req -set_serial doesn't work
Hello,

I try to create a self-signed root certificate with

    openssl req -new -x509 -days 9131 -key CAkey.pem -out CAcert.pem

OK - works. But the serial number is 0.

Then I try to set the serial number. I found no way to do it in openssl.cnf. The documentation mentions an option for req:

    -set_serial n    serial number to use when outputting a self signed certificate.

But it doesn't work - when I use this option I always get only the usage message. I used

    openssl req -new -x509 -days 9131 -key CAkey.pem -out CAcert.pem -set_serial 1

and tried also -serial, -setserial etc.

Is this not yet implemented? Is there any way to set the serial number of self-signed certificates to another value than 0?

Best regards, Jochen Keutel.

---
Dr. Jochen Keutel
Wusterhausener Str. 8
D-15732 Eichwalde
Germany
phone +49 30 678 19189
mobile +49 177 6572720
e-mail [EMAIL PROTECTED]

__
OpenSSL Project                    http://www.openssl.org
User Support Mailing List          [EMAIL PROTECTED]
Automated List Manager             [EMAIL PROTECTED]
Re: x509 versions
On Fri, Jul 05, 2002, Justin Georgeson wrote:

> I'm working on a project that needs SSL on a J2ME platform. There's an implementation called kSSL, which I think is still alpha, so there's a good chance that's %95 of the problem. We currently suspect this implementation needs x509 v1 certificates, but OpenSSL seems to generate v 3 certificates (note: that's the version of x509, not ssl). I don't see anything about different versions of x509 in the man page for req. I don't mind hearing that I can't do v1 with OpenSSL (but finding out how would sure be nice). Thanks.

If you comment out the relevant line in the config file (openssl.cnf) which specifies the extension section you should end up with a V1 certificate.

By default these are:

    x509_extensions = usr_cert

in the CA_default section (used by 'ca') and

    x509_extensions = v3_ca

in the req section (used by 'req').

Steve.
--
Dr. Stephen Henson [EMAIL PROTECTED]
OpenSSL Project http://www.openssl.org/~steve/
Re: req -set_serial doesn't work
On Sun, Jul 07, 2002, Jochen Keutel wrote:

> Hello, I try to create a self-signed root certificate with
>
>     openssl req -new -x509 -days 9131 -key CAkey.pem -out CAcert.pem
>
> OK - works. But the serial number is 0. Then I try to set the serial number. I found no way to do it in openssl.cnf. The documentation mentions an option for req:
>
>     -set_serial n    serial number to use when outputting a self signed certificate.
>
> But it doesn't work - when I use this option I always get only the usage message.

set_serial is in OpenSSL 0.9.7 only.

Steve.
--
Dr. Stephen Henson [EMAIL PROTECTED]
OpenSSL Project http://www.openssl.org/~steve/
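The exchange above, as an added example that is not part of the original thread: a script that self-signs a throwaway root with `-set_serial` and reads the serial back with `openssl x509 -serial`, which prints it in hex as whole bytes (decimal 4097 comes back as 1001). The file names, the subject `Example Test Root`, the 30-day lifetime and the helper names `serial_to_hex` and `selfsign_with_serial` are assumptions made for the demonstration.

```shell
#!/bin/sh
# Added example (not from the thread). File names and subject are constructed.

# Hex form in which "openssl x509 -serial" prints a decimal serial (whole bytes).
serial_to_hex() {
    h=$(printf '%X' "$1")
    if [ $(( ${#h} % 2 )) -eq 1 ]; then h="0$h"; fi
    printf '%s\n' "$h"
}

# Self-sign a throwaway root with serial $1 and print the serial the certificate
# actually carries. Prints "unsupported" if req fails, as it does on releases
# before 0.9.7, which lack -set_serial and only show the usage message.
selfsign_with_serial() {
    dir=$(mktemp -d) || return 1
    # Minimal request config: no prompting, no extension section.
    cat > "$dir/req.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = Example Test Root
EOF
    openssl genrsa -out "$dir/CAkey.pem" 2048 2>/dev/null || { rm -rf "$dir"; return 1; }
    if openssl req -new -x509 -days 30 -config "$dir/req.cnf" \
            -key "$dir/CAkey.pem" -out "$dir/CAcert.pem" \
            -set_serial "$1" 2>/dev/null; then
        openssl x509 -in "$dir/CAcert.pem" -noout -serial | sed 's/^serial=//'
        rc=0
    else
        echo "unsupported"
        rc=2
    fi
    rm -rf "$dir"
    return $rc
}

want=4097
got=$(selfsign_with_serial "$want")
echo "requested $want, certificate serial=$got, expected $(serial_to_hex "$want")"
```

Comparing the value read back against the value requested catches a tool that ignored the option, which matters for a CA because issuer name plus serial number is what identifies a certificate.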
Re: xenroll.dll and password protection of keys?
On Fri, Jul 05, 2002, Richard Levitte - VMS Whacker wrote:

> I'm trying to create a form for IE to build a PKCS10 request, using xenroll.dll. It works well, except for one thing: it seems like the private key never gets protected (I'm used to Netscape, where the key database is protected with a password). I've tried to fiddle with the parameters KeySpec and GenKeyFlags, and changing KeySpec to 2 (instead of 1) does generate a dialog box from which you can choose, if you want, to move the key to some store and to set a password for that store (if I understand everything correctly).
>
> I'd like to force the user to protect the key or the key store with a password instead of just giving them the option to do it. Anyone know how one does that? Or is it something fundamental about the key stores that I have misunderstood?

Well AFAIK you can't do that. The corresponding CryptoAPI calls just have a single flag CRYPT_USER_PROTECTED which then throws up the dialog you see. Apart from that there's no control over what happens.

MS does occasionally add some functionality to CryptoAPI so this may be possible on future versions but the newer versions frequently only ship on the latest OSes, though they do occasionally get silently added with MSIE upgrades.

Steve.
--
Dr. Stephen Henson [EMAIL PROTECTED]
OpenSSL Project http://www.openssl.org/~steve/
openssl on windows
Hi

I would like to know if it is possible to use openssl on a windows platform? In the past I have used SSH on a Linux box to run openssl.

Thanks
V

EMAIL DISCLAIMER

Please Note: The information contained in this message may be privileged and confidential, protected from disclosure, and/or intended only for the use of the individual or entity named above. If the reader of this message is not the intended recipient, or an employee or agent responsible for delivering this message to the intended recipient, you are hereby notified that any disclosure, distribution, copying or other dissemination of this communication is strictly prohibited. If you received this communication in error, please immediately reply to the sender, delete the message and destroy all copies of it. Thank You
RE: req -set_serial doesn't work
Hello,

> set_serial is in OpenSSL 0.9.7 only.

thanks. I'm using 0.9.6d. I've been confused because the documentation on http://www.openssl.org/ showed this flag - and I didn't know that also features of coming versions (0.9.7 is still Beta ...) are shown.

I should have read the changelog (http://www.openssl.org/news/changelog.html) before ... There it is clearly stated that this comes new with 0.9.7.

Thanks again, Jochen.
Re: openssl on windows
On Sun, Jul 07, 2002 at 03:37:19AM -0400, Vorster, Vian wrote:

> Hi
>
> I would like to know if it is possible to use openssl on a windows platform? In the past I have used SSH on a Linux box to run openssl.

what do you want to do with it?

> Thanks
> V