[Help-gnutls] Re: Creating self-signed certicates using the GnuTLS APi

[Simon Josefsson]

Alex Hudson <home at alexhudson.com> writes:

> Hey.
>
> I'm having trouble creating a self-signed certificate.
>
> I've created the private key fine, and then attempt to do something
> like:
>
> 	gnutls_x509_crt_init(&certificate);
> 	gnutls_x509_crt_set_activation_time(certificate, time(NULL));
> 	gnutls_x509_crt_set_expiration_time(certificate, time(NULL) + (700 * 24
> * 60 * 60));
> 	gnutls_x509_crt_set_key(certificate, key);
> 	gnutls_x509_crt_set_version(certificate, 1);
> 	gnutls_x509_crt_set_serial(certificate, &cert_version, sizeof(int));
>
> ... but with more error-checking. I then use
> gnutls_x509_crt_set_dn_by_oid() to set some more data on the
> certificate, and gnutls_x509_crt_set_key_usage(), but when I come to use
> gnutls_x509_crt_export() I get:
>
> 	ASN1 parser: Value was not found.

That error is typically returned when some non-optional fields in the
certificate have not yet been set.

> It seems I'm doing something pretty basically wrong. I've tried
> following what certtool does, but to be honest I got lost :D 
>
> Am I doing something clearly wrong? Are there any plain examples I could
> look at?

Did you sign the certificate using gnutls_x509_crt_sign2 or similar?
The signature field is not optional in a certificate.

Generally, I think certtool.c is the best example available, even though
it is a rather large program.  But, if my hint helps, please consider to
submit a stripped-down example program to create a self-signed
certificate so that others may learn from it.

/Simon