Question

I have created 2 certificate authorities

openssl req -new -x509 -keyout privACAkey.pem -out ACAcert.pem -days 1024 -config openssl.cfg

openssl req -new -x509 -keyout privBCAkey.pem -out BCAcert.pem -days 1024 -config openssl.cfg

and I want the CA of organisation B to send a request for a certificate of the same self-signed certificate in CA A. How to do this cross-sign certification?


Solution

From PKI - CA Cross-Certify Certificate with OpenSSL?:

First, use 'openssl x509 -x509toreq' to create a CSR from the certificate you want to cross-certify, then use 'openssl ca' to sign it, and use a specific extension section in the configuration file (use the -extensions option). Alternatively, the CA you want to cross-certify with could send you the CSR they used to create their CA certificate, and you could send them yours.

Cross-certification is really not that magic. You do need to keep track of policies, how you map policies, path lengths and things like that, which is why I suggest you have a specific configuration section for this purpose. Of course, you might just not care, and in that case, the extension v3_ca should be good enough.
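
The steps described above, run end to end as an added example (not code from the question or from the quoted answer). The DNs, the config contents, the `v3_cross` and `policy_cross` section names, the `pathlen:0` constraint and the output file names `BCA.csr` and `BCA-cross-by-A.pem` are assumptions; only the key and certificate file names come from the question.

```shell
#!/bin/sh
# Added example: CA A cross-certifies CA B via 'x509 -x509toreq' + 'openssl ca'.
# Section names, DNs and pathlen:0 are illustrative assumptions.
cross_sign_demo() {
    d=$1
    mkdir -p "$d/newcerts" && : > "$d/index.txt" && echo 01 > "$d/serial" || return 1
    cat > "$d/openssl.cfg" <<EOF
[ req ]
distinguished_name = dn
x509_extensions    = v3_ca
[ dn ]
[ v3_ca ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ ca ]
default_ca = ca_a
[ ca_a ]
database       = $d/index.txt
new_certs_dir  = $d/newcerts
serial         = $d/serial
default_md     = sha256
policy         = policy_cross
unique_subject = no
[ policy_cross ]
organizationName = supplied
commonName       = supplied
[ v3_cross ]
basicConstraints       = critical, CA:TRUE, pathlen:0
keyUsage               = critical, keyCertSign, cRLSign
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always
EOF
    # Two self-signed roots, as in the question (unencrypted keys for the demo).
    for ca in A B; do
        openssl req -new -x509 -nodes -newkey rsa:2048 -days 1024 \
            -subj "/O=Org $ca/CN=$ca Root CA" -config "$d/openssl.cfg" \
            -keyout "$d/priv${ca}CAkey.pem" -out "$d/${ca}CAcert.pem" || return 1
    done
    # B turns its self-signed certificate back into a CSR (needs B's private key).
    openssl x509 -x509toreq -in "$d/BCAcert.pem" -signkey "$d/privBCAkey.pem" \
        -out "$d/BCA.csr" || return 1
    # A signs B's CSR with the dedicated cross-certification extension section.
    openssl ca -batch -config "$d/openssl.cfg" -extensions v3_cross -days 365 \
        -cert "$d/ACAcert.pem" -keyfile "$d/privACAkey.pem" \
        -in "$d/BCA.csr" -out "$d/BCA-cross-by-A.pem" || return 1
    # The cross-certificate (subject B, issuer A) must chain to A's root.
    openssl verify -CAfile "$d/ACAcert.pem" "$d/BCA-cross-by-A.pem"
}
```

Call it as `cross_sign_demo "$(mktemp -d)"`. The policy section lists every DN field B uses because `openssl ca` drops fields the policy does not mention, and a cross-certificate whose subject differs from B's own certificate would not link to certificates B has issued.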

Licensed under: CC-BY-SA with attribution