Re: how to sign CRMF/SPKAC using openssl

2009-05-29 Thread Nelson B Bolyard
On 2009-05-28 21:51 PDT, tito wrote:

> I am making a CA site for my college project. I learned that
> different browsers use different methods to generate a CSR. Making a CSR in
> IE was easy. For Vista systems I used CertEnroll.dll methods and for
> non-Vista IE I used xenroll.dll. I generated the CSR in JavaScript
> successfully using that. It is in PKCS10.
> 
> I want to make my project compatible with Mozilla and Opera too.
> I want to do the same for Mozilla, but I guess the Mozilla method doesn't
> generate PKCS10 format.

Correct.

> Then I came across generateCRMF and keygen tags. keygen is not
> recommended, I guess.

Both methods are fully supported.  They have different capabilities.
Pick the one that does what you want (or comes closest to it).

> How do I sign the CRMF request key I get in OpenSSL?
> If I am using the keygen tag, I think it gives SPKAC format. Can we sign
> SPKAC using OpenSSL?

> I am able to generate CRMF and SPKAC, but don't know how to sign those
> in OpenSSL. Please help me with this.

I believe that OpenSSL has facilities to handle both formats, SPKAC and
CRMF.  But having said that, I cannot offer you any help to issue certs
based on those forms of requests using OpenSSL.  Sorry.  That's a question
for an OpenSSL forum, as someone else also wrote in this thread.
-- 
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto


Re: how to sign CRMF/SPKAC using openssl

2009-05-29 Thread tito
Thank you for the info.

2009/5/29 Georgi Guninski 

> On Fri, May 29, 2009 at 01:09:13PM +0530, tito wrote:
> > plz see my command here..
> > C:\OpenSSL\bin>openssl ca -config openssl.cnf -verbose -days 180 -notext
> > > -batch -spkac spak1.txt -out spaksign.pem -passin pass:mypass
> > > Using configuration from openssl.cnf
> > > error loading the config file 'openssl.cnf'
> > > 796:error:02001002:system library:fopen:No such file or
> > > directory:.\crypto\bio\bss_file.c:126:fopen('openssl.cnf','rb')
> > > 796:error:2006D080:BIO routines:BIO_new_file:no such
> > > file:.\crypto\bio\bss_file.c:129:
> > > 796:error:0E078072:configuration file routines:DEF_LOAD:no such
> > > file:.\crypto\conf\conf_def.c:197:
> > >
>
> don't support windows stuff, sorry.

Re: how to sign CRMF/SPKAC using openssl

2009-05-29 Thread Georgi Guninski
On Fri, May 29, 2009 at 01:09:13PM +0530, tito wrote:
> plz see my command here..
> C:\OpenSSL\bin>openssl ca -config openssl.cnf -verbose -days 180 -notext
> > -batch -spkac spak1.txt -out spaksign.pem -passin pass:mypass
> > Using configuration from openssl.cnf
> > error loading the config file 'openssl.cnf'
> > 796:error:02001002:system library:fopen:No such file or
> > directory:.\crypto\bio\bss_file.c:126:fopen('openssl.cnf','rb')
> > 796:error:2006D080:BIO routines:BIO_new_file:no such
> > file:.\crypto\bio\bss_file.c:129:
> > 796:error:0E078072:configuration file routines:DEF_LOAD:no such
> > file:.\crypto\conf\conf_def.c:197:
> >

don't support windows stuff, sorry.



Re: how to sign CRMF/SPKAC using openssl

2009-05-29 Thread tito
Hi, thanks a lot Georgi.

I'm new to PHP. Just for my info:

> $keyreq = "SPKAC=".str_replace(str_split(" \t\n\r\0\x0B"), '', $key);
>

This code removes newline chars?

I did generate the SPKAC string and put it in the OpenSSL bin directory, but I'm
getting some error, probably due to my OpenSSL CA setup.

Please see my command here:

" openssl ca -config openssl.cnf -verbose -days 180 -notext -batch -spkac
spak1.txt -out spaksign.pem -passin pass:mypass "


C:\OpenSSL\bin>openssl ca -config openssl.cnf -verbose -days 180 -notext
> -batch -spkac spak1.txt -out spaksign.pem -passin pass:mypass
> Using configuration from openssl.cnf
> error loading the config file 'openssl.cnf'
> 796:error:02001002:system library:fopen:No such file or
> directory:.\crypto\bio\bss_file.c:126:fopen('openssl.cnf','rb')
> 796:error:2006D080:BIO routines:BIO_new_file:no such
> file:.\crypto\bio\bss_file.c:129:
> 796:error:0E078072:configuration file routines:DEF_LOAD:no such
> file:.\crypto\conf\conf_def.c:197:
>


My directory structure is:

C:\OpenSSL
 |
 |-bin
   |
   |---openssl.exe
   |---openssl.cfg
   |---spak1.txt
   |--- PEM(FOLDER)
   |
   |demoCA etc.

Please tell me, am I issuing some wrong command here?



2009/5/29 Georgi Guninski 

> On Fri, May 29, 2009 at 10:21:16AM +0530, tito wrote:
> > how to sign the CRMF request key i get in openssl ?
> >  if i am using keygen tag, i think it gives SPKAC format..can we sign
> SPKAC
> > using openssl ?
> > i am able to generate CRMF and SPKAC..but doesnt know how to sign those
> in
> > openssl.please help me in regard with this..
> >
>
> hi,
>
> i install test certificates with openssl this way:
>
> first you need openssl CA set up.
>
> generating the cert on the client is something like this:
>
> 
>   
>   
>  
>
>
> c1.php is something like this:
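> #!/usr/bin/php-cgi
> <?php
> // Value of the posted 'pubkey' form field
> $key = $_POST['pubkey'];
> // Strip all whitespace so the SPKAC value is a single line
> $keyreq = "SPKAC=".str_replace(str_split(" \t\n\r\0\x0B"), '', $key);
> $keyreq .= "\nCN=luser";
> print $keyreq;
> ?>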
>
> in $keyreq you can stuff like "CN=luser" on new line.
>
> save $keyreq to file spak1.txt on the CA.
>
> in the openssl CA sign the req like this:
> openssl ca -config ./openssl.cnf -verbose -days 180 -notext -batch -spkac
> ./spak1.txt -out spaksign.pem -passin pass:$YOURPASS
>
> this will create the cert in newcerts/$number.pem
>
> send $number.pem to the client with content type:
> application/x-x509-user-cert
>
> the certificate is installed in firefox.

Re: how to sign CRMF/SPKAC using openssl

2009-05-28 Thread Georgi Guninski
On Fri, May 29, 2009 at 10:21:16AM +0530, tito wrote:
> how to sign the CRMF request key i get in openssl ?
>  if i am using keygen tag, i think it gives SPKAC format..can we sign SPKAC
> using openssl ?
> i am able to generate CRMF and SPKAC..but doesnt know how to sign those in
> openssl.please help me in regard with this..
>

hi,

i install test certificates with openssl this way:

first you need openssl CA set up.

generating the cert on the client is something like this:


   
   
 


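c1.php is something like this:
#!/usr/bin/php-cgi
<?php
// Value of the posted 'pubkey' form field
$key = $_POST['pubkey'];
// Strip all whitespace so the SPKAC value is a single line
$keyreq = "SPKAC=".str_replace(str_split(" \t\n\r\0\x0B"), '', $key);
$keyreq .= "\nCN=luser";
print $keyreq;
?>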

in $keyreq you can stuff like "CN=luser" on new line.

save $keyreq to file spak1.txt on the CA.

in the openssl CA sign the req like this:
openssl ca -config ./openssl.cnf -verbose -days 180 -notext -batch -spkac 
./spak1.txt -out spaksign.pem -passin pass:$YOURPASS

this will create the cert in newcerts/$number.pem

send $number.pem to the client with content type:
application/x-x509-user-cert

the certificate is installed in firefox.
-- 
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
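
The signing steps described in the message above, run end to end against a throwaway CA, as an added example (not code from the thread). The CA subject, challenge string and file layout are assumptions for the demo, and `openssl spkac -key` stands in for the browser's key generation; the script also verifies the SPKAC's self-signature and challenge before issuing.

```shell
# Added example: throwaway CA + SPKAC signing in a temp dir. All names are demo values.
sign_spkac_demo() (
    set -e
    work=$(mktemp -d) && cd "$work"
    trap 'rm -rf "$work"' EXIT
    chal="demo-challenge-123"   # constructed; a real site would issue one per session

    # Minimal CA state that `openssl ca` expects: index, serial, newcerts.
    mkdir newcerts && : > index.txt && echo 01 > serial
    cat > openssl.cnf <<'EOF'
[ req ]
prompt = no
distinguished_name = dn
[ dn ]
CN = Demo SPKAC CA
[ ca ]
default_ca = CA_default
[ CA_default ]
database = index.txt
new_certs_dir = newcerts
serial = serial
certificate = ca.crt
private_key = ca.key
default_md = sha256
policy = policy_cn
[ policy_cn ]
commonName = supplied
EOF
    openssl genrsa -out ca.key 2048 2>/dev/null
    openssl req -x509 -new -config openssl.cnf -key ca.key -days 30 -out ca.crt

    # Stand-in for the browser: key pair + SPKAC, folded to mimic a line-wrapped POST value.
    openssl genrsa -out user.key 2048 2>/dev/null
    posted=$(openssl spkac -key user.key -challenge "$chal" | sed 's/^SPKAC=//' | fold -w 64)

    # Same job as the PHP str_replace: one whitespace-free SPKAC line, then the DN fields.
    printf 'SPKAC=%s\nCN=luser\n' "$(printf %s "$posted" | tr -d '[:space:]')" > spak1.txt

    # Before issuing: check the self-signature and that the challenge is the one we issued.
    openssl spkac -in spak1.txt -verify -noout
    openssl spkac -in spak1.txt | grep -q "Challenge String: $chal"

    openssl ca -config ./openssl.cnf -batch -notext -days 180 \
        -spkac ./spak1.txt -out spaksign.pem
    openssl x509 -in newcerts/01.pem -noout -subject   # subject of the issued cert
)

sign_spkac_demo
```

In the failing run quoted elsewhere in this thread, the command passes `-config openssl.cnf` while the posted directory listing shows `openssl.cfg`; the `fopen('openssl.cnf','rb')` error means that relative path did not resolve from the current directory.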


Re: how to sign CRMF/SPKAC using openssl

2009-05-28 Thread Anders Rundgren
Hi Tito,

As far as I know you cannot set the <keygen> format, you will have to deal with
all formats at the CA.

Cheers,
Anders
  - Original Message - 
  From: tito 
  To: mozilla's crypto code discussion list 
  Sent: Friday, May 29, 2009 08:04
  Subject: Re: how to sign CRMF/SPKAC using openssl


  Thanks, Anders.
  I have posted my query in the OpenSSL forum.

  Can I make a PKCS10 string using the <keygen> tag then?



  2009/5/29 Anders Rundgren 

 I have two answers.

1. This is an OpenSSL question and should be directed to an OpenSSL forum

2. Browsers indeed have different key-generation methods but they do have 
one
  thing in common: the methods are completely useless, not even PIN 
protection
  is a part of the plot unless you use pre-configured hard tokens

Anders


- Original Message -
From: tito
To: dev-tech-crypto@lists.mozilla.org
Sent: Friday, May 29, 2009 06:51
Subject: how to sign CRMF/SPKAC using openssl


Hi ,

I am making a CA site for my college project purpose.I learned that 
different browsers use different
methods to generate CSR.Making CSR in IE was easy.For vista systems I used 
CertEnroll.dll methods
and for non-vista IE i used xenroll.dll.I generated CSR in javascript 
successfully using that. it is
in PKCS10.

I want to make my project compatible for mozilla and opera too
i want to do the same for mozilla too but i guess mozilla method doesnt 
generate PKCS10 format
Then i came across generateCRMF and keygen tags..keygen is not recommended 
i guess.
how to sign the CRMF request key i get in openssl ?
 if i am using keygen tag, i think it gives SPKAC format..can we sign SPKAC 
using openssl ?
i am able to generate CRMF and SPKAC..but doesnt know how to sign those in 
openssl.please help me in
regard with this..

..thanks a lot.









Re: how to sign CRMF/SPKAC using openssl

2009-05-28 Thread tito
Thanks, Anders.
I have posted my query in the OpenSSL forum.

Can I make a PKCS10 string using the <keygen> tag then?


2009/5/29 Anders Rundgren 

>  I have two answers.
>
> 1. This is an OpenSSL question and should be directed to an OpenSSL forum
>
> 2. Browsers indeed have different key-generation methods but they do have
> one
>   thing in common: the methods are completely useless, not even PIN
> protection
>   is a part of the plot unless you use pre-configured hard tokens
>
> Anders
>
> - Original Message -
> From: tito
> To: dev-tech-crypto@lists.mozilla.org
> Sent: Friday, May 29, 2009 06:51
> Subject: how to sign CRMF/SPKAC using openssl
>
>
> Hi ,
>
> I am making a CA site for my college project purpose.I learned that
> different browsers use different
> methods to generate CSR.Making CSR in IE was easy.For vista systems I used
> CertEnroll.dll methods
> and for non-vista IE i used xenroll.dll.I generated CSR in javascript
> successfully using that. it is
> in PKCS10.
>
> I want to make my project compatible for mozilla and opera too
> i want to do the same for mozilla too but i guess mozilla method doesnt
> generate PKCS10 format
> Then i came across generateCRMF and keygen tags..keygen is not recommended
> i guess.
> how to sign the CRMF request key i get in openssl ?
>  if i am using keygen tag, i think it gives SPKAC format..can we sign SPKAC
> using openssl ?
> i am able to generate CRMF and SPKAC..but doesnt know how to sign those in
> openssl.please help me in
> regard with this..
>
> ..thanks a lot.

Re: how to sign CRMF/SPKAC using openssl

2009-05-28 Thread Anders Rundgren
 I have two answers.

1. This is an OpenSSL question and should be directed to an OpenSSL forum

2. Browsers indeed have different key-generation methods but they do have one
   thing in common: the methods are completely useless, not even PIN protection
   is a part of the plot unless you use pre-configured hard tokens

Anders

- Original Message - 
From: tito
To: dev-tech-crypto@lists.mozilla.org
Sent: Friday, May 29, 2009 06:51
Subject: how to sign CRMF/SPKAC using openssl


Hi ,

I am making a CA site for my college project purpose.I learned that different 
browsers use different 
methods to generate CSR.Making CSR in IE was easy.For vista systems I used 
CertEnroll.dll methods 
and for non-vista IE i used xenroll.dll.I generated CSR in javascript 
successfully using that. it is 
in PKCS10.

I want to make my project compatible for mozilla and opera too
i want to do the same for mozilla too but i guess mozilla method doesnt 
generate PKCS10 format
Then i came across generateCRMF and keygen tags..keygen is not recommended i 
guess.
how to sign the CRMF request key i get in openssl ?
 if i am using keygen tag, i think it gives SPKAC format..can we sign SPKAC 
using openssl ?
i am able to generate CRMF and SPKAC..but doesnt know how to sign those in 
openssl.please help me in 
regard with this..

..thanks a lot.









how to sign CRMF/SPKAC using openssl

2009-05-28 Thread tito
Hi,

I am making a CA site for my college project. I learned that
different browsers use different methods to generate a CSR. Making a CSR in IE
was easy. For Vista systems I used CertEnroll.dll methods and for non-Vista
IE I used xenroll.dll. I generated the CSR in JavaScript successfully using that.
It is in PKCS10.

I want to make my project compatible with Mozilla and Opera too.
I want to do the same for Mozilla, but I guess the Mozilla method doesn't
generate PKCS10 format.
Then I came across generateCRMF and keygen tags. keygen is not recommended, I
guess.
How do I sign the CRMF request key I get in OpenSSL?
If I am using the keygen tag, I think it gives SPKAC format. Can we sign SPKAC
using OpenSSL?
I am able to generate CRMF and SPKAC, but don't know how to sign those in
OpenSSL. Please help me with this.

Thanks a lot.