On Fri, May 24, 2002 at 12:07:48PM -0700, Curt Smith wrote:
> While we are on the subject of issuing your own X.509 certificates:
>
> 1. How do you create an X.509 signing hierarchy?

Do a web search on "openssl certificate authority".

> 2. Can you add additional algorithms (i.e. Twofish)?

Yes, if the libraries you use support them. Note that Twofish, being a symmetric algorithm, would not be used in certificates. Public key and hashes only.

> 3. Is a relevant developer reference available for X.509?

X.509 is an ITU/T standard, which means, among other things, that they charge money for copies. You can find copies on the net though. Being ITU/T also means that the standard is written in a format and style that is designed to be as incomprehensible as possible. This keeps the professional meeting-goers who write these things from having to search for honest work. The documents get progressively less understandable over time, so it's best to start with the 1988 version. PKCS#6 explains X.509 as well and is easier to understand. Peter Gutmann's X.509 Style Guide is quite comprehensible and also pretty funny after you have spent time trying to decipher X.509 or any other X.whatever standard. Peter also has a neat utility called dumpasn1 which you will want if you start diddling X.509 certs. OpenSSL is probably the most common library for doing cert stuff these days. Unfortunately the docs for OpenSSL are pretty much non-existent and the ASN.1 code is particularly difficult to understand.

Eric
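A toy DER walker in the spirit of the dumpasn1 utility mentioned in the reply, added here as an example (it is neither Gutmann's tool nor anything from this thread). It decodes a constructed sample fragment rather than a real certificate, covers only a handful of universal tags, and shows the length-field check that every ASN.1 parser needs before trusting the data.

```python
# Minimal DER tag-length-value walker in the spirit of dumpasn1 (added example, not Gutmann's tool).
UNIVERSAL = {0x02: "INTEGER", 0x03: "BIT STRING", 0x04: "OCTET STRING", 0x05: "NULL",
             0x06: "OBJECT IDENTIFIER", 0x0C: "UTF8String", 0x13: "PrintableString",
             0x17: "UTCTime", 0x30: "SEQUENCE", 0x31: "SET"}

def read_tlv(buf, pos):
    # Decode the element at buf[pos]; return (tag, constructed?, contents, next_pos).
    tag = buf[pos]
    if (tag & 0x1F) == 0x1F:
        raise ValueError("high-tag-number form not supported here")
    length, pos = buf[pos + 1], pos + 2
    if length & 0x80:                    # long form: low 7 bits = number of length octets
        n = length & 0x7F
        if n == 0 or n > 4:              # 0x80 is BER indefinite length, which DER forbids
            raise ValueError("indefinite or oversized length")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    end = pos + length
    if end > len(buf):                   # never trust the length field without this check
        raise ValueError("length runs past end of buffer")
    return tag, bool(tag & 0x20), buf[pos:end], end

def decode_oid(contents):
    # First octet packs the first two arcs; the rest are base-128 with a continuation bit.
    arcs, value = [contents[0] // 40, contents[0] % 40], 0
    for b in contents[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

# How to render the primitive types we know; anything else is shown as hex.
SHOW = {0x06: decode_oid, 0x02: lambda c: str(int.from_bytes(c, "big", signed=True)),
        0x0C: bytes.decode, 0x13: bytes.decode, 0x17: bytes.decode}

def dump(buf, depth=0):
    # One indented line per element, recursing into SEQUENCE/SET/explicit tags.
    lines, pos = [], 0
    while pos < len(buf):
        tag, constructed, contents, pos = read_tlv(buf, pos)
        name = "[%d]" % (tag & 0x1F) if (tag & 0xC0) == 0x80 else UNIVERSAL.get(tag, "tag 0x%02X" % tag)
        if constructed:
            lines.append("  " * depth + name)
            lines.extend(dump(contents, depth + 1))
        else:
            shown = SHOW.get(tag, bytes.hex)(contents)
            lines.append("  " * depth + name + (" " + shown if shown else ""))
    return lines

# Constructed sample (not a real cert): version [0] {2}, serial 0x1234, sha256WithRSAEncryption AlgorithmIdentifier.
SAMPLE_DER = bytes.fromhex("3018" "a003020102" "02021234" "300d06092a864886f70d01010b0500")
```

`print("\n".join(dump(SAMPLE_DER)))` prints the nested structure one element per line, the way dumpasn1 does for a full certificate.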