Re: Self sign certificate creation
- Subject: Re: Self sign certificate creation
- From: "Quinn \"The Eskimo!\"" <email@hidden>
- Date: Wed, 14 Jul 2010 10:31:33 +0100
On 14 Jul 2010, at 01:16, Apparao Mulpuri wrote:
> I'm just wondering why Apple hasn't provided such APIs for certificate creation, though it is possible with Keychain Access?
While I can't speak for Apple's data security team, I suspect that this has more to do with resource constraints rather than any lack of desire.
On 14 Jul 2010, at 06:08, Pavel Hlavnicka wrote:
> I believe you can always use the openssl library directly - which I'd guess is what cert. assistant is doing.
Certificate Assistant is based on Apple's Security framework APIs; it does not use anything from OpenSSL.
Generating a self-signed cert using <x-man-page://1ssl/openssl> is complex, but not /too/ complex. Here's a snippet of code that I used to do it:
// Assumes that BOOL success (YES on entry) and the NSString paths
// configFilePath, keyFilePath and certificateFilePath were set up earlier.
NSTask * openSSLTask;

if (success) {
    openSSLTask = [[[NSTask alloc] init] autorelease];
    success = (openSSLTask != nil);
}
if (success) {
    // Discard openssl's console output; only the exit status is checked.
    [openSSLTask setStandardOutput:[NSFileHandle fileHandleWithNullDevice]];
    [openSSLTask setStandardError:[NSFileHandle fileHandleWithNullDevice]];
    [openSSLTask setLaunchPath:@"/usr/bin/openssl"];
    [openSSLTask setArguments:[NSArray arrayWithObjects:
        @"req",
        @"-utf8",
        @"-x509",                       // emit a self-signed cert, not a CSR
        @"-new",
        @"-newkey", @"rsa:2048",        // generate a fresh 2048-bit RSA key
        @"-nodes",                      // leave the private key unencrypted
        @"-config", configFilePath,     // see the template below
        @"-days", @"365",
        @"-keyout", keyFilePath,        // receives the private key
        @"-out", certificateFilePath,   // receives the certificate
        nil
    ]];
    [openSSLTask launch];
    [openSSLTask waitUntilExit];
    // openssl exits non-zero if the config is bad or a file can't be written.
    success = ([openSSLTask terminationStatus] == 0);
}
This requires that you put a config file at configFilePath. You get back a key in the file at keyFilePath and a certificate in the file at certificateFilePath.
Setting up the config file is a little tricky. Here's the template that I use:
---------------------------------------------------------------------------
[ req ]
distinguished_name = req_distinguished_name_section
x509_extensions = req_key_usage_section
prompt = no
keyUsage = nonRepudiation, digitalSignature
default_md = sha1
[ req_distinguished_name_section ]
%@
[ req_key_usage_section ]
keyUsage = critical, digitalSignature
extendedKeyUsage = critical, %@
---------------------------------------------------------------------------
where the first %@ is replaced by a list of options describing the subject of the certificate (see <x-man-page://1ssl/req> for details) and the second %@ is either "serverAuth" or "clientAuth".
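As an added example (shell, not code from Quinn's post), the following fills the two %@ slots of the template from the command line, runs the same openssl req invocation the NSTask code runs, and then checks which extensions the resulting certificate actually carries. The function names are assumptions, and it uses sha256 where the template above says sha1.

```shell
#!/bin/sh
# make_req_config OUTFILE CN ORG EKU   (EKU is serverAuth or clientAuth)
# Writes a config in the shape of the template above: the first %@ becomes
# the distinguished-name keys, the second the extendedKeyUsage value.
make_req_config() {
    out=$1; cn=$2; org=$3; eku=$4
    case "$eku" in
        serverAuth|clientAuth) ;;
        *) echo "make_req_config: EKU must be serverAuth or clientAuth" >&2; return 1 ;;
    esac
    cat > "$out" <<EOF
[ req ]
distinguished_name = req_distinguished_name_section
x509_extensions = req_key_usage_section
prompt = no
default_md = sha256

[ req_distinguished_name_section ]
CN = $cn
O = $org

[ req_key_usage_section ]
keyUsage = critical, digitalSignature
extendedKeyUsage = critical, $eku
EOF
}

# make_self_signed CONFIG KEYFILE CERTFILE : the invocation from the post.
# -nodes leaves the private key unencrypted, so KEYFILE should live in a
# directory only this user can read.
make_self_signed() {
    openssl req -utf8 -x509 -new -newkey rsa:2048 -nodes \
        -config "$1" -days 365 -keyout "$2" -out "$3" >/dev/null 2>&1
}

# cert_text_has CERTFILE PATTERN : returns 0 if the decoded certificate
# mentions PATTERN, e.g. "TLS Web Server Authentication" for serverAuth.
cert_text_has() {
    openssl x509 -in "$1" -noout -text 2>/dev/null | grep -q "$2"
}
```

Run the generated certificate through cert_text_has before trusting it, since a wrong second %@ silently yields a certificate that TLS peers will reject for the intended purpose.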
S+E
--
Quinn "The Eskimo!" <http://www.apple.com/developer/>
Apple Developer Relations, Developer Technical Support, Core OS/Hardware
Macnetworkprog mailing list (email@hidden)