views:

3387

answers:

2

I have a C/C++ application and I need to create an X509 PEM certificate containing both a public and private key. The certificate can be self-signed, or unsigned, doesn't matter.

I want to do this inside an app, not from command line.

What OpenSSL functions will do this for me? Any sample code is a bonus!

+1  A: 

Any chance of doing this via a system call from within your app? Several good reasons for doing this:

  • Licensing: Calling the openssl executable arguably separates it from your application and may provide certain advantages. Disclaimer: consult a lawyer on this.

  • Documentation: OpenSSL comes with phenomenal command-line documentation that greatly simplifies a potentially complicated tool.

  • Testability: you can exercise OpenSSL from the command line until you understand exactly how to create your certs. There are a lot of options; expect to spend about a day on this until you get all the details right. After that, it's trivial to incorporate the command into your app.

If you choose to use the API, check the openssl-dev developers' list on www.openssl.org.

Good luck!

Adam Liss
OpenSSL is not under the GPL: http://www.openssl.org/source/license.html
Zoredache
OpenSSL is licensed under an Apache-style license; it can be used in commercial apps just like any other non-copyleft license. People still might want to consult a lawyer to make sure everything they do is okay, but it does not have GPL-related issues.
Louis Gerbarg
Noted and updated -- thank you. Separation of open-source from closed-source code is generally a good idea, and unless efficiency is of critical importance, the other reasons make a good case for using the stand-alone openssl utility.
Adam Liss
I would rather not use a system call to do this. Your point about documentation is very valid - the docs for the SSL side of OpenSSL don't help much.
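The command-line route this answer recommends, as an added example that is not part of the answer: a single `openssl req -x509` invocation generates the key and the self-signed certificate, the two are concatenated into one PEM file the way the question asks, and a consistency check confirms the file holds both blocks and that the certificate's public key belongs to the private key. This is the kind of thing to get right on the command line first and only then wrap in `system()`. The output path, the CN `example.test`, the 2048-bit/365-day parameters and the function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the answer): generate a self-signed cert plus key into
# one PEM file with the openssl CLI, then check the result.
set -eu

# Generate a 2048-bit RSA key and a 365-day self-signed certificate in one step
# and append the certificate to the key file. -nodes leaves the key unencrypted,
# so the files are created under umask 077 (mode 0600).
make_self_signed_pem() {
    out=$1
    cn=$2
    (
        umask 077
        openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
            -subj "/CN=$cn" -keyout "$out" -out "$out.crt" 2>/dev/null
        cat "$out.crt" >> "$out"
        rm -f "$out.crt"
    )
}

# Check that the file holds both PEM blocks and that the public key inside the
# certificate is the one derived from the private key (catches a wrong
# -keyout/-out pairing or a stale file). Returns 0 when consistent.
check_self_signed_pem() {
    f=$1
    grep -q 'BEGIN CERTIFICATE' "$f" || return 1
    grep -q 'BEGIN .*PRIVATE KEY' "$f" || return 1
    key_fp=$(openssl pkey -in "$f" -pubout -outform DER | openssl dgst -sha256)
    cert_fp=$(openssl x509 -in "$f" -pubkey -noout \
              | openssl pkey -pubin -outform DER | openssl dgst -sha256)
    [ "$key_fp" = "$cert_fp" ]
}

# Usage: ./mkcert.sh out.pem example.test
if [ $# -eq 2 ]; then
    make_self_signed_pem "$1" "$2"
    check_self_signed_pem "$1" || { echo "$1: key/certificate mismatch" >&2; exit 1; }
    echo "$1: key and certificate written and consistent"
fi
```

From C the same command can be run through `system()` or `popen()`; the check function is the part worth keeping in a build or install script, since it fails loudly if the two halves ever drift apart.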
+6  A: 

I think you'll need to familiarize yourself with the terminology and mechanisms first. An X.509 certificate, by definition, does not include a private key. Instead, it is a CA-signed version of the public key (along with any attributes the CA puts into the signature). The PEM format really only supports separate storage of the key and the certificate - although you can then concatenate the two.

In any case, you'll need to invoke 20+ different functions of the OpenSSL API to create a key and a self-signed certificate. An example is in the OpenSSL source itself, in demos/x509/mkcert.c

Martin v. Löwis
Yes - I do need to familiarize myself more with SSL concepts. I will check out the example, thanks for the link (the link has a problem though, but I will figure it out.) I have also used Crypto++ for some stuff; it might be easier to use than OpenSSL in this case.
Thanks! Selected this answer because of the provided link.
I just fixed the link.
Martin v. Löwis