Re: Are there any CA packages that support XMLRPC?
Richard Hartmann wrote: I am replying to myself to clarify somthing which I should have put better: I want to run my own CA, not buy certificates from established ones. You said CA packages, you didn't say something to the effect of use a retail Certificate Authority. So at least some of us interpreted that as run your own CA. That being said the existence of any code that handles that sort of thing is interesting, since there are so few implementations. __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
intermediate CA configuration
i want to create intermediate CA from root CA by using openssl.cnf. how to configure openssl.cnf file for creating intermediate ca which contains all attributes like root ca which is having obj signing,certificate revocation...can any body help me -- View this message in context: http://www.nabble.com/intermediate-CA-configuration-tf4485967.html#a12792609 Sent from the OpenSSL - User mailing list archive at Nabble.com. __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
CBC with ciphertext stealing?
I need to use CBC with ciphertext stealing. I found the following on Wikipedia: CBC ciphertext stealing encryption using a standard CBC interface 1. Encrypt the plaintext through the last full block using the standard CBC mode. 2. Pad the last partial block with the trailing ciphertext of the last full block 3. Encrypt the last block (plaintext plus ciphertext) 4. Swap the last two ciphertext blocks. 5. Truncate the ciphertext to the length of the original plaintext. Reading the AES_cbc_encrypt() code, it seems to me that it already does steps 1-3. So I think all I have to do is: - call AES_cbc_encrypt() with the entire plaintext. - perform 4 and 5 on the result. Am I correct or am I missing something? I found some implementation of AES_cts_encrypt() here: http://ftp.scythe.jp/pub/2005/aes_cts_openssl-20051128.c http://ftp.scythe.jp/pub/2005/aes_cts_openssl-20051128.c but for some reason it performs all steps itself, so I'm a little unsure. Thanks for any help! -- View this message in context: http://www.nabble.com/AES-cbc--How-to-Init-Openssl--tf4376933.html#a12793433 Sent from the OpenSSL - User mailing list archive at Nabble.com. __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: Safe signed certificate generation during server installation ?
Thank you very much for your response , David and Victor. I really appreciate it. So could someone guide me with the best practices used in such scenarios? Is there a way to securely embed the private key in the installers / CA certificate? I guess I'm confused. What purpose would a certificate serve if anyone can generate one that serves any purpose? If I can generate a certificate that says I'm the pope just by entering that into your installer, then a certificate that says I'm the pope doesn't prove I'm the pope. For now, my purpose is not to establish and identity of a server with the certificate. I plan to use a signed certificate, so that the client can be sure that the server indeed holds the private key associated with the public key provided by the server in its certificate. So what's the point of the entire exercise?! For the requirement of certificate generation on the fly (during installation) following is the scenario: A] I have a client - server application that I would be shipping to different customers. The admin at every customer will install the client and server software on different machines. For the SSL to work, the client software would require a root CA cert, and the server software would require its certificate + key. (NOTE: Only the clients in a particular customer's network will be able to access the server in that particular customer's n/w.) B] I plan to provide the required root cert + server cert to the customer to kick start the applications in the customer environment. I have a CA established at my end. The root CA cert of this CA will be used to generate server certificates (NOTE: I will not be using a CA chain. There will be only one certificate issuing authority) C] Now from the point of view of 'ease of deployment', I would like to burn the same image of my server/client software on say 10 CDs and ship them to 10 customers. But, every customer will need to have a distinct server certificate for his server installation. ( Also, it is possible that a customer may wish to run two servers on two machines in the same network. So he will need two different server certificates.) So, if I have to provide the certificates to the customer as part of my product, I would have to generate 10 distinct certificate, and one certificate to one CD. So basically I will be writing 10 distinct CD images for 10 customers. Also, I would be generating the certificates for these customers based on the information that 'they' provide to me. So considering the points above, I thought of providing the certificate generation capability as part of my installation itself. This way, I will have to burn the same image on all the 10 CDs. Also, my customers will be saved from sending me the information required to generate a certificate for them. Instead, they themselves (The admin who installs the server) can provide this information as part of installation and the certificate will be generated behind the scenes. Victor, Typically this means that the administrator has some way to authenticate to a credential enrollment system (kadmind, X.509 cert enrollment website, ...) and can interact with the system to generate the cert for the newly built host I am sorry but I am not sure I followed what you said about Could you please explain this, may be with an example scenario / real life scenario? I will highly appreciate any comments / suggestions / help tackling this scenario. Thank you. ~ Urjit DISCLAIMER == This e-mail may contain privileged and confidential information which is the property of Persistent Systems Pvt. Ltd. It is intended only for the use of the individual or entity to which it is addressed. If you are not the intended recipient, you are not authorized to read, retain, copy, print, distribute or use this message. If you have received this communication in error, please notify the sender and delete all copies of this message. Persistent Systems Pvt. Ltd. does not accept any liability for virus infected mails. __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
RE: intermediate CA configuration
This should be good for most purposes. Note the basicConstraints attribute of pathlen. Unlike the root CA which has no pathlen, the intermediate has a pathlen of 0. ### subjectKeyIdentifier=hash authorityKeyIdentifier=keyid:always crlDistributionPoints=URI:http://crl1.somedomain.com/IntCA.crl,URI:http: //crl2.somedomain.com/IntCA.crl basicConstraints = critical, CA:true,pathlen:0 keyUsage=critical, keyCertSign,cRLSign extendedKeyUsage = serverAuth, clientAuth, codeSigning, emailProtection, timeStamping nsCertType = server, client certificatePolicies=ia5org,@polsect1 [polsect1] policyIdentifier = 1.3.6.1.4.1.0.1.2.1.2.1 CPS=http://www.somedomain.com/legal/cps-intCA.pdf ### Donald E. Bynum Director, Architecture Integration O: 703.668.5616 | M: 301.367.2072 | www.networksolutions.com -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of mallika Sent: Thursday, September 20, 2007 4:06 AM To: openssl-users@openssl.org Subject: intermediate CA configuration i want to create intermediate CA from root CA by using openssl.cnf. how to configure openssl.cnf file for creating intermediate ca which contains all attributes like root ca which is having obj signing,certificate revocation...can any body help me -- View this message in context: http://www.nabble.com/intermediate-CA-configuration-tf4485967.html#a1279 2609 Sent from the OpenSSL - User mailing list archive at Nabble.com. __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: Are there any CA packages that support XMLRPC?
On 20/09/2007, Rodney Thayer [EMAIL PROTECTED] wrote: That being said the existence of any code that handles that sort of thing is interesting, since there are so few implementations. Yes, it seems that everyone who does any real work in this direction keeps the fruits to themselves :/ If I were to modify/enhance a command line solution that is under the GPL, I might be able to give back. If I bake our own, I am not so sure. So, as there do not seem to be any solutions that do what I need, does anyone know of a command line based Perl CA that is able to create root and sub CAs and person/email/server certificates automagically that I could enhance to speak XMLRPC? Any and all suggestions are welcome, even if they do not fit the above exactly. Richard __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Problems with TinyCA filenames
Hello out there! I've got a problem with the OpenSSL-based program TinyCA. I used this nice GUI-prog to create some certificates. I also created some certificates with commandline OpenSSL. Now my problem: TinyCA show's an nice overview about all certificates in the folder incl. CommonName, OrganisationUnit etc. But the certificates I created with OpenSSL directly are not displayed correctly. I found out that TinyCA uses CommonName,OU etc. to create the filename: Certs created with TinyCA are named like this: VGVzdENBOiA6Q2xhc3MxOkRldXRzY2hlIEJ1bmRlc2Jhbms6IDpEZXV0c2NobGFuZDpERQ==.pem My OpenSSL created files are just: example.pem (thats what I entered) Does anyone got an idea which function is used by TinyCA to convert CommonName etc. to this crazy filename? :confused: And how could i create files with this name too? Thanks for your help! Daniel -- View this message in context: http://www.nabble.com/Problems-with-TinyCA-filenames-tf4488473.html#a12800216 Sent from the OpenSSL - User mailing list archive at Nabble.com. __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
compiling openssl for a vxworks target
All, I'm sure this topic has been broached before, but I cannot seem to find anything on the mailing list concerning getting core crypto and ssl compiled for vxworks. I have looked through the main makefile in the openssl/ directory and the openssl website, but have not found anything specific concerning compiling for vxworks. Does anyone have any pointers? Regards, Daniel Clusin
RE: Safe signed certificate generation during server installation ?
For now, my purpose is not to establish and identity of a server with the certificate. I plan to use a signed certificate, so that the client can be sure that the server indeed holds the private key associated with the public key provided by the server in its certificate. You have a non-standard security model. The standard SSL security model has the CA sign the certificate to verify that the *name* in the certificate belongs to the key in the certificate. It is almost always a mistake to try to get commodity software to enforce a non-standard security model. That is, you can't expect programs like firefox and IE to connect to SSL servers using certificates generated with a non-standard security model and get any kind of sane behavior. It sounds like you don't need a certificate at all. You just need the server to be able to prove that it own a particular private key. Presumably this is for server persistence (so I can tell I'm talking to the same server I was last time). So I think the servers should be using self-signed certificates and the clients should be configured to accept self-signed certificates (since they don't care about being able to verifyt the common name). There is no point in having a CA at all, as I understand your problem. The only point in embedding the CA in the installer and configured the clients to trust the CA would be to all the clients to trust the common name in the certificate. But clearly the clients *can't* trust the common name in the certificate. So it seems like you're trying to solve a problem that's actually a design property of your security model. DS __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
RE: intermediate CA configuration
I have given the command openssl x509 -req -days 365 -in intermediate.csr -CA root.certkey -CAcreateserial -out intermediate.crt -extensions usr_cert -extfile /etc/sll/openssl.cnf after creating the root CA, the root.certkey is having key and crt files.Is this command enough for creating the intermediate CA. if i create a user certificate with this intermediate CA.In SSL authentication it is giving error 24,Unknown CA. In client machine i installed all the certificates root CA and Intermediate CA and client certificate.It is showing clear hierarchy.ROOTintermediate.client. i copied the root and intermediate certificates in /etc/ssl/certs and did c_rehash.BUT with the intermediate client certificate ,client could able to authenticate and showing the ERROR 24 and UNKNOWN CA.if i provide any other root ca , the client can be able to authenticate with that root CA client certificate.please help me... Bynum, Don wrote: This should be good for most purposes. Note the basicConstraints attribute of pathlen. Unlike the root CA which has no pathlen, the intermediate has a pathlen of 0. ### subjectKeyIdentifier=hash authorityKeyIdentifier=keyid:always crlDistributionPoints=URI:http://crl1.somedomain.com/IntCA.crl,URI:http: //crl2.somedomain.com/IntCA.crl basicConstraints = critical, CA:true,pathlen:0 keyUsage=critical, keyCertSign,cRLSign extendedKeyUsage = serverAuth, clientAuth, codeSigning, emailProtection, timeStamping nsCertType = server, client certificatePolicies=ia5org,@polsect1 [polsect1] policyIdentifier = 1.3.6.1.4.1.0.1.2.1.2.1 CPS=http://www.somedomain.com/legal/cps-intCA.pdf ### Donald E. Bynum Director, Architecture Integration O: 703.668.5616 | M: 301.367.2072 | www.networksolutions.com -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of mallika Sent: Thursday, September 20, 2007 4:06 AM To: openssl-users@openssl.org Subject: intermediate CA configuration i want to create intermediate CA from root CA by using openssl.cnf. how to configure openssl.cnf file for creating intermediate ca which contains all attributes like root ca which is having obj signing,certificate revocation...can any body help me -- View this message in context: http://www.nabble.com/intermediate-CA-configuration-tf4485967.html#a1279 2609 Sent from the OpenSSL - User mailing list archive at Nabble.com. __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED] -- View this message in context: http://www.nabble.com/intermediate-CA-configuration-tf4485967.html#a12810885 Sent from the OpenSSL - User mailing list archive at Nabble.com. __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]