the resulting signature into a BIT STRING, place this BIT STRING into your previous X509 object, and complete it with the AlgorithmIdentifier you chose when signing (it should already have been set in the TBSCertificate structure, just copy it from there).
The resulting X.509 certificate can be used for anything and is not limited to SSL client verification.

In the previous paragraph, I assume your smart card contains the CA private key, and you want to sign certificates (either subCA or subscriber, it doesn’t matter). That’s how I understood your question.

If you want to do all this using only the openssl CLI, that’s doable with a specially crafted config file declaring your engine and its parameters.

Regards,
Erwann Abalea
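
As an added illustration of the procedure in the reply above and of the Certificate structure quoted further down (this script was added to the archived page; it is neither from the thread nor from OpenSSL itself): it builds a throwaway CA and subscriber certificate with the openssl CLI, cuts the DER certificate into tbsCertificate, signatureAlgorithm and signatureValue using the offsets printed by asn1parse, and checks that the bytes inside the BIT STRING are exactly what a raw signing operation ("openssl dgst -sign", i.e. rsautl -sign over the SHA-256 DigestInfo) produces over DER(tbsCertificate). A software RSA-2048 key stands in for the smart-card key reached through the OpenSC engine; that substitution, the sha256WithRSAEncryption choice and all subject and file names are assumptions of the example.

```shell
#!/bin/sh
# Added example (not from the thread): build a small test PKI with the openssl
# CLI, then take the issued certificate apart into the three elements of
#   Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
# and show that the raw signature (what "openssl rsautl -sign" / "dgst -sign"
# emits) is exactly the content of signatureValue: a PKCS#1 v1.5 signature over
# DER(tbsCertificate). A software CA key stands in for the smart-card key
# (assumption); subjects and file names are made up.
set -eu

# Generate a CA key, a self-signed CA certificate, a subscriber key and CSR,
# and issue the subscriber certificate. Everything goes into directory $1.
make_test_pki() {
    dir=$1
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$dir/ca.key" 2>/dev/null
    openssl req -new -x509 -key "$dir/ca.key" -sha256 -days 30 \
        -subj "/CN=Example Test CA" -out "$dir/ca.pem" 2>/dev/null
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$dir/leaf.key" 2>/dev/null
    openssl req -new -key "$dir/leaf.key" -subj "/CN=client1" -out "$dir/leaf.csr" 2>/dev/null
    openssl x509 -req -in "$dir/leaf.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
        -CAcreateserial -sha256 -days 30 -out "$dir/leaf.pem" 2>/dev/null
    openssl x509 -in "$dir/leaf.pem" -outform DER -out "$dir/leaf.der"
    openssl x509 -in "$dir/ca.pem" -pubkey -noout > "$dir/ca.pub"
}

# Print "offset hl len" for the three depth-1 elements of DER certificate $1.
# asn1parse lines look like "    4:d=1  hl=4 l= 503 cons: SEQUENCE".
depth1_elements() {
    openssl asn1parse -inform DER -in "$1" \
        | sed -n 's/^ *\([0-9][0-9]*\):d=1 *hl=\([0-9][0-9]*\) *l= *\([0-9][0-9]*\).*/\1 \2 \3/p'
}

# Write $3 bytes of file $1, starting at 0-based offset $2, to stdout.
slice() {
    tail -c +$(($2 + 1)) "$1" | head -c "$3"
}

# Split leaf.der into tbs.der (the whole TBSCertificate TLV), sigalg.der (the
# outer AlgorithmIdentifier TLV) and sig.bin (the signatureValue content,
# i.e. the BIT STRING minus its header and its leading unused-bits octet).
split_certificate() {
    dir=$1
    depth1_elements "$dir/leaf.der" > "$dir/elements.txt"
    [ "$(wc -l < "$dir/elements.txt" | tr -d ' ')" -eq 3 ] || return 1
    i=0
    while read -r off hl len; do
        i=$((i + 1))
        case $i in
            1) slice "$dir/leaf.der" "$off" $((hl + len)) > "$dir/tbs.der" ;;
            2) slice "$dir/leaf.der" "$off" $((hl + len)) > "$dir/sigalg.der" ;;
            3) slice "$dir/leaf.der" $((off + hl + 1)) $((len - 1)) > "$dir/sig.bin" ;;
        esac
    done < "$dir/elements.txt"
}

# How many times sha256WithRSAEncryption appears in the parsed certificate:
# once in tbsCertificate.signature and once in the outer signatureAlgorithm,
# which is the "copy it from the TBSCertificate" point of the reply.
sigalg_count() {
    openssl asn1parse -inform DER -in "$1" | grep -c sha256WithRSAEncryption
}

# Checks: (a) the CA public key verifies sig.bin over tbs.der; (b) signing
# tbs.der again with the CA key reproduces the same bytes, because RSA
# PKCS#1 v1.5 signing is deterministic; (c) the algorithm identifier is
# present both inside and outside the TBSCertificate.
verify_split() {
    dir=$1
    openssl dgst -sha256 -verify "$dir/ca.pub" -signature "$dir/sig.bin" "$dir/tbs.der" > /dev/null || return 1
    openssl dgst -sha256 -sign "$dir/ca.key" -out "$dir/sig2.bin" "$dir/tbs.der"
    cmp -s "$dir/sig.bin" "$dir/sig2.bin" || return 1
    [ "$(sigalg_count "$dir/leaf.der")" -eq 2 ] || return 1
}

demo_dir=$(mktemp -d)
make_test_pki "$demo_dir"
split_certificate "$demo_dir"
# Outer SEQUENCE and its three children, as asn1parse shows them.
openssl asn1parse -inform DER -in "$demo_dir/leaf.der" | grep -E '^ *[0-9]+:d=[01] '
if verify_split "$demo_dir"; then
    echo "sig.bin equals a raw sign over tbs.der: Certificate = tbs + algid + BIT STRING(sig)"
else
    echo "split or verification failed" >&2
    exit 1
fi
```

Run it with a POSIX sh and an openssl binary on PATH. The same split and verification applies unchanged to a certificate issued with a key that lives on a card: only the signing step changes, and it produces the same 256-byte value that a raw rsautl-style operation over the DigestInfo of SHA-256(DER(tbsCertificate)) would; the missing piece the original question asked about is never the signature bytes but the TBSCertificate and AlgorithmIdentifier around them.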



> On 22 Jul 2015, at 11:57, Anirudh Raghunath <anirudhraghunath at rocketmail.com> wrote:
> 
> Thanks for the quick response. I am currently working with smart cards and am using the engine provided by OpenSC to access the private key in the smart card. Long story short, I have the EVP_PKEY object with me. Can I use this to sign a certificate or some file which can be used for SSL client verification?
> 
> Thanks
> 
> 
> 
> On Wednesday, 22 July 2015 11:52 AM, Erwann Abalea <erwann.abalea at opentrust.com> wrote:
> 
> 
> Hello,
> 
> An X.509 certificate is:
> 
> Certificate  ::=  SEQUENCE  {
>         tbsCertificate       TBSCertificate,
>         signatureAlgorithm   AlgorithmIdentifier,
>         signatureValue       BIT STRING  }
> 
> What you produced with "openssl rsautl -sign" is the content of the "signatureValue" element (not its BIT STRING structure, only the inner content).
> What is missing is all the rest, and it can’t be produced by the "openssl x509 …" command alone.
> 
> Please refine your question.
> 
> Regards,
> Erwann Abalea
> 
> 
> 
>> On 22 Jul 2015, at 11:17, Anirudh Raghunath <anirudhraghunath at rocketmail.com> wrote:
>> 
>> Hello,
>> 
>> I have used the rsautl -sign option to sign a text file, which gives me a binary file. I would like to convert this to X509 so that I can use it in an SSL handshake. I understand the command:
>> 
>> openssl x509 -inform <format> -in <certfile> -out <cert.pem> 
>> 
>> is used. I want to know what the parameters would be for a binary input file.
>> 
>> Thanks in advance. 
>> _______________________________________________
>> openssl-users mailing list
>> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
> 
> 
> 
