Unable to create multiple certificates from a single self-signed CA.
Hi Folks!

I want to create 5 certificates from a single self-signed CA. I've been able to create 3 certificates as of now. However, only the first certificate of mine is working with the root certificate; the other 2 are not working. The later 2 certificates are created from the same CA.crt and CA.key as were used to create the first certificate. The differences that lie with all the 3 certificates are as below:

1. Common Name
2. Subject and DNS name in the SubjectAltName
3. Serial Number of the certificates (with numbers 2 and 3 chosen for the later created 2 certificates)

Frankly, I do not know how to create multiple certificates from a single self-signed CA. Please, someone guide me in this. Also, my CA.crt and CA.key have already been flashed to the device, so I do not have any option of re-creating the CA.crt and CA.key. I saw somewhere on a post that separate CA.keys need to be developed as well for creating multiple certificates. Is this true? If yes, do I need to create a new CA.key for every new certificate to be certified by this single CA, keeping in consideration that CA.crt and 1 CA.key have already been flashed to the device? Please, someone help and elaborate on this.

Thanks and regards,
Rajat
SSL_read() returns result of 0 with SSL_ERROR_SYSCALL - error queue empty?
Hey,

I am making some progress on the multithreaded socket server. Things are going well. However, every so often pretty much all (or all of them, I'm yet to check; either way, it's a majority) of the connected sockets end up having SSL_read() performed on them, and this function returns 0. I then run SSL_get_error(ssl, [return value of SSL_read]) which gives me back SSL_ERROR_SYSCALL. I then run ERR_print_errors_fp(stdout) to check the remainder of the errors, but there are none! And errno immediately after calling SSL_read() is zero (I set it to zero prior to calling SSL_read as well).

What is going on here? A majority of the sockets all return this at the same time (a read loop which iterates each socket comes across this error for all of them), usually within 1-2 times per hour, causing the sockets to be closed (because I pick up a return of 0 as an error). What is going wrong here? 80+ connected clients all get disconnected due to this outstanding issue. The other 99% of the time, the system is functioning correctly and communicating fine.

Because it says SSL_ERROR_SYSCALL, I do as the manual suggests and check the error queue; there are no other errors. errno is also zero. What am I supposed to do to handle this error? Any ideas?

Thanks,
Andrew
Re: Unable to create multiple certificates from a single self-signed CA.
On Tuesday 22 May 2007 07:37, Rajat Dudeja wrote:
> Hi Folks! I want to create 5 certificates from a single self-signed CA. I've been able to create 3 certificates as of now. However, only the first certificate of mine is working with the root certificate; the other 2 are not working.

Could you please explain what you mean by "not working"?

> The later 2 certificates are created from the same CA.crt and CA.key as were used to create the first certificate. The differences that lie with all the 3 certificates are as below:
> 1. Common Name
> 2. Subject and DNS name in the SubjectAltName
> 3. Serial Number of the certificates (with numbers 2 and 3 chosen for the later created 2 certificates)
> Frankly, I do not know how to create multiple certificates from a single self-signed CA. Please, someone guide me in this. Also, my CA.crt and CA.key have already been flashed to the device, so I do not have any option of re-creating the CA.crt and CA.key. I saw somewhere on a post that separate CA.keys need to be developed as well for creating multiple certificates. Is this true?

Not as far as I know - what you need is separate user keys. You generate a new user key and you use this to sign a csr, e.g.:

    $ openssl genrsa -des3 -out user2_key.pem 2048
    $ openssl req -new -key user2_key.pem -out user2_req.pem

Notes:

1. If you are keeping to the convention of naming the extensions *.crt and *.key then change the above, from user2_key.pem to user2.key, from user2_req.pem to user2.csr. You may also want to add the date to the name of the *.csr file, so that when you create a newer version you do not mix them up.
2. 2048 can be any appropriate number of bits (1024, 4096, etc.) depending on the required strength of the private key.
3. On a Linux machine check the man pages for the relevant openssl commands and options like so: $ man openssl-x509, $ man openssl-genrsa, etc.

Then you use your CA.crt and your CA.key to sign the user2_cert.csr with:

    # -set_serial must differ for each certificate the CA issues (01, 02, 03, ...)
    $ openssl x509 -req -in user2_req.pem -days 365 -CA CA.crt -CAkey CA.key \
        -set_serial 01 -out user2_cert.pem

That should create a new SSL certificate, signed by your CA, valid for one year, for user2. Repeat for user3 to user5. Of course, there's more than one way to skin a cat - the above is just one of them. It depends how many certs you will be creating over time; setting up a /etc/ssl/openssl.cnf file with your default settings will help automate the process and minimise the option entries on the command line.

--
Regards,
Mick
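As an added example, not Mick's commands and not part of the original thread, the procedure above scripted end to end: one CA key reused for every certificate, a separate private key per leaf, a distinct serial number per certificate, and an `openssl verify` against the CA at the end. The throwaway CA it creates in a temporary directory stands in for the CA.crt and CA.key already flashed to the device; the host names, file names and config contents are constructed for the example.

```sh
#!/bin/sh
# Added example (not from the thread): issue several leaf certificates from
# one CA key and verify each against the CA. The demo CA created here is a
# stand-in for an existing CA.crt/CA.key; host names are constructed.
set -eu

# Minimal req config so the run does not depend on the system openssl.cnf.
write_cfg() {
    cat > "$1" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
x509_extensions = v3_ca
[ dn ]
CN = Demo Root CA
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
}

# make_demo_ca <dir>: self-signed CA (stand-in for the flashed CA.crt/CA.key)
make_demo_ca() {
    write_cfg "$1/openssl.cnf"
    openssl req -x509 -config "$1/openssl.cnf" -newkey rsa:2048 -nodes \
        -keyout "$1/CA.key" -out "$1/CA.crt" -days 30 -subj "/CN=Demo Root CA" 2>/dev/null
}

# issue_cert <dir> <name> <serial> <dnsname>: fresh leaf key + CSR, signed by
# the single CA key. Only the leaf key, subject, SAN and serial differ
# between certificates; the CA key is never regenerated.
issue_cert() {
    dir=$1 name=$2 serial=$3 dns=$4
    openssl genrsa -out "$dir/$name.key" 2048 2>/dev/null
    openssl req -new -config "$dir/openssl.cnf" -key "$dir/$name.key" \
        -subj "/CN=$dns" -out "$dir/$name.csr"
    # Leaf extensions: SAN, plus CA:FALSE so a leaf cannot itself issue certs.
    cat > "$dir/$name.ext" <<EOF
basicConstraints = CA:FALSE
keyUsage = digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth,clientAuth
subjectAltName = DNS:$dns
EOF
    openssl x509 -req -in "$dir/$name.csr" -CA "$dir/CA.crt" -CAkey "$dir/CA.key" \
        -set_serial "$serial" -days 365 -extfile "$dir/$name.ext" \
        -out "$dir/$name.crt" 2>/dev/null
}

# serial_of <cert>: the certificate's serial number, printed as "serial=02"
serial_of() {
    openssl x509 -noout -serial -in "$1"
}

# verify_all <dir> <name>...: every leaf must chain to CA.crt
verify_all() {
    dir=$1; shift
    for n in "$@"; do
        openssl verify -CAfile "$dir/CA.crt" "$dir/$n.crt" >/dev/null || return 1
    done
}

# run_demo: three leaves with serials 1..3, then verification of all of them
run_demo() {
    dir=$(mktemp -d)
    make_demo_ca "$dir"
    i=1
    for host in dev1.example.test dev2.example.test dev3.example.test; do
        issue_cert "$dir" "user$i" "$i" "$host"
        i=$((i + 1))
    done
    verify_all "$dir" user1 user2 user3
}
```

Two things worth checking on any certificate that "does not work": `openssl verify -CAfile CA.crt user2.crt` must print `OK`, and `openssl x509 -noout -serial -in` must give a serial no other certificate from that CA carries. Duplicate serials under one issuer are the usual way a second certificate gets rejected by software that caches the first one.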
How to improve the performance of SSL_Read
Hi,

How to improve the performance of the SSL_Read call? Is there any call to increase the buffer capacity? I am able to read around 1300 bytes at a time. It is taking 5 to 6 seconds for reading the whole response (header and body) from the server, which is very slow. I have tried using BIO_gets but I am not able to read the body. I am able to read only the header and after that it is coming out of the while loop. Please help me to solve this issue. Please send me any OpenSSL examples using BIO_gets and SSL_Read.

Thanks in advance,
Ghouse.

__
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager [EMAIL PROTECTED]
Re: Using OpenSSL certs in Kmail
On Monday 21 May 2007 22:56, Mick wrote:
> I have created a PKCS12 certificate and imported it into Kmail. However, when I try to select it as the preferred key for my email account, it comes up with a red x across the key symbol. I take this to mean that it is unsuitable. When I check it with Kleopatra I see this under Dump:
>
>     keyType: 4096 bit RSA
>     subjKeyId: [?]
>     authKeyId: [?]
>     keyUsage: [error: No value]
>     extKeyUsage: [none]
>     policies: [none]
>     chainLength: [error: No value]
>     crlDP: [error]
>     authInfo: [error]
>     subjInfo: [error]
>
> It also shows under Details:
>
>     Can be used for signing: No
>     Can be used for encryption: No
>     Can be used for certification: No
>     Can be used for authentication: No
>
> gpgsm also spits out some errors:
>
>     validity: 2007-05-19 18:12:12 through 2010-05-18 18:12:12
>     key type: 4096 bit RSA
>     key usage: [error: No value]
>     chain length: [error: No value]
>
> However, when I am examining the email.crt certificate I created with openssl x509, which I later fed into openssl pkcs12 to create the pkcs12 certificate, everything seems to be in order:
>
>     Certificate purposes:
>     SSL client : Yes
>     SSL client CA : No
>     SSL server : Yes
>     SSL server CA : No
>     Netscape SSL server : Yes
>     Netscape SSL server CA : No
>     S/MIME signing : Yes
>     S/MIME signing CA : No
>     S/MIME encryption : Yes
>     S/MIME encryption CA : No
>     CRL signing : Yes
>     CRL signing CA : No
>     Any Purpose : Yes
>     Any Purpose CA : Yes
>     OCSP helper : Yes
>     OCSP helper CA : No
>
> Any ideas what I've done wrong?

Hmm, I wonder if this is just a Kmail bug . . . I have tried decoupling the key and the certs from the pkcs12 bundle and imported them manually using gpgsm but the same errors come up.

--
Regards,
Mick
Re: Custom extensions in certificate request
On Mon, May 21, 2007, Shane wrote:
> Hello all,
>
> I am attempting to write a script which generates csr requests capable of submitting to www.symbiansigned.com to generate a developer certificate. Currently to my knowledge there is no Unix software to do this. I had a look at the csr generated by the Symbian Windows software and it's using a few custom extensions not recognized by openssl. Two of these are common for all csr requests and one is specific to the hardware device. I can generate the extensions by using entries in openssl.cnf but I'm not sure of what values to give the custom extensions.
>
> Here is the output of req -text -noout of the Symbian-generated csr.
>
>     Attributes:
>     Requested Extensions:
>         1.2.826.0.1.1796587.1.1.1.1: critical
>         0...35881118300
>         1.2.826.0.1.1796587.1.1.1.6: critical
>         ...-...
>     Signature Algorithm: dsaWithSHA1
>
> The first extension should be marked critical according to this but has no value data, at least none displayed by req. The second again with no value data and the third with the value shown as ...-. I assume that the ...- bit is because the value is non-displayable. Any way to have openssl generate a hexdump of the value of these extensions? Also, for extensions with no value, how would one write that in openssl.cnf? If I write the extension as xxx=critical, openssl chokes, or xxx=critical,der: chokes again; it appears it needs something in the data part. I'm not sure an empty extension is legal.

The display OpenSSL uses for an unsupported extension by default isn't very informative but it is there for legacy reasons. Try including the option:

    -reqopt ext_parse

which will put unsupported ASN1 extensions through the ASN1 parser.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
Newbie questions
Hello,

I downloaded and installed OpenSSL on a Windows environment. I then used the openssl application to start the s_client and s_server. I ran the client and server with the following commands. I then attempted to connect my client to the s_server. I managed to connect to the server but failed to transmit data. Can anybody point me to a simple example I can use to get me rolling on this?

Much appreciated,
Garyc
c_rehash problems
Hi, I have a scenario with 2 computers: one using Gentoo and one using Windows. I need stunnel to encrypt the connection between both computers, and so in order to make stunnel work I have to create a certificate for both computers. Fortunately it's automatic for Gentoo, but it's not for both Windows and Cygwin, so I used a tutorial: http://www.stunnel.org/examples/client_cert.html but here comes the c_rehash problem:

    $ c_rehash
    c_rehash: rehashing skipped ('openssl' program not available)

It says that in both Windows and Cygwin... What should I do?
Sending data to s_server?
Hello,

I want to see a message from my test client to the openssl s_server. I connect fine. However, when I send a message to the server I see the following:

    C:\www\opensssl\bin\openssl.exe s_server -accept 2000 -debug -nocert
    Loading 'screen' into random state - done
    Using default temp DH parameters
    Using default temp ECDH parameters
    ACCEPT
    read from 0xa4a380 [0xa54bb0] (11 bytes = 11 (0xB))
    - 68 65 6c 6c 6f 20 77 6f-72 6c 64   hello world
    ERROR
    2272:error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol:.\ssl\s23_srvr.c:562:
    shutting down SSL
    CONNECTION CLOSED
    ACCEPT

It looks like it's just printing the first 11 characters of the message. Not sure why it clipped the "what the hell is going on" part, but I'm sure it's pretty obvious. Not to me. Could somebody be so kind to enlighten me on what is going on?

Thanks,
Garyc
Re: Sending data to s_server?
> Hello, I want to see a message from my test client to the openssl s_server. I connect fine. However, when I send a message to the server I see the following:
>
>     C:\www\opensssl\bin\openssl.exe s_server -accept 2000 -debug -nocert
>     Loading 'screen' into random state - done
>     Using default temp DH parameters
>     Using default temp ECDH parameters
>     ACCEPT
>     read from 0xa4a380 [0xa54bb0] (11 bytes = 11 (0xB))
>     - 68 65 6c 6c 6f 20 77 6f-72 6c 64   hello world
>     ERROR
>     2272:error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol:.\ssl\s23_srvr.c:562:
>     shutting down SSL
>     CONNECTION CLOSED
>     ACCEPT
>
> It looks like it's just printing the first 11 characters of the message. Not sure why it clipped the "what the hell is going on" part, but I'm sure it's pretty obvious. Not to me. Could somebody be so kind to enlighten me on what is going on?

This only means that your client established a TCP connection but there is no SSL negotiation. Your client is not trying to establish an SSL connection over the TCP connection; it sends your data directly over TCP.

Best regards,
--
Marek Marcola [EMAIL PROTECTED]
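As an added illustration of Marek's point (example code written for this page, not from Marek or the OpenSSL project): s_server reports "unknown protocol" because the first bytes it reads are neither a TLS record header nor an SSLv2-style ClientHello, just the literal text. The function below applies the same first-bytes check to a captured file, which is a handy triage step when a TLS listener logs handshake failures; the sample inputs, including the 11 bytes from the s_server output above, are constructed.

```sh
#!/bin/sh
# Added example (not from the thread): decide from the first bytes a server
# receives whether the peer started a TLS handshake or just sent plaintext,
# which is what s_server's "unknown protocol" error is reporting.
# classify_first_bytes <file>: prints tls-record, sslv2-hello or plaintext
classify_first_bytes() {
    # first six bytes as a 12-character hex string, e.g. 16030100c501
    hex=$(od -An -tx1 -N6 "$1" | tr -d ' \n')
    case "$hex" in
        # 0x16 = handshake record, 0x03xx = version, 2-byte length, 0x01 = ClientHello
        16030[0-3]????01) echo tls-record ;;
        # SSLv2-compatible hello: high bit of byte 0 set (2-byte length),
        # then message type 0x01 and version major 0x03 (heuristic only)
        [89a-f]???0103*) echo sslv2-hello ;;
        # anything else (e.g. "hello world") is data sent without a handshake
        *) echo plaintext ;;
    esac
}

# demo with constructed inputs written to a temp file
demo() {
    f=$(mktemp)
    printf 'hello world' > "$f"                            # the 11 bytes seen by s_server
    printf '%s: %s\n' "plain text" "$(classify_first_bytes "$f")"
    printf '\026\003\001\000\305\001\000\000\301' > "$f"  # TLS 1.0 record carrying a ClientHello
    printf '%s: %s\n' "client hello" "$(classify_first_bytes "$f")"
    rm -f "$f"
}
```

The fix on Garyc's side is the same whatever the client language: wrap the TCP socket in an SSL object and complete the handshake (SSL_connect, or `openssl s_client -connect host:2000` for a quick test) before writing application data.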
Re: How to improve the performance of SSL_Read
ghouse mohiddin wrote:
> Hi, How to improve the performance of the SSL_Read call? Is there any call to increase the buffer capacity? I am able to read around 1300 bytes at a time. It is taking 5 to 6 seconds for reading the whole response (header and body) from the server, which is very slow.

1300 bytes at a time sounds like one TCP segment at a time. How much data in total are you reading in those 5 to 6 seconds? If there really isn't all that much data, perhaps the sender is having to retransmit some of it. Check the netstat statistics and link-level statistics on both ends and look for drops, errors, retransmissions and the like.

rick jones
Re: Custom extensions in certificate request
On Tue, May 22, 2007, Shane wrote:
> Hi,
>
> On Tue, May 22, 2007 at 12:57:36PM +0200, Dr. Stephen Henson wrote:
>> The display OpenSSL uses for an unsupported extension by default isn't very informative but it is there for legacy reasons. Try including the option:
>>
>>     -reqopt ext_parse
>>
>> which will put unsupported ASN1 extensions through the ASN1 parser.
>
> Would indeed be helpful but it doesn't seem to change the output.
>
>     Attributes:
>     Requested Extensions:
>         1.2.826.0.1.1796587.1.1.1.1: critical
>
> and so on. Command is:
>
>     openssl req -noout -text -reqopt ext_parse -in test.csr

Does the output look exactly the same? If so please send me the CSR (by private email if you prefer) and I'll see what the problem is.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
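Added example for the two things Shane asks about in this thread, writing an extension openssl does not recognise into openssl.cnf, and getting a readable dump of it with the `-reqopt ext_parse` option Steve suggests. It is not code from Shane, Steve or the OpenSSL project. The OID arc 1.3.6.1.4.1.99999 and the values are placeholders, not the Symbian extensions; the CSR, key and config are created in a temporary directory.

```sh
#!/bin/sh
# Added example (not from the thread): put custom, unrecognised extensions in a
# CSR via a config file, then dump them with -reqopt ext_parse as Steve suggests.
# The OID arc 1.3.6.1.4.1.99999 and the values are placeholders, not Symbian's.
set -eu

# write_csr_cfg <file>: req config with two arbitrary extensions under v3_req.
# The ASN1: syntax takes the DER value either as a typed ASN.1 string or as
# raw hex, so a value openssl has no name for can still be encoded.
write_csr_cfg() {
    cat > "$1" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
req_extensions = v3_req
[ dn ]
CN = demo-device
[ v3_req ]
1.3.6.1.4.1.99999.1 = critical,ASN1:UTF8String:demo-value
1.3.6.1.4.1.99999.2 = ASN1:FORMAT:HEX,OCTETSTRING:0102ff
EOF
}

# make_csr <dir>: key + CSR carrying the extensions above; prints the CSR path
make_csr() {
    write_csr_cfg "$1/req.cnf"
    openssl genrsa -out "$1/dev.key" 2048 2>/dev/null
    openssl req -new -config "$1/req.cnf" -key "$1/dev.key" -out "$1/dev.csr"
    echo "$1/dev.csr"
}

# dump_csr_exts <csr>: -text output with unsupported extensions run through
# the ASN.1 parser (ext_parse) instead of the terse default display
dump_csr_exts() {
    openssl req -noout -text -reqopt ext_parse -in "$1"
}

# has_critical_ext <csr> <oid>: succeeds if the CSR requests <oid> as critical
has_critical_ext() {
    dump_csr_exts "$1" | grep -q "$2: critical"
}
```

With `ext_parse` the UTF8String value is printed as the parsed ASN.1 structure; `-reqopt ext_dump` prints the raw extension value as a hex dump instead, which answers the hexdump question directly. An extension with no value at all cannot be expressed this way: extnValue must carry some DER, so the closest thing is an explicit empty type such as an OCTET STRING of zero length.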
Application wont start 0xc0150002 Error
Hi All,

My application uses libeay32.dll and Ssleay32.dll. I have noticed that on some computers my application won't start, giving a 0xc0150002 error. I am not sure why I am having this problem. Has anyone faced a similar problem?

Thanks,
--Amit