Re: how to sign CRMF/SPKAC using openssl
On 2009-05-28 21:51 PDT, tito wrote: > I am making a CA site for my college project purpose.I learned that > different browsers use different methods to generate CSR.Making CSR in > IE was easy.For vista systems I used CertEnroll.dll methods and for > non-vista IE i used xenroll.dll.I generated CSR in javascript > successfully using that. it is in PKCS10. > > I want to make my project compatible for mozilla and opera too > i want to do the same for mozilla too but i guess mozilla method doesnt > generate PKCS10 format. Correct. > Then i came across generateCRMF and keygen tags..keygen is not > recommended i guess. Both methods are fully supported. They have different capabilities. Pick the one that does what you want (or comes closest to it). > how to sign the CRMF request key i get in openssl ? > if i am using keygen tag, i think it gives SPKAC format..can we sign > SPKAC using openssl ? > i am able to generate CRMF and SPKAC..but doesnt know how to sign those > in openssl.please help me in regard with this.. I believe that OpenSSL has facilities to handle both formats, SPKAC and CRMF. But having said that, I cannot offer you any help to issue certs based on those forms of requests using OpenSSL. Sorry. That's a question for an OpenSSL forum, as someone else also wrote in this thread. -- dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto
Re: how to sign CRMF/SPKAC using openssl
thank you for the info.. 2009/5/29 Georgi Guninski > On Fri, May 29, 2009 at 01:09:13PM +0530, tito wrote: > > plz see my command here.. > > C:\OpenSSL\bin>openssl ca -config openssl.cnf -verbose -days 180 -notext > > > -batch -spkac spak1.txt -out spaksign.pem -passin pass:mypass > > > Using configuration from openssl.cnf > > > error loading the config file 'openssl.cnf' > > > 796:error:02001002:system library:fopen:No such file or > > > directory:.\crypto\bio\bss_file.c:126:fopen('openssl.cnf','rb') > > > 796:error:2006D080:BIO routines:BIO_new_file:no such > > > file:.\crypto\bio\bss_file.c:129: > > > 796:error:0E078072:configuration file routines:DEF_LOAD:no such > > > file:.\crypto\conf\conf_def.c:197: > > > > > don't support windows stuff, sorry. > > -- > dev-tech-crypto mailing list > dev-tech-crypto@lists.mozilla.org > https://lists.mozilla.org/listinfo/dev-tech-crypto > -- dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto
Re: how to sign CRMF/SPKAC using openssl
On Fri, May 29, 2009 at 01:09:13PM +0530, tito wrote: > plz see my command here.. > C:\OpenSSL\bin>openssl ca -config openssl.cnf -verbose -days 180 -notext > > -batch -spkac spak1.txt -out spaksign.pem -passin pass:mypass > > Using configuration from openssl.cnf > > error loading the config file 'openssl.cnf' > > 796:error:02001002:system library:fopen:No such file or > > directory:.\crypto\bio\bss_file.c:126:fopen('openssl.cnf','rb') > > 796:error:2006D080:BIO routines:BIO_new_file:no such > > file:.\crypto\bio\bss_file.c:129: > > 796:error:0E078072:configuration file routines:DEF_LOAD:no such > > file:.\crypto\conf\conf_def.c:197: > > don't support windows stuff, sorry. -- dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto
Re: how to sign CRMF/SPKAC using openssl
hii thanx a lot Georgi... im new to php..just for my info , > $keyreq = "SPKAC=".str_replace(str_split(" \t\n\r\0\x0B"), '', $key); > this code removes newline chars ?? i did generate the spkac string and put in openssl bin directory..but im getting some error..probably due to my openssl CA setup plz see my command here.. " openssl ca -config openssl.cnf -verbose -days 180 -notext -batch -spkac spak1.txt -out spaksign.pem -passin pass:mypass " C:\OpenSSL\bin>openssl ca -config openssl.cnf -verbose -days 180 -notext > -batch -spkac spak1.txt -out spaksign.pem -passin pass:mypass > Using configuration from openssl.cnf > error loading the config file 'openssl.cnf' > 796:error:02001002:system library:fopen:No such file or > directory:.\crypto\bio\bss_file.c:126:fopen('openssl.cnf','rb') > 796:error:2006D080:BIO routines:BIO_new_file:no such > file:.\crypto\bio\bss_file.c:129: > 796:error:0E078072:configuration file routines:DEF_LOAD:no such > file:.\crypto\conf\conf_def.c:197: > my directory structure is C:\OpenSSL | |-bin | |---openssl.exe |---openssl.cfg |---spak1.txt |--- PEM(FOLDER) | |demoCA etc. please tell me.. am i issuing some wrong command here ? 2009/5/29 Georgi Guninski > On Fri, May 29, 2009 at 10:21:16AM +0530, tito wrote: > > how to sign the CRMF request key i get in openssl ? > > if i am using keygen tag, i think it gives SPKAC format..can we sign > SPKAC > > using openssl ? > > i am able to generate CRMF and SPKAC..but doesnt know how to sign those > in > > openssl.please help me in regard with this.. > > > > hi, > > i install test certificates with openssl this way: > > first you need openssl CA set up. > > generating the cert on the client is something like this: > > > > > > > > c1.php is something like this: > #!/usr/bin/php-cgi > > $key = $_POST['pubkey']; > $keyreq = "SPKAC=".str_replace(str_split(" \t\n\r\0\x0B"), '', $key); > $keyreq .= "\nCN=luser"; > print $keyreq > ?> > > in $keyreq you can stuff like "CN=luser" on new line. > > save $keyreq to file spak1.txt on the CA. > > in the openssl CA sign the req like this: > openssl ca -config ./openssl.cnf -verbose -days 180 -notext -batch -spkac > ./spak1.txt -out spaksign.pem -passin pass:$YOURPASS > > this will create the cert in newcerts/$number.pem > > send $number.pem to the client with content type: > application/x-x509-user-cert > > the certificate is installed in firefox. > -- > dev-tech-crypto mailing list > dev-tech-crypto@lists.mozilla.org > https://lists.mozilla.org/listinfo/dev-tech-crypto > -- dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto
Re: how to sign CRMF/SPKAC using openssl
On Fri, May 29, 2009 at 10:21:16AM +0530, tito wrote: > how to sign the CRMF request key i get in openssl ? > if i am using keygen tag, i think it gives SPKAC format..can we sign SPKAC > using openssl ? > i am able to generate CRMF and SPKAC..but doesnt know how to sign those in > openssl.please help me in regard with this.. > hi, i install test certificates with openssl this way: first you need openssl CA set up. generating the cert on the client is something like this: c1.php is something like this: #!/usr/bin/php-cgi in $keyreq you can stuff like "CN=luser" on new line. save $keyreq to file spak1.txt on the CA. in the openssl CA sign the req like this: openssl ca -config ./openssl.cnf -verbose -days 180 -notext -batch -spkac ./spak1.txt -out spaksign.pem -passin pass:$YOURPASS this will create the cert in newcerts/$number.pem send $number.pem to the client with content type: application/x-x509-user-cert the certificate is installed in firefox. -- dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto
Re: how to sign CRMF/SPKAC using openssl
Hi Tito, As far as I know you cannot set the format, you will have to deal with all formats at the CA. Cheers, Anders - Original Message - From: tito To: mozilla's crypto code discussion list Sent: Friday, May 29, 2009 08:04 Subject: Re: how to sign CRMF/SPKAC using openssl thnx anders.. i have posted in openssl forum my query.. can i make PKCS10 string using tag then ? 2009/5/29 Anders Rundgren I have two answers. 1. This is an OpenSSL question and should be directed to an OpenSSL forum 2. Browsers indeed have different key-generation methods but they do have one thing in common: the methods are completely useless, not even PIN protection is a part of the plot unless you use pre-configured hard tokens Anders - Original Message - From: tito To: dev-tech-crypto@lists.mozilla.org Sent: Friday, May 29, 2009 06:51 Subject: how to sign CRMF/SPKAC using openssl Hi , I am making a CA site for my college project purpose.I learned that different browsers use different methods to generate CSR.Making CSR in IE was easy.For vista systems I used CertEnroll.dll methods and for non-vista IE i used xenroll.dll.I generated CSR in javascript successfully using that. it is in PKCS10. I want to make my project compatible for mozilla and opera too i want to do the same for mozilla too but i guess mozilla method doesnt generate PKCS10 format Then i came across generateCRMF and keygen tags..keygen is not recommended i guess. how to sign the CRMF request key i get in openssl ? if i am using keygen tag, i think it gives SPKAC format..can we sign SPKAC using openssl ? i am able to generate CRMF and SPKAC..but doesnt know how to sign those in openssl.please help me in regard with this.. ..thanks a lot. -- dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto -- dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto -- -- dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto-- dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto
Re: how to sign CRMF/SPKAC using openssl
thnx anders.. i have posted in openssl forum my query.. can i make PKCS10 string using tag then ? 2009/5/29 Anders Rundgren > I have two answers. > > 1. This is an OpenSSL question and should be directed to an OpenSSL forum > > 2. Browsers indeed have different key-generation methods but they do have > one > thing in common: the methods are completely useless, not even PIN > protection > is a part of the plot unless you use pre-configured hard tokens > > Anders > > - Original Message - > From: tito > To: dev-tech-crypto@lists.mozilla.org > Sent: Friday, May 29, 2009 06:51 > Subject: how to sign CRMF/SPKAC using openssl > > > Hi , > > I am making a CA site for my college project purpose.I learned that > different browsers use different > methods to generate CSR.Making CSR in IE was easy.For vista systems I used > CertEnroll.dll methods > and for non-vista IE i used xenroll.dll.I generated CSR in javascript > successfully using that. it is > in PKCS10. > > I want to make my project compatible for mozilla and opera too > i want to do the same for mozilla too but i guess mozilla method doesnt > generate PKCS10 format > Then i came across generateCRMF and keygen tags..keygen is not recommended > i guess. > how to sign the CRMF request key i get in openssl ? > if i am using keygen tag, i think it gives SPKAC format..can we sign SPKAC > using openssl ? > i am able to generate CRMF and SPKAC..but doesnt know how to sign those in > openssl.please help me in > regard with this.. > > ..thanks a lot. > > > > > > > > -- > dev-tech-crypto mailing list > dev-tech-crypto@lists.mozilla.org > https://lists.mozilla.org/listinfo/dev-tech-crypto > > -- > dev-tech-crypto mailing list > dev-tech-crypto@lists.mozilla.org > https://lists.mozilla.org/listinfo/dev-tech-crypto > -- dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto
Re: how to sign CRMF/SPKAC using openssl
I have two answers. 1. This is an OpenSSL question and should be directed to an OpenSSL forum 2. Browsers indeed have different key-generation methods but they do have one thing in common: the methods are completely useless, not even PIN protection is a part of the plot unless you use pre-configured hard tokens Anders - Original Message - From: tito To: dev-tech-crypto@lists.mozilla.org Sent: Friday, May 29, 2009 06:51 Subject: how to sign CRMF/SPKAC using openssl Hi , I am making a CA site for my college project purpose.I learned that different browsers use different methods to generate CSR.Making CSR in IE was easy.For vista systems I used CertEnroll.dll methods and for non-vista IE i used xenroll.dll.I generated CSR in javascript successfully using that. it is in PKCS10. I want to make my project compatible for mozilla and opera too i want to do the same for mozilla too but i guess mozilla method doesnt generate PKCS10 format Then i came across generateCRMF and keygen tags..keygen is not recommended i guess. how to sign the CRMF request key i get in openssl ? if i am using keygen tag, i think it gives SPKAC format..can we sign SPKAC using openssl ? i am able to generate CRMF and SPKAC..but doesnt know how to sign those in openssl.please help me in regard with this.. ..thanks a lot. -- dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto -- dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto
how to sign CRMF/SPKAC using openssl
Hi , I am making a CA site for my college project purpose.I learned that different browsers use different methods to generate CSR.Making CSR in IE was easy.For vista systems I used CertEnroll.dll methods and for non-vista IE i used xenroll.dll.I generated CSR in javascript successfully using that. it is in PKCS10. I want to make my project compatible for mozilla and opera too i want to do the same for mozilla too but i guess mozilla method doesnt generate PKCS10 format Then i came across generateCRMF and keygen tags..keygen is not recommended i guess. how to sign the CRMF request key i get in openssl ? if i am using keygen tag, i think it gives SPKAC format..can we sign SPKAC using openssl ? i am able to generate CRMF and SPKAC..but doesnt know how to sign those in openssl.please help me in regard with this.. ..thanks a lot. -- dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto