Hi Javier, *,


Javier Mosqueda wrote:
> 
> Exchange2007 Server expects a file *.cer. To get this I should somehow get
> a *.txt file to convert that into a *.cer. Am I right? What do I have to
> do to get a *.txt file to be able to convert that into a *.cer?
> Niels
> 

Hi Niels:

Mail systems require a pkcs12 form of your own cert for signing the things
you send.  They also require the pem or der certs of all your counterparts
for encryption and signature verification, and also the CAs of everyone's
certs, to be able to follow the chain of CAs to the root or to one known CA
authority.  This is my summary of operations from private key to text output,
including the pkcs12 for your mail system to sign your mails.

1.- openssl genrsa -des3 -out key.pem 1024 # PRIVATE KEY of any client
2.- openssl req -new -key key.pem -out req.pem # CSR to be sent to the CA to sign a cert for any client
3.- openssl x509 -req -in req.pem -extfile /etc/ssl/openssl.cnf -extensions v3_req -CA cacert.pem -CAkey ca_key.pem -CAcreateserial -out cert.pem -days 1095 # SIGNING THE CSR TO PRODUCE CERT
4.- openssl pkcs12 -in cert.pem -export -inkey key.pem -out cert.p12 # PKCS12
5.- openssl x509 -text -in cert.pem # TEXT OUTPUT

Step 3 has several important elements: -extfile is the source to get the
-extensions from; you might find an openssl.cnf template to see details on
this (I include one portion below).  Whatever you say after -extensions points
the X509 signing process to that section of the .cnf, to prepare the client's
cert with such options or extensions.

That's another good reason to have many openssl.cnf files, because you can put
special extensions on every cert depending on the purpose of the cert
(to sign a sub-CA's cert, for any client to sign mail, for a browser, etc).

Hope this helps better
Greetings
Javier


Inside openssl.cnf wrote:
> 
> ...
> ...
> [ usr_cert ]
> 
> # These extensions are added when 'ca' signs a request.
> 
> # This goes against PKIX guidelines but some CAs do it and some software
> # requires this to avoid interpreting an end user certificate as a CA.
> 
> basicConstraints=CA:FALSE
> 
> # Here are some examples of the usage of nsCertType. If it is omitted
> # the certificate can be used for anything *except* object signing.
> 
> # This is OK for an SSL server.
> # nsCertType                  = server
> 
> # For an object signing certificate this would be used.
> # nsCertType = objsign
> 
> # For normal client use this is typical
> # nsCertType = client, email
> 
> # and for everything including object signing:
> nsCertType = server, client, email, objsign
> 
> # This is typical in keyUsage for a client certificate.
> keyUsage = nonRepudiation, digitalSignature, keyEncipherment
> 
> # This will be displayed in Netscape's comment listbox.
> nsComment                     = "ENERGIA SH Certificate w/OpenSSL"
> 
> # PKIX recommendations harmless if included in all certificates.
> subjectKeyIdentifier=hash
> authorityKeyIdentifier=keyid,issuer:always
> 
> # This stuff is for subjectAltName and issuerAltname.
> # Import the email address.
> subjectAltName=email:copy
> # An alternative to produce certificates that aren't
> # deprecated according to PKIX.
> # subjectAltName=email:move
> 
> # Copy subject details
> # issuerAltName=issuer:copy
> 
> nsCaRevocationUrl             = http://www.energiash.com/ca-crl.pem
> #nsBaseUrl
> #nsRevocationUrl
> #nsRenewalUrl
> #nsCaPolicyUrl
> #nsSslServerName
> 
> [ v3_req ]
> 
> # Extensions to add to a certificate request
> 
> basicConstraints = CA:FALSE
> keyUsage = nonRepudiation, digitalSignature, keyEncipherment
> 
> [ v3_ca ]
> 
> 
> # Extensions for a typical CA
> 
> 
> # PKIX recommendation.
> 
> subjectKeyIdentifier=hash
> 
> authorityKeyIdentifier=keyid:always,issuer:always
> 
> # This is what PKIX recommends but some broken software chokes on critical
> # extensions.
> #basicConstraints = critical,CA:true
> # So we do this instead.
> basicConstraints = CA:true
> 
> # Key usage: this is typical for a CA certificate. However since it will
> # prevent it being used as a test self-signed certificate it is best
> # left out by default.
> keyUsage = cRLSign, keyCertSign
> 
> # Some might want this also
> nsCertType = sslCA, emailCA
> 
> # Include email address in subject alt name: another PKIX recommendation
> # subjectAltName=email:copy
> # Copy issuer details
> # issuerAltName=issuer:copy
> 
> # DER hex encoding of an extension: beware experts only!
> # obj=DER:02:03
> # Where 'obj' is a standard or added object
> # You can even override a supported extension:
> # basicConstraints= critical, DER:30:03:01:01:FF
> 
> [ crl_ext ]
> 
> # CRL extensions.
> # Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
> 
> # issuerAltName=issuer:copy
> authorityKeyIdentifier=keyid:always,issuer:always
> 
> 


-- 
View this message in context: 
http://www.nabble.com/cannot-create-openssl-master-certificate-on-my-Exchange2007-Server%21Help-needed%21-tp24583342p24608790.html
Sent from the OpenSSL - User mailing list archive at Nabble.com.
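The five steps from Javier's summary, run end to end as an added example (not code from the original message or from the OpenSSL project): a throwaway test CA stands in for cacert.pem/ca_key.pem, a constructed minimal openssl.cnf supplies the v3_ca and v3_req sections that -extensions selects, the client key is generated without -des3 so nothing prompts, and the resulting leaf is checked for CA:FALSE, no keyCertSign, and a valid chain before the PKCS#12 is handed to a mail client.

```shell
#!/bin/sh
# Added example (not from the original message): the five steps run non-interactively
# against a constructed minimal openssl.cnf, then the leaf is checked before use.
set -eu
WORK=$(mktemp -d); cd "$WORK"
# Constructed config: only the [req] plumbing plus the two extension sections
# that "-extensions v3_ca" / "-extensions v3_req" will select.
cat > openssl.cnf <<'EOF'
[ req ]
distinguished_name = req_dn
prompt = no
[ req_dn ]
CN = placeholder
[ v3_ca ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
basicConstraints = CA:true
keyUsage = cRLSign, keyCertSign
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = email:copy
EOF

build_mail_cert() {
  # A test CA to play the cacert.pem / ca_key.pem role from step 3.
  openssl genrsa -out ca_key.pem 2048 2>/dev/null
  openssl req -new -x509 -config openssl.cnf -extensions v3_ca -key ca_key.pem \
    -subj "/CN=Example Mail CA" -days 3650 -out cacert.pem
  openssl genrsa -out key.pem 2048 2>/dev/null                        # 1: client key (no -des3 prompt)
  openssl req -new -config openssl.cnf -key key.pem \
    -subj "/CN=Niels/emailAddress=niels@example.com" -out req.pem      # 2: CSR
  openssl x509 -req -in req.pem -extfile openssl.cnf -extensions v3_req \
    -CA cacert.pem -CAkey ca_key.pem -CAcreateserial -days 1095 -out cert.pem 2>/dev/null  # 3: sign
  openssl pkcs12 -export -in cert.pem -inkey key.pem -passout pass:changeit -out cert.p12   # 4: PKCS12
  openssl x509 -text -in cert.pem -noout > cert.txt                    # 5: text output
}

# Checks worth running before importing: the leaf really carries the v3_req
# extensions (CA:FALSE, no keyCertSign), chains to its CA, and the p12 holds key + cert.
leaf_is_not_ca() { grep -q 'CA:FALSE' cert.txt && ! grep -q 'Certificate Sign' cert.txt; }
leaf_chains_to_ca() { openssl verify -CAfile cacert.pem cert.pem >/dev/null 2>&1; }
p12_has_key_and_cert() {
  [ "$(openssl pkcs12 -in cert.p12 -passin pass:changeit -nodes 2>/dev/null | grep -c BEGIN)" -eq 2 ]
}

build_mail_cert
leaf_is_not_ca && leaf_chains_to_ca && p12_has_key_and_cert && echo "cert.p12 ready in $WORK"
```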
