Re: Self sign certificate creation
- Subject: Re: Self sign certificate creation
- From: Apparao Mulpuri <email@hidden>
- Date: Thu, 15 Jul 2010 15:22:07 -0700
Thanks for the reply. You have created a little hope on the certificate
creation by sharing the NSTask stuff. I have created a certificate using your code.
But the certificate is failing in the following code:
    SecIdentityRef identity = nil;
    // srchRef is a SecIdentitySearchRef created earlier; kcPath is the
    // path of the keychain being searched.
    ortn = SecIdentitySearchCopyNext(srchRef, &identity);
    if (ortn) {
        printf("SecIdentitySearchCopyNext returned %d.\n", (int)ortn);
        printf("Cannot find signing key in keychain at %s. Aborting.\n",
               kcPath);
        return nil;
    }
And my app closes with the following log:
SecIdentitySearchCopyNext returned -25300.
Cannot find signing key in keychain at ~/Certificates/xyz.cert. Aborting.
Do I need to include the self-signed key externally with this certificate?
Thanks,
Apparao
On Wed, Jul 14, 2010 at 2:31 AM, Quinn "The Eskimo!" <email@hidden> wrote:
On 14 Jul 2010, at 01:16, Apparao Mulpuri wrote:
> I was just wondering why Apple hasn't provided such APIs for certificate creation, though it is possible with Keychain Access?
While I can't speak for Apple's data security team, I suspect that this has more to do with resource constraints rather than any lack of desire.
On 14 Jul 2010, at 06:08, Pavel Hlavnicka wrote:
> I believe you can always use the openssl library directly - which I'd guess is what Cert. Assistant is doing.
Certificate Assistant is based on Apple's Security framework APIs; it does not use anything from OpenSSL.
Generating a self-signed cert using <x-man-page://1ssl/openssl> is complex, but not /too/ complex. Here's a snippet of code that I used to do it:
    if (success) {
        openSSLTask = [[[NSTask alloc] init] autorelease];
        success = (openSSLTask != nil);
    }
    if (success) {
        [openSSLTask setStandardOutput:[NSFileHandle fileHandleWithNullDevice]];
        [openSSLTask setStandardError:[NSFileHandle fileHandleWithNullDevice]];
        [openSSLTask setLaunchPath:@"/usr/bin/openssl"];
        [openSSLTask setArguments:[NSArray arrayWithObjects:
            @"req",
            @"-utf8",
            @"-x509",
            @"-new",
            @"-newkey", @"rsa:2048",
            @"-nodes",
            @"-config", configFilePath,
            @"-days", @"365",
            @"-keyout", keyFilePath,
            @"-out", certificateFilePath,
            nil
        ]];
        [openSSLTask launch];
        [openSSLTask waitUntilExit];
        success = ([openSSLTask terminationStatus] == 0);
    }
This requires that you put a config file at configFilePath. You get back a key in the file at keyFilePath and a certificate in the file at certificateFilePath.
Setting up the config file is a little tricky. Here's the template that I use:
---------------------------------------------------------------------------
[ req ]
distinguished_name = req_distinguished_name_section
x509_extensions = req_key_usage_section
prompt = no
keyUsage = nonRepudiation, digitalSignature
default_md = sha1
[ req_distinguished_name_section ]
%@
[ req_key_usage_section ]
keyUsage = critical, digitalSignature
extendedKeyUsage = critical, %@
---------------------------------------------------------------------------
where the first %@ is replaced by a list of options describing the subject of the certificate (see <x-man-page://1ssl/req> for details) and the second %@ is either "serverAuth" or "clientAuth".
S+E
--
Quinn "The Eskimo!" <http://www.apple.com/developer/>
Apple Developer Relations, Developer Technical Support, Core OS/Hardware
_______________________________________________
Do not post admin requests to the list. They will be ignored.
Macnetworkprog mailing list (email@hidden)
Help/Unsubscribe/Update your Subscription:
This email sent to email@hidden
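As an added example (not Quinn's or Apparao's code), the POSIX shell script below runs the same `openssl req` invocation as the NSTask arguments in the quoted message, fills Quinn's config template with a constructed subject and "serverAuth", and then performs the checks a practitioner would want before handing the files to an app: that the certificate carries the intended key usage and extended key usage, and that the private key written to keyFilePath really matches the public key in the certificate. It deviates from the template in two places, both deliberately: `default_md` is `sha256` instead of `sha1`, because SHA-1 certificate signatures are deprecated, and the `keyUsage` line in the `[ req ]` section is dropped because `openssl req` ignores it there (the `x509_extensions` section is what sets key usage). The final step bundles key and certificate into a PKCS#12 file, which bears on the -25300 result above: that code is errSecItemNotFound, and SecIdentitySearchCopyNext looks for an identity (a certificate paired with its private key) inside a keychain, so a certificate file sitting on disk at ~/Certificates/xyz.cert is not something it can find. Whether a keychain import is the step missing from Apparao's setup is an assumption; the file names, subject and password are constructed for the example, and an `openssl` binary (1.1.1 or 3.x) is assumed on PATH.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumes `openssl` (1.1.1 or 3.x) on PATH.
# All file names, the subject and the PKCS#12 password below are constructed.
set -eu

# Write Quinn's config template to $1. $2 fills the first %@ (subject, one
# key = value per line), $3 fills the second %@ (serverAuth or clientAuth).
# Deviations from the template: sha256 instead of sha1, and no keyUsage line
# in [ req ], which openssl req would ignore anyway.
write_config() {
    cat > "$1" <<EOF
[ req ]
distinguished_name = req_distinguished_name_section
x509_extensions = req_key_usage_section
prompt = no
default_md = sha256

[ req_distinguished_name_section ]
$2

[ req_key_usage_section ]
keyUsage = critical, digitalSignature
extendedKeyUsage = critical, $3
EOF
}

# Same arguments as the NSTask invocation: self-signed, fresh 2048-bit RSA key,
# unencrypted key file (-nodes), valid 365 days. $1 config, $2 key out, $3 cert out.
make_self_signed() {
    openssl req -utf8 -x509 -new -newkey rsa:2048 -nodes \
        -config "$1" -days 365 -keyout "$2" -out "$3" >/dev/null 2>&1
}

# True if the decoded certificate $1 mentions the extension text $2
# (e.g. "Digital Signature", "TLS Web Server Authentication").
cert_has_ext() {
    openssl x509 -in "$1" -noout -text | grep -q -- "$2"
}

# True if the public key derived from private key $1 equals the one embedded
# in certificate $2, i.e. the two files really belong together.
key_matches_cert() {
    from_key=$(openssl pkey -in "$1" -pubout)
    from_cert=$(openssl x509 -in "$2" -noout -pubkey)
    [ "$from_key" = "$from_cert" ]
}

# Bundle key $1 and cert $2 into PKCS#12 file $3 protected by password $4.
# Importing that file into a keychain (on macOS: security import identity.p12
# -k <keychain> -P <password>) stores the pair as an identity, which is the
# kind of item SecIdentitySearch looks for; a loose .cert file is not one.
bundle_pkcs12() {
    openssl pkcs12 -export -inkey "$1" -in "$2" -out "$3" -passout "pass:$4"
}

# Run the whole procedure in a fresh directory, verify the results, and
# print the directory path. Any failed check aborts because of set -e.
demo() {
    dir=$(mktemp -d)
    write_config "$dir/req.cnf" "CN = example.test
O = Example Org" serverAuth
    make_self_signed "$dir/req.cnf" "$dir/key.pem" "$dir/cert.pem"
    cert_has_ext "$dir/cert.pem" "Digital Signature"
    cert_has_ext "$dir/cert.pem" "TLS Web Server Authentication"
    key_matches_cert "$dir/key.pem" "$dir/cert.pem"
    bundle_pkcs12 "$dir/key.pem" "$dir/cert.pem" "$dir/identity.p12" changeit
    echo "$dir"
}

# Stand-alone run: generate, verify and bundle, then report where the files are.
out=$(demo) && echo "key.pem, cert.pem and identity.p12 written to $out"
```

The two verification functions are the ones worth keeping around: `cert_has_ext` confirms the extension section of the template actually took effect (a config typo silently yields a certificate with no key usage at all), and `key_matches_cert` catches the case where an app is handed a certificate and a key file from different runs.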