On Thu, 23 Jan 2003 10:59:31 +0100, Nils Larsch <[EMAIL PROTECTED]> wrote :
--- SNIP ---
>
> Is it possible to show us both certificates ? Which version of OpenSSL
> are you using ? OS ?
k, first all the os and version info, currently using Debian Linux 3.0 (aka
woody - is up to date with all the security updates), the openssl library
is version 0.9.6 (according to the official version 0.9.6c but that would
miss quite a few security updates ...). But it seems that is the case:
$ openssl version
OpenSSL 0.9.6c 21 dec 2001
k, I'll look into forcing the use of the newest 0.9.6 version, h?
k, first I generate the private key using the command "openssl genrsa -out
key.pem 1024":
-----BEGIN RSA PRIVATE KEY-----
MIICXQIBAAKBgQDzDyooSB3fPsBPoE/Wf38uxDVepvUKSDf8KaQnwYABe3/f3AXB
yauL9A2dPsOaLFCJJ13RklDaEal2/qwfp8lNYxYeNPHu4XTUeiHKbmHXYHhIUwRb
ZLEppYDyCbzbFGVy1AQOU/btMryHl29+w/jkEZJy/z/TAcdtqVBrwfLORwIDAQAB
AoGAT5yV+F+2uRq6rtoZjG5yYAUQXhJdjKKfA88333W30cR72/0bPaAqukqT8v9N
3j/JmUL1reE47lR+p2U/R5cTjcwJuPF8ONUghxLleAE4lbqKEuHxvTT4BJGSRZDh
ROYKXbZcAr2iFOibXvYqlzL7mr6UxdS2n1V76P3fajZQZOECQQD9x2XFktoSoRU7
PpEnQX8N4oyxhnVhn8v/3L7hkOkhu4e4P7StXO65PsdBEAJ0CofFCLGQgg5K5AP5
LlOcjLJvAkEA9S+/0I2Wl7arYlMgAryP6E3f7s++Yss5Ov2VFAHNRbM/Ue/8Us0B
nWJ4W8rrzM8SBczAAfLKRUSaTOGrgUStqQJBALaaJwyGogsNhO1gE6mfYwBmpr2F
9igMhwjPmTlMv7LZ8MoObL7hQ5RfK5gRIPLGMPMBUmKcchRJBOLjBp56TlkCQBAQ
jtrVTBaoq1YH6EMFo9AuugtlpS3H7voEf24OKCr28aEmvjuWnxJ2zzgEdaq3rpCe
t73o8IPVWN7MsnYHz/ECQQCY21CMnXNgPq7U64OKG3RuEm5Vx2OLckgp1KECigkl
b22fuSFnYhmol/Ggj/mr1o42UA98O1omDv9S1oPRVBKb
-----END RSA PRIVATE KEY-----
Here is the certificates, as generated using the openssl program (The
correct one):
Certificate:
Data:
Version: 1 (0x0)
Serial Number: 0 (0x0)
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=ZA, ST=Gauteng, L=Pretoria, O=InterExcel,
OU=BackupServer, [EMAIL PROTECTED]
Validity
Not Before: Jan 23 11:16:17 2003 GMT
Not After : Feb 22 11:16:17 2003 GMT
Subject: [EMAIL PROTECTED]
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (1024 bit)
Modulus (1024 bit):
00:f3:0f:2a:28:48:1d:df:3e:c0:4f:a0:4f:d6:7f:
7f:2e:c4:35:5e:a6:f5:0a:48:37:fc:29:a4:27:c1:
80:01:7b:7f:df:dc:05:c1:c9:ab:8b:f4:0d:9d:3e:
c3:9a:2c:50:89:27:5d:d1:92:50:da:11:a9:76:fe:
ac:1f:a7:c9:4d:63:16:1e:34:f1:ee:e1:74:d4:7a:
21:ca:6e:61:d7:60:78:48:53:04:5b:64:b1:29:a5:
80:f2:09:bc:db:14:65:72:d4:04:0e:53:f6:ed:32:
bc:87:97:6f:7e:c3:f8:e4:11:92:72:ff:3f:d3:01:
c7:6d:a9:50:6b:c1:f2:ce:47
Exponent: 65537 (0x10001)
Signature Algorithm: sha1WithRSAEncryption
2a:e3:34:83:db:b7:89:0a:de:d4:76:c4:60:dc:1c:89:fa:95:
11:4b:ce:31:85:28:88:c9:2b:77:c0:23:68:37:51:f3:93:f2:
8a:c4:b4:71:84:18:5c:bb:00:65:7f:60:b7:16:8c:3d:cd:9f:
a3:9e:88:52:2a:5d:03:e8:03:84:a5:89:3a:28:97:ab:53:f7:
ba:36:5e:80:f1:58:4e:f2:c4:05:51:4b:73:56:08:3d:d7:cb:
8f:aa:b8:f9:51:ca:c6:3d:08:83:53:42:38:2b:bc:6f:8a:d2:
63:14:02:8a:c2:e3:88:27:2a:b5:cb:60:68:5e:59:cf:43:12:
6c:9d
-----BEGIN CERTIFICATE-----
MIICUTCCAboCAQAwDQYJKoZIhvcNAQEFBQAwgZ8xCzAJBgNVBAYTAlpBMRAwDgYD
VQQIEwdHYXV0ZW5nMREwDwYDVQQHEwhQcmV0b3JpYTETMBEGA1UEChMKSW50ZXJF
eGNlbDEVMBMGA1UECxMMQmFja3VwU2VydmVyMREwDwYDVQQDEwhDbGllbnRDQTEs
MCoGCSqGSIb3DQEJARYdYmFja3Vwc2VydmVyQGludGVyZXhjZWwuY28uemEwHhcN
MDMwMTIzMTExNjE3WhcNMDMwMjIyMTExNjE3WjBCMRkwFwYDVQQDExBlNzUxODE0
YTNhOWQ0ODJjMSUwIwYJKoZIhvcNAQkBFhZqYWNvQHdlYmZvdW50YWluLmNvLnph
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDzDyooSB3fPsBPoE/Wf38uxDVe
pvUKSDf8KaQnwYABe3/f3AXByauL9A2dPsOaLFCJJ13RklDaEal2/qwfp8lNYxYe
NPHu4XTUeiHKbmHXYHhIUwRbZLEppYDyCbzbFGVy1AQOU/btMryHl29+w/jkEZJy
/z/TAcdtqVBrwfLORwIDAQABMA0GCSqGSIb3DQEBBQUAA4GBACrjNIPbt4kK3tR2
xGDcHIn6lRFLzjGFKIjJK3fAI2g3UfOT8orEtHGEGFy7AGV/YLcWjD3Nn6OeiFIq
XQPoA4SliTool6tT97o2XoDxWE7yxAVRS3NWCD3Xy4+quPlRysY9CINTQjgrvG+K
0mMUAorC44gnKrXLYGheWc9DEmyd
-----END CERTIFICATE-----
The commands used to generate this was (the start date and end date is
based on what is generated by my program):
openssl req -config ./openssl.conf -key key.pem -new -out request.pem
openssl ca -config ./openssl.conf -name clientCA -in request.pem -startdate
030123111617Z -enddate 030222111617Z -md sha1 -out signed.pem -outdir . -
batch
afaik you need to edit the serial file to read "00" :).
And the certificate generated by my program (The one that fails):
Certificate:
Data:
Version: 1 (0x0)
Serial Number: 0 (0x0)
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=ZA, ST=Gauteng, L=Pretoria, O=InterExcel,
OU=BackupServer, [EMAIL PROTECTED]
Validity
Not Before: Jan 23 11:16:17 2003 GMT
Not After : Feb 22 11:16:17 2003 GMT
Subject: [EMAIL PROTECTED], CN=e751814a3a9d482c
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (1024 bit)
Modulus (1024 bit):
00:f3:0f:2a:28:48:1d:df:3e:c0:4f:a0:4f:d6:7f:
7f:2e:c4:35:5e:a6:f5:0a:48:37:fc:29:a4:27:c1:
80:01:7b:7f:df:dc:05:c1:c9:ab:8b:f4:0d:9d:3e:
c3:9a:2c:50:89:27:5d:d1:92:50:da:11:a9:76:fe:
ac:1f:a7:c9:4d:63:16:1e:34:f1:ee:e1:74:d4:7a:
21:ca:6e:61:d7:60:78:48:53:04:5b:64:b1:29:a5:
80:f2:09:bc:db:14:65:72:d4:04:0e:53:f6:ed:32:
bc:87:97:6f:7e:c3:f8:e4:11:92:72:ff:3f:d3:01:
c7:6d:a9:50:6b:c1:f2:ce:47
Exponent: 65537 (0x10001)
Signature Algorithm: sha1WithRSAEncryption
4c:33:8d:16:20:bf:bc:cc:9a:bd:d0:c7:57:6f:96:f5:fe:d9:
59:c0:61:0d:8a:a8:c7:21:77:33:4a:9a:af:57:15:d1:ed:5e:
34:5d:d2:2a:44:27:e7:49:25:f0:e8:43:de:75:a6:d8:81:ff:
8d:2e:47:73:25:bf:19:89:2c:3f:4b:40:d5:36:34:63:95:88:
5a:58:73:7b:24:9d:0f:dd:04:a5:28:f3:86:ee:a8:91:bb:41:
fc:5f:af:1f:55:32:db:c3:c3:ba:c4:9c:a0:45:55:3d:a4:f1:
cf:83:db:7a:82:bd:d2:b3:41:41:be:ba:14:74:86:75:f2:47:
69:02
-----BEGIN CERTIFICATE-----
MIICVjCCAb+gAwIBAAIBADANBgkqhkiG9w0BAQUFADCBnzELMAkGA1UEBhMCWkEx
EDAOBgNVBAgTB0dhdXRlbmcxETAPBgNVBAcTCFByZXRvcmlhMRMwEQYDVQQKEwpJ
bnRlckV4Y2VsMRUwEwYDVQQLEwxCYWNrdXBTZXJ2ZXIxETAPBgNVBAMTCENsaWVu
dENBMSwwKgYJKoZIhvcNAQkBFh1iYWNrdXBzZXJ2ZXJAaW50ZXJleGNlbC5jby56
YTAeFw0wMzAxMjMxMTE2MTdaFw0wMzAyMjIxMTE2MTdaMEIxJTAjBgkqhkiG9w0B
CQEWFmphY29Ad2ViZm91bnRhaW4uY28uemExGTAXBgNVBAMTEGU3NTE4MTRhM2E5
ZDQ4MmMwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAPMPKihIHd8+wE+gT9Z/
fy7ENV6m9QpIN/wppCfBgAF7f9/cBcHJq4v0DZ0+w5osUIknXdGSUNoRqXb+rB+n
yU1jFh408e7hdNR6IcpuYddgeEhTBFtksSmlgPIJvNsUZXLUBA5T9u0yvIeXb37D
+OQRknL/P9MBx22pUGvB8s5HAgMBAAEwDQYJKoZIhvcNAQEFBQADgYEATDONFiC/
vMyavdDHV2+W9f7ZWcBhDYqoxyF3M0qar1cV0e1eNF3SKkQn50kl8OhD3nWm2IH/
jS5HcyW/GYksP0tA1TY0Y5WIWlhzeySdD90EpSjzhu6okbtB/F+vH1Uy28PDusSc
oEVVPaTxz4PbeoK90rNBQb66FHSGdfJHaQI=
-----END CERTIFICATE-----
I thought you might also want my openssl.conf file, so here it is (minus a
few sections that is not used):
# This definition stops the following lines choking if HOME isn't
# defined.
HOME = .
RANDFILE = $ENV::HOME/.rnd
# Extra OBJECT IDENTIFIER info:
#oid_file = $ENV::HOME/.oid
oid_section = new_oids
[ new_oids ]
-- snip comments --
####################################################################
[ ca ]
default_ca = CA_default # The default ca section
####################################################################
[ CA_default ]
-- snip unused --
[ serverCA ]
-- snip unused --
[ clientCA ]
dir = ./clientCA
certs = $dir
crl_dir = $dir
database = $dir/index.txt
net_certs_dir = .
certificate = $dir/cacert.pem
serial = $dir/serial
private_key = $dir/key.pem
#x509_extensions = usr_cert
default_days = 365
default_crl_days= 30
default_md = sha1
preserve = no
policy = policy_minimal
# For the CA policy
[ policy_match ]
-- snip unused --
[ policy_minimal ]
commonName = supplied
emailAddress = supplied
[ policy_anything ]
-- snip unused --
####################################################################
[ req ]
default_bits = 1024
default_keyfile = privkey.pem
distinguished_name = req_distinguished_name
#attributes = req_attributes
#x509_extensions = v3_ca # The extentions to add to the self signed
cert
-- snip comments --
string_mask = nombstr
# req_extensions = v3_req # The extensions to add to a certificate request
[ req_distinguished_name ]
-- snip commented data that can go in here --
commonName = Common Name (eg, YOUR name)
commonName_max = 64
emailAddress = Email Address
emailAddress_max = 60
# SET-ex3 = SET extension number 3
[ req_attributes ]
-- snip commented out stuff, unused --
[ usr_cert ]
-- snip unused --
[ crl_ext ]
-- snip unused --
--------eof----------
I believe that is it, waiting for your reply. I'll try a version upgrade
on OpenSSL and let you know anyhow - but somehow I don't think it's going
to help :).
Jaco
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
