AW: openssl can don' t handle 20 Octes long Serial Numbers RFC 32 80
Michael, OpenSSL ist working correct because "9a 38 74 00 00 00 00 25 be" is a negative integer. If you preceedyour serial number with "00" everything will work fine... even the presentation of your number withOpenSSL. Best regards Thomas Von: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Im Auftrag von Bohn, MichaelGesendet: Mittwoch, 11. Januar 2006 07:20An: openssl-users@openssl.orgBetreff: openssl can don' t handle 20 Octes long Serial Numbers RFC 3280 Hi all, sorry that I send the same e-mail again but I did't find any answer to my last one. We have the case that openssl can not handle long serial numbers. Inower case we have this Serail Nr. 9a 38 74 00 00 00 00 25 be but OpenSSL 0.9.7e 25 Oct 2004print this: openssl x509 -infile -noout -textCertificate: Data: Version: 3 (0x2) Serial Number: (Negative)65:c7:8b:ff:ff:ff:ff:da:42 windowscisco and mozilla can handle this SN without any problems. RFC 3280 RFC 3280 Internet X.509 Public Key Infrastructure April 2002 Given the uniqueness requirements above, serial numbers can be expected to contain long integers. Certificate users MUST be able to handle serialNumber values up to 20 octets. Conformant CAs MUST NOT use serialNumber values longer than 20 octets. ### best regards Michael
AW: openssl can don' t handle 20 Octes long Serial Numbers RFC 32 80
Kyle it's not required by the RFC but it's required by x.209 (BER, Encoding of integer-values) Regards Thomas -Ursprüngliche Nachricht- Von: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Im Auftrag von Kyle Hamilton Gesendet: Mittwoch, 11. Januar 2006 15:22 An: openssl-users@openssl.org Betreff: Re: openssl can don' t handle 20 Octes long Serial Numbers RFC 32 80 My belief is that the presentation should be as an octet string, as opposed to a string representation of an integer. Furthermore, serial numbers are unsigned, not signed, and generally increment. The problem is that the CA did not embed 00 before the serial number of the certificate it signed -- and, by RFC, it is not required to. The serial number should be presented to the user as an opaque string of hex bytes, not (as current) a translation into an integer. -Kyle H On 1/11/06, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote: Michael, OpenSSL ist working correct because 9a 38 74 00 00 00 00 25 be is a negative integer. If you preceedyour serial number with 00 everything will work fine... even the presentation of your number with OpenSSL. Best regards Thomas Von: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Im Auftrag von Bohn, Michael Gesendet: Mittwoch, 11. Januar 2006 07:20 An: openssl-users@openssl.org Betreff: openssl can don' t handle 20 Octes long Serial Numbers RFC 3280 Hi all, sorry that I send the same e-mail again but I did't find any answer to my last one. We have the case that openssl can not handle long serial numbers. In ower case we have this Serail Nr. 9a 38 74 00 00 00 00 25 be but OpenSSL 0.9.7e 25 Oct 2004 print this: openssl x509 -in file -noout -text Certificate: Data: Version: 3 (0x2) Serial Number: (Negative)65:c7:8b:ff:ff:ff:ff:da:42 windows cisco and mozilla can handle this SN without any problems. RFC 3280 RFC 3280Internet X.509 Public Key Infrastructure April 2002 Given the uniqueness requirements above, serial numbers can be expected to contain long integers. Certificate users MUST be able to handle serialNumber values up to 20 octets. Conformant CAs MUST NOT use serialNumber values longer than 20 octets. ### best regards Michael __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
AW: openssl can don' t handle 20 Octes long Serial Numbers RFC 32 80
Because it IS a negative number according to x.209... and other papers defining the bit representation of INTEGER. -Ursprüngliche Nachricht- Von: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Im Auftrag von Bohn, Michael Gesendet: Mittwoch, 11. Januar 2006 16:00 An: openssl-users@openssl.org Betreff: AW: openssl can don' t handle 20 Octes long Serial Numbers RFC 32 80 Okay I see if it's not requird to embed the 00 before the SN why does openssl prints that the number is negative ? Michael Bohn -Ursprüngliche Nachricht- Von: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Im Auftrag von Kyle Hamilton Gesendet: Mittwoch, 11. Januar 2006 15:22 An: openssl-users@openssl.org Betreff: Re: openssl can don' t handle 20 Octes long Serial Numbers RFC 32 80 My belief is that the presentation should be as an octet string, as opposed to a string representation of an integer. Furthermore, serial numbers are unsigned, not signed, and generally increment. The problem is that the CA did not embed 00 before the serial number of the certificate it signed -- and, by RFC, it is not required to. The serial number should be presented to the user as an opaque string of hex bytes, not (as current) a translation into an integer. -Kyle H On 1/11/06, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote: Michael, OpenSSL ist working correct because 9a 38 74 00 00 00 00 25 be is a negative integer. If you preceedyour serial number with 00 everything will work fine... even the presentation of your number with OpenSSL. Best regards Thomas Von: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Im Auftrag von Bohn, Michael Gesendet: Mittwoch, 11. Januar 2006 07:20 An: openssl-users@openssl.org Betreff: openssl can don' t handle 20 Octes long Serial Numbers RFC 3280 Hi all, sorry that I send the same e-mail again but I did't find any answer to my last one. We have the case that openssl can not handle long serial numbers. In ower case we have this Serail Nr. 9a 38 74 00 00 00 00 25 be but OpenSSL 0.9.7e 25 Oct 2004 print this: openssl x509 -in file -noout -text Certificate: Data: Version: 3 (0x2) Serial Number: (Negative)65:c7:8b:ff:ff:ff:ff:da:42 windows cisco and mozilla can handle this SN without any problems. RFC 3280 RFC 3280Internet X.509 Public Key Infrastructure April 2002 Given the uniqueness requirements above, serial numbers can be expected to contain long integers. Certificate users MUST be able to handle serialNumber values up to 20 octets. Conformant CAs MUST NOT use serialNumber values longer than 20 octets. ### best regards Michael __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
AW: openssl can don' t handle 20 Octes long Serial Numbers RFC 32 80
Michael, just for my curiousity... who ist the issuer of the certificate? Best regards Thomas Von: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Im Auftrag von Bohn, MichaelGesendet: Mittwoch, 11. Januar 2006 07:20An: openssl-users@openssl.orgBetreff: openssl can don' t handle 20 Octes long Serial Numbers RFC 3280 Hi all, sorry that I send the same e-mail again but I did't find any answer to my last one. We have the case that openssl can not handle long serial numbers. Inower case we have this Serail Nr. 9a 38 74 00 00 00 00 25 be but OpenSSL 0.9.7e 25 Oct 2004print this: openssl x509 -infile -noout -textCertificate: Data: Version: 3 (0x2) Serial Number: (Negative)65:c7:8b:ff:ff:ff:ff:da:42 windowscisco and mozilla can handle this SN without any problems. RFC 3280 RFC 3280 Internet X.509 Public Key Infrastructure April 2002 Given the uniqueness requirements above, serial numbers can be expected to contain long integers. Certificate users MUST be able to handle serialNumber values up to 20 octets. Conformant CAs MUST NOT use serialNumber values longer than 20 octets. ### best regards Michael
AW: certificate version
Andrea, You have to add the lines x509_extensions = name_of_section and [name_of_section] to your config file. If you want to get an x.509v3 certificate without extensions, you can leave the section empty. Otherwise you can specify your extensions to be used here. Regards Thomas -Ursprüngliche Nachricht- Von: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Im Auftrag von Tassi Andrea Gesendet: Montag, 14. November 2005 10:19 An: openssl-users@openssl.org Betreff: certificate version Hi all, someone could help me? I'm using openssl to generate certificates. My steps are: 1) I generate a self signed certificate that I use as a CA commands: a)genrsa -out cakey.pem 1024 b)req -new -nodes -x509 -key cakey.pem -out ca.pem -days 1095 This certificate is V3. 2)I genarate the user certificate by the commands: a)genrsa -out ckey.pem 1024 b)req -new -nodes -key ckey.pem -out rccert.pem -sha1 -verify c)x509 -req -in rccert.pem -CA ca.pem -CAkey cakey.pem -out ccert.pem The result is a V1 certificate. The question is this: is it possible to generate a V3 user certificate? I'm using OpenSSL_0.9.7e for Windows. I looked for this problem on documentation but I was not able to find answers, so I would appreciate your help ThanksRegards Andrea __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
AW: problems making Certificate Request
In the C-Field of the DN only two characters are allowed. So C=ZA Par is invalid. Regards Thomas -Ursprüngliche Nachricht- Von: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Auftrag von Brendon Schafer Gesendet: Donnerstag, 25. August 2005 12:47 An: openssl-users@openssl.org Betreff: Re: problems making Certificate Request Dmitry Belyavsky wrote: Hello! On Thu, 25 Aug 2005, Brendon Schafer wrote: I got this error message while creating a server certificate: Suse:~ # openssl req -new -subj '/CN=OfficeRunner.local Par - keyout OR-key.pem -out OR-req.pem -days 3650' Whether right quote is at place expected or it shoul be before keyout? Not sure if I understood you correctly, but I tried this which is an earlier variation of the command. I did, however move the quote (') to where I understood that you said it should have gone. Suse:/etc/postfix # openssl req -new -nodes -subj '/CN=OfficeRunner.local/O=OfficeRunner/C=ZA Par' -keyout OR-key.pem -out OR-req.pem -days 3650 Generating a 1024 bit RSA private key ..++ ++ writing new private key to 'OR-key.pem' - problems making Certificate Request 6481:error:0D07A097:asn1 encoding routines:ASN1_mbstring_copy:string too long:a_mbstr.c:154:maxsize=2 Thanks again Brendon __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
AW: RSA key sizes
The main reason why we take 512, 768, 1024, 2048, 4096,... bit is, that these numbers are multiples of 8 ans though can be fractioned into bytes (1024 bit = 128 byte). Withe the increase of calculation power the key size was increased, in the end by doubling the number of bits. To answer our second question: A real 1024-bit-key must have at least 1017 bit, so it consits of 128 byte (= 1024 bit) with 7 leading zeros. Regards Thomas Beckmann -Ursprüngliche Nachricht- Von: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Auftrag von Tan Eng Ten Gesendet: Mittwoch, 17. August 2005 08:22 An: openssl-users@openssl.org Betreff: RSA key sizes Hi all, This is a general crypto question and I hope someone could help me out. Often we use RSA of 512, 1024, 2048, 4096, etc. bit lengths. Are other sizes such as 520/1045 bit valid? Mathematically, it should work, but are there reasons why odd sizes are not to be used? __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
AW: AW: RSA key sizes
see below -Ursprüngliche Nachricht- Von: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Auftrag von Tan Eng Ten Gesendet: Mittwoch, 17. August 2005 11:28 An: openssl-users@openssl.org Betreff: Re: AW: RSA key sizes Cool.. but the key below has 128 bytes in total, but reported as being 1023-bit Because it only consits of 1023 bit and a leading zero... which is not counted. - Modulus (1023 bit): 5d:10:63:d3:d8:00:2a:50:ab:65:8a:f0:92:83:b0: 6a:39:e3:0c:38:aa:f5:32:23:71:25:8e:4a:8d:50: fd:80:a3:95:59:33:27:92:88:d0:1d:28:dd:05:7c: b6:a0:5e:68:9e:b4:70:c9:bd:28:8a:fb:6d:95:0a: 38:83:f9:8d:15:b1:3a:33:bf:d7:ab:1c:5e:1b:d3: d6:c1:1a:f8:05:7f:ef:22:23:48:ef:48:a2:8d:99: 90:10:81:8a:54:dd:16:9e:7f:d0:88:a8:b7:34:68: be:4d:8f:dc:4b:5d:d9:72:c5:a4:88:a6:40:fa:f2: f7:16:79:a8:35:3d:f2:ad Exponent: 3 (0x3) - I notice that for 1024-bit RSA key generated by openssl, the modulus has 129 bytes but having the first byte = 0. Why is this?, for example: This is correct because in BER a leading 1 tells you, that this is a negativ integer. But while we are working with positve integer we have to add at least one leading 0... so we have to add one byte. - Modulus (1024 bit): 00:d8:6e:77:67:5e:29:bb:4e:83:52:fe:fa:fc:58: 04:d8:07:3e:43:11:92:10:45:dc:f2:f7:7a:77:49: 91:cf:cc:0d:5e:ec:d9:44:15:2d:61:19:cd:9d:79: 9e:27:80:61:6c:a3:db:34:21:cf:87:60:7a:e4:d9: a5:02:59:57:fb:4e:8c:e4:32:fb:5e:cb:1a:99:7b: 76:b2:79:ae:2f:1f:62:1d:f6:fc:9e:32:e5:bd:46: 8f:c7:05:63:aa:10:2c:be:60:46:4a:44:c5:63:94: b1:ab:d5:c5:33:cd:d7:69:f0:2b:36:54:dd:82:92: 66:6c:0d:50:81:a1:23:79:67 Exponent: 65537 (0x10001) - [EMAIL PROTECTED] wrote: The main reason why we take 512, 768, 1024, 2048, 4096,... bit is, that these numbers are multiples of 8 ans though can be fractioned into bytes (1024 bit = 128 byte). Withe the increase of calculation power the key size was increased, in the end by doubling the number of bits. To answer our second question: A real 1024-bit-key must have at least 1017 bit, so it consits of 128 byte (= 1024 bit) with 7 leading zeros. Regards Thomas Beckmann -Ursprüngliche Nachricht- Von: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Auftrag von Tan Eng Ten Gesendet: Mittwoch, 17. August 2005 08:22 An: openssl-users@openssl.org Betreff: RSA key sizes Hi all, This is a general crypto question and I hope someone could help me out. Often we use RSA of 512, 1024, 2048, 4096, etc. bit lengths. Are other sizes such as 520/1045 bit valid? Mathematically, it should work, but are there reasons why odd sizes are not to be used? __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
AW: Setup Help
Are you sure this is the right community to ask? -Ursprüngliche Nachricht-Von: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]Im Auftrag von Paull DodemaideGesendet: Mittwoch, 17. August 2005 13:38An: openssl-users@openssl.orgBetreff: Setup Help Hi All, I am having no end of trouble trying to get this OpenVpn to work. Here is what I have done so far. I am all out of ideas. I am trying to create a bridged connection (for gaming with a few mates). I have setup the server side exactly as per instructions however it just does not want to work. I have created a bridge, between the Onboard Ethernet Card and the Tap-bridge connection. Set its IP to 10.8.0.4/255.255.255.0. as per the instructions. I start up the server, and get my friends to connect, however they never get an IP address from me. What I dont understand is, in the setup you need to forward packets from 1194 to the IP of the server, however on my router thats set to 192.168.0.5, so how do the packets ever get to 10.8.0.4 ?? very very confused, hope someone can spare 5 minutes to give me a hand. I sure would appreciate it. thanks Paull
AW: RSA key sizes
Who will mandate ECC by 2010??? -Ursprüngliche Nachricht- Von: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Auftrag von Uri Gesendet: Mittwoch, 17. August 2005 14:54 An: openssl-users@openssl.org Betreff: Re: RSA key sizes Please note that the importance of RSA is going to decline in favor of Elliptic Curve Crypto over GF(p). In particular, by 2010 ECC will be mandated. I suspect there are cryptographic reasons for it. __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
The breaking of SHA1
Hello everybody, I am not quite sure which list to address so I chose both. Regarding the news around the breaking of SHA1, I wonder if it is planned or already in work to implement other hash algorithms like SHA256 into OpenSSL. Best Regards Thomas Beckmann __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
AW: X509 certificate with S/MIME
Aparna, you can put an email address either in the EMAIL attribute of the DN or in the subjectAltName extension. As far as I know it is recommended to put the email address in either the one or the other place for S/MIME messages but it is not mandatory. Regards Thomas -Ursprüngliche Nachricht-Von: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]Im Auftrag von Aparna NandyalGesendet: Mittwoch, 2. Februar 2005 13:20An: openssl-users@openssl.orgBetreff: X509 certificate with S/MIME Hi Is it mandatory that an X509 certificate should have an email address in it for creating a signed email. Which field in X509 certificate will have the sender's email address? How is the email address different from DN? Regards, Aparna Confidentiality Notice The information contained in this electronic message and any attachments to this message are intendedfor the exclusive use of the addressee(s) and may contain confidential or privileged information. Ifyou are not the intended recipient, please notify the sender at Wipro or [EMAIL PROTECTED] immediatelyand destroy all copies of this message and any attachments.
AW: DER public key file structure
Andrus, as Stephen explains the key is represented in an ASN.1 structure called SubjectPublicKeyInfo and is coded in DER (Distinguished Encoding Rules). The structure consits of an ObjectIdentifier ([06 09] 2A...01 01 01) and the parameter NULL ([05 00]) followed by the public modulus of your key. The footer ([02 01] 03) is your public exponent (in ASN.1, BER coded) Regards Thomas -Ursprüngliche Nachricht- Von: Andrus [mailto:[EMAIL PROTECTED] Gesendet: Dienstag, 14. Dezember 2004 22:29 An: [EMAIL PROTECTED] Betreff: Re: DER public key file structure Charles, thank you for reply. I studied those documents carefully bot havent found yet a solution. rfc3280.txt appendix C does not describe public key format. PKCS #1 v2.1: RSA Cryptography Standard does not not describe data storage exact format. The hex dump of my public.der file looks like: 00: 30 81 9D 30 0D 06 09 2A ¦ 86 48 86 F7 0D 01 01 01 0üØ0. *åHå... 10: 05 00 03 81 8B 00 30 81 ¦ 87 02 81 81 00 B0 6D 8D ür 0ücüü _mZ 20: 8D 76 FB DA B6 91 A2 EA ¦ 11 DB 8A C2 92 AC 50 59 Zv¹-CæóL-R-ƼPY 30: 83 30 39 87 F7 51 5C 1B ¦ F5 1B 5C 4D 83 5C 71 A4 a09cQ\§\Ma\qz 40: 5D 19 B2 1F 24 2E 0B 7F ¦ 5E C1 CF E9 93 3D F3 7B ]_$. ^-Zko=¾{ 50: 1B 1F 60 74 B5 68 93 83 ¦ F4 C8 55 18 3E BB 97 73 `tAhoa¶+U+Ss 60: BC 8C 27 8E 70 7C 89 13 ¦ 26 B0 13 55 57 67 F7 3E +i'Äp|e_UWg 70: 6B 07 FA C9 58 57 36 0E ¦ D7 9D 5A 24 A3 4A F5 8A k·+XW6uØZ$ZJ§R 80: D5 A3 62 A1 C2 18 12 90 ¦ 35 85 F7 34 18 BD 1D F1 sZbI-É5g4I± 90: 37 5C 0D 29 48 E2 C7 FC ¦ 6A AD 55 D2 EB 02 01 03 7\)HOU³jLUel The 1024 bit modulus starts at bytes 00 B0 6D and ends with 55 D2 EB After that It seems that 02 01 03 is constant suffix at the end of .der file. What is the meaning of the file header bytes ? Where the modulus length is stored ? Where is the publix exponent (03) stored ? Can you point me any documentation of the openssl source code file where I can find information about this format ? Thanks, Andrus. - Original Message - From: Charles B Cranston [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Tuesday, December 14, 2004 10:35 PM Subject: Re: DER public key file structure DER is short for ASN.1 Distinguished Encoding Rules. The actual format of certificates and things are standardized by X.500 but these documents are expensive, so the Internet RFC people have reprinted the information in a series of documents. Take a look at ftp://www.ietf.org/rfc/rfc3280.txt particularly the examples in Appendix C for the DER formats for certificates. As for keys, I think the standards document are the PKCS documents which can be found at http://www.rsasecurity.com/rsalabs look on the left for PKCS and get PKCS #1 RSA Cryptography Standard. Look in chapter 11 ASN.1 syntax 11.1 Key representations 11.1.1 Public-key syntax I think this is right -- good luck! Andrus wrote: I need to decrypt RSA signature using RSA public key. Thanks to Nils Larsch reply I discovered that the following command can be used for this: openssl rsautl -verify -in sig.bin -inkey public.der -pubin -keyform DER -out signout.bin I have a RSA 1024 bits modulus and exponent 3 I need to create a public.der file (160 bytes) from this data to be passed to openssl using not a C language. I looked into openssl sources but havent yet found DER file structure description. Where I can found the DER public file structure description which this command accepts ? __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
AW: doubt regd X509 Certificate
Sravan, the AlgorithmIdentifier in the Certificate definition tells you which algorithms have been used to produce and to verifify the certificate signature. The AlgorithmIdentifier in the TBSCertificate tells you which algorithms to use applying the key included. regards Thomas -Ursprungliche Nachricht- Von: Sravan [mailto:[EMAIL PROTECTED] Gesendet: Mittwoch, 17. November 2004 12:33 An: [EMAIL PROTECTED] Betreff: doubt regd X509 Certificate Hello all, I have a doubt regd. the format of X509 Certificate. I know that this doubt is not at all related to OpenSSL but I can't find any other place where in I can get good replies for the doubt. So, here is it... The syntax of an X509Certificate is as follows : Certificate ::= SEQUENCE { tbsCertificate TBSCertificate, signatureAlgorithm AlgorithmIdentifier, signatureValue BIT STRING } And 'TBSCertificate' is defined as TBSCertificate ::= SEQUENCE { version [0] EXPLICIT Version DEFAULT v1, serialNumber CertificateSerialNumber, signatureAlgorithmIdentifier, issuer Name, validity Validity, subject Name, subjectPublicKeyInfo SubjectPublicKeyInfo, issuerUniqueID [1] IMPLICIT UniqueIdentifier OPTIONAL, -- If present, version MUST be v2 or v3 subjectUniqueID [2] IMPLICIT UniqueIdentifier OPTIONAL, -- If present, version MUST be v2 or v3 extensions [3] EXPLICIT Extensions OPTIONAL -- If present, version MUST be v3 } My doubt is, why the signatureAlgorithmIdentifier appears twice(both in TBSCertificate as 'signature' Certificate as 'signatureAlgorithm') Sravan __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
AW: AW: CSR signing
Ah, now I know where the concatenation idea comes from ;-) -Ursprüngliche Nachricht- Von: Dr. Stephen Henson [mailto:[EMAIL PROTECTED] Gesendet: Mittwoch, 27. Oktober 2004 17:43 An: [EMAIL PROTECTED] Betreff: Re: AW: CSR signing On Wed, Oct 27, 2004, Ronan wrote: I'd suggest you use the CA.pl script instead. That should make things much easier. i have a csr (in pem format(by default)) and a key I want to sign the csr with my domains root CA Where is this root CA and key? If it has been created by OpenSSL you can concatenate the key and certificate into a PEM file and supply that new when you call CA.pl -newca. If the root CA and key are from some other source and managed by (for example) some Windows CA you are best sending the CSR to that and getting it to sign the result. I want then to change it to pkcs12 format CA.pl -pkcs12 will do that. Finally i want to install it onto an Active Directory (win 2000 advanced) machine so i can ssl to the AD Now I can't help with AD.. using the CA.pl and my current key and csr copy mycsr.csr to newreq.pem and run # /home/local/ssl/misc/CA.pl -sign Signed certificate is in newcert.pem its not there is no newcert.pem is this what im after? Did it come up with any other error message before that? Steve. -- Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage OpenSSL project core developer and freelance consultant. Funding needed! Details on homepage. Homepage: http://www.drh-consultancy.demon.co.uk __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
AW: CSR signing
Why did you concatenate the server.key and the server.csr? Why don't you use the csr to produce the certificate??? -Ursprüngliche Nachricht- Von: Ronan [mailto:[EMAIL PROTECTED] Gesendet: Mittwoch, 27. Oktober 2004 12:28 An: [EMAIL PROTECTED] Betreff: CSR signing ok so ive generated a CSR and key using... [EMAIL PROTECTED]:~$ openssl genrsa -out server.key 1024 Generating RSA private key, 1024 bit long modulus ..++ ..++ e is 65537 (0x10001) [EMAIL PROTECTED]:~$ openssl req -new -key server.key -out server.csr [...] then i did cat server.key server.csr rtest.pem is this right?? then... /usr/local/ssl/bin/openssl x509 -req -in ./rtest.pem -CA ./cacert.pem -CAkey ./private/cakey.pem -CAserial ./serial -out ./ronanscert.pem to sign the pem with my own CA root Cert now when i cat ronanscert.pem -BEGIN CERTIFICATE- [snip] -END CERTIFICATE- this so far looks good right now i need the cert for a windows box so i need to pkcs12 it what is the private key i need to put in the file ronanscert.pem?? is it the one i geretaed for the server or is it the CA root key??? im a bit confused... i know this is gonna be very simple for some of you but im still pickin this up... any help is much appreciated! -- Regards Ronan McGlue == Analyst/Programmer Information Services Queens University Belfast BT7 1NN __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
AW: AW: CSR signing
As far as I understood, using openssl req... the produced format is PEM, independant what file extension you use. So normally this should work. Sorry for this kind of vague information but I didn't use openssl for a while. Thomas -Ursprüngliche Nachricht- Von: Ronan [mailto:[EMAIL PROTECTED] Gesendet: Mittwoch, 27. Oktober 2004 12:57 An: [EMAIL PROTECTED] Betreff: Re: AW: CSR signing [EMAIL PROTECTED] wrote: Why did you concatenate the server.key and the server.csr? Why don't you use the csr to produce the certificate??? because all the examples in the http://www.openssl.org/docs/apps/x509.html# use .pem files im just following the tutorials i can find on the web and the man pages... if ive read them wrong its cause im not 100% sure of what im doing so in place of the pem file counld i just use... /usr/local/ssl/bin/openssl x509 -req -in ./server.csr -CA ./cacert.pem -CAkey ./private/cakey.pem -CAserial ./serial -out ./ronanscert.pem would this give me what i need??? ronan -Ursprüngliche Nachricht- Von: Ronan [mailto:[EMAIL PROTECTED] Gesendet: Mittwoch, 27. Oktober 2004 12:28 An: [EMAIL PROTECTED] Betreff: CSR signing ok so ive generated a CSR and key using... [EMAIL PROTECTED]:~$ openssl genrsa -out server.key 1024 Generating RSA private key, 1024 bit long modulus ..++ ..++ e is 65537 (0x10001) [EMAIL PROTECTED]:~$ openssl req -new -key server.key -out server.csr [...] then i did cat server.key server.csr rtest.pem is this right?? then... /usr/local/ssl/bin/openssl x509 -req -in ./rtest.pem -CA ./cacert.pem -CAkey ./private/cakey.pem -CAserial ./serial -out ./ronanscert.pem to sign the pem with my own CA root Cert now when i cat ronanscert.pem -BEGIN CERTIFICATE- [snip] -END CERTIFICATE- this so far looks good right now i need the cert for a windows box so i need to pkcs12 it what is the private key i need to put in the file ronanscert.pem?? is it the one i geretaed for the server or is it the CA root key??? im a bit confused... i know this is gonna be very simple for some of you but im still pickin this up... any help is much appreciated! -- Regards Ronan McGlue == Analyst/Programmer Information Services Queens University Belfast BT7 1NN __ OpenSSL Project http://www.openssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED] -- Regards Ronan McGlue == Analyst/Programmer Information Services Queens University Belfast BT7 1NN __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
AW: Generating Test Certificates
You have to specify a config file using the -config parameter of openssl. Even as ca req needs a configuration file to get specific information like keylength or the distinguishedName structure. My experience is that openssl does not find the default config file so you have to set either the environment variable (don't know the correct name) or you have to take the parameter -config filenpath and name. Regards -Ursprüngliche Nachricht- Von: Richard M. Hartman [mailto:[EMAIL PROTECTED] Gesendet: Montag, 16. August 2004 22:27 An: [EMAIL PROTECTED] Betreff: Generating Test Certificates The HOWTO\certificates.txt says to generate the self-signed cert with: openssl req -new -x509 -key privkey.pem -out cacert.pem -days 1095 I tried with both an RSA key and a DSA key. They each fail in slightly different ways, but both seem to be trying to get something from the environment. C:\work\3rdparty\OpenSSL\openssl-0.9.7dout32\openssl req -new -x509 -key myrsakey.pem -out myrsacert.pem -days 1095 Unable to load config info unable to find 'distinguished_name' in config problems making Certificate Request 2660:error:0E06D06A:configuration file routines:NCONF_get_string:no conf or environment variable:.\crypto\conf\conf_lib.c:325: C:\work\3rdparty\OpenSSL\openssl-0.9.7dout32\openssl req -new -x509 -key mydsakey.pem -out mydsasert.pem -days 1095 Unable to load config info Loading 'screen' into random state - done unable to find 'distinguished_name' in config problems making Certificate Request 1996:error:0E06D06A:configuration file routines:NCONF_get_string:no conf or environment variable:.\crypto\conf\conf_lib.c:325: I had no problems generating the keys with the command in HOWTO\keys.txt. What is it that is missing from the environment? As long as I'm at it ... what do I do with the certificates once I have them? I am trying to enable SSL communications on a Windows 2000 machine. -- -Richard M. Hartman [EMAIL PROTECTED] 186,000 mi/sec: not just a good idea, it's the LAW! __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
AW: question about certificate creation
Hzhijun, maybe this part from the openssl FAQs (at www.openssl.org) may help you: -- 1. Why do I get a "PRNG not seeded" error message? Cryptographic software needs a source of unpredictable data to work correctly. Many open source operating systems provide a "randomness device" (/dev/urandom or /dev/random) that serves this purpose. All OpenSSL versions try to use /dev/urandom by default; starting with version 0.9.7, OpenSSL also tries /dev/random if /dev/urandom is not available. On other systems, applications have to call the RAND_add() or RAND_seed() function with appropriate data before generating keys or performing public key encryption. (These functions initialize the pseudo-random number generator, PRNG.) Some broken applications do not do this. As of version 0.9.5, the OpenSSL functions that need randomness report an error if the random number generator has not been seeded with at least 128 bits of randomness. If this error occurs and is not discussed in the documentation of the application you are using, please contact the author of that application; it is likely that it never worked correctly. OpenSSL 0.9.5 and later make the error visible by refusing to perform potentially insecure encryption. If you are using Solaris 8, you can add /dev/urandom and /dev/random devices by installing patch 112438 (Sparc) or 112439 (x86), which are available via the Patchfinder at http://sunsolve.sun.com (Solaris 9 includes these devices by default). For /dev/random support for earlier Solaris versions, see Sun's statement at http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsrdb/27606zone_32=SUNWski (the SUNWski package is available in patch 105710). On systems without /dev/urandom and /dev/random, it is a good idea to use the Entropy Gathering Demon (EGD); see the RAND_egd() manpage for details. Starting with version 0.9.7, OpenSSL will automatically look for an EGD socket at /var/run/egd-pool, /dev/egd-pool, /etc/egd-pool and /etc/entropy. Most components of the openssl command line utility automatically try to seed the random number generator from a file. The name of the default seeding file is determined as follows: If environment variable RANDFILE is set, then it names the seeding file. Otherwise if environment variable HOME is set, then the seeding file is $HOME/.rnd. If neither RANDFILE nor HOME is set, versions up to OpenSSL 0.9.6 will use file .rnd in the current directory while OpenSSL 0.9.6a uses no default seeding file at all. OpenSSL 0.9.6b and later will behave similarly to 0.9.6a, but will use a default of "C:\" for HOME on Windows systems if the environment variable has not been set. If the default seeding file does not exist or is too short, the "PRNG not seeded" error message may occur. The openssl command line utility will write back a new state to the default seeding file (and create this file if necessary) unless there was no sufficient seeding. Pointing $RANDFILE to an Entropy Gathering Daemon socket does not work. Use the "-rand" option of the OpenSSL command line tools instead. The $RANDFILE environment variable and $HOME/.rnd are only used by the OpenSSL command line tools. Applications using the OpenSSL library provide their own configuration options to specify the entropy source, please check out the documentation coming the with application. -- Regards -Ursprngliche Nachricht-Von: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]Gesendet: Freitag, 13. August 2004 04:31An: [EMAIL PROTECTED]Betreff: Re: question about certificate creation u mean "openssl.cnf"? what hold back me to make certificate is about "unable to load 'random state'This means that the random number generator has not been seeded" how to deal with it? Regards - Original Message - From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Thursday, August 12, 2004 8:21 PM Subject: AW: question about certificate creation Maybe you didn't specify a configuration file? -Ursprngliche Nachricht-Von: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]Gesendet: Donnerstag, 12. August 2004 10:48An: [EMAIL PROTECTED]Betreff: question about certificate creation this is my first time to play with openssl(version:OpenSSL 0.9.7b 10 Apr 2003), below is the problem i met when i execute thecommand: perl CA.pl -newca the following information is found, why? and how to fix it? CA certificate filename (or enter to create) Making CA certificate ...Unable to load config infounable to load 'random state'This means that the random
AW: ErrorMessage on certificate generation
Well, that lead me to some other error messages. But it seems to be the right way ;-) Regards Thomas -Ursprüngliche Nachricht- Von: Antoine Latter [mailto:[EMAIL PROTECTED] Gesendet: Freitag, 30. Juli 2004 16:06 An: [EMAIL PROTECTED] Betreff: Re: ErrorMessage on certificate generation I was receiving the: wrong number of fields on line 1 (looking for field 6, got 1, '' left) error myself, yesterday. I fixed it by making sure that my blank index.txt was truly and properly blank - I had an empty line in the file, which messed everything up and caused opessl to segfault, which is probably the same as Speicherzugriffsfehler. Antoine On Fri, 30 Jul 2004 11:43:03 +0200, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote: Hi all, I am currently developing a routine (UNIX shell script) for automatic certificat generation. The script contains the following command: openssl ca -config $CADIR/TMF-TestCA.cnf -name $PURPOSE -in $i -out $CADIR/certOut/$REQ.pem where $PURPOSE names the section of the config file to be used. The command produces the an output as follow: Using configuration from /home/OpenSSL-CA/TMF-TestCA/TMF-TestCA.cnf wrong number of fields on line 1 (looking for field 6, got 1, '' left) TMF-TestCA/bin/ComputeRequests: line 15: 5411 Speicherzugriffsfehler openssl ca -config $CADIR/TMF-TestCA.cnf -name $PURPOSE -in $i -out $CADIR/certOut/$REQ.pem Speicherzugriffsfehler means memory access error. Can anybody tell me what's going wrong? Maybe there is anything wrong with my config file? Best regards Thomas Beckmann __ OpenSSL Project http://www.openssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
AW: ErrorMessage on certificate generation
Okay, this is for all having the same problem... Obviously OpenSSL will only work using an empty index.txt. What you have to do is - concatenate the content of index.txt with YOUR database file (e. g. database.txt). So database.txt will contain the information index.txt should originally keep. - remove the old index.txt - create a new (empty) index.txt with touch index.txt It's just a quick an dirty work-around. But it works ;-) Regards Thomas -Ursprüngliche Nachricht- Von: Antoine Latter [mailto:[EMAIL PROTECTED] Gesendet: Freitag, 30. Juli 2004 16:06 An: [EMAIL PROTECTED] Betreff: Re: ErrorMessage on certificate generation I was receiving the: wrong number of fields on line 1 (looking for field 6, got 1, '' left) error myself, yesterday. I fixed it by making sure that my blank index.txt was truly and properly blank - I had an empty line in the file, which messed everything up and caused opessl to segfault, which is probably the same as Speicherzugriffsfehler. Antoine On Fri, 30 Jul 2004 11:43:03 +0200, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote: Hi all, I am currently developing a routine (UNIX shell script) for automatic certificat generation. The script contains the following command: openssl ca -config $CADIR/TMF-TestCA.cnf -name $PURPOSE -in $i -out $CADIR/certOut/$REQ.pem where $PURPOSE names the section of the config file to be used. The command produces the an output as follow: Using configuration from /home/OpenSSL-CA/TMF-TestCA/TMF-TestCA.cnf wrong number of fields on line 1 (looking for field 6, got 1, '' left) TMF-TestCA/bin/ComputeRequests: line 15: 5411 Speicherzugriffsfehler openssl ca -config $CADIR/TMF-TestCA.cnf -name $PURPOSE -in $i -out $CADIR/certOut/$REQ.pem Speicherzugriffsfehler means memory access error. Can anybody tell me what's going wrong? Maybe there is anything wrong with my config file? Best regards Thomas Beckmann __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]