Hello! Thanks for your help and monitoring. Yes, I get the same error, I also throws the same when tested with the files you sent me. I think there must be something I missed or did wrong in the installation. Which version did you use for this package: openssl mod_tsa Apache mod_ssl mysql ts-patch_XXXX
Another thing, to generate the certificate for the extension tsa with Time Stamping, which. cnf did you use? The openssl.cnf or one created for you? Very grateful! Thanks 2011/2/22 Mounir IDRASSI <mounir.idra...@idrix.net> > Hi, > > Are you sure you have the same error description > (lib(47):func(131):reason(117):ts_rsp_sign.c:206:)? I have tested here with > a certificate containing "Digital Signature, Non Repudiation" key usage and > OpenSSL doesn't complain. > I'm attaching the timestamp certificate (with its key and its CA > certificate) that I used. Can you see if it is working for you? > > > Cheers, > -- > Mounir IDRASSI > IDRIX > http://www.idrix.fr > > On 2/22/2011 3:11 PM, Yessica De Ascencao wrote: > >> Hi Mounir IDRASSI! >> I generated the certificate with ONLY Digital Signature, Non Repudiation >> but I still have the same problem. >> >> Thanks! >> >> Certificate: >> Data: >> Version: 3 (0x2) >> Serial Number: >> d8:e6:a3:f6:22:c7:a4:0c >> Signature Algorithm: sha1WithRSAEncryption >> Issuer: C=ve, ST=distrito capital, O=suscerte, OU=acraiz, >> CN=ac/emailAddress=a...@suscerte.gob.ve <mailto:a...@suscerte.gob.ve> >> >> Validity >> Not Before: Feb 22 14:08:20 2011 GMT >> Not After : Feb 22 14:08:20 2012 GMT >> Subject: C=ve, ST=distritocapital, L=caracas, O=tss, OU=suscerte, >> CN=tsscompany/emailAddress=t...@company.com <mailto:t...@company.com> >> >> Subject Public Key Info: >> Public Key Algorithm: rsaEncryption >> RSA Public Key: (2048 bit) >> Modulus (2048 bit): >> 00:bd:6e:12:e5:72:37:f2:74:e4:95:f7:43:f2:c7: >> 00:7d:53:cb:2d:a9:49:68:4d:04:b7:40:8d:b7:cd: >> 56:23:89:8a:e1:78:d6:a8:bd:a3:ef:16:62:d6:37: >> 6d:25:ce:eb:9d:30:8a:5e:be:6a:68:6f:bf:cd:f7: >> 6b:cd:85:f8:c6:62:f3:ea:8e:32:79:2a:d2:38:40: >> b9:d7:88:c9:18:5c:63:98:69:ea:b6:95:83:a2:ac: >> 1b:b4:17:9a:e7:ea:66:bc:c3:e6:c8:e6:47:94:9b: >> 36:3c:3b:e0:59:9e:85:90:a6:8f:ad:8a:0a:0b:9e: >> 51:de:ef:93:73:e5:6b:a9:f2:49:ec:c0:46:57:71: >> 27:fd:85:47:09:f7:90:f7:bb:c5:3a:83:0a:3c:cc: >> f2:88:2f:69:5c:80:e2:7f:9e:28:d3:19:09:62:fb: >> 2b:61:a4:f8:4c:64:d6:72:cb:41:a9:68:69:38:8b: >> 3f:03:04:83:26:e0:9a:ce:be:1f:05:f0:6d:99:2c: >> 87:16:97:e2:7f:8b:2f:b1:eb:19:2f:10:45:00:2c: >> 8e:dd:f5:80:de:cf:c7:17:a0:cc:cf:0d:f3:48:19: >> 7f:5b:b0:dd:51:a8:80:e0:65:eb:79:ef:ea:fc:d8: >> 6d:a5:2d:e3:06:b0:83:83:14:7f:61:f9:dc:ea:a7: >> 7a:4b >> Exponent: 65537 (0x10001) >> X509v3 extensions: >> X509v3 Basic Constraints: >> CA:FALSE >> X509v3 Key Usage: >> Digital Signature, Non Repudiation >> Netscape Comment: >> OpenSSL Generated Certificate >> X509v3 Subject Key Identifier: >> FA:0C:6E:6E:88:58:51:F4:DF:F1:E3:CC:DD:9D:71:8C:CD:95:68:17 >> X509v3 Authority Key Identifier: >> >> keyid:76:B9:CB:3B:5D:C8:B6:AB:02:74:86:D3:1C:C7:42:58:B1:AE:7E:76 >> >> X509v3 Subject Alternative Name: >> email:t...@company.com <mailto:email%3a...@company.com> >> >> X509v3 Extended Key Usage: critical >> Time Stamping >> Signature Algorithm: sha1WithRSAEncryption >> 3d:d4:76:9a:d7:2d:6a:93:62:d7:2c:29:87:cc:9c:72:97:19: >> 1a:2d:59:b8:fc:6c:86:22:ad:9c:ba:74:de:89:cb:55:c0:f8: >> 50:02:5d:7d:58:92:cb:0d:c9:9a:30:a9:2a:32:7e:2c:c6:a1: >> 19:eb:09:30:55:85:c8:30:d4:f1:51:9a:ca:77:58:8e:f8:a6: >> b8:d9:92:63:10:fa:ad:06:79:aa:d9:5a:09:9c:5b:91:8b:7a: >> 04:66:f5:24:0b:25:25:69:a5:66:30:c1:4a:b8:cf:c7:51:e1: >> 5a:a0:a6:51:cf:b0:26:05:8d:c4:66:cd:3b:c6:08:a5:de:57: >> 81:af >> >> >> 2011/2/22 Mounir IDRASSI <mounir.idra...@idrix.net <mailto: >> mounir.idra...@idrix.net>> >> >> >> Hi, >> >> I don't agree : from the error description >> (lib(47):func(131):reason(117):ts_rsp_sign.c:206) it is clear that >> OpenSSL loaded the certificate but the X509_check_purpose(signer, >> X509_PURPOSE_TIMESTAMP_SIGN, 0) call in ts_rsp_sign failed. >> >> Actaully, reading the certificate dump shows that the problem is >> coming from the certificate Key Usage : it MUST NOT contain Key >> Encipherment. >> So, to resolve your problem, set the Key Usage to ONLY Digital >> Signature, Non Repudiation. >> >> I hope this will help. >> Cheers, >> -- >> Mounir IDRASSI >> IDRIX >> http://www.idrix.fr >> >> >> On 2/22/2011 2:40 PM, Patrick Patterson wrote: >> >> Hi Yessica: >> >> That error is fairly straightforward - it's can't load the >> cert (meaning, it can't even load the file). >> >> Have you made sure that the permissions are correct? Are you >> absolutely sure that you have the right cert in the right >> location? >> >> Have fun. >> >> Patrick. >> >> On 2011-02-22, at 8:37 AM, Yessica De Ascencao wrote: >> >> Hi! >> This is the new certificate: >> >> Certificate: >> Data: >> Version: 3 (0x2) >> Serial Number: >> d8:e6:a3:f6:22:c7:a4:0b >> Signature Algorithm: sha1WithRSAEncryption >> Issuer: C=ve, ST=distrito capital, O=suscerte, >> OU=acraiz, CN=ac/emailAddress=a...@suscerte.gob.ve >> <mailto:a...@suscerte.gob.ve> >> >> Validity >> Not Before: Feb 21 20:15:08 2011 GMT >> Not After : Feb 21 20:15:08 2012 GMT >> Subject: C=ve, ST=distritocapital, L=caracas, >> O=tss, OU=suscerte, >> CN=tsscompany/emailAddress=t...@company.com >> <mailto:t...@company.com> >> >> Subject Public Key Info: >> Public Key Algorithm: rsaEncryption >> RSA Public Key: (2048 bit) >> Modulus (2048 bit): >> >> 00:bd:6e:12:e5:72:37:f2:74:e4:95:f7:43:f2:c7: >> >> 00:7d:53:cb:2d:a9:49:68:4d:04:b7:40:8d:b7:cd: >> >> 56:23:89:8a:e1:78:d6:a8:bd:a3:ef:16:62:d6:37: >> >> 6d:25:ce:eb:9d:30:8a:5e:be:6a:68:6f:bf:cd:f7: >> >> 6b:cd:85:f8:c6:62:f3:ea:8e:32:79:2a:d2:38:40: >> >> b9:d7:88:c9:18:5c:63:98:69:ea:b6:95:83:a2:ac: >> >> 1b:b4:17:9a:e7:ea:66:bc:c3:e6:c8:e6:47:94:9b: >> >> 36:3c:3b:e0:59:9e:85:90:a6:8f:ad:8a:0a:0b:9e: >> >> 51:de:ef:93:73:e5:6b:a9:f2:49:ec:c0:46:57:71: >> >> 27:fd:85:47:09:f7:90:f7:bb:c5:3a:83:0a:3c:cc: >> >> f2:88:2f:69:5c:80:e2:7f:9e:28:d3:19:09:62:fb: >> >> 2b:61:a4:f8:4c:64:d6:72:cb:41:a9:68:69:38:8b: >> >> 3f:03:04:83:26:e0:9a:ce:be:1f:05:f0:6d:99:2c: >> >> 87:16:97:e2:7f:8b:2f:b1:eb:19:2f:10:45:00:2c: >> >> 8e:dd:f5:80:de:cf:c7:17:a0:cc:cf:0d:f3:48:19: >> >> 7f:5b:b0:dd:51:a8:80:e0:65:eb:79:ef:ea:fc:d8: >> >> 6d:a5:2d:e3:06:b0:83:83:14:7f:61:f9:dc:ea:a7: >> 7a:4b >> Exponent: 65537 (0x10001) >> X509v3 extensions: >> X509v3 Basic Constraints: >> CA:FALSE >> X509v3 Key Usage: >> Digital Signature, Non Repudiation, Key >> Encipherment >> Netscape Comment: >> OpenSSL Generated Certificate >> X509v3 Subject Key Identifier: >> >> FA:0C:6E:6E:88:58:51:F4:DF:F1:E3:CC:DD:9D:71:8C:CD:95:68:17 >> X509v3 Authority Key Identifier: >> >> keyid:76:B9:CB:3B:5D:C8:B6:AB:02:74:86:D3:1C:C7:42:58:B1:AE:7E:76 >> >> X509v3 Subject Alternative Name: >> email:t...@company.com <mailto:email%3a...@company.com> >> >> X509v3 Extended Key Usage: critical >> Time Stamping >> Signature Algorithm: sha1WithRSAEncryption >> 02:d1:fd:44:de:1e:9f:e0:29:66:35:8f:43:da:e6:b5:20:43: >> 52:90:b0:dc:8a:0f:09:92:9e:c2:6b:dc:14:ab:2c:9f:1b:8e: >> 02:76:9a:17:08:77:ca:26:06:13:25:9e:4a:e2:bf:bb:2b:4d: >> cf:67:41:c0:2b:3a:1a:d0:ae:a8:88:3c:13:e2:0d:f6:9c:1e: >> e7:ba:ef:22:c6:b8:18:3b:a8:5e:f9:0e:43:b8:de:82:b1:e0: >> be:00:d2:57:9c:f3:d9:48:72:28:70:5d:06:d7:73:84:bc:f7: >> 5e:65:27:86:0d:e8:28:b4:dd:72:4d:8e:59:02:cc:39:0f:8d: >> 47:87 >> >> And this is the error: >> [Mon Feb 21 20:15:37 2011] [error] mod_tsa:could not load >> X.509 certificate: /usr/local/ssl/misc/demoCA/tss.pem >> [Mon Feb 21 20:15:37 2011] [error] >> >> >> mod_tsa:17262:error:2F083075:lib(47):func(131):reason(117):ts_rsp_sign.c:206: >> [Mon Feb 21 20:15:37 2011] [emerg] exiting, fatal error >> during mod_tsa initialisation. >> >> Thanks!!! >> >> 2011/2/21 Jaroslav Imrich<jaroslav.imr...@gmail.com >> <mailto:jaroslav.imr...@gmail.com>> >> >> Hello Yessica, >> >> please post new certificate and exact error you're getting. >> >> -- >> Kind Regards / S pozdravom >> >> Jaroslav Imrich >> http://www.jariq.sk >> >> >> >> On Mon, Feb 21, 2011 at 4:41 PM, Yessica De >> Ascencao<yessima...@gmail.com >> <mailto:yessima...@gmail.com>> wrote: >> >> hello!!! >> Thanks for the response! >> >> Yes I needed the extension to Time Stamping, however when >> I load the sample certificate in the OpenTSA page, >> continues to show me the same error. I created a >> certificate with the correct extension and likewise gives >> me error. >> >> I really do not know what may be happening. >> >> Thank you very much! >> >> >> >> 2011/2/18 Jaroslav Imrich<jaroslav.imr...@gmail.com >> <mailto:jaroslav.imr...@gmail.com>> >> >> Hello Yessica, >> >> >> this line in your logs tells you where the error occured: >> >> >> [Thu Feb 17 19:23:09 2011] [error] >> >> mod_tsa:1510:error:2F083075:lib(47):func(131):reason(117):ts_rsp_sign.c:206: >> >> When you look into source code of openssl ts module - >> >> http://cvs.openssl.org/fileview?f=openssl/crypto/ts/ts_rsp_sign.c&v=1.6.4.2 >> < >> http://cvs.openssl.org/fileview?f=openssl/crypto/ts/ts_rsp_sign.c&v=1.6.4.2 >> > >> - you can see that line 206 contains following code: >> >> if (X509_check_purpose(signer, >> X509_PURPOSE_TIMESTAMP_SIGN, 0) != 1) >> { >> TSerr(TS_F_TS_RESP_CTX_SET_SIGNER_CERT, >> >> TS_R_INVALID_SIGNER_CERTIFICATE_PURPOSE); >> return 0; >> } >> >> That means loading of TSA certificate failed because of >> incorrect extensions. >> >> Certificate you posted has critical mark on "X509v3 >> Subject Alternative Name" which is completely wrong in >> this case. It is "Time Stamping" that has to be marked as >> critical. >> >> >> -- Kind Regards / S pozdravom >> >> Jaroslav Imrich >> http://www.jariq.sk >> >> >> >> -- Saludos! >> Yessica De Ascencao >> 0426-7142582 >> >> >> >> -- Saludos! >> Yessica De Ascencao >> 0426-7142582 >> >> --- >> Patrick Patterson >> Chief PKI Architect >> Carillon Information Security Inc. >> http://www.carillon.ca >> >> >> >> >> >> >> ______________________________________________________________________ >> OpenSSL Project http://www.openssl.org >> User Support Mailing List openssl-users@openssl.org >> <mailto:openssl-users@openssl.org> >> >> Automated List Manager majord...@openssl.org >> <mailto:majord...@openssl.org> >> >> >> >> ______________________________________________________________________ >> OpenSSL Project http://www.openssl.org >> User Support Mailing List openssl-users@openssl.org >> <mailto:openssl-users@openssl.org> >> >> Automated List Manager majord...@openssl.org >> <mailto:majord...@openssl.org> >> >> >> >> >> >> -- >> Saludos! >> Yessica De Ascencao >> 0426-7142582 >> > > -- Saludos! Yessica De Ascencao 0426-7142582
