Safe signed certificate generation during server installation ?
Hello everyone, I have a server application that will use Openssl to communicate with its clients over SSL secured channel. This server requires a unique signed server certificate. I plan to use my personal CA to issue these server certificates. Now for the ease of deployment, I plan to create server certificates as part of server installation procedure. For this, I plan to embed the openssl utility in my server installer. The user will be prompted for some information like C/ST/OU/CN etc. and a certificate request will be generated using the embedded openssl application. With this, every server will have its own certificate request. Now in order to get these requests signed by the CA, I can either: 1. Ask the user to send the request to me, and I will send back the signed certificate 2. Embed my CA certificate in the installer, and sign the certificate request then and there as it is generated. I am more inclined towards the second option as it saves the user and myself from exchanging the cert request / signed certificates. But I feel that this will be more risky, as in order to sign the certificate, I will have to make my CA private key available in the installer (Is this correct understanding?). So could someone guide me with the best practices used in such scenarios? Is there a way to securely embed the private key in the installers / CA certificate? Thanks, ~ Urjit DISCLAIMER == This e-mail may contain privileged and confidential information which is the property of Persistent Systems Pvt. Ltd. It is intended only for the use of the individual or entity to which it is addressed. If you are not the intended recipient, you are not authorized to read, retain, copy, print, distribute or use this message. If you have received this communication in error, please notify the sender and delete all copies of this message. Persistent Systems Pvt. Ltd. does not accept any liability for virus infected mails.
Re: connection termiated (LINUX)
I thing I have finally found where the problem is. When the TCP connection is interrupted (pulling out network cable) there are some timeouts set for TCP connection. Defaultly on LINUX systems, theese configuration items, that sets TCP timeouts are in /proc/sys/net/ipv4/[tcp_keepalive_...]. I have read that theese timeouts can be set to each socket separetely. Are in openssl some functions that allow me to do that. Or must I create some raw socket by standart system functions and then set this socket to new BIO? Thanks for any response Milan __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: Adding OpenSSL certificate user data with parameters
Hi, When I run the following command, it doesn' t ask me question about signing. But I have to press enter button two times. I want to press only once to enter button. This command creates emtpy new-cert.pem file and it does not add information to demoCA/index.txt file. Is the following command correct? # openssl ca -key 123456 -config openssl.cnf -out new-cert.pem -infiles new-req.pem -h 21 | grep batch With the following command I can create certificate, but this command asks two question. # openssl ca -key 123456 -config openssl.cnf -out new-cert.pem -infiles new-req.pem Sincerelly, Kadir. Marek Marcola [EMAIL PROTECTED] wrote: Hello, When I run the following command password has not been asked, but 2 confirmation appeared which are like following. Is it possible to give y value in openssl parameter. openssl ca -key 123456 -config openssl.cnf -out new-cert3.pem -infiles new-req3.pem Sign the certificate? [y/n]:y 1 out of 1 certificate requests certified, commit? [y/n]y $ openssl ca -h 21 | grep batch -batch - Don't ask questions Best regards, -- Marek Marcola __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED] - Be a better Heartthrob. Get better relationship answers from someone who knows. Yahoo! Answers - Check it out.
Re: Adding OpenSSL certificate user data with parameters
Hello, When I run the following command, it doesn' t ask me question about signing. But I have to press enter button two times. I want to press only once to enter button. This command creates emtpy new-cert.pem file and it does not add information to demoCA/index.txt file. Is the following command correct? # openssl ca -key 123456 -config openssl.cnf -out new-cert.pem -infiles new-req.pem -h 21 | grep batch Try: $ openssl ca -key 123456 -config openssl.cnf -out new-cert.pem -infiles new-req.pem -batch Best regards, -- Marek Marcola [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: Adding OpenSSL certificate user data with parameters
Hi, I tried the following command. But this command asks some questions ( for instance it asks me Sign the certificate? [y/n]: question) and waits for answer from me. I want to answer this questions with openssl command automatically. Is this possible? # openssl ca -key 123456 -config openssl.cnf -out new-cert.pem -infiles new-req.pem -batch Sincerelly, Kadir. Marek Marcola [EMAIL PROTECTED] wrote: Hello, When I run the following command, it doesn' t ask me question about signing. But I have to press enter button two times. I want to press only once to enter button. This command creates emtpy new-cert.pem file and it does not add information to demoCA/index.txt file. Is the following command correct? # openssl ca -key 123456 -config openssl.cnf -out new-cert.pem -infiles new-req.pem -h 21 | grep batch Try: $ openssl ca -key 123456 -config openssl.cnf -out new-cert.pem -infiles new-req.pem -batch Best regards, -- Marek Marcola __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED] - Pinpoint customers who are looking for what you sell.
ECDSA and ECICS with OpenSSL
Hi, Is it possible to implement ECDSA and ECICS using OpenSSL? I did not find anything in the documentation or the man pages, although I was told that OpenSSL is capable of elliptic curve cryptography which had been donated by sun. Btw, are there any patent implications? Thanks, Markus -- Markus Schaber | Logical TrackingTracing International AG Dipl. Inf. | Software Development GIS Fight against software patents in Europe! www.ffii.org www.nosoftwarepatents.org __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: ECDSA and ECICS with OpenSSL
Hello, Is it possible to implement ECDSA and ECICS using OpenSSL? I did not find anything in the documentation or the man pages, although I was told that OpenSSL is capable of elliptic curve cryptography which had been donated by sun. Elliptic curves are in OpenSSL 0.9.8e version. EDCSA is implemeted in this version and may be used. Source of this implementation you may find in crypto/ec. Btw, are there any patent implications? Point compression, look in crypto/ec/ec2_smpt.c Best regards, -- Marek Marcola [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: ECDSA and ECICS with OpenSSL
Hi Marek, I am sorry to write you directly but I have posted my question twice on the openssl site and for some reason it never get published. I would like to use only the ECDSA, is there any simple way to compile it alone (ofcourse with the modules it's using). I have tried doing it manually, but there are too many switches and defines that I do not know. Any suggestions are appreciated Thanks in advance Eman On 9/19/07, Marek Marcola [EMAIL PROTECTED] wrote: Hello, Is it possible to implement ECDSA and ECICS using OpenSSL? I did not find anything in the documentation or the man pages, although I was told that OpenSSL is capable of elliptic curve cryptography which had been donated by sun. Elliptic curves are in OpenSSL 0.9.8e version. EDCSA is implemeted in this version and may be used. Source of this implementation you may find in crypto/ec. Btw, are there any patent implications? Point compression, look in crypto/ec/ec2_smpt.c Best regards, -- Marek Marcola [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: Adding OpenSSL certificate user data with parameters
Hi, I solved the problem. I used -batch parameter with openssl with the following command. Now I wonder what is the answers of the questions (Sign the certificate? [y/n]:). How can I learn which option [y/n] (yes/no) is used? openssl ca -batch -key 123456 -config openssl.cnf -out new-cert.pem -infiles new-req.pem Sincerelly, Kadir. Kadir [EMAIL PROTECTED] wrote: Hi, I tried the following command. But this command asks some questions ( for instance it asks me Sign the certificate? [y/n]: question) and waits for answer from me. I want to answer this questions with openssl command automatically. Is this possible? # openssl ca -key 123456 -config openssl.cnf -out new-cert.pem -infiles new-req.pem -batch Sincerelly, Kadir. Marek Marcola [EMAIL PROTECTED] wrote: Hello, When I run the following command, it doesn' t ask me question about signing. But I have to press enter button two times. I want to press only once to enter button. This command creates emtpy new-cert.pem file and it does not add information to demoCA/index.txt file. Is the following command correct? # openssl ca -key 123456 -config openssl.cnf -out new-cert.pem -infiles new-req.pem -h 21 | grep batch Try: $ openssl ca -key 123456 -config openssl.cnf -out new-cert.pem -infiles new-req.pem -batch Best regards, -- Marek Marcola __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED] - Pinpoint customers who are looking for what you sell. - Luggage? GPS? Comic books? Check out fitting gifts for grads at Yahoo! Search.
Re: Adding OpenSSL certificate user data with parameters
Hello, I solved the problem. I used -batch parameter with openssl with the following command. Now I wonder what is the answers of the questions (Sign the certificate? [y/n]:). How can I learn which option [y/n] (yes/no) is used? In OpenSSL source file apps/ca.c look at 'batch' variable, you will find something like that: if (!batch) { BIO_printf(bio_err,Sign the certificate? [y/n]:); (void)BIO_flush(bio_err); buf[0]='\0'; fgets(buf,sizeof(buf)-1,stdin); if (!((buf[0] == 'y') || (buf[0] == 'Y'))) { BIO_printf(bio_err,CERTIFICATE WILL NOT BE CERTIFIED\n); ok=0; goto err; } } as you see, any string starting with 'y' or 'Y' will accept signing. Best regards, -- Marek Marcola [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: ECDSA and ECICS with OpenSSL
Hello, Is it possible to implement ECDSA and ECICS using OpenSSL? I did not find anything in the documentation or the man pages, although I was told that OpenSSL is capable of elliptic curve cryptography which had been donated by sun. Elliptic curves are in OpenSSL 0.9.8e version. EDCSA is implemeted in this version and may be used. Source of this implementation you may find in crypto/ec. Does that mean that ECICS is not implemented yet? What is ECICS ? I can not find any information :-( I'm sure OpenSSL implements generic EC algorithms, ECDSA and ECDH Best regards, -- Marek Marcola [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: Adding OpenSSL certificate user data with parameters
Hello, Is it possible to give answer of Sign the certificate? [y/n]:question to openssl command with some parameters? I prefer y option. Does openssl accepts y option with the following command by default? openssl ca -batch -key 123456 -config openssl.cnf -out new-cert.pem -infiles new-req.pem Yes, when I use command like that one I have no prompt and certificate request is signed. Best regards, -- Marek Marcola [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: ECDSA and ECICS with OpenSSL
Hi Marek, First I would like to thank you for your quick reply. I just have one more small question :) As far as I could see the ASN.1 is used basically to calculate the size of the signature (at least on the ecdsa side). So if I know exactly the size of the signatures then I can only remove the use of the ASN.1? Thanks again Eman On 9/19/07, Marek Marcola [EMAIL PROTECTED] wrote: Hello, I am sorry to write you directly but I have posted my question twice on the openssl site and for some reason it never get published. I would like to use only the ECDSA, is there any simple way to compile it alone (ofcourse with the modules it's using). I have tried doing it manually, but there are too many switches and defines that I do not know. I've never tried but I think that this is possible and not very complicated. EC/ECDSA works on big numbers, so you must get all needed source files from crypto/bn, remove some logging from there and one CRYPTO_LOCK. You should create your own Makefile for that and compile to library. Next you should get source from crypto/ec and crypto/ecdsa (only files you need) and compile. You should remove or change logging functions and ASN.1 (reading/writing ECDSA signature to binary ASN1 form from/to BIGNUM should be implemented by you - very easy). I think this is possible :-) Best regards, -- Marek Marcola [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
RE: ECDSA and ECICS with OpenSSL
Hello, Marek: I suspect Markus is referring to ECIES (Elliptic Curve Integrated Encryption Scheme) as specified in ANSI X9.63 and the IEEE P1363a Draft. OK, thank you for information. Best regards, -- Marek Marcola [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: Adding OpenSSL certificate user data with parameters
Hi, Is it possible to give answer of Sign the certificate? [y/n]:question to openssl command with some parameters? I prefer y option. Does openssl accepts y option with the following command by default? openssl ca -batch -key 123456 -config openssl.cnf -out new-cert.pem -infiles new-req.pem Sincerelly, Kadir. Marek Marcola [EMAIL PROTECTED] wrote: Hello, I solved the problem. I used -batch parameter with openssl with the following command. Now I wonder what is the answers of the questions (Sign the certificate? [y/n]:). How can I learn which option [y/n] (yes/no) is used? In OpenSSL source file apps/ca.c look at 'batch' variable, you will find something like that: if (!batch) { BIO_printf(bio_err,Sign the certificate? [y/n]:); (void)BIO_flush(bio_err); buf[0]='\0'; fgets(buf,sizeof(buf)-1,stdin); if (!((buf[0] == 'y') || (buf[0] == 'Y'))) { BIO_printf(bio_err,CERTIFICATE WILL NOT BE CERTIFIED\n); ok=0; goto err; } } as you see, any string starting with 'y' or 'Y' will accept signing. Best regards, -- Marek Marcola __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED] - Yahoo! oneSearch: Finally, mobile search that gives answers, not web links.
Re: SSL won't compile on debian etch amd64
adding that 0 got the compiler to continue .. i got another error a bit later though could it be my system being a bit messed up ? those problems seem really fishy to me /usr/bin/ld: skipping incompatible /usr/bin/../lib/libdl.so when searching for -ldl /usr/bin/ld: skipping incompatible /usr/bin/../lib/libdl.a when searching for -ldl /usr/bin/ld: skipping incompatible /usr/lib/libdl.so when searching for -ldl /usr/bin/ld: skipping incompatible /usr/lib/libdl.a when searching for -ldl /usr/bin/ld: cannot find -ldl collect2: ld returned 1 exit status Darryl Miles wrote: Florian Schnabel wrote: i tried both the etch version and the stock version of openssl 0.9.8e and got exactly the same error comment out your FD_ZERO(), FD_SET() and FD_ISSET() macros from the file s_server.c this will confirm the problem is with glibc, then please file a bug report with debian. Maybe a: find /usr/include /usr/local/include -type f -name *.[hH] -exec egrep -H (FD_ZERO|FD_SET|FD_ISSET) {} \; Will give you are starting point of what to track down, maybe there is a #ifdef option to disable using inline assembler. Looking at my x86_64 system /usr/include/bits/select.h it has a C implementation of the macros from glibc 2.3.6. #define __FD_ZERO(s) \ do {\ unsigned int __i;\ fd_set *__arr = (s);\ for (__i = 0; __i sizeof (fd_set) / sizeof (__fd_mask); ++__i) \ __FDS_BITS (__arr)[__i] = 0;\ } while (0) #define __FD_SET(d, s) (__FDS_BITS (s)[__FDELT(d)] |= __FDMASK(d)) #define __FD_CLR(d, s) (__FDS_BITS (s)[__FDELT(d)] = ~__FDMASK(d)) #define __FD_ISSET(d, s) ((__FDS_BITS (s)[__FDELT(d)] __FDMASK(d)) != 0) But my i386 system using glibc 2.3.3 has BOTH an inline assembler version selected when defined __GNUC__ __GNUC__ = 2 so I guess your quickest fix is to disable them maybe by appending 0 to the #if rule. Please file a bug report with debian! Darryl __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: ECDSA and ECICS with OpenSSL
Hi, Marek, Marek Marcola [EMAIL PROTECTED] wrote: Does that mean that ECICS is not implemented yet? What is ECICS ? I can not find any information :-( I'm sure OpenSSL implements generic EC algorithms, ECDSA and ECDH Sorry, that was a typo, I meant ECIES, of course. It seems that I spent too much of last night trying to understand sources of information about cryptography. Regards, Markus -- Markus Schaber | Logical TrackingTracing International AG Dipl. Inf. | Software Development GIS Fight against software patents in Europe! www.ffii.org www.nosoftwarepatents.org __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: ECDSA and ECICS with OpenSSL
Hi, Marek, Marek Marcola [EMAIL PROTECTED] wrote: Hello, Is it possible to implement ECDSA and ECICS using OpenSSL? I did not find anything in the documentation or the man pages, although I was told that OpenSSL is capable of elliptic curve cryptography which had been donated by sun. Elliptic curves are in OpenSSL 0.9.8e version. EDCSA is implemeted in this version and may be used. Source of this implementation you may find in crypto/ec. Does that mean that ECICS is not implemented yet? Btw, are there any patent implications? Point compression, look in crypto/ec/ec2_smpt.c Thanks, I'll have a look there. Regards, Markus -- Markus Schaber | Logical TrackingTracing International AG Dipl. Inf. | Software Development GIS Fight against software patents in Europe! www.ffii.org www.nosoftwarepatents.org __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: ECDSA and ECICS with OpenSSL
Hello, I am sorry to write you directly but I have posted my question twice on the openssl site and for some reason it never get published. I would like to use only the ECDSA, is there any simple way to compile it alone (ofcourse with the modules it's using). I have tried doing it manually, but there are too many switches and defines that I do not know. I've never tried but I think that this is possible and not very complicated. EC/ECDSA works on big numbers, so you must get all needed source files from crypto/bn, remove some logging from there and one CRYPTO_LOCK. You should create your own Makefile for that and compile to library. Next you should get source from crypto/ec and crypto/ecdsa (only files you need) and compile. You should remove or change logging functions and ASN.1 (reading/writing ECDSA signature to binary ASN1 form from/to BIGNUM should be implemented by you - very easy). I think this is possible :-) Best regards, -- Marek Marcola [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
RE: ECDSA and ECICS with OpenSSL
Marek: I suspect Markus is referring to ECIES (Elliptic Curve Integrated Encryption Scheme) as specified in ANSI X9.63 and the IEEE P1363a Draft. Bill -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Marek Marcola Sent: September 19, 2007 7:35 AM To: openssl-users@openssl.org Subject: Re: ECDSA and ECICS with OpenSSL Hello, Is it possible to implement ECDSA and ECICS using OpenSSL? I did not find anything in the documentation or the man pages, although I was told that OpenSSL is capable of elliptic curve cryptography which had been donated by sun. Elliptic curves are in OpenSSL 0.9.8e version. EDCSA is implemeted in this version and may be used. Source of this implementation you may find in crypto/ec. Does that mean that ECICS is not implemented yet? What is ECICS ? I can not find any information :-( I'm sure OpenSSL implements generic EC algorithms, ECDSA and ECDH Best regards, -- Marek Marcola [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: ECDSA and ECICS with OpenSSL
Hello, As far as I could see the ASN.1 is used basically to calculate the size of the signature (at least on the ecdsa side). So if I know exactly the size of the signatures then I can only remove the use of the ASN.1? ECDSA functions works in general on BIGNUM's (packed in some structures) and ECDSA signature is two BIGNUM's (r,s). If you want to transfer signature to your peer, this numbers are converted to ASN1 SEQUENCE of two INTEGERs. Your peer must get this SEQUENCE and convert to BIGNUM (r,s) and next check signature. If can convert this two BIGNUMs to ASN1 and from ASN1 to BIGNUMs (which is very ease) then you will do not need OpenSSL ASN1 module. Best regards, -- Marek Marcola [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
RE: Configuration file for subjectAltName
I can't allow our production users to get invalid certificate errors nor do I want to affect my clients with redirection requests. I am also helping our Exchange2007 folks with the autodiscovery function and the MS docs recommend a SAN-certificate for these very reasons. In my test environment, I am trying to proof this out using a test website and the self-signed certificate warning is expected, however considering the message below, the invalid site message is what I thought the use of a SAN-cert would eliminate: [ ! The security certificate was issued by a company you have not chosen to trust. View the certificate... ! The name on the security certificate is invalid or does not match the name of the site ] Once I purchase a trusted certificate, I was assuming both of these warnings would be removed; I thought a SAN-certificate would allow me to connect to the website using alternative names without getting the invalid or does not match warning. Thanks, David -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Schwartz Sent: Tuesday, September 18, 2007 6:54 PM To: openssl-users@openssl.org Subject: RE: Configuration file for subjectAltName Below are my cnf file and the commands I tried. The key and the crt were both created, however when I render the test website using blah002.mysite.com I get a security warning message anyway. I must have done something wrong or left off a step ... It's not clear what you are trying to do. That you get a security warning with a browser doesn't indicate anything wrong with your key or certificate, it just indicates that the browser doesn't trust your certificate to establish your identity. Is there any reason it should? If not, then this is correct behavior. DS __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
RE: Safe signed certificate generation during server installation ?
So could someone guide me with the best practices used in such scenarios? Is there a way to securely embed the private key in the installers / CA certificate? I guess I'm confused. What purpose would a certificate serve if anyone can generate one that serves any purpose? If I can generate a certificate that says I'm the pope just by entering that into your installer, then a certificate that says I'm the pope doesn't prove I'm the pope. So what's the point of the entire exercise?! DS __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
RE: Configuration file for subjectAltName
Once I purchase a trusted certificate, I was assuming both of these warnings would be removed; I thought a SAN-certificate would allow me to connect to the website using alternative names without getting the invalid or does not match warning. Thanks, David What error are you getting now? Is it specific about whether the problem is that certificate is invalid or that it does not match or what? The certificate only proves the identity of the server if the client is using a name that is contained in the certificate, and the client software uses the same stored in that place. What is the client software? What name is it using to access the server? And what are the contents of the name fields in the certificate? Is the certificate signed by an authority the clients are configured to trust? If there are any needed intermediate certificates, is the server sending them to the clients? If you're sure it's supposed to work, and it's not, you need to troubleshoot. DS __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: Safe signed certificate generation during server installation ?
On Wed, Sep 19, 2007 at 08:01:28AM -0700, David Schwartz wrote: So could someone guide me with the best practices used in such scenarios? Is there a way to securely embed the private key in the installers / CA certificate? I guess I'm confused. What purpose would a certificate serve if anyone can generate one that serves any purpose? If I can generate a certificate that says I'm the pope just by entering that into your installer, then a certificate that says I'm the pope doesn't prove I'm the pope. So what's the point of the entire exercise?! Bootstrapping server credentials in a scalable fashion in a large environment is a tricky problem. Whether the credentials are Kerberos host keytabs, or X.509 identity certs, the best practice is to entitle the human administrator who builds the host to generate the initial host credentials. Typically this means that the administrator has some way to authenticate to a credential enrollment system (kadmind, X.509 cert enrollment website, ...) and can interact with the system to generate the cert for the newly built host. Some systems impose a higher barrier for re-issuing creds for an existing name (impersonation risk) than for obtaining creds for a never used name. This is what operating an authentication system is all about, the keys, certs, ... are just the technical bits of stale evidence of alleged past due diligence. Security derives more from getting the process right than from the cryptographic strengh of the various protocols. -- Viktor. __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
RE: Are there any CA packages that support XMLRPC?
-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rodney Thayer Sent: Thursday, September 13, 2007 7:47 PM To: openssl-users@openssl.org Subject: Re: Are there any CA packages that support XMLRPC? Richard Hartmann wrote: On 13/09/2007, Rodney Thayer [EMAIL PROTECTED] wrote: Why XMLRPC instead of any of the existing online enrollment protocols? Well, the main reason is that, like it or not, XMLRPC is developing into a kind of lingua franca when it comes to interoperability. The easy availablity of TLS for this path is an obvious plus. I think that's a reasonable view. the RPC aspect of it is outrageously insecure but it's certainly all the rage. Not that I am trying to defend the existing online enrollment protocols, mind you... Well, if there is anything that works in a secure and reliable way, I am all ears :) There's CMP which has only a few implementations (and none open source that I can find), and there's SCEP which has some commercial implementations (and no open source ones that I can find.) What CLIENT do you think would interoperate with such a CA, should it exist? A self-baked one. Fair enough. If there were something out there that one were trying to interoperate with that would of course be interesting. http://comodopartners.com/api lh.. smime.p7s Description: S/MIME cryptographic signature
RE: Configuration file for subjectAltName
I ran the following command, openssl x509 -text -in certname.crt but I do not see any of the subjectAltNames from my config file. Is this the correct command to see the names in the cert? I am not getting an error, per say, but a common IE warning message about, invalid or does not match when I try and connect to my test website using an IE browser as a client. This works as expected when my URL is blah.mysite.com, however when I try using the alt_name blah002.mysite.com, I get the invalid or does not match warning. This is a self-signed cert so I fully expect to get the 'certificate not trusted' message, I was attempting to not have the invalid or does not match warning message. commonName = blah.mysite.com subjectAltName = @alt_names [ alt_names ] DNS.1 = blah.mysite.com DNS.2 = blah002.mysite.com Thanks, David -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Schwartz Sent: Wednesday, September 19, 2007 10:04 AM To: openssl-users@openssl.org Subject: RE: Configuration file for subjectAltName Once I purchase a trusted certificate, I was assuming both of these warnings would be removed; I thought a SAN-certificate would allow me to connect to the website using alternative names without getting the invalid or does not match warning. Thanks, David What error are you getting now? Is it specific about whether the problem is that certificate is invalid or that it does not match or what? The certificate only proves the identity of the server if the client is using a name that is contained in the certificate, and the client software uses the same stored in that place. What is the client software? What name is it using to access the server? And what are the contents of the name fields in the certificate? Is the certificate signed by an authority the clients are configured to trust? If there are any needed intermediate certificates, is the server sending them to the clients? If you're sure it's supposed to work, and it's not, you need to troubleshoot. DS __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
openssl error
Hello, All, is anybody experienced the following error: error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac thank you for any help in advance. Richard - Check out the hottest 2008 models today at Yahoo! Autos.
Re: Are there any CA packages that support XMLRPC?
I am replying to myself to clarify somthing which I should have put better: I want to run my own CA, not buy certificates from established ones. Sorry for asking a misleading question :/ Richard __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
RE: Configuration file for subjectAltName
From what I can tell the extensions are just not being added to my certificate. I see no indication the extensions were added in the output of the following command ... [EMAIL PROTECTED]:Active] ssl.crt # openssl x509 -in btesting.bx05.com.crt -noout -text Certificate: Data: Version: 1 (0x0) Serial Number: 84:36:1d:d4:d4:8b:a6:4d Signature Algorithm: sha1WithRSAEncryption Issuer: C=US, ST=xx, L=xx, O=xx, OU=IT, CN=btesting.bx05.aa.com Validity Not Before: Sep 19 20:55:41 2007 GMT Not After : Sep 18 20:55:41 2008 GMT Subject: C=US, ST=xx, L=xx, O=, OU=IT, CN=btesting.bx05..com Subject Public Key Info: Public Key Algorithm: rsaEncryption RSA Public Key: (1024 bit) Modulus (1024 bit): ... Exponent: 65537 (0x10001) Signature Algorithm: sha1WithRSAEncryption ... Here is my configuration file. [ req ] default_bits= 1024 default_md = sha1 #default_keyfile = key1 distinguished_name = req_distinguished_name prompt = no string_mask = nombstr req_extensions = v3_req [ req_distinguished_name ] countryName = US stateOrProvinceName = xx localityName= xx organizationName= xx organizationalUnitName = IT commonName = btesting.bx05.com emailAddress= [EMAIL PROTECTED] [ v3_req ] basicConstraints= CA:FALSE keyUsage= nonRepudiation, digitalSignature, keyEncipherment subjectAltName = @alt_names [ alt_names ] DNS.1 = btesting.bx05.com DNS.1 = biptst.bx05.com Does anyone know why the extensions are not being included? Thanks, David -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Murphy, David F Sent: Wednesday, September 19, 2007 1:07 PM To: openssl-users@openssl.org Subject: RE: Configuration file for subjectAltName I ran the following command, openssl x509 -text -in certname.crt but I do not see any of the subjectAltNames from my config file. Is this the correct command to see the names in the cert? I am not getting an error, per say, but a common IE warning message about, invalid or does not match when I try and connect to my test website using an IE browser as a client. This works as expected when my URL is blah.mysite.com, however when I try using the alt_name blah002.mysite.com, I get the invalid or does not match warning. This is a self-signed cert so I fully expect to get the 'certificate not trusted' message, I was attempting to not have the invalid or does not match warning message. commonName = blah.mysite.com subjectAltName = @alt_names [ alt_names ] DNS.1 = blah.mysite.com DNS.2 = blah002.mysite.com Thanks, David -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Schwartz Sent: Wednesday, September 19, 2007 10:04 AM To: openssl-users@openssl.org Subject: RE: Configuration file for subjectAltName Once I purchase a trusted certificate, I was assuming both of these warnings would be removed; I thought a SAN-certificate would allow me to connect to the website using alternative names without getting the invalid or does not match warning. Thanks, David What error are you getting now? Is it specific about whether the problem is that certificate is invalid or that it does not match or what? The certificate only proves the identity of the server if the client is using a name that is contained in the certificate, and the client software uses the same stored in that place. What is the client software? What name is it using to access the server? And what are the contents of the name fields in the certificate? Is the certificate signed by an authority the clients are configured to trust? If there are any needed intermediate certificates, is the server sending them to the clients? If you're sure it's supposed to work, and it's not, you need to troubleshoot. DS __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: Configuration file for subjectAltName
On Wed, Sep 19, 2007 at 04:09:29PM -0500, Murphy, David F wrote: From what I can tell the extensions are just not being added to my certificate. I see no indication the extensions were added in the output of the following command ... [EMAIL PROTECTED]:Active] ssl.crt # openssl x509 -in btesting.bx05.com.crt -noout -text Certificate: Data: Version: 1 (0x0) Serial Number: 84:36:1d:d4:d4:8b:a6:4d Signature Algorithm: sha1WithRSAEncryption Issuer: C=US, ST=xx, L=xx, O=xx, OU=IT, CN=btesting.bx05.aa.com Validity Not Before: Sep 19 20:55:41 2007 GMT Not After : Sep 18 20:55:41 2008 GMT Subject: C=US, ST=xx, L=xx, O=, OU=IT, CN=btesting.bx05..com Subject Public Key Info: Public Key Algorithm: rsaEncryption RSA Public Key: (1024 bit) Modulus (1024 bit): ... Exponent: 65537 (0x10001) Signature Algorithm: sha1WithRSAEncryption ... This is a version 1 certificate, and so cannot possibly hold v3 extensions. You need to generate a v3 cert. -- Viktor. __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
How to write engine
Hi, My requirement is to write to a new engine that will be loaded by an application for its crypto functionalities. The engine shall communicate with the smart card for encryption/ decryption, and digital signature. I have no clue how to start with. Is there any documentation available regarding this? I just want to know the following things to start with. How to include a new engine to the existing openssl engine list? How to load this engine from an application? Any level of help will be appreciated. Thanks in advance -- with regards Subramanaim __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]