A Dialogue About Using OpenSSL

zhaozj, 2021-02-16

This is a record of e-mails I exchanged with a netizen about OpenSSL, posted in the hope that it will be useful to friends who have only just started with OpenSSL.

Q1: I happened to see your article about CA certification on Tsinghua's BBS and found it very interesting. Are you using OpenSSL? Could you send me some material about the OpenSSL API?

A1: The API documentation that OpenSSL itself provides is very limited; there is some basic function documentation, mainly in the doc directory. Some discussion material can also be found on OpenSSL's official website, but it is also very limited. As for Chinese material on OpenSSL, there is very little; some netizens seem to have posted a bit, which you can take a look at. To understand OpenSSL in depth, studying its source code is a must; as a starting point, you can begin with its apps programs. OpenSSL also provides several simple routines that are worth a look.

Q2: I am now going to build a small CA using a browser/server model: the user generates a request on the front end, and the server generates the key and certificate. I want the back end in PHP. OpenSSL is a command-line tool; I found some PHP functions that call OpenSSL, but these are new PHP features and only their definitions are given. I don't know what to do now. Do you know of any other way, such as JSP, to call OpenSSL?

A2: I haven't used OpenSSL under Linux; I used it under Windows. OpenSSL is fully capable of the features you describe. OpenSSL is written in standard C, so it can be called like any function in standard C. Personally I feel that calling the OpenSSL command line directly is not convenient; you can modify the source program corresponding to each command into a function that does what you need, which is more convenient. Moreover, these programs are not very long and not particularly difficult.

Q3: I have tried those functions these days and made some small gains, and my mood is much better. When you did this, how did you store the certificates, CRLs and keys? I want to use a database to store certificates. When I revoke a certificate, should I delete it from the certificate database? Also, if I use files to store CRLs, when a new CRL is generated can the previous CRL be deleted, so that only the most recent CRL file is kept?

A3: When I did it, the certificates, CRLs and keys were stored in a database, but they can also be exported to files or to an IC card. In fact the storage form is not important. When you revoke a certificate, you can delete it from the certificate database, or you can build a revoked-certificate database that specifically stores the revoked certificates, as the basis for future verification. It must be noted that when you revoke a certificate, OpenSSL updates a text index file (index, or something like that name), because OpenSSL later generates the CRL based on this file. In theory the CRL is the latest list of revoked certificates, so after you generate a new CRL the old one can of course be deleted.
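As an added example (not code from the original exchange), the script below reads and updates the text database that openssl ca keeps, the index file the answer above refers to, using the six tab-separated fields documented for openssl ca: status (V/R/E), expiry, revocation time with optional reason, hex serial, certificate filename, and subject DN. It shows what openssl ca -revoke changes in the index, which entries a later openssl ca -gencrl turns into the CRL, and the V to E flip that openssl ca -updatedb performs. The index lines, serials, names and dates are constructed for this example; the helper names are this example's own.

```python
"""Work with the text database that `openssl ca` keeps (usually index.txt).

Added example; not code from the original exchange.  It follows the index
format documented for `openssl ca`: one line per certificate with six
tab-separated fields: status (V valid, R revoked, E expired), expiry
(YYMMDDHHMMSSZ), revocation (YYMMDDHHMMSSZ[,reason], empty if not revoked),
serial (hex), certificate filename ("unknown" when not recorded), subject DN.
`openssl ca -gencrl` builds the CRL from the R lines.
The sample lines below are constructed for this example.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional, Tuple

_TS = "%y%m%d%H%M%SZ"   # OpenSSL's compact UTCTime form, e.g. 250101000000Z

# Constructed sample index (serials, names and dates are made up).
SAMPLE_INDEX = (
    "V\t250101000000Z\t\t01\tunknown\t/C=CN/O=Example/CN=alice\n"
    "R\t250101000000Z\t230315120000Z,keyCompromise\t02\tunknown\t/C=CN/O=Example/CN=bob\n"
    "V\t250101000000Z\t\t03\tunknown\t/C=CN/O=Example/CN=carol\n"
    "R\t250101000000Z\t230401080000Z\t04\tunknown\t/C=CN/O=Example/CN=dave\n"
)


@dataclass
class IndexEntry:
    status: str
    expires: datetime
    revoked_at: Optional[datetime]
    reason: Optional[str]
    serial: str
    filename: str
    subject: str


def parse_ts(s: str) -> datetime:
    """Parse OpenSSL's YYMMDDHHMMSSZ timestamp as UTC."""
    return datetime.strptime(s, _TS).replace(tzinfo=timezone.utc)


def parse_index(text: str) -> List[IndexEntry]:
    """Parse index.txt content; reject malformed lines instead of guessing."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split("\t")
        if len(fields) != 6:
            raise ValueError(f"line {lineno}: expected 6 fields, got {len(fields)}")
        status, expiry, revocation, serial, filename, subject = fields
        if status not in ("V", "R", "E"):
            raise ValueError(f"line {lineno}: unknown status {status!r}")
        revoked_at = reason = None
        if revocation:
            ts, _, reason = revocation.partition(",")
            revoked_at, reason = parse_ts(ts), (reason or None)
        entries.append(IndexEntry(status, parse_ts(expiry), revoked_at, reason,
                                  serial.upper(), filename, subject))
    return entries


def serialize_index(entries: List[IndexEntry]) -> str:
    """Write entries back in the same tab-separated form OpenSSL reads."""
    lines = []
    for e in entries:
        revocation = ""
        if e.revoked_at is not None:
            revocation = e.revoked_at.strftime(_TS) + (f",{e.reason}" if e.reason else "")
        lines.append("\t".join([e.status, e.expires.strftime(_TS), revocation,
                                e.serial, e.filename, e.subject]))
    return "".join(line + "\n" for line in lines)


def revoke(entries: List[IndexEntry], serial: str, when: datetime,
           reason: Optional[str] = None) -> IndexEntry:
    """Mark one certificate revoked, as `openssl ca -revoke` does in the index."""
    for e in entries:
        if e.serial == serial.upper():
            if e.status == "R":
                raise ValueError(f"serial {serial} is already revoked")
            e.status, e.revoked_at, e.reason = "R", when, reason
            return e
    raise KeyError(f"serial {serial} not in index")


def crl_input(entries: List[IndexEntry]) -> List[Tuple[str, datetime, Optional[str]]]:
    """The (serial, revocation time, reason) set a new CRL is built from."""
    return sorted((e.serial, e.revoked_at, e.reason)
                  for e in entries if e.status == "R")


def expire_stale(entries: List[IndexEntry], now: datetime) -> List[str]:
    """Flip V -> E for certificates past expiry (what `openssl ca -updatedb` does);
    revoked entries stay R.  Returns the serials changed."""
    changed = []
    for e in entries:
        if e.status == "V" and e.expires <= now:
            e.status = "E"
            changed.append(e.serial)
    return changed
```

The point to take from it: the CRL is derived from the R lines of this file, not from whatever is left in your certificate store, so deleting a revoked certificate from your own database without updating the index (or revoking without deleting) leaves the two out of step.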

Q4: I used PHP's openssl_csr_sign() function, but it can only generate a self-signed certificate and cannot sign other certificates. It seems I can only look at the OpenSSL source. I just want to see the part corresponding to the command line openssl ca ... Which file is it in? I am under Linux; I don't know whether this command can also be run in command-line mode under Windows. It implements signing a certificate with the root certificate.

A4: The source for openssl ca is apps/ca.c, and there is also a command-line mode under Windows, which should be the same as under Linux.

Q5: I used OpenSSL to generate a self-signed root certificate under Linux, with the suffix .crt, and it opens under Windows. Then I signed a user certificate with the root certificate (extension also .crt), but when it is opened under Windows it shows "invalid security certificate file". Why?

A5: The certificate format under Windows is not exactly the same as the certificate format generated by OpenSSL; mainly, OpenSSL certificates add some text header information. This is a very strange question, because the self-signed certificate generated by OpenSSL did not carry this header information, so it must have been written out by the brother who wrote this code. So just open the generated certificate with WordPad and delete the leading information.
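As an added example (not code from the original exchange) of what the answer above describes doing by hand in WordPad: the script below cuts everything before the -----BEGIN CERTIFICATE----- line out of a .crt file, checks that what remains is a well-formed PEM block whose base64 body decodes to a DER SEQUENCE with a consistent outer length, and returns the cleaned PEM. The leading text is modelled on the dump that openssl x509 -text prints before the PEM block, which is an assumption about where the extra header came from; the certificate body is a constructed stand-in DER SEQUENCE, not a real X.509 certificate, and the function names are this example's own.

```python
"""Extract a clean PEM certificate from a .crt file that has text in front of it.

Added example, not code from the original exchange.  The leading text is
modelled on what `openssl x509 -text` prints before the PEM block (an
assumption about where the extra header came from).  The certificate body is
a constructed stand-in DER SEQUENCE, not a real X.509 certificate.
"""
import base64
import re
import textwrap

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"


def der_sequence(payload: bytes) -> bytes:
    """Wrap payload in a DER SEQUENCE (short-form length, payload < 128 bytes)."""
    if len(payload) >= 128:
        raise ValueError("short-form length only")
    return b"\x30" + bytes([len(payload)]) + payload


# Constructed stand-in: SEQUENCE { INTEGER 2 }.  NOT a real certificate.
FAKE_CERT_DER = der_sequence(b"\x02\x01\x02")


def to_pem(der: bytes) -> str:
    """PEM-encode DER bytes with the usual 64-column base64 lines."""
    b64 = base64.b64encode(der).decode("ascii")
    return BEGIN + "\n" + "\n".join(textwrap.wrap(b64, 64)) + "\n" + END + "\n"


# Constructed .crt content: text dump first, then the PEM block.
SAMPLE_CRT_WITH_HEADER = (
    "Certificate:\n"
    "    Data:\n"
    "        Version: 3 (0x2)\n"
    "        Serial Number: 2 (0x2)\n"
    "        Signature Algorithm: sha256WithRSAEncryption\n"
    "        Issuer: C = CN, O = Example, CN = Example Root CA\n"
    + to_pem(FAKE_CERT_DER)
)


def extract_pem_block(text: str) -> str:
    """Return only the first BEGIN..END CERTIFICATE block, dropping text around it."""
    start = text.find(BEGIN)
    end = text.find(END, start) if start >= 0 else -1
    if start < 0 or end < 0:
        raise ValueError("no PEM CERTIFICATE block found")
    return text[start:end + len(END)] + "\n"


def pem_to_der(pem: str) -> bytes:
    """Strictly decode a bare PEM block; rejects leading text, bad base64, non-SEQUENCE."""
    body = pem.strip()
    if not (body.startswith(BEGIN) and body.endswith(END)):
        raise ValueError("not a bare PEM CERTIFICATE block (text before or after it)")
    b64 = "".join(body[len(BEGIN):-len(END)].split())
    if not re.fullmatch(r"[A-Za-z0-9+/]*={0,2}", b64):
        raise ValueError("non-base64 characters inside PEM body")
    der = base64.b64decode(b64, validate=True)
    if not der or der[0] != 0x30:
        raise ValueError("decoded data is not a DER SEQUENCE (X.509 starts with 0x30)")
    if not der_length_ok(der):
        raise ValueError("outer SEQUENCE length does not match data (truncated or trailing junk)")
    return der


def der_length_ok(der: bytes) -> bool:
    """True if the outer SEQUENCE length covers exactly the whole buffer."""
    if len(der) < 2:
        return False
    first = der[1]
    if first < 0x80:
        header, length = 2, first
    else:
        n = first & 0x7F
        if n == 0 or n > 4 or len(der) < 2 + n:
            return False
        header, length = 2 + n, int.from_bytes(der[2:2 + n], "big")
    return header + length == len(der)


def clean_crt(text: str) -> str:
    """What the answer does by hand: keep only the PEM block, after validating it."""
    pem = extract_pem_block(text)
    pem_to_der(pem)           # raises if the block itself is damaged
    return pem
```

Running clean_crt over the constructed file returns just the PEM block; feeding the whole file to the strict decoder is rejected, which is the mechanical version of the "invalid security certificate file" the question reports. The length check is there because a file truncated while editing by hand would otherwise still look like valid base64.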

Please cite the original address when reposting: https://www.9cbs.com/read-24020.html
