Easy Question - Signing a certificate
Dear SSL users,

I apologize if this is an often asked question. I have been looking through the documentation, and experimenting, but I have not been able to do what I want to do.

I have a private key that I created with

    /usr/local/ssl/bin/req -new -x509

This key is now called privkey.pem. I now want to create a new key/certificate pair:

    /usr/local/ssl/bin/req -new -x509 -keyout keyb.pem cert.pem

I now have keyb.pem (the private key for keyb), and cert.pem (the public key for b (am I correct?)).

What I now want to do is sign cert.pem with privkey.pem, so that people seeing cert.pem could be sure that it was trusted by privkey.pem. How can I do this?

I tried

    /usr/local/ssl/bin/x509 -signkey privkey.pem cert.pem cert2.pem

However, when I try to look at cert2 with

    /usr/local/ssl/bin/asn1parse cert2.pem

I see no mention of privkey... If anyone could tell me what I am doing wrong, I would be most appreciative. It certainly is asking me for the passphrase of privkey, so maybe it is signing correctly and I just don't know how to see it?

Thank you very much for your time,
Julien Beasley
[EMAIL PROTECTED]

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                             [EMAIL PROTECTED]
Automated List Manager                                [EMAIL PROTECTED]
Re: Easy Question - Signing a certificate
Julien Beasley wrote:

> Dear SSL users,
>
> I apologize if this is an often asked question. I have been looking through the documentation, and experimenting, but I have not been able to do what I want to do.
>
> I have a private key that I created with
>
>     /usr/local/ssl/bin/req -new -x509
>
> This key is now called privkey.pem. I now want to create a new key/certificate pair:
>
>     /usr/local/ssl/bin/req -new -x509 -keyout keyb.pem cert.pem
>
> I now have keyb.pem (the private key for keyb), and cert.pem (the public key for b (am I correct?)).

Yes, the self-signed certificate (according to -x509), not a yet-to-be-signed certificate request.

> What I now want to do is sign cert.pem with privkey.pem, so that people seeing cert.pem could be sure that it was trusted by privkey.pem.

You already have a certificate signed by the private key keyb.

> How can I do this?

Do you really need a 2-step process: keypair generation and certificate signing? "req -x509" can do all the job required.

> I tried
>
>     /usr/local/ssl/bin/x509 -signkey privkey.pem cert.pem cert2.pem
>
> However, when I try to look at cert2 with
>
>     /usr/local/ssl/bin/asn1parse cert2.pem
>
> I see no mention of privkey... If anyone could tell me what I am doing

Please be sure a private key is never placed in a certificate, so it will not appear in asn1parse output.

> wrong, I would be most appreciative. It certainly is asking me for the passphrase of privkey, so maybe it is signing correctly and I just don't know how to see it?

You can check whether a signature (made by someone's private key) can be verified with his public key. x509 did ask you for the private key passphrase because you asked it to load the private key with "-signkey".

Hope this helps,
Vadim Fedukovich
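The flow Julien is after, as an added example that is not part of the thread and not OpenSSL's own code: a CA key plus self-signed CA certificate, a second key plus a certificate request for "b", and the CA signing that request so that cert.pem carries the CA as issuer and verifies against it. For contrast it also runs "x509 -signkey", which re-signs with whatever key it is handed and so yields a self-signed certificate with issuer equal to subject. It assumes a modern `openssl` binary on PATH (the thread's /usr/local/ssl/bin/req-style commands are the SSLeay-era equivalents of `openssl req` and `openssl x509`); the subject names and file names are constructed for the demo.

```shell
#!/bin/sh
# Added example (not code from the thread): CA-signed versus self-signed
# certificates with a modern `openssl` binary, assumed to be on PATH.
# No private key ever appears in a certificate, so asn1parse cannot show one;
# the trust relation lives in the issuer name and in the signature, which
# `openssl verify` checks against the CA certificate.
set -e

# Build a CA and a CA-signed certificate for "b" inside directory $1.
# Prints cert.pem's issuer and subject, then the `openssl verify` verdict.
ca_signed_demo() {
    d="$1"
    # 1. CA key (privkey.pem) and self-signed CA certificate (cacert.pem),
    #    which is what "req -new -x509" produces
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=Demo CA" \
        -keyout "$d/privkey.pem" -out "$d/cacert.pem" 2>/dev/null
    # 2. key for b (keyb.pem) and a certificate *request* (b.csr): without
    #    -x509, req emits the object a CA signs rather than a certificate
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=b" \
        -keyout "$d/keyb.pem" -out "$d/b.csr" 2>/dev/null
    # 3. the CA signs the request; -CAcreateserial starts the serial file
    openssl x509 -req -in "$d/b.csr" -CA "$d/cacert.pem" -CAkey "$d/privkey.pem" \
        -CAcreateserial -days 365 -out "$d/cert.pem" 2>/dev/null
    # 4. the issuer is the CA's subject, and the chain verifies against the CA
    openssl x509 -in "$d/cert.pem" -noout -issuer -subject
    openssl verify -CAfile "$d/cacert.pem" "$d/cert.pem"
}

# Sign the same request with -signkey (needs b.csr from ca_signed_demo).
# Prints issuer and subject of the result; they are identical: self-signed.
self_signed_demo() {
    d="$1"
    openssl x509 -req -in "$d/b.csr" -signkey "$d/keyb.pem" -days 365 \
        -out "$d/cert2.pem" 2>/dev/null
    openssl x509 -in "$d/cert2.pem" -noout -issuer -subject
}

# Run both demos in a scratch directory when invoked as: sh signing_demo.sh run
if [ "${1:-}" = "run" ]; then
    tmp=$(mktemp -d)
    ca_signed_demo "$tmp"
    self_signed_demo "$tmp"
    rm -rf "$tmp"
fi
```

The verify step is the check Vadim points at: it succeeds only if cert.pem's signature validates under the public key in cacert.pem, which is the machine-checkable form of "trusted by privkey.pem". Run with `sh signing_demo.sh run` to see the issuer lines and the `cert.pem: OK` verdict.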
Re: How to Revoke a Certificate ???
On Fri, Mar 26, 1999 at 08:59:48PM +0100, [EMAIL PROTECTED] wrote:

> I have the need to revoke a certificate, anyway I cannot find the revoke facility to manage the job ( including altering the index.txt that I think is used to manage the CRL (??)). Where do I find it?? ( command line tool... ).

Hi,

I have attached an earlier posting to ssl-users. This program works fine with SSLeay-0.8.1, maybe you have to make some modifications to compile it with OpenSSL.

Ciao,
Lars
[EMAIL PROTECTED]

From [EMAIL PROTECTED] Wed Dec 17 15:22:56 1997

this code is a simple/sample utility written by me and Sergio Tabanelli that put the revocation date on the "index.txt" ... after the execution of this utility you must run the ca utility (as in the standard sslEAY distribution) to obtain the crl. We have done this work using an approach "a la Tim Hudson" so it can be used and linked as a standard sslEAY "app" if placed in the "apps" directory.

Remo.

code follow:

/* Copyright (C) 1995-1997 Eric Young ([EMAIL PROTECTED])
 * All rights reserved.
 *
 * This package is an SSL implementation written
 * by Eric Young ([EMAIL PROTECTED]).
 * The implementation was written so as to conform with Netscapes SSL.
 *
 * This library is free for commercial and non-commercial use as long as
 * the following conditions are aheared to.  The following conditions
 * apply to all code found in this distribution, be it the RC4, RSA,
 * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
 * included with this distribution is covered by the same copyright terms
 * except that the holder is Tim Hudson ([EMAIL PROTECTED]).
 *
 * Copyright remains Eric Young's, and as such any Copyright notices in
 * the code are not to be removed.
 * If this package is used in a product, Eric Young should be given attribution
 * as the author of the parts of the library used.
 * This can be in the form of a textual message at program startup or
 * in documentation (online or textual) provided with the package.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 * 3. All advertising materials mentioning features or use of this software
 *    must display the following acknowledgement:
 *    "This product includes cryptographic software written by
 *     Eric Young ([EMAIL PROTECTED])"
 *    The word 'cryptographic' can be left out if the rouines from the library
 *    being used are not cryptographic related :-).
 * 4. If you include any Windows specific code (or a derivative thereof) from
 *    the apps directory (application code) you must include an acknowledgement:
 *    "This product includes software written by Tim Hudson ([EMAIL PROTECTED])"
 *
 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 *
 * The licence and distribution terms for any publically available version or
 * derivative of this code cannot be changed.  i.e. this code cannot simply be
 * copied and put under another distribution licence
 * [including the GNU Public Licence.]
 */

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/stat.h>
#include "apps.h"
#include "bio.h"
#include "err.h"
#include "txt_db.h"
#include "evp.h"
#include "x509.h"
#include "objects.h"
#include "pem.h"
#include "conf.h"

#ifndef W_OK
#include <sys/file.h>
#endif

/* Linked as an SSLeay "app": PROG names the entry point the apps driver calls. */
#undef PROG
#define PROG revoke_main

/* Same configuration section and keys as the ca utility, so the two share
 * one index.txt database and one directory layout. */
#define BASE_SECTION      "ca"
#define CONFIG_FILE       "lib/ssleay.cnf"

#define ENV_DEFAULT_CA    "default_ca"

#define ENV_DIR           "dir"
#define ENV_CERTS         "certs"
#define ENV_CRL_DIR       "crl_dir"
#define ENV_CA_DB         "CA_DB"
#define ENV_NEW_CERTS_DIR "new_certs_dir"
#define
Re: ml on NT compilation
Thanks Robert,

I tried this and it still fails with the same error. Does anyone know what 'ml' is? It appears to be some sort of assembler utility, is this right?

Andy

Robert Eiglmaier wrote:

> Andy,
>
> I once also had this error. It appears to be the result of not or not properly configured makefiles. Try to execute ms\do_ms.bat first and afterwards ms\32all.bat
>
> hth
> Robert
>
> -----Original Message-----
> From: Andy Shaw [mailto:[EMAIL PROTECTED]]
> Sent: Monday, March 29, 1999 1:59 PM
> To: [EMAIL PROTECTED]
> Subject: ml on NT compilation
>
> I am trying to compile openssl on NT and get the following error
>
>     md5_dgst.c
>     ml /Cp /coff /c /Cx /Focrypto\md5\asm\m5-win32.obj .\crypto\md5\asm\m5-win32.asm
>     The name specified is not recognized as an internal or external command,
>     operable program or batch file.
>     NMAKE : fatal error U1077: 'ml' : return code '0x1'
>     Stop.
>
> Anyone know what 'ml' is?
>
> Andy

--
Andy Shaw [EMAIL PROTECTED]
Phone: +44 (0)1223 715002
Re: How to Revoke a Certificate ???
On Fri, Mar 26, 1999 at 08:59:48PM +0100, [EMAIL PROTECTED] wrote:

> I have the need to revoke a certificate, anyway I cannot find the revoke facility to manage the job ( including altering the index.txt that I think is used to manage the CRL (??)). Where do I find it?? ( command line tool... ).

Here is a simple script to do it. $1 is the certificate serial number in hex as it appears in the index.txt file.

#!/bin/sh
#
# revoke the $1 cert
#
# index.txt is tab separated: status, expiry, revocation time, serial,
# file name, subject.  Mark the matching serial "R" and stamp field 3.
#
cp -p demoCA/index.txt demoCA/index.txt.rev.old
if [ $? -ne 0 ] ; then
    echo "Copy failed"
    exit 2
fi
# UTCTime as the ca utility writes it: YYMMDDHHMMSSZ
revtime=`date -u +%y%m%d%H%M%SZ`
awk "BEGIN { FS = \"\t\" } \
    \$4 ~/^$1\$/ {OFS = \"\t\"; \$1 = \"R\"; \$3 = \"$revtime\" ; print \$0 } \
    \$4 !~/^$1\$/ {print \$0 }" demoCA/index.txt.rev.old > demoCA/index.txt
diff demoCA/index.txt.rev.old demoCA/index.txt
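The same revocation done with the `openssl ca` tool itself, as an added example that is neither the script above nor OpenSSL's own code. It builds a throwaway CA whose index.txt has exactly the layout the awk script edits by hand (status, expiry, revocation time, serial, file name, subject), issues a certificate, revokes it with `openssl ca -revoke`, regenerates the CRL with `-gencrl`, and then shows that `openssl verify -crl_check` rejects the certificate. It assumes a modern `openssl` binary on PATH; the directory layout, config file and subject names are constructed for the demo.

```shell
#!/bin/sh
# Added example (not code from the thread): certificate revocation with
# `openssl ca`, assumed to be a modern openssl on PATH.  `openssl ca -revoke`
# rewrites the index.txt line (V -> R, revocation time into field 3), the
# same edit the awk script above performs; `-gencrl` then turns the index
# into a CRL, which is what relying parties actually check.
set -e

# Create a minimal CA directory ($1): config, empty database, serial, key,
# self-signed certificate, and an initial (empty) CRL.
ca_setup() {
    d="$1"
    mkdir -p "$d/newcerts"
    : > "$d/index.txt"          # empty certificate database
    echo 01 > "$d/serial"       # first serial number to issue
    # \$dir is escaped so openssl, not the shell, expands it
    cat > "$d/ca.cnf" <<EOF
[ ca ]
default_ca = demo_ca

[ demo_ca ]
dir              = $d
database         = \$dir/index.txt
new_certs_dir    = \$dir/newcerts
serial           = \$dir/serial
certificate      = \$dir/cacert.pem
private_key      = \$dir/cakey.pem
default_md       = sha256
default_days     = 365
default_crl_days = 30
policy           = policy_any
x509_extensions  = leaf_ext

[ policy_any ]
commonName = supplied

[ leaf_ext ]
basicConstraints = CA:FALSE
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=Demo CA" \
        -keyout "$d/cakey.pem" -out "$d/cacert.pem" 2>/dev/null
    openssl ca -config "$d/ca.cnf" -gencrl -out "$d/crl.pem" 2>/dev/null
}

# Issue $1/cert.pem for common name $2; the CA appends a "V" line to index.txt.
ca_issue() {
    d="$1"
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$d/key.pem" -out "$d/req.csr" 2>/dev/null
    openssl ca -config "$d/ca.cnf" -batch -notext -in "$d/req.csr" \
        -out "$d/cert.pem" 2>/dev/null
}

# Revoke $1/cert.pem (index line becomes "R") and regenerate the CRL.
ca_revoke() {
    d="$1"
    openssl ca -config "$d/ca.cnf" -revoke "$d/cert.pem" 2>/dev/null
    openssl ca -config "$d/ca.cnf" -gencrl -out "$d/crl.pem" 2>/dev/null
}

# Print "valid" or "revoked" for $1/cert.pem according to the CA's CRL.
crl_status() {
    d="$1"
    if openssl verify -CAfile "$d/cacert.pem" -CRLfile "$d/crl.pem" -crl_check \
        "$d/cert.pem" >/dev/null 2>&1; then
        echo valid
    else
        echo revoked
    fi
}

# Print the status column (V or R) of the index.txt entry for $1/cert.pem,
# matched on the serial number in field 4, as the awk script does.
index_status() {
    d="$1"
    serial=$(openssl x509 -in "$d/cert.pem" -noout -serial | sed 's/^serial=//')
    awk -F '\t' -v s="$serial" '$4 == s { print $1 }' "$d/index.txt"
}

# Walk through issue, check, revoke, check when invoked as: sh revoke_demo.sh run
if [ "${1:-}" = "run" ]; then
    tmp=$(mktemp -d)
    ca_setup "$tmp"; ca_issue "$tmp" leaf
    echo "before: index=$(index_status "$tmp") crl=$(crl_status "$tmp")"
    ca_revoke "$tmp"
    echo "after:  index=$(index_status "$tmp") crl=$(crl_status "$tmp")"
    rm -rf "$tmp"
fi
```

Editing index.txt only changes the CA's own bookkeeping; nothing outside the CA learns of the revocation until a fresh CRL is generated and published, which is why the `-gencrl` step follows every revocation here.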
Re: ml on NT compilation
On Mon, 29 Mar 1999, Andy Shaw wrote:

> I am trying to compile openssl on NT and get the following error
>
>     md5_dgst.c
>     ml /Cp /coff /c /Cx /Focrypto\md5\asm\m5-win32.obj .\crypto\md5\asm\m5-win32.asm
>     The name specified is not recognized as an internal or external command,
>     operable program or batch file.
>     NMAKE : fatal error U1077: 'ml' : return code '0x1'
>     Stop.
>
> Anyone know what 'ml' is?

Yeah, it's the Assembler of the Visual Studio stuff. If you don't have it, then before running "nmake -f ms\ntdll.mak", run "ms\do_ms.bat". It's stated in the INSTALL.W32 file...

--
Erwann ABALEA
System and Development Engineer - Certplus SA
[EMAIL PROTECTED] - RSA PGP Key ID: 0x2D0EABD5
RE: ml on NT compilation
ml is the command line driver for the Microsoft Macro Assembler. Sounds like you haven't got it installed. If you run the PERL script that generates the makefile with NO_ASM as one of the arguments you get the C version of the object file produced.

Cheers me dears,
Ash

-----Original Message-----
From: Andy Shaw [mailto:[EMAIL PROTECTED]]
Sent: 29 March 1999 12:59
To: [EMAIL PROTECTED]
Subject: ml on NT compilation

> I am trying to compile openssl on NT and get the following error
>
>     md5_dgst.c
>     ml /Cp /coff /c /Cx /Focrypto\md5\asm\m5-win32.obj .\crypto\md5\asm\m5-win32.asm
>     The name specified is not recognized as an internal or external command,
>     operable program or batch file.
>     NMAKE : fatal error U1077: 'ml' : return code '0x1'
>     Stop.
>
> Anyone know what 'ml' is?
>
> Andy
RE: library has no ciphers...
-----Original Message-----
From: Pascal Gienger [mailto:[EMAIL PROTECTED]]
Sent: Saturday, March 27, 1999 1:29 PM
To: [EMAIL PROTECTED]
Subject: "library has no ciphers"...

> Surely, I am a fool, but I can't find the error why SSL_CTX_new does not work for me. I tried a very simple
>
>     mycontext = SSL_CTX_new(TLSv1_server_method());
>
> and the result is
>
>     28848:error:140A90A1:SSL routines:SSL_CTX_new:library has no ciphers:ssl_lib.c:963:
>
> and mycontext is NULL. :(

In my older version (SSLeay-0.9.0b) a correct incantation is

    void SSLeay_add_all_algorithms(void); /* in c_all.c */

or

    void SSLeay_add_ssl_algorithms(void); /* in ssl_algs.c */

One day RSN I'm going to start using the current OpenSSL version in which these will perhaps have been renamed. I've been doing this right before the call to SSLv23_server_method(); it's not clear to me how critical the placement is.

> It is surely a RTFM problem but I can't find the answer... I use OpenSSL 0.9.2b on a FreeBSD 3.1-ELF-System.

It would surely be an RTFM if there were an FM to R; maybe that will come soon.
Re: How to Revoke a Certificate ???
Lars Weber wrote:

> Oops, former posting wasn't the original program, it contains some modifications. Here comes the original program. But have a look at the date subroutines for correct working with y2k...

Ok. Anyway, I get an error (there is not a function called BN_bn2ascii in the OpenSSL (I think it should be in bn.h/bn.c ??)). It must be modified a little...

see ya,
Massimiliano Pala ([EMAIL PROTECTED])
openssl creates zero length file on error?
Hi,

OpenSSL asks (in the ca cert signing process) at last "Sign the certificate? [y/n]:". If I answer "n", a "certificate" with 0 bytes size has been created. Since I use OpenSSL from within a Makefile, I would like it if OpenSSL did not create such empty files. Is there a possibility to change this behavior in next versions?

oki,
Steffen
RE: ml on NT compilation
> I tried this and it still fails with the same error. Does anyone know what 'ml' is? It appears to be some sort of assembler utility, is this right?

Yes, it is. But you don't really need it. Follow the instruction (point 4) of http://www.engelschall.com/sw/mod_ssl/distrib/mod_ssl-SNAP/INSTALL.Win32 (it is not necessary to modify des.h). With that, OpenSSL 0.9.1c works fine for me (under NT4.0).

Cheers,
Ch. Buchs
Testers wanted: Integrating TLS(SSL) into postfix (for Netscape 4.5)
This message is crossposted to the Postfix users list and the OpenSSL users list.

Hi out there!

By looking for a good way to allow mail relaying for our roaming users, I had the idea to use TLS with Netscape and client certificates. Of course, it turned out more difficult than expected, as it is not enough to just run "sslwrap" or "stunnel" around the SMTP port. It was necessary to implement (parts of) RFC 2487.

After digging around a little bit I found postfix to be the best readable and extendable source code, so I decided to use postfix as a base and write a patchkit using the OpenSSL library.

I have now a working (at least for me :-) version ready and want to invite other people to participate in the development and test (and/or just use) my enhancement. You can access the software from our website

    http://www.aet.tu-cottbus.de/personen/jaenicke/pfixtls/

The outfit is a little bit raw as of now, but that may improve in the future :-)

Of course, I would like to hear your comments and bug reports or even better bug fixes...

Best regards,
Lutz Jaenicke

--
Lutz Jaenicke                            [EMAIL PROTECTED]
BTU Cottbus                 http://www.aet.TU-Cottbus.DE/personen/jaenicke/
Lehrstuhl Allgemeine Elektrotechnik                  Tel. +49 355 69-4129
Universitaetsplatz 3-4, D-03044 Cottbus              Fax. +49 355 69-4153