CRL how to
Hi,

I have installed openssl and have started generating client certificates. I would like to know how I can create and maintain CRLs. I would appreciate it if anybody provides any help or resource pointers for this.

Thanks in advance,
Sarath Chandra M
RE: Encoding of General Name and related
Yeah, I've come across this also. It seems that a CHOICE within a CHOICE is encoded with an explicit tag even if it is in an implicit tag module. I guess this is to avoid the ambiguity that you mention.

This is so in ASN1.

Moreover, in RFC 3161 I found the following definition

    tsa [0] GeneralName OPTIONAL,

in a module that seems to me to use IMPLICIT tagging. Therefore I have this doubt: when I encode this value, if I use IMPLICIT tagging I'm modifying the tagging of the encoding of the previous CHOICE, with the (possible) consequence of having an ambiguous encoding. Is this correct or am I missing some important points?

CHOICEs are always EXPLICIT. Be careful with some compilers or almost-compilers when using a syntax like

    tsa [0] GeneralName OPTIONAL

if the compiler does not 'know' that GeneralName is a CHOICE. You might need to rewrite it as

    tsa [0] EXPLICIT GeneralName OPTIONAL
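The tagging point in this thread, shown at the byte level as an added example (not code from the thread or from OpenSSL): a minimal DER encoder and decoder for `tsa [0] GeneralName`. The function names and the sample names used with it are assumptions made for the illustration.

```python
# GeneralName is a CHOICE: each alternative is told apart only by its own
# context tag (primitive forms shown; tag numbers from RFC 5280's GeneralName).
GENERAL_NAME_TAGS = {"rfc822Name": 0x81, "dNSName": 0x82,
                     "uniformResourceIdentifier": 0x86}

def tlv(tag, value):
    """Encode one DER TLV: single-byte tag, definite short or long length."""
    n = len(value)
    if n < 0x80:
        length = bytes([n])
    else:
        raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(raw)]) + raw
    return bytes([tag]) + length + value

def read_tlv(der):
    """Split the first TLV of der into (tag, value)."""
    tag, first = der[0], der[1]
    if first < 0x80:
        start, n = 2, first
    else:
        k = first & 0x7F
        start, n = 2 + k, int.from_bytes(der[2:2 + k], "big")
    return tag, der[start:start + n]

def tsa_explicit(kind, text):
    # [0] EXPLICIT: constructed tag 0xA0 wraps the alternative's own TLV.
    return tlv(0xA0, tlv(GENERAL_NAME_TAGS[kind], text.encode("ascii")))

def tsa_implicit(kind, text):
    # What naive IMPLICIT tagging would emit: 0x80 replaces the alternative's
    # tag, so the bytes no longer say which alternative was chosen.
    return tlv(0x80, text.encode("ascii"))

def decode_tsa(der):
    """Return (alternative, text), or None when the alternative is lost."""
    tag, value = read_tlv(der)
    if tag != 0xA0:
        return None
    inner_tag, inner = read_tlv(value)
    names = {t: k for k, t in GENERAL_NAME_TAGS.items()}
    if inner_tag not in names:
        return None
    return names[inner_tag], inner.decode("ascii")
```

With the constructed name `tsa.example`, the explicit form is `A0 0D 82 0B ...`, while the implicit form is byte-identical for a dNSName and an rfc822Name.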
RE: CRL how to
Hi Sarath,

In the openssl CA directory there is a file named index.txt which contains a summary of the issued certificates. For example:

    V 020925082220Z 01 unknown /C=AU/ST=Some-State/O=Internet Widgits Pty Ltd/CN=Goofy
    V 020925082341Z 02 unknown /C=AU/ST=New Zeland/L=Wellington/O=Internet Widgits Pty Ltd/OU=uncle duck/CN=Gogo

These entries must be modified in order to make the CRL:

    R 020925082220Z 010925090120Z 01 unknown /C=AU/ST=Some-State/O=Internet Widgits Pty Ltd/CN=Goofy
    R 020925082341Z 010925092341Z 02 unknown /C=AU/ST=New Zeland/L=Wellington/O=Internet Widgits Pty Ltd/OU=uncle duck/CN=Gogo

At this point just enter the following statements at the prompt:

    $ openssl ca -gencrl -crldays 30 -out temp.pem
    $ openssl crl2pkcs7 -in temp.pem -out pkcs7_crl.pem

At this point you have a PKCS7 file containing a CRL, which can be imported into whatever application supports it.

Best Regards
[Gerardo Maiorano]

-- Original Message --

Hi, I have installed openssl and have started generating client certificates. I would like to know how I can create and maintain CRLs. I would appreciate it if anybody provides any help or resource pointers for this.

Thanks in advance,
Sarath Chandra M
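A consistency check for a hand-edited index.txt before a CRL is generated from it, as an added example that is not part of the original message. It assumes the tab-separated layout (status, expiry, revocation date, serial, file name, subject) with UTCTime stamps; the function names are hypothetical and serial 03 in the sample is constructed.

```python
from datetime import datetime

# Constructed sample. Serials 01 and 02 reuse the thread's entries; serial 03
# is made up to show a V flipped to R by hand without a revocation date.
SAMPLE_INDEX = (
    "R\t020925082220Z\t010925090120Z\t01\tunknown\t/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd/CN=Goofy\n"
    "V\t020925082341Z\t\t02\tunknown\t/C=AU/ST=New Zeland/L=Wellington/O=Internet Widgits Pty Ltd/OU=uncle duck/CN=Gogo\n"
    "R\t020925083000Z\t\t03\tunknown\t/C=AU/O=Example Org/CN=Constructed\n"
)

def parse_time(field):
    """Parse a UTCTime stamp (YYMMDDHHMMSSZ); a ',reason' suffix is ignored."""
    return datetime.strptime(field.split(",")[0], "%y%m%d%H%M%SZ")

def parse_index(text):
    """Split each record on tabs; the subject may contain spaces."""
    records = []
    for lineno, line in enumerate(text.splitlines(), 1):
        fields = line.split("\t")
        if len(fields) != 6:
            raise ValueError(f"line {lineno}: expected 6 fields, got {len(fields)}")
        status, expiry, revoked, serial, _fname, subject = fields
        records.append({"line": lineno, "status": status, "expiry": expiry,
                        "revoked": revoked, "serial": serial.upper(),
                        "subject": subject})
    return records

def audit(records):
    """Return the problems that hand editing can introduce."""
    problems, seen = [], set()
    for r in records:
        where = f"line {r['line']} serial {r['serial']}"
        if r["status"] not in ("V", "R", "E"):
            problems.append(f"{where}: unknown status {r['status']!r}")
        if r["status"] == "R" and not r["revoked"]:
            problems.append(f"{where}: marked R but has no revocation date")
        if r["status"] != "R" and r["revoked"]:
            problems.append(f"{where}: revocation date on a non-revoked entry")
        for name in ("expiry", "revoked"):
            try:
                if r[name]:
                    parse_time(r[name])
            except ValueError:
                problems.append(f"{where}: bad {name} timestamp {r[name]!r}")
        if r["serial"] in seen:
            problems.append(f"{where}: duplicate serial")
        seen.add(r["serial"])
    return problems

def revoked_serials(records):
    return [r["serial"] for r in records if r["status"] == "R" and r["revoked"]]
```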
problems with CRL
Hello!

I have some problems with CRL. I have inserted the following line in the Certificate Extensions section of my openssl.cnf file:

    crlDistributionPoints=URI:http://www.myhost.com/cgi-bin/my.crl

And I faced the following problem. MS Outlook Express tries to get http://www.myhost.com/cgi-bin/my.crl

But I do not know how MS Outlook Express checks for revoked certificates when it is online. Does anyone know about that? What does my.crl mean? Does it have to be a script or something else? If it is a script, what does it have to do? I mean the format of the response for MS Outlook Express.

Yours faithfully,
Valery
Get Signature Algorithm
How to get the 'signature algorithm' from an X509 certificate? Any idea or simple source code on it?

Thanks in advance...

- Novice :(
openssl-0.9.6b.tar.gz.asc
Hello,

I'm having trouble checking openssl package integrity (and I have to do it).

In ftp://ftp.openssl.org/source/ I could find 3 files available:

    openssl-tar.gz
    openssl-tar.gz.md5
    openssl-tar.gz.asc

As far as I know, the asc file should be the public key and I should add it to pgp before anything else:

    %pgp -ka openssl-0.9.6b.tar.gz.asc
    (And the file is under ~/.pgp/ )
    Looking for new keys...
    File '' has signature, but with no text.
    Keyring add error.

What can be wrong? Should the file name be inside the quotes?

I have Pretty Good Privacy(tm) Version 6.5.8. Is this the problem, since openssl-0.9.6b.tar.gz.asc is Version: 2.6.3ia?

What is the md5 file for?

Thanks,
Victor
RE: openssl-0.9.6b.tar.gz.asc
The md5 file contains an md5 checksum of the openssl package. To verify the package use

    md5sum openssl-0.9.6b.tar.gz

The result of the above should match the md5 file.

I'm not so sure about why you can't add the pgp signature. It makes no difference AFAIK that the version of the signature is 2.6.3ia.

- John Airey
Internet systems support officer, ITCSD, Royal National Institute for the Blind, Bakewell Road, Peterborough PE2 6XU
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848

-----Original Message-----
From: Victor S.
Sent: 25 September 2001 14:21
Subject: openssl-0.9.6b.tar.gz.asc

Hello,

I'm having trouble checking openssl package integrity (and I have to do it).

In ftp://ftp.openssl.org/source/ I could find 3 files available:

    openssl-tar.gz
    openssl-tar.gz.md5
    openssl-tar.gz.asc

As far as I know, the asc file should be the public key and I should add it to pgp before anything else:

    %pgp -ka openssl-0.9.6b.tar.gz.asc
    (And the file is under ~/.pgp/ )
    Looking for new keys...
    File '' has signature, but with no text.
    Keyring add error.

What can be wrong? Should the file name be inside the quotes?

I have Pretty Good Privacy(tm) Version 6.5.8. Is this the problem, since openssl-0.9.6b.tar.gz.asc is Version: 2.6.3ia?

What is the md5 file for?

Thanks,
Victor
No shared cipher in debug mode
Hi all,

I have come across quite a strange problem. I have an application that, when run through explorer or the command prompt, will run with the DSA cipher. Now when I run the application through Visual Studio 6 or through debug in Visual Studio 6, the application fails with a 'No shared cipher' during the HELLO phase. I do have SSL_CTX_set_cipher_list ( ctx, "ALL") so I don't understand how I could get a no shared cipher problem.

Has anyone else run into this problem?

-Andrew T. Finnell
Software Engineer
eSecurity Inc
(321) 394-2485
RE: CRL how to
Hi,

How to automatically put an entry in the CRL when a new client certificate is generated?

Regards,
Sarath

-----Original Message-----
From: [EMAIL PROTECTED]
Sent: 25 September 2001 13:28
Subject: RE: CRL how to

Hi Sarath,

In the openssl CA directory there is a file named index.txt which contains a summary of the issued certificates. For example:

    V 020925082220Z 01 unknown /C=AU/ST=Some-State/O=Internet Widgits Pty Ltd/CN=Goofy
    V 020925082341Z 02 unknown /C=AU/ST=New Zeland/L=Wellington/O=Internet Widgits Pty Ltd/OU=uncle duck/CN=Gogo

These entries must be modified in order to make the CRL:

    R 020925082220Z 010925090120Z 01 unknown /C=AU/ST=Some-State/O=Internet Widgits Pty Ltd/CN=Goofy
    R 020925082341Z 010925092341Z 02 unknown /C=AU/ST=New Zeland/L=Wellington/O=Internet Widgits Pty Ltd/OU=uncle duck/CN=Gogo

At this point just enter the following statements at the prompt:

    $ openssl ca -gencrl -crldays 30 -out temp.pem
    $ openssl crl2pkcs7 -in temp.pem -out pkcs7_crl.pem

At this point you have a PKCS7 file containing a CRL, which can be imported into whatever application supports it.

Best Regards
[Gerardo Maiorano]
RE: CRL how to
Hi Sarath,

Why do you want to include a client certificate in the CRL as soon as this client certificate is created? Putting a certificate into the CRL means it's revoked and no longer valid.

If you want to revoke a certificate, read the help proposed for the 'openssl ca' command.

Hope this helps.

On Tue, 25 Sep 2001, Sarath Chandra M wrote:

> Hi,
>
> How to automatically put an entry in the CRL when a new client certificate is generated?
>
> Regards,
> Sarath

--
Erwann ABALEA
RSA PGP Key ID: 0x2D0EABD5
- That's not a bug, that's a feature.
REPOST: confused about signing cert requests from clients
Hello,

I posted the message below last Friday, and I haven't seen any response, not even a curt directive to RTFM (which I have). Perhaps I'm not asking in the right way, or perhaps I'm not asking the right people.

If any of you could explicitly tell me how to sign a certificate request from a browser, while adding my own subject distinguished name, I'd appreciate that very much. Or perhaps you can tell me where I can find out, or give me a pointer to a perl script which does so?

-- Christopher

Hi all,

I've been researching the literature for about a week now, and I've got a very good handle on what needs to happen at the browser with respect to generating a certificate request and installing the signed certificate, but I can't figure out what I need to do to receive the certificate request from a client and sign it with my CA within a CGI script.

1) In what form would the certificate request arrive from the browser?
2) How do I sign it while adding a Subject DN based on how they log in like Thawte does?
3) Is there a way of getting the signed cert to be written to STDOUT instead of a file so I can handle the cert directly without having to open a file?
4) I've seen indications that the signed cert can be combined with the CA cert in one download, so that the CA can be a trusted CA. How does one do this?

TIA for your help.

--Christopher