[gnutls-help] Generating multi-layer certificates

Daniel Kahn Gillmor dkg at fifthhorseman.net
Fri Oct 18 01:30:02 CEST 2013


On 10/16/2013 05:49 PM, Juan Miscaro wrote:
> On 16 October 2013 16:25, Daniel Kahn Gillmor <dkg at fifthhorseman.net> wrote:
> 
>> On 10/16/2013 03:05 PM, Juan Miscaro wrote:
>>
>>
>>> Thank you sir but I don't see the --pubkey-info option in the certtool
>>> man page.
>>
>> what version of gnutls are you using?  you can find the answer with
>> "certtool --version"
>>
>> the above examples were tested with 3.2.4.
>>
>>
> My Debian research system has but only 2.12.14.  I have access to a more
> modern chassis but it still has only 2.12.23.

if you're using a version from the 2.12 branch, then you'll want to
create certificate requests for the intermediate ca and the end entity
instead of explicitly extracting their public keys.  you can do this
with (for example, you can sort out the other options):

 certtool --load-privkey intermediate-ca.key \
   --generate-request > intermediate-ca.crq

and answer the various questions.

then, when doing the --generate-certificate command to make the
intermediate CA's cert, instead of:

 --load-pubkey intermediate-ca.pubkey

you should use:

 --load-request intermediate-ca.crq

follow the same pattern for the end entity.

make sense?

	--dkg
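
The request-based flow described in this message, carried through all three levels, as an added example that is not part of the original post and is not GnuTLS project code. The template contents, common names, lifetimes and every file name other than intermediate-ca.key and intermediate-ca.crq are assumptions, and `--template` stands in for answering certtool's questions interactively.

```shell
#!/bin/sh
# Added example: root CA -> intermediate CA -> end entity, using certificate
# requests (--load-request) instead of extracted public keys (--load-pubkey).
# CNs, lifetimes and file names below are constructed for illustration.
build_chain() (
    umask 077                              # private keys readable by owner only
    mkdir -p "$1" && cd "$1" || exit 1

    # Templates keep certtool non-interactive (assumed contents).
    printf 'cn = "Example Root CA"\nca\ncert_signing_key\nexpiration_days = 3650\n' \
        > root-ca.tmpl
    printf 'cn = "Example Intermediate CA"\nca\ncert_signing_key\nexpiration_days = 1825\n' \
        > intermediate-ca.tmpl
    printf 'cn = "www.example.org"\ntls_www_server\nsigning_key\nencryption_key\nexpiration_days = 365\n' \
        > end-entity.tmpl

    # One private key per level.
    for name in root-ca intermediate-ca end-entity; do
        certtool --generate-privkey --outfile "$name.key" || exit 1
    done

    # Root CA: self-signed.
    certtool --generate-self-signed --load-privkey root-ca.key \
        --template root-ca.tmpl --outfile root-ca.crt || exit 1

    # Intermediate CA: make a request, then let the root sign the request.
    certtool --generate-request --load-privkey intermediate-ca.key \
        --template intermediate-ca.tmpl --outfile intermediate-ca.crq || exit 1
    certtool --generate-certificate --load-request intermediate-ca.crq \
        --load-ca-certificate root-ca.crt --load-ca-privkey root-ca.key \
        --template intermediate-ca.tmpl --outfile intermediate-ca.crt || exit 1

    # End entity: same pattern, signed by the intermediate CA.
    certtool --generate-request --load-privkey end-entity.key \
        --template end-entity.tmpl --outfile end-entity.crq || exit 1
    certtool --generate-certificate --load-request end-entity.crq \
        --load-ca-certificate intermediate-ca.crt \
        --load-ca-privkey intermediate-ca.key \
        --template end-entity.tmpl --outfile end-entity.crt || exit 1

    # Leaf first, self-signed root last, then check the whole chain.
    cat end-entity.crt intermediate-ca.crt root-ca.crt > chain.pem
    certtool --verify-chain --infile chain.pem
)

# Stand-alone use: sh chain.sh run [directory]
if [ "${1:-}" = run ]; then build_chain "${2:-./chain-demo}"; fi
```

The signing template, not the request, is what grants the `ca` and `cert_signing_key` extensions here, so the intermediate's template deserves the same review as the root's.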
