RE: sk_pop_free() cannot convert parameter 2

2000-07-24 Thread Angus Lee

>= Original Message From [EMAIL PROTECTED] =

>> C:\Work\EudSMIME\SetngDlg.cpp(378) : error C2664: 'sk_pop_free' : cannot
>> convert parameter 2 from 'void (PKCS12_SAFEBAG *)' to 'void (__cdecl *)(void)'
>> None of the functions with this name in scope match the target type
>
>From those errors it looks like you are trying to call these macros in
>C++. Why do you need to do that? You can parse PKCS#12 files much more
>easily with PKCS12_parse() which should have no problems.

Could you please give me a segment of the sample code that would convert a
PKCS#12 file to PEM format? I'm not very familiar with the APIs in OpenSSL.
What I do now is copy from the code segment of pkcs12.c in OpenSSL 0.9.5a.
Thank you.

Angus Lee


__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]



Authentication problems.

2000-07-24 Thread David

Hi,

I have installed openssl and openssh on three Redhat servers. Two
servers are 6.0 and one is 6.1. I used rpms from SuSE6.4.

When I do a rpm -q I get the following result. 

rpm -q openssh  openssh-1.2.2-27
rpm -q openssl  openssl-0.9.5-14

When I loaded the rpms the following message was displayed in all three
cases. I loaded the rpms from a telnet session. When I loaded them
locally on a RedHat 6.1 box I didn't receive this message. It may be a
red herring but I thought I had better mention it.

fillup not found. This should not happen. Please compare
etc/rc.config and var/adm/fillup-templates/rc.config.ssh and
update by hand.

The installation on the Redhat 6.1 server works but on the two 6.0
servers I can't authenticate. As far as I can tell the three servers are
setup the same. Following is the message that comes up when I run sshd
-d.

debug: Client protocol version 1.5; client software version TTSSH/1.5.1 Win32
debug: Sent 768 bit public key and 1024 bit host key.
debug: Encryption type: 3des
debug: Received session key; encryption turned on.
debug: Installing crc compensation attack detector.
debug: Starting up PAM with username "bob"
debug: Attempting authentication for bob.
debug: PAM Password authentication for "bob" failed: Module is unknown
Failed password for bob from xxx.xxx.xxx.xxx port 1097

Can someone help please with a remedy.

I use rpms because I am an absolute newbie and every time I have tried
compiling so far I have broken something.

Thanks.

David.



Re: Certificates

2000-07-24 Thread Simos Xenitellis


On Mon, 24 Jul 2000, ppruett wrote:

> 
> FYI for list users, we too have searched long and hard
> for the steps to be a "bundled root CA" 
>
... 
> 
> I think that it would be good to have a section on "bundled root CA"
> for Simos' book on openpki  http://ospkibook.sourceforge.net
> If anyone else out there has some more information on this please
> send it to the list.  I suspect like ourselves others have wasted effort
> with Netscape and MSIE trying to determine their process for picking
> root CAs that they bundle.  
...

Hello,
Thanks for your e-mail.

I will add a section on this issue in the new version of the document,
using the information provided from your two e-mails to the openssl
mailing list, making appropriate references to the source.

From documents I read from the FPKI (Federal PKI/NIST), I found that
the term "trust-list PKI" is a good one to describe the PKI that the
browsers constitute.

I believe that the browser companies would want the highest assurance
from the CAs that they are serious and are doing their best to keep the
private key safe. Thus, there should be a strict procedure in place.

My guess is that one needs to pay a lot of money to have one's root
certificate in the browser.

Nevertheless, I believe that there is not much information on bundling
of root certs because it's not some typical procedure. The communication
of the CAs with the browser companies probably takes place off the Net. 
It's an issue of finding a person that was involved in the procedure,
and it's a tough one because it does not seem to involve techies rather 
than law people, insurance people and managers.

Any non-techies in this list?

Simos Xenitellis





Re: Compiling openssl-0.9.5a with rsaref

2000-07-24 Thread Paul Allen

Al Sparks wrote:
> 
> I'm trying to compile openssl-0.9.5a on an Alpha running Red Hat 6.1
> Linux kernel 2.2.13-0.9.  It compiles fine, until I configure it to
> also compile rsaref.

I guess by now Al's figured out he has to build the RSAREF library
and copy it to something like /usr/local/lib/librsaref.a in order
for the openssl link to find it.

I built openssl-0.9.5a with rsaref2 (with the buffer overflow patch
applied) on an Alpha running RedHat 6.2, and it hangs in "make test"
while checking the RSA stuff.  OpenSSH built on top of this OpenSSL
version also hangs when it tries to call the RSA code.  An strace
shows that it's in a tight loop not making any system calls.  I
haven't tried any further debugging.

If I build OpenSSL with its internal RSA implementation, it works
fine and OpenSSH likes it as well.  Since I'm inside the US, I'm
violating the patent (for another month or two) if I actually use
this version.  I've done identical builds of RSAREF2,  
openssl-0.9.5a, and openssh-2.1.1p3 on Solaris {6,7,8}, Intel Linux,
and Irix 6.x, and all work fine.  It just stumbles on the Alpha.

Has anyone been here before?  Or do I get to debug code on 
unfamiliar hardware all by myself?  :-)

Paul Allen

-- 
Paul L. Allen   | voice: (425) 865-3297  fax: (425) 865-2964
Unix Technical Support  | [EMAIL PROTECTED]
Boeing Phantom Works Math & Computing Technology Site Operations,
POB 3707 M/S 7L-68, Seattle, WA 98124-2207



What does SSL_pending() do? Where does handshaking occur?

2000-07-24 Thread David B

Going through the s_client.c example, I cannot find the section in which 
SSL handshaking occurs. The larger question is, in which call does OpenSSL 
take care of pending business?

Around line 405 the init_client() call seems to be a regular socket connect 
that has nothing to do with SSL. Then the socket is set to non-blocking.

Presumably the SSL handshaking has to take place after that, and within the 
endless for() loop.

I would assume that the SSL_pending() call is responsible for returning 
true if SSL is in the middle of an operation that would otherwise block. 
Does it do this? Does it also handle these tasks? Otherwise, where do the 
handshaking and presumably other interim SSL tasks occur?

Many thanks,
David




RE: Abusing OpenSSL for E-Business applications?

2000-07-24 Thread Richard Dykiel

I'm using the PKCS#7 functions to append signatures to files we're sending
over the Internet and it works fine. We're planning to do some encryption
also. The main difficulty is to understand and use properly these functions.

Thank god, there has always been a good support from this mailing list, and
from the openssl development team.

> -Original Message-
> From: Remo Inverardi [mailto:[EMAIL PROTECTED]]
> Sent: Monday, July 24, 2000 4:41 PM
> To: [EMAIL PROTECTED]
> Subject: Abusing OpenSSL for E-Business applications?
> 
> 
> I was wondering if anyone ever used the algorithms from OpenSSL
> for E-Business applications beyond plain SSL? While I see most of
> the basic PK applications present in the toolkit (signing documents,
> authentication, encryption, etc), I would like to hear about your
> experience with the OpenSSL package in non-SSL applications.
> 
> Thanks for your time.
> 
> Remo
> __
> 
> [ http://public.toilet.ch/ ] "Ich dusche warm!" [ http://www.vbs.ch/ ]
> __



Abusing OpenSSL for E-Business applications?

2000-07-24 Thread Remo Inverardi

I was wondering if anyone ever used the algorithms from OpenSSL
for E-Business applications beyond plain SSL? While I see most of
the basic PK applications present in the toolkit (signing documents,
authentication, encryption, etc), I would like to hear about your
experience with the OpenSSL package in non-SSL applications.

Thanks for your time.

Remo
__

[ http://public.toilet.ch/ ] "Ich dusche warm!" [ http://www.vbs.ch/ ]
__



Re: The rsaref library

2000-07-24 Thread Richard Levitte - VMS Whacker

From: "Remo Inverardi" <[EMAIL PROTECTED]>

invi> a) Is the rsaref library the same as Bsafe? Or is it a part of
invi>Bsafe?

No.  RSAref is a reference implementation of the RSA algorithm.  Bsafe
has a better implementation and contains more than just RSA routines.

About the rest, I'll let someone else answer.

-- 
Richard Levitte   \ Spannvägen 38, II \ [EMAIL PROTECTED]
Chairman@Stacken   \ S-168 35  BROMMA  \ T: +46-8-26 52 47
Redakteur@Stacken   \  SWEDEN   \ or +46-709-50 36 10
Procurator Odiosus Ex Infernis-- [EMAIL PROTECTED]
Member of the OpenSSL development team: http://www.openssl.org/
Software Engineer, Celo Communications: http://www.celocom.com/

Unsolicited commercial email is subject to an archival fee of $400.
See  for more info.



The rsaref library

2000-07-24 Thread Remo Inverardi

After reading about the rsaref library, several questions came to
mind:

a) Is the rsaref library the same as Bsafe? Or is it a part of
   Bsafe?

b) Why is it impossible to order the Bsafe library from Switzerland?
   I tried several times (also on the Australian RSA Site which seems
   to redirect to the US Site) but didn't even get an answer.

c) What is the advantage of using the Bsafe library? Are any of the
   algorithms better than those of OpenSSL? Is there anything more
   in it?

Thanks for your help, Remo
__

[ http://public.toilet.ch/ ] "Ich dusche warm!" [ http://www.vbs.ch/ ]
__



Re: Compiling openssl-0.9.5a with rsaref

2000-07-24 Thread Al Sparks

I didn't rename that file.  I'll give that a try.

Also, I didn't hit the send button 3 times, and in fact, your message
posted 3 times also.  I noticed that when I replied to your message, I was 
presented with 2 "[EMAIL PROTECTED]" in the To: field.  I took
one of them out.

I'll check the headers on my messages but maybe it's not user error for once.

Thanks again for the tip.
=== Al

--- Ricardo Stella <[EMAIL PROTECTED]> wrote:
> 
> Please hit 'Send' only once... your message came in three times...
> 
> Anyway,
> 
> Did you 'install' the rsaref library ?  Looks like when you are
> compiling, it can't find it...
> 
> Also, did you rename 'rsaref.a' to 'librsaref.a' ?
> 
> 
> 
> Al Sparks wrote:
> > 
> > I'm trying to compile openssl-0.9.5a on an Alpha running Red Hat 6.1
> > Linux kernel 2.2.13-0.9.  It compiles fine, until I configure it to
> > also compile rsaref.
> > 
> > When I do a make, it errors out (after about 4-5 minutes).
> > 
> > Here's a few lines of the last part of the output from make:
> > 
> > *
> > *
> > ssl.c -o openssl.o
> > rm -f openssl
> > gcc -o openssl -DMONOLITH -I../include -DRSAref -mcpu=ev5 -O3
> > DL_ENDIAN -DTERMIO openssl.o verify.o asn1pars.o req.o dgst.o dh.o
> > dhparam.o enc.o passwd.o gendh.o errstr.o ca.o pkcs7.o crl2p7.o crl.o
> > rsa.o dsa.o dsaparam.o x509.o genrsa.o gendsa.o s_server.o s_client.o
> > speed.o s_time.o apps.o s_cb.o s_socket.o app_rand.o version.o
> > sess_id.o ciphers.o nseq.o pkcs12.o pkcs8.o spkac.o smime.o rand.o -L.
> > -L.. -L../.. -L../../.. -L.. -lssl -L.. -lcrypto -lRSAglue -lrsaref
> > /usr/bin/ld: cannot open -lrsaref: No such file or directory
> > collect2: ld returned 1 exit status
> > make[1]: *** [openssl] Error 1
> > make[1]: Leaving directory `/usr/src/openssl-0.9.5a/apps'
> > make: *** [all] Error 1
> > *
> > *
> > 
> > Any suggestions?
> >=== Al
> > 
> 
> -- 
> --
>  Ricardo Stella  O.I.T.
>  (609)896-5000 x7436   _suAve_   Rider University
>   *** Remove 'no-spam' from e-mail address before replying.  ***





RE: Importing Site Certificates into Netscape

2000-07-24 Thread Wade L. Scholine

When I made myself a client cert to mess around with client auth, I was able
to get the issuer cert into NS4.7 by importing a pkcs12 that had my client
cert chained with the root cert.

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
> Sent: Monday, July 24, 2000 5:25 AM
> To: [EMAIL PROTECTED]
> Subject: Importing Site Certificates into Netscape
> 
> 
> 
> Whilst investigating what can be done with X-509 certificates, it occurred
> to me that maybe having separate, role-based, signing certificates for the
> likes of E-Mail/SSL.  So I went ahead, created my root (no problems), made
> another certificate that was not a CA (but sign-only) and signed that with
> the root and finally created a personal one.  All this imported marvelously
> into Internet Exploder, but when it came time to do the same with Netscrape,
> things fell apart in the middle.
> 
> It would appear that it is impossible to import a "web server certificate"
> into Netscape without it being served by a web server - correct ?  The MIME
> hack to get the root CA in with a "double click" appears not to work for
> application/x-x509-server-cert.
> 
> Are there any other avenues worth exploring that are likely to bear fruit
> here ?
> 
> Thanks,
> Darren
> 
> 
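
The chained bundle described in this reply, and the PKCS#12-to-PEM conversion asked about in the sk_pop_free() thread, done with the openssl command line. This is an added example, not code from either poster or from the OpenSSL project; the CA and client names, the file names and the password "demo" are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: bundle a client certificate, its key and the issuing root
# into one PKCS#12 file, then unpack that file to PEM and check the result.
# All names, files and the password "demo" are constructed; everything is
# created in a temporary directory that is removed at the end.

run() { "$@" >/dev/null 2>&1; }   # run a setup step quietly, keep its status

p12_roundtrip_demo() {
    command -v openssl >/dev/null 2>&1 || { echo "openssl-missing"; return 0; }
    d=$(mktemp -d) || return 1
    (
        cd "$d" || exit 1
        umask 077   # -nodes below writes the private key unencrypted

        # Throwaway root CA and a client certificate issued by it.
        run openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
            -subj "/CN=Constructed Root CA" -keyout ca.key -out ca.crt || exit 1
        run openssl req -new -newkey rsa:2048 -nodes \
            -subj "/CN=Constructed Client" -keyout client.key -out client.csr || exit 1
        run openssl x509 -req -in client.csr -CA ca.crt -CAkey ca.key \
            -CAcreateserial -days 1 -out client.crt || exit 1

        # Client cert + key, with the root chained in through -certfile.
        run openssl pkcs12 -export -in client.crt -inkey client.key \
            -certfile ca.crt -name "constructed client" \
            -passout pass:demo -out client.p12 || exit 1

        # PKCS#12 -> PEM: the whole bundle, then each piece on its own.
        run openssl pkcs12 -in client.p12 -passin pass:demo -nodes \
            -out all.pem || exit 1
        run openssl pkcs12 -in client.p12 -passin pass:demo -nokeys -clcerts \
            -out clcert.pem || exit 1
        run openssl pkcs12 -in client.p12 -passin pass:demo -nokeys -cacerts \
            -out cacerts.pem || exit 1
        run openssl pkcs12 -in client.p12 -passin pass:demo -nocerts -nodes \
            -out key.pem || exit 1

        certs=$(grep -c 'BEGIN CERTIFICATE' all.pem)
        keys=$(grep -c 'BEGIN.*PRIVATE KEY' all.pem)
        cas=$(grep -c 'BEGIN CERTIFICATE' cacerts.pem)

        # Confirm the extracted key is the one certified in the client cert.
        openssl x509 -in clcert.pem -noout -pubkey > cert.pub 2>/dev/null || exit 1
        openssl pkey -in key.pem -pubout > key.pub 2>/dev/null || exit 1
        if cmp -s cert.pub key.pub; then match=yes; else match=no; fi

        echo "certs=$certs keys=$keys cacerts=$cas keymatch=$match"
    )
    rc=$?
    rm -rf "$d"
    return "$rc"
}

p12_roundtrip_demo
```

Outside a throwaway directory, drop -nodes so that the exported key stays passphrase-protected on disk.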



Re: Compiling openssl-0.9.5a with rsaref

2000-07-24 Thread Ricardo Stella


Please hit 'Send' only once... your message came in three times...

Anyway,

Did you 'install' the rsaref library ?  Looks like when you are
compiling, it can't find it...

Also, did you rename 'rsaref.a' to 'librsaref.a' ?



Al Sparks wrote:
> 
> I'm trying to compile openssl-0.9.5a on an Alpha running Red Hat 6.1
> Linux kernel 2.2.13-0.9.  It compiles fine, until I configure it to
> also compile rsaref.
> 
> When I do a make, it errors out (after about 4-5 minutes).
> 
> Here's a few lines of the last part of the output from make:
> 
> *
> *
> ssl.c -o openssl.o
> rm -f openssl
> gcc -o openssl -DMONOLITH -I../include -DRSAref -mcpu=ev5 -O3
> DL_ENDIAN -DTERMIO openssl.o verify.o asn1pars.o req.o dgst.o dh.o
> dhparam.o enc.o passwd.o gendh.o errstr.o ca.o pkcs7.o crl2p7.o crl.o
> rsa.o dsa.o dsaparam.o x509.o genrsa.o gendsa.o s_server.o s_client.o
> speed.o s_time.o apps.o s_cb.o s_socket.o app_rand.o version.o
> sess_id.o ciphers.o nseq.o pkcs12.o pkcs8.o spkac.o smime.o rand.o -L.
> -L.. -L../.. -L../../.. -L.. -lssl -L.. -lcrypto -lRSAglue -lrsaref
> /usr/bin/ld: cannot open -lrsaref: No such file or directory
> collect2: ld returned 1 exit status
> make[1]: *** [openssl] Error 1
> make[1]: Leaving directory `/usr/src/openssl-0.9.5a/apps'
> make: *** [all] Error 1
> *
> *
> 
> Any suggestions?
>=== Al
> 
> __
> Do You Yahoo!?
> Get Yahoo! Mail – Free email you can access from anywhere!
> http://mail.yahoo.com/
> __
> OpenSSL Project http://www.openssl.org
> User Support Mailing List[EMAIL PROTECTED]
> Automated List Manager   [EMAIL PROTECTED]
> 
> __
> OpenSSL Project http://www.openssl.org
> User Support Mailing List[EMAIL PROTECTED]
> Automated List Manager   [EMAIL PROTECTED]
> 
> __
> OpenSSL Project http://www.openssl.org
> User Support Mailing List[EMAIL PROTECTED]
> Automated List Manager   [EMAIL PROTECTED]

-- 
--
 Ricardo Stella  O.I.T.
 (609)896-5000 x7436   _suAve_   Rider University
  *** Remove 'no-spam' from e-mail address before replying.  ***




Compiling openssl-0.9.5a with rsaref

2000-07-24 Thread Al Sparks

I'm trying to compile openssl-0.9.5a on an Alpha running Red Hat 6.1
Linux kernel 2.2.13-0.9.  It compiles fine, until I configure it to
also compile rsaref.

When I do a make, it errors out (after about 4-5 minutes).

Here's a few lines of the last part of the output from make:


*
*
ssl.c -o openssl.o
rm -f openssl
gcc -o openssl -DMONOLITH -I../include -DRSAref -mcpu=ev5 -O3 
DL_ENDIAN -DTERMIO openssl.o verify.o asn1pars.o req.o dgst.o dh.o
dhparam.o enc.o passwd.o gendh.o errstr.o ca.o pkcs7.o crl2p7.o crl.o
rsa.o dsa.o dsaparam.o x509.o genrsa.o gendsa.o s_server.o s_client.o
speed.o s_time.o apps.o s_cb.o s_socket.o app_rand.o version.o
sess_id.o ciphers.o nseq.o pkcs12.o pkcs8.o spkac.o smime.o rand.o -L.
-L.. -L../.. -L../../.. -L.. -lssl -L.. -lcrypto -lRSAglue -lrsaref 
/usr/bin/ld: cannot open -lrsaref: No such file or directory
collect2: ld returned 1 exit status
make[1]: *** [openssl] Error 1
make[1]: Leaving directory `/usr/src/openssl-0.9.5a/apps'
make: *** [all] Error 1
*
*

Any suggestions?
   === Al





Activation of SSL

2000-07-24 Thread Elisee NGAN TAMBA


I am new in this mailing list.

I want to activate SSL communication on my Mail server [sendmail v8]
I don't know how I can do it.



Re: Netscape Comm bug ?

2000-07-24 Thread Dr Stephen Henson

Anders Östling wrote:
> 
> 
> When an Outlook user sends an encrypted and signed message to a Netscape
> user, it crashes the outlook client when he attempts to read the message.
> The MS user can send the same message to himself w/o problems.
> 

I take it you mean that the Netscape client crashes?

There is a problem with all current Netscape clients. They misbehave
(usually crash) when they come across a certificate with a string type
they don't understand. This means a BMPString or a UTF8String. This
means that anything following the PKIX guidelines that uses certain
characters (international ones or things like '@' in certain fields)
will trigger this.

Signing a news group message with such a certificate could make you
rather unpopular...

This is a real pain and has been holding up things like proper
international character support in certificates.

Anyway apparently if you install Netscape personal security manager
(PSM) this problem doesn't seem to happen any more. At least it didn't
with a test certificate which crashed previous versions I'd tested it
on. I haven't had time to check this thoroughly yet though.

Steve.
-- 
Dr Stephen N. Henson.   http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED] 
Senior crypto engineer, Celo Communications: http://www.celocom.com/
Core developer of the   OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED] PGP key: via homepage.




Re: problem in signing & verifying with smime.c

2000-07-24 Thread Dr Stephen Henson

mariano Jesús wrote:
> 
> Hi.
> 
> I generate a s/mime with:
> 
> openssl smime -sign -in texto.txt -text -out mensaje.msg -signer
> certificate.crt -inkey privatekey.key
> 
> And it's all ok
> 
> when I try to verify this file (mensaje.msg) with:
> 
> openssl smime -verify -in mensaje.msg -out signedtxt.txt -signer
> certificate.crt
> 
> An error occurs with the message:
> 
> 523:error:21075075:PKCS7 routines:PKCS7_verify:certificate verify
> error:.\crypto\pkcs7\pk7_smime.c:205:Verify error:unable to get local
> issuer certificate.
> 
> My certificate is generated with openssl and it's signed with my own CA.
> That certificates had been working correctly both  in all test and
> applications made until now.
> 
> Somebody knows what am I doing bad?
> 

You need to include the path to your CA certificate in the verify
command using either -CApath or -CAfile . If you have more than two
certificates in the chain then you need to include the intermediate
certificates in the sign operation using the -certfile command.

Steve.
-- 
Dr Stephen N. Henson.   http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED] 
Senior crypto engineer, Celo Communications: http://www.celocom.com/
Core developer of the   OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED] PGP key: via homepage.
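
Both points of the reply above, reproduced with a throwaway three-level chain (root, intermediate, signer): verification needs the root through -CAfile, and the intermediate has to travel with the message through -certfile at signing time. This is an added example, not code from the thread or from the OpenSSL project; the certificate names and the root.crt, inter.crt and bare.msg file names are constructed, while texto.txt, mensaje.msg, certificate.crt and privatekey.key follow the question.

```shell
#!/bin/sh
# Added example: S/MIME sign/verify against a constructed chain
#   root CA -> intermediate CA -> signer
# Everything is created in a temporary directory and removed afterwards.

run() { "$@" >/dev/null 2>&1; }   # run a setup step quietly, keep its status

# Verify a signed message and print "ok" or "fail"; extra arguments are
# passed to "openssl smime -verify". On -verify, -signer names an output
# file that receives the signer's certificate, so it is not used here.
try_verify() {
    msg=$1; shift
    if openssl smime -verify -in "$msg" -out /dev/null "$@" >/dev/null 2>&1
    then echo ok; else echo fail; fi
}

smime_chain_demo() {
    command -v openssl >/dev/null 2>&1 || { echo "openssl-missing"; return 0; }
    d=$(mktemp -d) || return 1
    (
        cd "$d" || exit 1
        umask 077

        # Self-signed root: the only certificate the verifier will trust.
        run openssl req -x509 -newkey rsa:2048 -nodes -days 3 \
            -subj "/CN=Constructed Root CA" -keyout root.key -out root.crt || exit 1

        # Intermediate CA issued by the root; it must be marked as a CA.
        printf 'basicConstraints=critical,CA:TRUE\n' > inter.ext
        run openssl req -new -newkey rsa:2048 -nodes \
            -subj "/CN=Constructed Intermediate CA" \
            -keyout inter.key -out inter.csr || exit 1
        run openssl x509 -req -in inter.csr -CA root.crt -CAkey root.key \
            -CAcreateserial -extfile inter.ext -days 2 -out inter.crt || exit 1

        # Signer certificate issued by the intermediate.
        run openssl req -new -newkey rsa:2048 -nodes \
            -subj "/CN=Constructed Signer" \
            -keyout privatekey.key -out signer.csr || exit 1
        run openssl x509 -req -in signer.csr -CA inter.crt -CAkey inter.key \
            -CAcreateserial -days 1 -out certificate.crt || exit 1

        printf 'constructed test message\n' > texto.txt

        # bare.msg carries only the signer certificate;
        # mensaje.msg also carries the intermediate (-certfile).
        run openssl smime -sign -in texto.txt -text -out bare.msg \
            -signer certificate.crt -inkey privatekey.key || exit 1
        run openssl smime -sign -in texto.txt -text -out mensaje.msg \
            -signer certificate.crt -inkey privatekey.key \
            -certfile inter.crt || exit 1

        no_anchor=$(try_verify mensaje.msg)                  # root not trusted
        no_inter=$(try_verify bare.msg -CAfile root.crt)     # chain has a gap
        complete=$(try_verify mensaje.msg -CAfile root.crt)  # full chain
        echo "$no_anchor $no_inter $complete"
    )
    rc=$?
    rm -rf "$d"
    return "$rc"
}

smime_chain_demo
```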





Re: Certificates

2000-07-24 Thread ppruett


on being a bundled Root CA-

I suspect that a root CA will have some local laws and policies
to adhere to and declare that they adhere to law/policy numbers number
such and such...
Then I suspect the web browsers writers will want a nominal setup fee
$1K + ?   to review an application and a couple of boxes of
hard copy documentation  and here is the kicker, INSURANCE.
And for something like this only high risk will insure, Lloyd's of London?
And what will the rootCA need insurance for? Damages due
to improper handling of CAs?

Back in 1996 The American Bar Association wrote a paper
that has guidelines for pki
http://www.abanet.org/scitech/ec/isc/dsgfree.html

It has paragraphs like

" By issuing a certificate, a certification authority represents to any
person who reasonably relies on a certificate or a digital signature
verifiable by the public key listed in the certificate, that the
certification authority, in accordance with any applicable certification
practice statement of which the relying person has notice, has confirmed
that "
Which indicates that a root CA would have to have a certification practice
statement. This I would expect anyways and the rest of the wordage
is so general with thoughts like the certificates need appropriate
archiving but not saying what is appropriate.  
I suspect the E-sign laws will be similar, vague, which is good
actually, I'd hate to see a law that says a Guild/monopoly like MS or
Verisign has to give approval.

And the local government will have a say on the rootCA, maybe
rootCA registry in HavenCO is not a bad idea after all.
The recent laws passed in year 2000 for US about ecommerce are weaker
than when introduced but will have some impact
For those doing business in the USA we may even see the SEC
regulating how CAs store the records, X.509 certs, and elect. signatures:
http://www.mbc.com/ecommerce/legis/congress.html#hb1714
SUMMARY: This Bill, introduced by House Commerce Committee Chairman Thomas
Bliley (R-Va.), directs the Department of Commerce to promote the use and
acceptance of electronic signatures on an international basis by following
certain principles outlined in the bill. The principles include: (a) free
markets and self-regulation rather than government standards or rules for
the use of electronic records and signatures; (b) technology-neutral
policies; (c) allowing parties to a transaction to establish reasonable
requirements regarding the use and types of electronic records and
signatures; (d) legal validity not to be denied to electronic records and
electronic signatures on the ground that they are not in writing; and (e)
no foreign government imposition of standards on private industry.
This Bill is in the process of coordination with S.761 through a Joint
Conference Committee.
The Bill also amends the Securities Exchange Act of 1934 to give the SEC
the authority to prescribe regulations covering the use of electronic
records and signatures as long as the Commission does not promulgate
regulations contrary to the principles listed above.


h..



> I think that it would be good to have a section on "bundled root CA"
> for Simos' book on openpki  http://ospkibook.sourceforge.net
> If anyone else out there has some more information on this please
> send it to the list.  I suspect like ourselves others have wasted effort
> with Netscape and MSIE trying to determine their process for picking
> root CAs that they bundle.  
>   Right now the only "easy" way to be root ca I think is to
> pay for being a Chained CA Service from Thawte or Verisign (same company)
> but you gotta  adhere to a lot of rules and use approved software only
> and I'm not sure openssl compiled by self will be acceptable
> 
> Of course for an enterprise that is afraid of opensource they
> could go the MS solution, I for one do not want this to be the only option
> for us in the future...
> Microsoft Windows 2000 will ship with an integrated public key
> infrastructure and CertSrv 2.0, which will have a more complete user
> interface, built-in support for CA hierarchies, and additional
> capabilities such as a time-stamping server.
> On Mon, 24 Jul 2000, Simos Xenitellis wrote:
> > For certificates you buy, the "root certificate" is already there
> > in your browser so your client can connect with SSL transparently.
> > 
> > I heard that putting your root certificate in a browser costs 
> > a lot lot of money. Can someone verify/provide links on this procedure?
> > simos
> > http://ospkibook.sourceforge.net (new version out, 2.4.7)
> > 





RE: Win32 OpenSSL Binary

2000-07-24 Thread Boyce, Nick

On 24 Jul 2000, Uli Koeppe asked :

> is there any such thing as a compiled openssl program win32 
> for Windows 98 and/or NT, (command line version) that can 
> be downloaded from somewhere in the web?

I *think* you can get what you want from http://www.opensa.de/, but it's a
while since I looked, and when I checked the link just now it gave me an
error page stating 
"Please use the domain-name instead of the IP-address"
so maybe the server's misconfigured at the moment.

As I recall, the site is dedicated to a Win32 port of
OpenSSL/Mod_SSL/Apache/Sendmail and any other such Unix-originated open
software as may be wonderfully useful.

> Nick
> Systems Team, EDS Healthcare, Bristol, UK



Re: Certificates

2000-07-24 Thread Leland V. Lammert

At 04:06 AM 7/24/00, you wrote:
>You can get a trial one (e.g. at Verisign), or build your own CA

You don't need to build your own CA for a single cert, .. a CA is only required (IIUC) 
to manage *client certs*.

>I think a good certificate is made of two things, trust (in the CA), and
>availability of your cert for other people to contact you.

Sorry, .. but *anybody* can get a CERT, from *any* vendor. All you need is the 
appearance of a business (i.e. telephone, mailing address, minimal credit report, ...) 
- trust is not an issue.


Lee

   Leland V. Lammert[EMAIL PROTECTED]
  Chief Scientist Omnitec Corporation
  Network/Internet Consultants  www.omnitec.net





Re: Certificates

2000-07-24 Thread ppruett


FYI for list users, we too have searched long and hard
for the steps to be a "bundled root CA" 

No one seems to be able to give us an answer at Microsoft,
nor locate an accurate URL, guess that is no surprise.

The best we got from Netscape was this URL
http://home.netscape.com/security/caprogram/index.html
" This program is open to certificate authorities that bundle their root
public keys with Netscape Communicator. For more information on joining
the program, email the program administrator.   
  mailto:[EMAIL PROTECTED]   "
We tried email to this email address and got no response, no surprise.

We did get a better response from Opera:

- Forwarded message from "Yngve N. Pettersen" <[EMAIL PROTECTED]> -
Subject: Re: certificate of authority
  Our general procedure is that we need official documents that confirm
that the Certificate Authority exists, such as authorized copies of
company registration papers and  the company's Annual Report (in English
translation if necessary). We would also like an estimate of the number of
customers and sales revenue. Domain name registration papers are also
useful.
  Of course, we will also need the certificate(s) in X509 DER  format,
confirmation of the signature(s), and access to test facilities where the
certificates can be tested.
  We are considering to set up a general contract which will be free of
cost, but have  not done so yet. If you instead would like to have a
special contract we have decided to charge for the cost of negotiating the
contract, and the installation and testing of the certificates (prices
have not yet been set).
--



I think that it would be good to have a section on "bundled root CA"
for Simos' book on openpki  http://ospkibook.sourceforge.net
If anyone else out there has some more information on this please
send it to the list.  I suspect like ourselves others have wasted effort
with Netscape and MSIE trying to determine their process for picking
root CAs that they bundle.  
  Right now the only "easy" way to be root ca I think is to
pay for being a Chained CA Service from Thawte or Verisign (same company)
but you gotta  adhere to a lot of rules and use approved software only
and I'm not sure openssl compiled by self will be acceptable

Of course for an enterprise that is afraid of opensource they
could go the MS solution, I for one do not want this to be the only option
for us in the future...
Microsoft Windows 2000 will ship with an integrated public key
infrastructure and CertSrv 2.0, which will have a more complete user
interface, built-in support for CA hierarchies, and additional
capabilities such as a time-stamping server.




On Mon, 24 Jul 2000, Simos Xenitellis wrote:
> For certificates you buy, the "root certificate" is already there
> in your browser so your client can connect with SSL transparently.
> 
> I heard that putting your root certificate in a browser costs 
> a lot lot of money. Can someone verify/provide links on this procedure?
> simos
> http://ospkibook.sourceforge.net (new version out, 2.4.7)
> 






problem in signing & verifying with smime.c

2000-07-24 Thread mariano Jesús

Hi.

I generate a s/mime with:

openssl smime -sign -in texto.txt -text -out mensaje.msg -signer
certificate.crt -inkey privatekey.key

And it's all ok.

When I try to verify this file (mensaje.msg) with:

openssl smime -verify -in mensaje.msg -out signedtxt.txt -signer
certificate.crt

An error occurs with the message:

523:error:21075075:PKCS7 routines:PKCS7_verify:certificate verify
error:.\crypto\pkcs7\pk7_smime.c:205:Verify error:unable to get local
issuer certificate.

My certificate is generated with openssl and it's signed with my own CA.
These certificates have been working correctly in all tests and
applications made until now.

Does somebody know what I am doing wrong?

thanks in advance.




__
  Mariano Jesus Perez
   University of Málaga (Spain)
 Security Group (GYSUM)
__





Re: Certificates

2000-07-24 Thread Leland V. Lammert

At 07:11 AM 7/24/00, you wrote:
>1. Are there free certificates somewhere?

Yes. You can build your own (see the OpenSSL docs for creating a CSRT) .. the only 
difference is that you will not have traceability to a root cert, and any users will 
get the dialog box(es) 'do you really trust this site'.

>2. Does higher price mean a better certificate?

No.  The encryption is the same [for the selected encryption technology] once the user 
and server have agreed on the CERT.

>Or why are the prices sometimes so high?

Because companies like to make money. Prime example - RSA.

>Can anyone give me some advice about this?

You can also check out EquiFax - they have a standard CERT for $45, last time I 
checked.

Lee

   Leland V. Lammert[EMAIL PROTECTED]
  Chief Scientist Omnitec Corporation
  Network/Internet Consultants  www.omnitec.net





Re: Certificates

2000-07-24 Thread Simos Xenitellis


On Mon, 24 Jul 2000, Michael Beaucourt wrote:

> Hi,
> 
> I'm working on a Redhat Linux 6.1 system (soon 6.2) and I am relatively 
> new to SSL. But I will need the technology in the near future for an 
> e-commerce solution. Now, after reading some stuff I understand you need 
> to buy a server certificate. I have visited some sites like thawte.com 
> and verisign.com but find their prices very high.
> Now, what I am wondering:
> 
> 1. Are there free certificates somewhere?

You can make your own self-signed root ca certificate and import
it in your and others browsers.

> 2. Does higher price mean a better certificate? Or why are the prices 
> sometimes so high?

For certificates you buy, the "root certificate" is already there
in your browser so your client can connect with SSL transparently.

I heard that putting your root certificate in a browser costs 
a lot lot of money. Can someone verify/provide links on this procedure?

Also, the CA that signs your certificate needs to pay money for
fancy security measures that will give you confidence. Confidence that
their private key will remain secret and no one
will be able to decrypt the communications of your clients.

simos
http://ospkibook.sourceforge.net (new version out, 2.4.7)





Re: Certificates

2000-07-24 Thread Douglas Wikström

> > 1. Are there free certificates somewhere?
> 
> You can get a trial one (e.g. at Verisign) or build your own CA
If building your own, your customers will need to download your homemade
CA-cert and verify its fingerprint offband somehow. This could be a
solution when having few customers coming back a lot (like retailers
buying from a company). If selling directly to end customers I
personally would not recommend using your own CA.

> > 2. Does higher price mean a better certificate? Or why are the prices
> > sometimes so high?
> I think a good certificate is made of two things, trust (in the CA), and
> availability of your cert for other people to contact you
You pay the CA to verify that you are really you. This is why others
trusting the CA assumes that a cert signed by the CA really came from
who it says it came from. The technical part of the cert making is
already present in the openssl software.

The verification is as boring and nontechnical as verification at a
bank when getting a plastic card... although not as secure though, since
no physical presence is needed.

If that was my job I would too try to overcharge :-)

Since most users do NOT check which CA signed a certain server cert
gotten from a website I can see no point in buying a more expensive
server cert. (possibly the administrative services differ, like
updating?)

The issues of a "free"-ca or "open community"-ca were discussed a while
ago on this list, check the archives if interested.

/Douglas

> 
> >
> > Can anyone give me some advice about this?
> >
> > Thanks in advance.
> >
> > Best Regards,
> > Michael
> >
> 
> Felipe!
> 

-- 

--
 Douglas Wikström <[EMAIL PROTECTED]>
--
 Yes, God created Man before Woman,
 but one always makes a draft before the masterpiece.
--



No Subject

2000-07-24 Thread ukoeppe

Hi, sorry for just popping in like that, but is there any such thing as a
compiled openssl program win32 for Windows 98 and/or NT, (command line
version) that can be downloaded from somewhere in the web? I just read the
"INSTALLATION ON THE WIN32 PLATFORM" explanation and it looks kind of hairy
to me. All I need is the command line program, I don't want to become some
kind of encryption or C hotshot just to get the tool ;)

TIA
Uli Koeppe mailto [EMAIL PROTECTED]








Re: Certificates

2000-07-24 Thread felipe . saintjean

Michael Beaucourt wrote:

> Hi,
>
> I'm working on a Redhat Linux 6.1 system (soon 6.2) and I am relatively
> new to SSL. But I will need the technology in the near future for an
> e-commerce solution. Now, after reading some stuff I understand you need
> to buy a server certificate. I have visited some sites like thawte.com
> and verisign.com but find their prices very high.
> Now, what I am wondering:
>
> 1. Are there free certificates somewhere?

You can get a trial one (e.g. at Verisign), or build your own CA

>
> 2. Does higher price mean a better certificate? Or why are the prices
> sometimes so high?
>

I think a good certificate is made of two things, trust (in the CA), and
availability of your cert for other people to contact you

>
> Can anyone give me some advice about this?
>
> Thanks in advance.
>
> Best Regards,
> Michael
>

Felipe!





Re: sk_pop_free() cannot convert parameter 2

2000-07-24 Thread Dr Stephen Henson

Angus Lee wrote:
> 
> Hi,
> 
> There're three sk_pop_free() calls in the dump_certs_keys_p12() function in
> the pkcs12.c program. I copied the code from dump_certs_keys_p12() function
> into my program and compiled in VC6 /w SP4 on Win98SE. VC6 reported that:
> C:\Work\EudSMIME\SetngDlg.cpp(378) : error C2664: 'sk_pop_free' : cannot
> convert parameter 2 from 'void (PKCS12_SAFEBAG *)' to 'void (__cdecl *)(void)'
> None of the functions with this name in scope match the target type
> C:\Work\EudSMIME\SetngDlg.cpp(381) : error C2664: 'sk_pop_free' : cannot
> convert parameter 2 from 'void (PKCS12_SAFEBAG *)' to 'void (__cdecl *)(void)'
> None of the functions with this name in scope match the target type
> C:\Work\EudSMIME\SetngDlg.cpp(383) : error C2664: 'sk_pop_free' : cannot
> convert parameter 2 from 'void (struct pkcs7_st *)' to 'void (__cdecl
> *)(void)'
> None of the functions with this name in scope match the target type
> 
> Has anyone got any idea? I've come across similar problem with the
> M_PKCS12_unpack_authsafes() function. Someone told me to cast the parameter in
> the macros definitions. However sk_pop_free is indeed a function inside
> OpenSSL. I don't think simply doing a cast will work. Please help me. Thank
> you.
> 

From those errors it looks like you are trying to call these macros in
C++. Why do you need to do that? You can parse PKCS#12 files much more
easily with PKCS12_parse() which should have no problems.

Steve.
-- 
Dr Stephen N. Henson.   http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED] 
Senior crypto engineer, Celo Communications: http://www.celocom.com/
Core developer of the   OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED] PGP key: via homepage.





certificates, can't live with them can't live without them !!

2000-07-24 Thread Pinca George



Hello,
 
I have two questions for those who are using 
certificates :
 
1. Open-ssl has a directory 'certs' which seems to 
contain CA certs, are those CA trusted certs which are used to authenticate 
client certificates, like browsers use to authenticate server certs? 

If so, how do I add my own CA cert which I wanna 
trust?
 
2. In internet explorer if I have a pem x509 cert 
and private key, how do I import them under 'personal' certs, so I can 
authenticate myself to a SSL server? Is it possible or is the IE style key 
generation the only way?
 
Thank you,
 
george pinca


Certificates

2000-07-24 Thread Michael Beaucourt

Hi,

I'm working on a Redhat Linux 6.1 system (soon 6.2) and I am relatively 
new to SSL. But I will need the technology in the near future for an 
e-commerce solution. Now, after reading some stuff I understand you need 
to buy a server certificate. I have visited some sites like thawte.com 
and verisign.com but find their prices very high.
Now, what I am wondering:

1. Are there free certificates somewhere?
2. Does higher price mean a better certificate? Or why are the prices 
sometimes so high?

Can anyone give me some advice about this?

Thanks in advance.

Best Regards,
Michael



Re: PEM certs formatted at 76 chars per line

2000-07-24 Thread Michael Ströder

"Pablo J. Royo" wrote:
> 
> I'm using this cert from Baltimore with openssl0.9.5a.

This question is for openssl-users not openssl-dev.

> I don't know why they generate PEM certs with 76 chars in each line, 
> instead of 64 as everybody does.

Should be no problem. Depends on their base64 lib.

> If you take the cert and manually put it with 64
> chars per line and the "BEGIN/END CERTIFICATE" stuff all goes well, but if
> not x509 command says:

What's the problem?

You can either wrap it with (leave the 76 chars/line alone)
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----

or use the command-line:

openssl base64 -in baltimore.base64 -a -d | openssl x509 -inform der

Ciao, Michael.



Re: PEM certs formatted at 76 chars per line

2000-07-24 Thread Richard Levitte - VMS Whacker

From: "Pablo J. Royo" <[EMAIL PROTECTED]>

royop> So I'd like to know if there is a way to use the same b64
royop> functions to handle it, or what kind of modification should I
royop> do to bio64 or PEM routines. It would be easy?

What you want to do is hack in crypto/evp/encode.c.  I've no idea how
easy or difficult it is to get it right.

The better question is really if there is a good reason (and no,
"because that's how it's done with PEM" is not a sufficient argument
:-)) to keep this limitation.  If not, I'm willing to look into that
sometime within the next few weeks.  A reminder will always be welcome
:-).

-- 
Richard Levitte   \ Spannvägen 38, II \ [EMAIL PROTECTED]
Chairman@Stacken   \ S-168 35  BROMMA  \ T: +46-8-26 52 47
Redakteur@Stacken   \  SWEDEN   \ or +46-709-50 36 10
Procurator Odiosus Ex Infernis-- [EMAIL PROTECTED]
Member of the OpenSSL development team: http://www.openssl.org/
Software Engineer, Celo Communications: http://www.celocom.com/

Unsolicited commercial email is subject to an archival fee of $400.
See  for more info.
__
OpenSSL Project http://www.openssl.org
Development Mailing List   [EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]



Netscape Comm bug ?

2000-07-24 Thread Anders Östling

Hi
I have a certificate problem that is not really OpenSSL related, but
I'll try anyway.

I have setup an IPlanet CMS and a IPlanet LDAP server. The RA system can
create and publish end-user certs.

When an Outlook user sends an encrypted and signed message to a Netscape
user, it crashes the outlook client when he attempts to read the message.
The MS user can send the same message to himself w/o problems.

If he sends an encrypted message, everything is fine. If the message is
only signed, the same crash occurs.

To verify this, I (the NS user) sent a signed and encrypted message to
myself. Works. Are there any known incompatibilities between MS and NS
when it comes to signing messages?

Another observation that leads me to believe that the NS client is buggy
is when I open the TOOLS->Security Console->Certs->People and try to
import a user cert from the directory. I can locate the cert in the
directory, but when I press OK to add the cert to my private database, it
either crashes the client or it does not get inserted.

If I examine the LDAP entries for the two test users, I see that the
only attribute that is tied to the entries is "usercertificate;binary".
There is no "usersmimecertificate" attribute which I suppose that the
CA/RA should have published when the cert was signed.

If anyone out there has experiences in the IPLanet products, I would
appreciate to get in contact with you.

Best regards

Anders Östling




Re: problem to install server certificate with iis

2000-07-24 Thread Erwann ABALEA

Our customers get this error very often. It's not an OpenSSL problem,
but an IIS problem.

If you take a look at Microsoft's site and search for "80093005", you'll
find a description of this error code, and it has nothing to do with
IIS...

Check some things:
 - remove everything before the "-----BEGIN ..." and after the "-----END
   ..."
 - you should have no empty line between the 2 delimiters
 - every line should be 64 chars long, except the last one
 - you shouldn't have any "strange" character, such as incorrect
   end-of-line (open your file with Notepad, and check that you don't have
   something like a little square at the end of the lines)

If that still doesn't work, then it probably means that the problem is not
related to the certificate, but merely to the private key, or something
else...

The best thing to do then is delete the key, and start again, until it
works...

On Mon, 24 Jul 2000 [EMAIL PROTECTED] wrote:

> I work on win NT server and I have created ca certificate and server
> certificate and now I want to install it on iis but when I do it, I
> obtain :
> the certificate is invalid
> CAPI2 error = 80093005
> Has anyone already had this error and solved it?
> 
> Thanks in advance,
> audrey occello
> 

-- 
Erwann ABALEA
System and Development Engineer - Certplus SA
[EMAIL PROTECTED]
- RSA PGP Key ID: 0x2D0EABD5 -
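
An added example (not from any poster in these threads): a checker for the items in the checklist above, plus a normalizer that rewraps a 76-column or bare base64 body into 64-column PEM, the repair that the "PEM certs formatted at 76 chars per line" replies describe doing by hand. The function names and the sample input are constructed for illustration; the sample bytes are not a real certificate.

```python
import base64
import re

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"


def lint_pem(text):
    """Check a PEM certificate file against the checklist; return findings."""
    findings = []
    raw = text.split("\n")
    if raw and raw[-1] == "":
        raw.pop()                      # a single trailing newline is normal
    if any(line.endswith("\r") for line in raw):
        findings.append("CR at end of line (DOS line endings)")
    lines = [line.rstrip("\r") for line in raw]
    if BEGIN not in lines or END not in lines:
        return findings + ["missing BEGIN/END CERTIFICATE line"]
    start, stop = lines.index(BEGIN), lines.index(END)
    if stop < start:
        return findings + ["END line appears before BEGIN line"]
    if start > 0:
        findings.append("text before the BEGIN line")
    if stop < len(lines) - 1:
        findings.append("text after the END line")
    body = lines[start + 1:stop]
    if "" in body:
        findings.append("empty line between the delimiters")
    if any(re.search(r"[^A-Za-z0-9+/=]", line) for line in body):
        findings.append("character outside the base64 alphabet")
    if any(len(line) != 64 for line in body[:-1]) or (body and len(body[-1]) > 64):
        findings.append("body line is not 64 characters")
    return findings


def normalize_pem(text):
    """Re-emit the base64 payload as 64-column PEM with LF line endings."""
    lines = [line.strip() for line in text.replace("\r", "\n").split("\n")]
    if BEGIN in lines and END in lines:
        lines = lines[lines.index(BEGIN) + 1:lines.index(END)]
    payload = "".join(lines)
    if not payload:
        raise ValueError("no base64 payload found")
    der = base64.b64decode(payload, validate=True)   # ValueError on junk
    b64 = base64.b64encode(der).decode("ascii")
    wrapped = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join([BEGIN, *wrapped, END]) + "\n"


# Constructed sample: arbitrary bytes standing in for DER (not a real
# certificate), wrapped at 76 columns with CRLF, a header line and a blank line.
_DER = bytes(range(256))
_B64 = base64.b64encode(_DER).decode("ascii")
SAMPLE_76 = "\r\n".join(
    ["constructed header text", BEGIN]
    + [_B64[i:i + 76] for i in range(0, len(_B64), 76)]
    + ["", END, ""]
)

if __name__ == "__main__":
    for finding in lint_pem(SAMPLE_76):
        print("before:", finding)
    fixed = normalize_pem(SAMPLE_76)
    print("after :", lint_pem(fixed) or "clean")
```

normalize_pem() also accepts a bare base64 body with no delimiter lines and adds them; it only handles the CERTIFICATE label.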





PEM certs formatted at 76 chars per line

2000-07-24 Thread Pablo J. Royo

Hi

I'm using this cert from Baltimore with openssl0.9.5a.
I don't know why they generate PEM certs with 76 chars in each line, instead
of 64 as everybody does. If you take the cert and manually put it with 64
chars per line and the "BEGIN/END CERTIFICATE" stuff all goes well, but if
not x509 command says:

unable to load certificate
12482:error:0906D066:PEM routines:PEM_read_bio:bad end line:pem_lib.c:761:

So I'd like to know if there is a way to use the same b64 functions to
handle it, or what kind of modification should I do to bio64 or PEM
routines. Would it be easy?

Thanks



 baltimore.pem


problem to install server certificate with iis

2000-07-24 Thread occello

I work on win NT server and I have created ca certificate and server
certificate and now I want to install it on iis but when I do it, I
obtain :
the certificate is invalid
CAPI2 error = 80093005
Has anyone already had this error and solved it?

Thanks in advance,
audrey occello



Importing Site Certificates into Netscape

2000-07-24 Thread Darren Reed


Whilst investigating what can be done with X-509 certificates, it occurred
to me that maybe having separate, role-based, signing certificates for the
likes of E-Mail/SSL.  So I went ahead, created my root (no problems), made
another certificate that was not a CA (but sign-only) and signed that with
the root and finally created a personal one.  All this imported marvelously
into Internet Exploder, but when it came time to do the same with Netscrape,
things fell apart in the middle.

It would appear that it is impossible to import a "web server certificate"
into Netscape without it being served by a web server - correct ?  The MIME
hack to get the root CA in with a "double click" appears not to work for
application/x-x509-server-cert.

Are there any other avenues worth exploring that are likely to bear fruit
here ?

Thanks,
Darren
