Re: CRL in OpenSSL 0.9.6c
Thank you. But since I use Borland C++ Builder to compile OpenSSL, and it is still broken for making DLLs with this compiler, are any DLLs of the 0.9.7 version compiled with VC++ available for download? Or maybe this problem is corrected with 0.9.7 (I wish so...)

Best Regards
Boguslaw

----- Original Message -----
From: "Dr S N Henson" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Saturday, March 09, 2002 8:25 PM
Subject: Re: CRL in OpenSSL 0.9.6c

> Bogusław Brandys wrote:
> >
> > Hello,
> >
> > I have one question about CRL: does X509_verify_cert parse the CRL list?
> > I tried to use X509_STORE_load_locations to load a CRL file with the revocation
> > of the certificate which is used for signing. The surprise is that verify is always
> > successful whether the certificate is marked as revoked in the CRL or not.
> > Maybe I don't understand something?
> >
>
> It doesn't work because CRL checking was only added in 0.9.7.
>
> Steve.
> --
> Dr Stephen N. Henson. http://www.drh-consultancy.demon.co.uk/
> Personal Email: [EMAIL PROTECTED]
> Senior crypto engineer, Gemplus: http://www.gemplus.com/
> Core developer of the OpenSSL project: http://www.openssl.org/
> Business Email: [EMAIL PROTECTED] PGP key: via homepage.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
Re: CRL in OpenSSL 0.9.6c
Bogusław Brandys wrote:
>
> Hello,
>
> I have one question about CRL: does X509_verify_cert parse the CRL list?
> I tried to use X509_STORE_load_locations to load a CRL file with the revocation
> of the certificate which is used for signing. The surprise is that verify is always
> successful whether the certificate is marked as revoked in the CRL or not.
> Maybe I don't understand something?
>

It doesn't work because CRL checking was only added in 0.9.7.

Steve.
--
Dr Stephen N. Henson. http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED]
Senior crypto engineer, Gemplus: http://www.gemplus.com/
Core developer of the OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED] PGP key: via homepage.
Revocation list usage (CRL)
hello,

I have such a code in my signing DLL:

    int verifycert(X509 *x509)
    {
        /* Return values:  0 - certificate is VALID
                          -1 - certificate is INVALID, REVOKED or EXPIRED. */
        int exitcode, i;
        unsigned char *c = ROOT_certificate;
        X509 *root = d2i_X509(NULL, &c, sizeof(ROOT_certificate));
        X509_STORE *store = X509_STORE_new();
        X509_STORE_CTX *store_ctx = X509_STORE_CTX_new();
        char *dir = getfilepath();

        X509_STORE_add_cert(store, root);
        X509_STORE_load_locations(store, "root.crl", dir);

> Look above! I put this to simplify the code: root.crl is a list of revoked
> certificates placed in "dir". I know that I could use PEM to load the CRL and
> extract the X509_CRL from it, but this code was working really well for my
> root CA when I had:
>
>     X509_STORE_load_locations(store, "root.pem", dir);
>
> (before I just put the root CA into the code (hardcoded))
> <-- end of comment

It seems it's not working with CRL!!! Why?? Please give me an explanation, because I still don't know the OpenSSL code well.

Best Regards
Boguslaw

...and below is the rest of the code if you like it ;-)

        X509_STORE_CTX_init(store_ctx, store, x509, NULL);
        i = X509_verify_cert(store_ctx);
        if (i)
            exitcode = 0;
        else {
            exitcode = -1;
            int err = X509_STORE_CTX_get_error(store_ctx);
            fillerror(err);
        }
        X509_STORE_CTX_cleanup(store_ctx);
        X509_STORE_CTX_free(store_ctx);
        X509_STORE_free(store);
        X509_free(root);
        return exitcode;
    }
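What Boguslaw sees (the store loads root.crl without complaint, yet X509_verify_cert never reports "revoked") is, with 0.9.7 and later, still the default unless revocation checking is switched on explicitly: in the library that is X509_STORE_set_flags(store, X509_V_FLAG_CRL_CHECK) before the verify call, and on the command line it is `openssl verify -crl_check`. The script below is an added example, not code from this thread: it builds a throw-away CA, issues and then revokes a test certificate, publishes a CRL, and verifies the certificate once with the CRL merely loaded and once with checking enabled, so the difference Steve's reply describes is visible. It assumes an `openssl` binary (1.1.1 or 3.x) on PATH; the CA name, the file names and the configuration are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes: openssl 1.1.1 or 3.x on PATH.
# Builds a constructed demo CA in the directory given as $1, issues a leaf
# certificate, revokes it and writes a CRL; the verify functions then show
# that the CRL is only consulted when revocation checking is enabled.
set -eu

crl_demo_setup() {
    work=$1
    mkdir -p "$work/newcerts"
    : > "$work/index.txt"           # the 'openssl ca' database, empty to start
    echo 01 > "$work/serial"
    echo 01 > "$work/crlnumber"
    # Minimal configuration for 'openssl req' and 'openssl ca'; paths are
    # expanded by the shell so nothing depends on a system openssl.cnf.
    cat > "$work/ca.cnf" <<EOF
[ req ]
distinguished_name = dn
prompt = no
x509_extensions = ca_ext
[ dn ]
CN = Demo Root CA (constructed)
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ leaf_ext ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature
[ ca ]
default_ca = demo_ca
[ demo_ca ]
database = $work/index.txt
new_certs_dir = $work/newcerts
certificate = $work/ca.pem
private_key = $work/ca.key
serial = $work/serial
crlnumber = $work/crlnumber
default_md = sha256
default_days = 30
default_crl_days = 30
x509_extensions = leaf_ext
policy = demo_policy
[ demo_policy ]
commonName = supplied
EOF
    # Self-signed root; its DER form ('openssl x509 -in ca.pem -outform DER')
    # is what a hard-coded ROOT_certificate array would hold.
    openssl req -config "$work/ca.cnf" -x509 -newkey rsa:2048 -nodes -days 30 \
        -keyout "$work/ca.key" -out "$work/ca.pem" 2>/dev/null
    # Leaf request, signed by the CA, then revoked, then a CRL issued.
    openssl req -config "$work/ca.cnf" -new -newkey rsa:2048 -nodes \
        -subj /CN=demo-signer -keyout "$work/leaf.key" -out "$work/leaf.csr" 2>/dev/null
    openssl ca -config "$work/ca.cnf" -batch -notext \
        -in "$work/leaf.csr" -out "$work/leaf.pem" >/dev/null 2>&1
    openssl ca -config "$work/ca.cnf" -revoke "$work/leaf.pem" >/dev/null 2>&1
    openssl ca -config "$work/ca.cnf" -gencrl -out "$work/crl.pem" 2>/dev/null
}

# The thread's situation: root certificate and CRL both loaded into the store,
# but no CRL flag set. The CRL is never consulted. Exit 0 = accepted.
verify_ignoring_crl() {
    openssl verify -CAfile "$1/ca.pem" -CRLfile "$1/crl.pem" \
        "$1/leaf.pem" >/dev/null 2>&1
}

# -crl_check is the CLI form of X509_V_FLAG_CRL_CHECK: a CRL from the issuer
# must now be present and must not list the leaf. Prints openssl's verdict;
# exit 0 = accepted.
verify_checking_crl() {
    openssl verify -crl_check -CAfile "$1/ca.pem" -CRLfile "$1/crl.pem" \
        "$1/leaf.pem" 2>&1
}

crl_demo_main() {
    work=$(mktemp -d)
    crl_demo_setup "$work"
    if verify_ignoring_crl "$work"; then
        echo "no -crl_check : revoked certificate ACCEPTED (CRL loaded but never consulted)"
    fi
    if verify_checking_crl "$work" | grep -q 'certificate revoked'; then
        echo "-crl_check    : revoked certificate REJECTED"
    fi
    rm -rf "$work"
}

crl_demo_main
```

The second check fails for the revoked leaf with "error 23 at 0 depth lookup: certificate revoked"; it would also fail, with a "unable to get certificate CRL" error, if no CRL for the issuer had been loaded at all, which is the behaviour a signing service wants: a missing or stale CRL is a verification failure, not a silent pass.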
Re: Hard-coded trusted CA-cert
Hello,

I'm a newbie but now I can hardcode the root certificate. Thank you!
Still one question:

    X509 *x;
    ..
    X509_free(x); // do I have to call this?

Also any example of how to read a certificate to/from a memory buffer would be nice. ;-)

Boguslaw Brandys

----- Original Message -----
From: "Dilkie, Lee" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, February 26, 2002 6:20 PM
Subject: RE: Hard-coded trusted CA-cert

> Dennis,
>
> This is what I did. I think I just looked into the SSL_CTX_load_verify_locations() function and copied what it did.
>
>     {
>         X509 *x = NULL;
>         unsigned char *c;
>
>         c = CACert;
>         x = d2i_X509(NULL, &c, (long) sizeof(CACert));
>         if (x == NULL) {
>             PostErrStack("MiSslInit(): d2i_X509(CACert) failed");
>             goto ERROR_CLEANUP;
>         }
>         if (!SSL_CTX_add_extra_chain_cert(sslctx, x)) {
>             PostErrStack("MiSslInit(): SSL_CTX_add_extra_chain_cert() failed");
>             goto ERROR_CLEANUP;
>         }
>     }
>
> hope this helps.
>
> -lee
>
> -----Original Message-----
> From: Dennis Jarosch [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, February 26, 2002 5:47 AM
> To: [EMAIL PROTECTED]
> Subject: Hard-coded trusted CA-cert
>
> Hi everybody!
>
> I'm searching for a way of hard-coding a trusted CA certificate into a
> client executable. I have browsed the archives and the documentation,
> but I was unable to find anything useful yet.
>
> Currently, I use SSL_CTX_load_verify_locations() to load my trusted
> CA file. In my case there will only be one trusted CA and I'd prefer not
> to load it from a file.
>
> So is there a way of declaring something like this:
>
>     unsigned char CACert[] = {0x30, 0x82, 0x02, 0x6B, ...};
>
> which could be generated using 'openssl x509 -C -noout -in cacert.pem'
> and feeding it to the CTX for verification?
>
> Thanks for any help!
>
> Dennis
CRL in OpenSSL 0.9.6c
Hello,

I have one question about CRL: does X509_verify_cert parse the CRL list?
I tried to use X509_STORE_load_locations to load a CRL file with the revocation of the certificate which is used for signing. The surprise is that verify is always successful whether the certificate is marked as revoked in the CRL or not.
Maybe I don't understand something?

Boguslaw
Re: Creating a SSL Certificate
Hi Eugenio,

Creating SSL certificates is the raison d'être of OpenSSL. So yes, that's possible.

About domain names: you are confusing the domain name (like "example.com") with the common name (like "www.example.com"). The common name is the same as the name of your web server. If you create a Certificate Signing Request, you will always be asked for the common name.

If you need OpenSSL just for signing one single Certificate Signing Request, you could as well create a self-signed certificate with IIS. That would be way easier. IIS undoubtedly will offer this possibility.

Best regards,
Huibert

Quoting Eugenio Pacheco <[EMAIL PROTECTED]>:

> Hi,
>
> Is it possible to create an SSL Certificate using openssl? I didn't quite
> understand what these certificates are for. Usually SSL Certificates ask
> for a domain name so it can be associated with it, and I didn't get
> anywhere asking me for a domain name. How can I create an SSL Certificate
> using openssl and install it in IIS for a website? Is it possible?
>
> Thanks in advance.
>
> Eugenio Pacheco
Creating a SSL Certificate
Hi,

Is it possible to create an SSL Certificate using openssl? I didn't quite understand what these certificates are for. Usually SSL Certificates ask for a domain name so it can be associated with it, and I didn't get anywhere asking me for a domain name. How can I create an SSL Certificate using openssl and install it in IIS for a website? Is it possible?

Thanks in advance.

Eugenio Pacheco
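As an added example, not part of this thread: the two routes Huibert describes, a Certificate Signing Request to hand to a CA and a self-signed certificate for a test server, each carrying the web server's host name, followed by the check a client performs after validating the chain, the name in the certificate against the name it connected to. It assumes an `openssl` binary (1.1.1 or 3.x) on PATH; www.example.com, the password-less keys and the file names are constructed. It goes a little beyond the thread by also placing the host name in subjectAltName, because current browsers match the host name there and ignore the common name once a SAN is present.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes: openssl 1.1.1 or 3.x on PATH.
# $1 = working directory, $2 = host name the web server is reached under.
set -eu

# A tiny config so the run does not depend on a system openssl.cnf. The host
# name goes into the common name (what the thread talks about) and into
# subjectAltName (what today's clients actually match against).
write_req_config() {
    cat > "$1/req.cnf" <<EOF
[ req ]
distinguished_name = dn
prompt = no
req_extensions = srv_ext
x509_extensions = srv_ext
[ dn ]
CN = $2
[ srv_ext ]
subjectAltName = DNS:$2
extendedKeyUsage = serverAuth
EOF
}

# Route 1: private key plus a CSR to submit to a CA (or to 'openssl ca').
make_csr() {
    write_req_config "$1" "$2"
    openssl req -config "$1/req.cnf" -new -newkey rsa:2048 -nodes \
        -keyout "$1/server.key" -out "$1/server.csr" 2>/dev/null
}

# Route 2: a self-signed certificate, enough for a test server; no client
# trusts it unless the certificate itself is imported as a trust anchor.
make_selfsigned() {
    write_req_config "$1" "$2"
    openssl req -config "$1/req.cnf" -x509 -newkey rsa:2048 -nodes -days 30 \
        -keyout "$1/server.key" -out "$1/server.pem" 2>/dev/null
}

# Print the CSR's subject so the common name can be checked before submitting.
csr_subject() {
    openssl req -in "$1/server.csr" -noout -subject
}

# Exit 0 only if the self-signed certificate is valid for host name $2.
# -verify_hostname performs the same name check a browser does.
cert_valid_for_host() {
    openssl verify -CAfile "$1/server.pem" -verify_hostname "$2" \
        "$1/server.pem" >/dev/null 2>&1
}

cert_demo_main() {
    work=$(mktemp -d)
    make_csr "$work" www.example.com
    echo "CSR subject: $(csr_subject "$work")"
    make_selfsigned "$work" www.example.com
    for host in www.example.com example.com; do
        if cert_valid_for_host "$work" "$host"; then
            echo "$host: certificate accepted"
        else
            echo "$host: rejected (name in certificate does not match)"
        fi
    done
    rm -rf "$work"
}

cert_demo_main
```

The second loop iteration is the point of Huibert's reply: a certificate issued for www.example.com is not valid for example.com (or any other name under the domain), so the name put into the request has to be exactly the name clients will type.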
Re: Client private-key and certificate w IE Browser
Amodhini U wrote:
>
> Hi,
>
> Could you please help me? Specifically, how can I
> import a PKCS#8 private-key into the local IE
> Browser's security database?
> (After that, importing the associated local
> certificate in .der or .cer format should be plain
> sailing.)
>

You can't. AFAIK IE doesn't support PKCS#8.

> (I don't want to combine the local private-key and
> local certificate into a PKCS#12 object. That would
> compromise security.)
>

What makes you think that? PKCS#12 is the only standard way to import an externally generated key and certificate into IE. In any case PKCS#12 uses PKCS#8 internally for private key storage and encryption.

It could be argued that the need to generate and transfer a private key externally is already reducing the security of this system. A better way to do things is to generate the private key and certificate request on the client using Xenroll and then just install the certificate.

Steve.
--
Dr Stephen N. Henson. http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED]
Senior crypto engineer, Gemplus: http://www.gemplus.com/
Core developer of the OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED] PGP key: via homepage.
Client private-key and certificate w IE Browser
Hi,

Using OpenSSL I've created an (RSA algorithm) Root private-key and associated (X.509v3) Root CA certificate.

On each user (client) (Windows) machine I've been happily creating, again using OpenSSL, a private-key and associated client certificate (issued by my above Root CA in response to a CSR). The goal is to provide client authentication to a central secure web server.

On each client machine I was able to import the Root CA certificate into the IE browser's security database. However I'm failing miserably to import the local private-key into the local IE Browser's security database. (Consequently, of course, importing the local client certificate alone into the IE Browser is of no use at all.)

Could you please help me? Specifically, how can I import a PKCS#8 private-key into the local IE Browser's security database? (After that, importing the associated local certificate in .der or .cer format should be plain sailing.)

(I don't want to combine the local private-key and local certificate into a PKCS#12 object. That would compromise security.)

Thank you very much, in advance

Amodhini U
[EMAIL PROTECTED]
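An added example, not from this thread, of the packaging Steve's reply points to: the client key and certificate bundled into one PKCS#12 file for the browser import, plus the two checks worth running before the file is handed over. It also makes his remark about PKCS#8 visible: what comes back out of the bundle is a PKCS#8 PrivateKeyInfo. It assumes an `openssl` binary (1.1.1 or 3.x) on PATH; the subject name, the password and the file names are constructed, and a self-signed certificate stands in for the CA-issued client certificate. The example goes beyond the thread in one respect: it selects AES-256 and SHA-256 for the bundle's own protection, because the pre-3.0 defaults (RC2-40 for the certificate bag, 3DES for the key, SHA-1 MAC) are weak, and RC2 is no longer in the default provider of 3.x.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes: openssl 1.1.1 or 3.x on PATH.
set -eu

# Constructed client key + self-signed certificate standing in for the key and
# CA-issued certificate made on the client machine in the thread.
make_client_identity() {
    printf '[ req ]\ndistinguished_name = dn\nprompt = no\n[ dn ]\nCN = %s\n' "$2" \
        > "$1/req.cnf"
    openssl req -config "$1/req.cnf" -x509 -newkey rsa:2048 -nodes -days 30 \
        -keyout "$1/client.key" -out "$1/client.pem" 2>/dev/null
}

# Bundle key + certificate into PKCS#12 for the browser import. The export
# password is all that protects the private key while the file is in transit,
# so in real use it is chosen by the operator and passed out of band.
make_pkcs12() {
    openssl pkcs12 -export -inkey "$1/client.key" -in "$1/client.pem" \
        -name "client identity (constructed)" \
        -keypbe AES-256-CBC -certpbe AES-256-CBC -macalg sha256 \
        -passout "pass:$2" -out "$1/client.p12" 2>/dev/null
}

# Check 1: the bundle opens with the password, and the key that comes out is a
# PKCS#8 PrivateKeyInfo ("BEGIN PRIVATE KEY"), which is what PKCS#12 carries
# inside its shrouded key bag. Prints the PEM type line.
extracted_key_type() {
    openssl pkcs12 -in "$1/client.p12" -passin "pass:$2" -nocerts -nodes 2>/dev/null \
        | grep '^-----BEGIN' | head -n 1
}

# Check 2: the key and certificate in the bundle belong together: the public
# key derived from the private key equals the one in the certificate.
# Exit 0 if they match (also fails if the password is wrong).
key_matches_cert() {
    k=$(openssl pkcs12 -in "$1/client.p12" -passin "pass:$2" -nocerts -nodes 2>/dev/null \
        | openssl pkey -pubout 2>/dev/null)
    c=$(openssl pkcs12 -in "$1/client.p12" -passin "pass:$2" -nokeys 2>/dev/null \
        | openssl x509 -pubkey -noout 2>/dev/null)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

p12_demo_main() {
    work=$(mktemp -d)
    pw='constructed-demo-password'
    make_client_identity "$work" "client01 (constructed)"
    make_pkcs12 "$work" "$pw"
    echo "key inside the bundle is: $(extracted_key_type "$work" "$pw")"
    if key_matches_cert "$work" "$pw"; then
        echo "key and certificate match; client.p12 is ready for import"
    fi
    rm -rf "$work"
}

p12_demo_main
```

The bundle is only needed because the key was generated off the client; the route Steve prefers, a key pair created in the browser's own key store with only the certificate travelling back, removes the transfer and the password altogether.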
RE: I need to know how to generate a certificate in pkcs7 format with openSSL
It is in the apps directory.

-----Original Message-----
From: GOLDING,CHARLTON (Non-HP-Corvallis,ex1) [mailto:[EMAIL PROTECTED]]
Sent: Friday, March 08, 2002 2:21 PM
To: '[EMAIL PROTECTED]'
Subject: RE: I need to know how to generate a certificate in pkcs7 format with openSSL

Chet Golding
Hewlett-Packard ESDO, Operations Engineering

>-----Original Message-----
>From: Dr S N Henson [mailto:[EMAIL PROTECTED]]
>Sent: Thursday, March 07, 2002 6:01 PM

Thanks, [Steve, good info!] we're on the right track now. A few fine details to work out but it is running.

I had a question on this following part:

>The openssl docs describe how the certificate creation utilities work in
>some detail and there's a wrapper perl script CA.pl that calls the
>openssl utility using the most commonly used options.

I've not found a CA.pl script. What I see in the /misc directory is a CA script but that isn't in perl, so I wanted to check in case I'm missing something. Where can I find this CA.pl?

Chet Golding
Hewlett-Packard ESDO, Operations Engineering