Re: Creating certificates
Hello,

So I have played around a little bit more yesterday, but with the same result. Attached is the openssl.cnf I am using. The problem is the same: I do not know how to override the subject information from the config file (specified in the req_distinguished_name section) from the command line. And this is what I execute from the cmd line:

openssl genrsa -des3 -out ..\demo_store\private\private_key_client.pem -passout pass:pass 1024

openssl req -config .\openssl.cnf -subj "/C=DE/L=Munchen/ST=Bayern/O=Org/OU=Dev/CN=Test Certificate" -new -days 365 -key ..\demo_store\private\private_key_client.pem -outform PEM -out ..\demo_store\request\req_server.csr -passin pass:pass

openssl x509 -inform PEM -req -in ..\demo_store\request\req_server.csr -outform DER -out ..\demo_store\certs\cert_server.der -CAform DER -CA ..\demo_store\certs\ca_cert.der -CAkeyform PEM -CAkey ..\demo_store\private\ca_private_key.pem -CAcreateserial

Regards,
Gerald

(attachment: openssl.cnf)

On Mon, Aug 17, 2009 at 7:20 PM, Serge Fonville <serge.fonvi...@gmail.com> wrote:

What does your openssl.cnf look like, since it is used in the req?

On Mon, Aug 17, 2009 at 6:00 PM, Gerald Iakobinyi-Pich <nutri...@gmail.com> wrote:

Hi,

So my end goal is to have a CA which I can use to sign certificates. I have set up a CA; that was not that hard. But now I want to create certificates signed by my CA, and I want to provide the subject from the command line. I don't want it to be read from the openssl.cnf. That is because I have to create more certificates, and I do not want to modify the openssl.cnf for each of them.

I have tried to create certificates signed by my CA with the subject information provided in the openssl.cnf file. In that I have succeeded. Then I have tried to provide the subject information from the command line, and in that I have failed. I have verified the contents of the certificate, and the subject was not what I had specified on the command line, but what was found in the config file.

So it looks to me as if this option:

-subj "/C=DE/L=Munchen/ST=Bayern/O=Org/OU=Dev/CN=Test Certificate"

is ignored, and as if openssl tries to read this info from the config file, and I do not understand why :(.

Regards,
Gerald

On Mon, Aug 17, 2009 at 6:31 PM, Serge Fonville <serge.fonvi...@gmail.com> wrote:

Hi,

I assume you have done a lot of googling and have read the docs extensively.

First, what is your end goal? Since creating a certificate and having it signed by your own CA is not that difficult. What resources have you consulted? What have you already tried? Have you looked at the resulting certificate to verify its contents?

Regards,
Serge Fonville

On Mon, Aug 17, 2009 at 4:41 PM, Gerald Iakobinyi-Pich <nutri...@gmail.com> wrote:

Hello,

I am trying to create a certificate on Windows, and I am having some trouble with OpenSSL.

First I generate a key. That's ok. Then I create a request:

openssl req -config .\openssl.cnf -subj "/C=DE/L=Munchen/ST=Bayern/O=Org/OU=Dev/CN=Test Certificate" -new -days 365 -key ..\demo_store\private\private_key_client.pem -outform PEM -out ..\demo_store\request\req_server.csr -passin pass:pass

Then I want to sign this:

openssl x509 -inform PEM -req -in ..\demo_store\request\req_server.csr -outform DER -out ..\demo_store\certs\cert_server.der -CAform DER -CA ..\demo_store\certs\ca_cert.der -CAkeyform PEM -CAkey ..\demo_store\private\ca_private_key.pem -CAcreateserial

And the message printed out is:

Loading 'screen' into random state - done
Signature ok
subject=/C=RO
Getting CA Private Key

Now, what disturbs me is that it seems that the subject I have provided with -subj in the first openssl req command has been ignored. Why is that happening? What am I doing wrong?

Thanks,
Gerald
Re: Delivery status notification (Failed)
I find this also annoying, but I don't know where this comes from ... :(. Any ideas?

2009/8/17 Serge Fonville <serge.fonvi...@gmail.com>:

I'm not sure about you guys, but I find this very annoying.

2009/8/17 <postmas...@next-motion.de>:

This is an automatically generated delivery status notification. Delivery to the following recipients failed.

c...@next-motion.de

Final-Recipient: rfc822;c...@next-motion.de
Action: failed
Status: 5.2.2
X-Display-Name: Carsten Breitbarth - next.motion OHG

-- Forwarded message --
From: Serge Fonville <serge.fonvi...@gmail.com>
To: openssl-users@openssl.org
Date: Mon, 17 Aug 2009 18:20:37 +0200
Subject: Re: Creating certificates

What does your openssl.cnf look like, since it is used in the req?

On Mon, Aug 17, 2009 at 6:00 PM, Gerald Iakobinyi-Pich <nutri...@gmail.com> wrote:
[...]
ecdsa public key output
Hello,

I'm trying to import ECDSA certificates for a Java server using the Java keytool utility. After having had trouble with openssl-generated certificates, I generated a certificate using the keytool utility to see what the difference is. Upon running

openssl x509 -in cert.crt -noout -text

on this certificate, the output I get is (only the public key info, for brevity):

    Subject Public Key Info:
        Public Key Algorithm: id-ecPublicKey
        EC Public Key:
            pub:
                04:99:cc:aa:5b:7d:fc:e1:aa:c8:0e:d0:98:b2:ed:
                79:65:cb:66:7e:0f:c2:b9:7b:28:42:1b:65:1a:86:
                4b:02:dc:7c:5f:d1:21:1f:ca:f2:ac
            ASN1 OID: secp160k1

which is different from the openssl-generated certificates in that it has the curve name in the public key instead of the curve parameters. The same data (ASN1 OID: secp160k1) in an openssl certificate is:

            Field Type: prime-field
            Prime:
                00:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:
                ff:fe:ff:ff:ac:73
            A:    0
            B:    7 (0x7)
            Generator (uncompressed):
                04:3b:4c:38:2c:e3:7a:a1:92:a4:01:9e:76:30:36:
                f4:f5:dd:4d:7e:bb:93:8c:f9:35:31:8f:dc:ed:6b:
                c2:82:86:53:17:33:c3:f0:3c:4f:ee
            Order:
                01:00:00:00:00:00:00:00:00:00:01:b8:fa:16:df:
                ab:9a:ca:16:b6:b3
            Cofactor:  1 (0x1)

The keytool output does not seem to be incorrect according to RFC 5280, which defines

    SubjectPublicKeyInfo ::= SEQUENCE {
        algorithm        AlgorithmIdentifier,
        subjectPublicKey BIT STRING }

    AlgorithmIdentifier ::= SEQUENCE {
        algorithm  OBJECT IDENTIFIER,
        parameters ANY DEFINED BY algorithm OPTIONAL }

unless I am reading this wrong, but the way algorithm parameters are defined seems to allow for both variants.

I'm looking into making the Java certificate store understand openssl-generated certificates (possibly with 3rd-party APIs), as that would make my life easier. However, at the same time I'm trying to tackle the problem at the other end, so I was also wondering if I can get openssl (maybe programmatically?) to output the public key info in the way the keytool understands: the curve name instead of the curve parameters.

I've had no trouble using a client written in C with openssl to connect to the above-mentioned server (using the keytool-generated certificate as the server certificate), but since I need some certificate request interaction between the Java and C sides, I need to look into this issue further.

Any ideas on how to get the curve name in the certificate instead of the curve parameters?

Thanks in advance,
-- Laura

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
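What decides between the two outputs Laura quotes is the parameter encoding chosen when the EC key was generated, not anything in the certificate step. The script below is an added example, not code from Laura's post or from the OpenSSL project: it generates one key with named_curve and one with explicit parameters, builds a self-signed certificate from each, classifies keys and certificates by the same "ASN1 OID:" versus "Field Type:" markers shown above, and re-encodes the explicit key so a certificate made from it carries the curve name. It assumes a POSIX shell with openssl 1.1.x or 3.x on PATH; prime256v1 stands in for secp160k1 because some distribution builds compile out the less common curves (the switch is the same), and the file names are made up for the demo.

```shell
#!/bin/sh
# Added example, not code from the thread or the OpenSSL project.
# Shows how -param_enc decides whether an EC key (and a certificate made
# from it) carries the curve as a name or as explicit parameters, and how
# to re-encode a key so the certificate ends up with the name.
# Assumes: POSIX sh, openssl 1.1.x or 3.x on PATH. prime256v1 stands in for
# secp160k1 because some distribution builds drop the less common curves.
set -e
command -v openssl >/dev/null 2>&1 || { echo "openssl not on PATH, nothing to show" >&2; exit 0; }
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT; cd "$WORK"

# named_curve (the default) puts the curve OID in the parameters field;
# explicit writes prime, a, b, generator, order and cofactor instead.
openssl ecparam -name prime256v1 -param_enc named_curve -genkey -noout -out named.pem
openssl ecparam -name prime256v1 -param_enc explicit    -genkey -noout -out explicit.pem

# Self-signed certificates from both keys; the SubjectPublicKeyInfo inherits
# the key's parameter encoding. Minimal req config so no system openssl.cnf
# is needed.
printf '[ req ]\nprompt = no\ndistinguished_name = req_dn\n[ req_dn ]\nCN = placeholder\n' > req.cnf
for k in named explicit; do
    openssl req -new -x509 -key "$k.pem" -config req.cnf -subj "/CN=$k-demo" \
        -days 1 -out "$k.crt"
done

# Classify a -text dump on stdin by the markers the thread quotes:
# "ASN1 OID:" for a named curve, "Field Type:" for explicit parameters.
classify_dump() {
    dump=$(cat)
    case "$dump" in
        *"ASN1 OID:"*)   echo named ;;
        *"Field Type:"*) echo explicit ;;
        *)               echo unknown; return 1 ;;
    esac
}
key_curve_encoding()  { openssl ec   -in "$1" -noout -text 2>/dev/null | classify_dump; }
cert_curve_encoding() { openssl x509 -in "$1" -noout -text 2>/dev/null | classify_dump; }

# The fix for an explicit-parameter key: re-encode it with the curve name
# (OpenSSL recognises the parameters as a built-in curve) and regenerate the
# request or certificate from the re-encoded key.
reencode_named() { openssl ec -in "$1" -param_enc named_curve -out "$2" 2>/dev/null; }
reencode_named explicit.pem fixed.pem

for f in named.pem explicit.pem fixed.pem; do
    echo "$f: $(key_curve_encoding "$f")"
done
for f in named.crt explicit.crt; do
    echo "$f: $(cert_curve_encoding "$f")"
done
```

named_curve is the right target for more than keytool's sake: RFC 5480 allows only the namedCurve choice in PKIX certificates, and a verifier that accepts explicit parameters has to trust whatever curve the certificate itself describes. cert_curve_encoding is therefore a sensible check to run on any certificate before it is imported into a trust store, regardless of which tool produced it.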
Creating CA certificates
Hi,

I am using the following steps to create a CA and a server certificate:

1. Create CA certificate

shell> openssl genrsa 2048 > ca-key.pem
shell> openssl req -new -x509 -nodes -days 1000 \
         -key ca-key.pem > ca-cert.pem

2. Create server certificate

shell> openssl req -newkey rsa:2048 -days 1000 \
         -nodes -keyout server-key.pem > server-req.pem
shell> openssl x509 -req -in server-req.pem -days 1000 \
         -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 > server-cert.pem

Now, the certificates get created without any error. But when I run openssl s_server I get the following error:

unable to load server certificate private key file
4174:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:644:Expecting: ANY PRIVATE KEY

Are the steps correct?

Thanks,
Kane
Re: Creating CA certificates
Hi,

To my surprise, I tried the same steps and I am getting a similar kind of error. Please help me as well, if you get a solution.

Thanks and regards,
Vishal

On Tue, Aug 18, 2009 at 1:32 AM, Abhishek Kane <abhishek.k...@gmail.com> wrote:
[...]
Re: Creating certificates
Why don't you use the ca command?

On Tue, Aug 18, 2009 at 9:38 AM, Gerald Iakobinyi-Pich <nutri...@gmail.com> wrote:
[...]
Re: Creating CA certificates
The request is signed with the CA private key. What command do you use when you start the s_server?

HTH

Regards,
Serge Fonville

On Tue, Aug 18, 2009 at 10:38 AM, vishal saraswat <vishalsaraswat...@gmail.com> wrote:
[...]
Re: Creating CA certificates
I forgot, I used this as an example: http://www.g-loaded.eu/2005/11/10/be-your-own-ca/

Also, googling on "openssl certificate authority" seems to help.

On Tue, Aug 18, 2009 at 10:51 AM, Serge Fonville <serge.fonvi...@gmail.com> wrote:
[...]
Re: Creating CA certificates
Hi Serge,

I followed this link but landed in the same problem. I use the following commands to start the server and the client:

Server:
openssl s_server -accept <port number> -cert <certificate I create>

Client:
openssl s_client -connect localhost:<port number>

I was wondering, do I need to do anything specific for the client certificate?

Thanks a lot,
-Vishal

On Tue, Aug 18, 2009 at 1:53 AM, Serge Fonville <serge.fonvi...@gmail.com> wrote:
[...]
Re: Creating CA certificates
You should also provide the server's private key to the openssl s_server command. From above, I see that your server's private key is server-key.pem, therefore your command should be something like:

openssl s_server -accept <port number> -cert <certificate I create> -key server-key.pem

Here server-key.pem would be your server's private key file.

Thanks,
Sandeep

On Tue, Aug 18, 2009 at 2:36 AM, vishal saraswat <vishalsaraswat...@gmail.com> wrote:
[...]
Re: Creating CA certificates
vishal saraswat wrote:
| Hi Serge,

Hello Vishal,

| I use the following commands to start the server and the client :
|
| Server:
| openssl s_server -accept <port number> -cert <certificate I create>

You do know that the server needs the private key and the certificate to work? You only set the certificate file name.

Goetz
-- 
DMCA: The greed of the few outweighs the freedom of the many
Re: Creating certificates
On Tue, Aug 18, 2009, Gerald Iakobinyi-Pich wrote:

Hello, So I have played around a little bit more yesterday, but with the same result. Attached is the openssl.cnf I am using. The problem is the same: I do not know how to override the subject information from the config file (specified in the req_distinguished_name section) from the command line.

Well, that configuration file has the values hard coded in the config file. You should either use a standard openssl.cnf, which means you'll get prompted to enter the values, or use the environment substitution method; see the manual pages for more details.

The CA.pl script is much easier to use instead of random cookbooks.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
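The two routes Steve names, plus the ca command that comes up later in this thread, as an added example that is not part of any post here or of the OpenSSL project: a req config whose DN values come from the environment, -subj on req overriding them, and -subj on openssl ca overriding the request's subject at signing time, each followed by a read-back of what actually landed in the request or certificate. It assumes a POSIX shell with openssl 1.1.x or 3.x on PATH; the config sections, file names and subjects are made up for the demo.

```shell
#!/bin/sh
# Added example, not code from the thread or the OpenSSL project. Three ways
# to get the subject in without editing openssl.cnf per certificate: DN values
# pulled from the environment by the config, -subj on req overriding them, and
# -subj on openssl ca overriding the request's subject at signing time.
# Assumes: POSIX sh, openssl 1.1.x or 3.x on PATH; sections, file names and
# subjects are made up for the demo.
set -e
command -v openssl >/dev/null 2>&1 || { echo "openssl not on PATH, nothing to show" >&2; exit 0; }
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT; cd "$WORK"
mkdir newcerts; : > index.txt; openssl rand -hex 8 > serial

# One config for req and ca. prompt = no makes req take the DN straight from
# [req_dn]; ${ENV::NAME} reads each value from the environment at load time.
cat > demo.cnf <<'EOF'
[ req ]
prompt             = no
distinguished_name = req_dn
x509_extensions    = ca_ext

[ req_dn ]
C  = ${ENV::CERT_C}
O  = ${ENV::CERT_O}
CN = ${ENV::CERT_CN}

[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage         = critical, keyCertSign, cRLSign

[ ca ]
default_ca = demo_ca

[ demo_ca ]
dir           = .
database      = $dir/index.txt
new_certs_dir = $dir/newcerts
serial        = $dir/serial
certificate   = $dir/ca.pem
private_key   = $dir/ca-key.pem
default_md    = sha256
default_days  = 365
policy        = policy_any

[ policy_any ]
countryName            = optional
organizationName       = optional
organizationalUnitName = optional
commonName             = supplied
EOF

# The ENV values must exist whenever demo.cnf is loaded, even when -subj
# overrides them: an unset ${ENV::..} is a config error, not an empty field.
export CERT_C=DE CERT_O=Org CERT_CN="From config"

openssl genrsa -out ca-key.pem 2048 2>/dev/null
openssl genrsa -out key.pem 2048 2>/dev/null
openssl req -new -x509 -key ca-key.pem -config demo.cnf -subj "/CN=Demo CA" \
    -days 365 -out ca.pem

# Subject of a request (req) or certificate (x509) in RFC 2253 form, which
# prints the same way across OpenSSL versions.
subject_of() {   # $1 = req|x509, $2 = file
    openssl "$1" -in "$2" -noout -subject -nameopt RFC2253 | sed 's/^subject=//'
}

# 1. DN from the environment via the config.
csr_from_env() {   # $1 = CN, $2 = output CSR
    CERT_CN="$1" openssl req -new -key key.pem -config demo.cnf -out "$2"
    subject_of req "$2"
}

# 2. DN from -subj, which wins over [req_dn]. Quote it: a bare
#    CN=Test Certificate is split at the space into two arguments.
csr_from_subj() {  # $1 = subject, $2 = output CSR
    openssl req -new -key key.pem -config demo.cnf -subj "$1" -out "$2"
    subject_of req "$2"
}

# 3. openssl ca -subj replaces the subject carried by the request (the
#    request signature is still checked against the original). Attributes
#    missing from the policy section are silently dropped, hence OU above.
sign_with_ca() {   # $1 = CSR, $2 = subject to impose, $3 = output cert
    openssl ca -config demo.cnf -batch -notext -in "$1" -subj "$2" -out "$3" 2>/dev/null
    subject_of x509 "$3"
}

csr_from_env  "From environment" env.csr
csr_from_subj "/C=DE/O=Org/CN=Test Certificate" subj.csr
sign_with_ca  subj.csr "/C=DE/O=Org/OU=Dev/CN=Signed Name" signed.pem
```

The ENV form is the environment substitution Steve refers to; the ca route is the one Gerald settles on later in the thread. Whichever is used, reading the subject back with -noout -subject (on the CSR before signing, on the certificate after) is the check that would have shown immediately which source won.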
Re: Creating CA certificates
Thanks guys, all these comments helped a lot! Things are working for me now.

On Tue, Aug 18, 2009 at 4:48 PM, Goetz Babin-Ebell <go...@shomitefo.de> wrote:
[...]

-- 
No defeat is final; until u stop fighting. - AGK
Re: Creating CA certificates
Hi all,

I am sorry, I forgot to tell you that the final PEM I create is composed of both key and certificate:

cat server_key.pem server_cert.pem > server.pem

I read on some blogs that some servers require both to be in one file; that is why, to be on the safer side, I started following this practice. I hope it's fine.

Now I suppose that once a client is successfully connected it should return me code 0 and an OK message. Right? But I get return value 7 (Certificate Signature Failure), 21 (Unable to verify the first certificate).

Are we on the same pitch?

Thanks a lot.
-Vishal

p.s. - Can I connect multiple s_client to a single s_server?

On Tue, Aug 18, 2009 at 4:18 AM, Goetz Babin-Ebell <go...@shomitefo.de> wrote:
[...]
Re: Creating CA certificates
Well, I am also getting the same verify error (7), but the connection does not break.

On Tue, Aug 18, 2009 at 5:13 PM, vishal saraswat <vishalsaraswat...@gmail.com> wrote:
[...]
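The procedure from Kane's first message, as an added example that is not from the thread or the OpenSSL project: the shell redirections the archive dropped are restored, each issued certificate gets its own serial instead of -set_serial 01, the certificates carry the extensions a TLS client looks for, the private key is kept next to the certificate as Sandeep and Goetz point out, and the result is checked offline with openssl verify both with and without the CA as trust anchor. It assumes a POSIX shell with openssl 1.1.x or 3.x on PATH; the config sections and file names are made up for the demo.

```shell
#!/bin/sh
# Added example, not code from the thread or the OpenSSL project. The CA and
# server-certificate steps from Kane's message, with the redirections the
# archive lost, a unique serial per issued certificate, the extensions a TLS
# client expects, the key kept next to the certificate, and an offline check.
# Assumes: POSIX sh, openssl 1.1.x or 3.x on PATH; sections and file names
# are made up for the demo.
set -e
command -v openssl >/dev/null 2>&1 || { echo "openssl not on PATH, nothing to show" >&2; exit 0; }
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT; cd "$WORK"

cat > demo.cnf <<'EOF'
[ req ]
prompt             = no
distinguished_name = req_dn

[ req_dn ]
CN = placeholder

[ ca_ext ]
basicConstraints     = critical, CA:TRUE, pathlen:0
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash

[ server_ext ]
basicConstraints       = CA:FALSE
keyUsage               = critical, digitalSignature, keyEncipherment
extendedKeyUsage       = serverAuth
subjectAltName         = DNS:localhost
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid
EOF

# 1. CA key and self-signed CA certificate. genrsa writes the key to stdout,
#    so the redirection matters (the archive shows the commands without ">").
openssl genrsa 2048 > ca-key.pem 2>/dev/null
openssl req -new -x509 -key ca-key.pem -config demo.cnf -extensions ca_ext \
    -subj "/CN=Demo CA" -days 1000 > ca-cert.pem

# 2. Server key + request, then the CA-signed certificate. -CAcreateserial
#    keeps a counter in ca-cert.srl so every issued certificate gets a fresh
#    serial; -set_serial 01 on each run would reissue serial 1 under the same
#    issuer, which RFC 5280 forbids and some clients reject.
openssl req -new -newkey rsa:2048 -nodes -keyout server-key.pem -config demo.cnf \
    -subj "/CN=localhost" > server-req.pem 2>/dev/null
issue_server_cert() {   # $1 = CSR, $2 = output certificate
    openssl x509 -req -in "$1" -days 1000 -CA ca-cert.pem -CAkey ca-key.pem \
        -CAcreateserial -extfile demo.cnf -extensions server_ext -out "$2" 2>/dev/null
}
issue_server_cert server-req.pem server-cert.pem

# 3. s_server needs the private key as well as the certificate: either
#    -cert server-cert.pem -key server-key.pem, or one file holding both
#    (with only -cert given, s_server reads the key from that same file).
cat server-key.pem server-cert.pem > server.pem

serial_of()  { openssl x509 -in "$1" -noout -serial  | sed 's/^serial=//'; }
subject_of() { openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject=//'; }

# Chain check against our CA; exit status 0 and "<file>: OK" on success.
verify_with_ca() { openssl verify -CAfile ca-cert.pem "$1"; }
# The same check with no trust anchor fails with error 20, "unable to get
# local issuer certificate": the CA is simply unknown to the verifier.
# s_client started without -CAfile ca-cert.pem is in that position and
# reports 21, "unable to verify the first certificate".
verify_without_anchor() { openssl verify -no-CAfile -no-CApath "$1" 2>/dev/null; }

verify_with_ca server-cert.pem
echo "subject: $(subject_of server-cert.pem)  serial: $(serial_of server-cert.pem)"
```

So for the s_client run in this thread, the 21 goes away once the client is told which CA to trust (openssl s_client -connect localhost:<port> -CAfile ca-cert.pem). A 7 (certificate signature failure) is a different condition: the signature on the presented certificate does not check against the public key of the CA the client was given, which is what happens when ca-cert.pem is regenerated after server-cert.pem was signed. Compare openssl x509 -noout -issuer on the server certificate with -subject on the CA certificate, and reissue the server certificate against the current CA if they do not match.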
RE: FIPS 14-2 vs MD5
Remove

--- On Tue, 18 Aug 2009, David Schwartz <dav...@webmaster.com> wrote:

From: David Schwartz <dav...@webmaster.com>
Subject: RE: FIPS 14-2 vs MD5
To: openssl-users@openssl.org
Date: Tuesday, 18 August 2009, 01:40

Roger No-Spam wrote:

When building openssl in FIPS 140-2 mode, the MD5 algorithm is not available for use. There are, however, several RFCs that mandate the use of MD5. Would it be possible to partition a system into a FIPS 140-2 part (the more security-critical parts, e.g. SSL) and another part that can include support for RFCs that mandate MD5 (e.g. TCP MD5 checksum option, PPP CHAP, etc.)? Would it be possible to FIPS 140-2 validate such a system? What would the requirements be regarding the partitioning?

Simply disable all those things in FIPS mode. There is no requirement that your system be useful in FIPS mode, only that it be secure. That is what everyone else does. For example, the first Windows versions to support high-security modes disabled all networking devices and all removable media devices. Linux requires you to remove the power cord.

DS
Re: FIPS 14-2 vs MD5
I could be wrong with this, but I think it might be possible to use MD5 for the purpose of a checksum (fancy). I also believe the HMAC_MD5 part of SSL/TLS is acceptable.

Regards,
- Pandit

From: David Schwartz <dav...@webmaster.com>
To: openssl-users@openssl.org
Sent: Monday, August 17, 2009 7:40:43 PM
Subject: RE: FIPS 14-2 vs MD5
[...]
Re: Creating certificates
Hello,

Yes, you are right. I can do it using the 'ca' command. Thanks for the hint.

Gerald

On Tue, Aug 18, 2009 at 11:48 AM, Serge Fonville serge.fonvi...@gmail.com wrote:
> Why don't you use the ca command?
>
> On Tue, Aug 18, 2009 at 9:38 AM, Gerald Iakobinyi-Pich nutri...@gmail.com wrote:
> > Hello,
> >
> > So I have played around a little bit more yesterday, but with the same result. Attached is the openssl.cnf I am using. The problem is the same: I do not know how to override the subject information from the config file (specified in the req_distinguished_name section) from the command line. And this is what I execute from the cmd line:
> >
> > openssl genrsa -des3 -out ..\demo_store\private\private_key_client.pem -passout pass:pass 1024
> >
> > openssl req -config .\openssl.cnf -subj /C=DE/L=Munchen/ST=Bayern/O=Org/OU=Dev/CN=Test Certificate -new -days 365 -key ..\demo_store\private\private_key_client.pem -outform PEM -out ..\demo_store\request\req_server.csr -passin pass:pass
> >
> > openssl x509 -inform PEM -req -in ..\demo_store\request\req_server.csr -outform DER -out ..\demo_store\certs\cert_server.der -CAform DER -CA ..\demo_store\certs\ca_cert.der -CAkeyform PEM -CAkey ..\demo_store\private\ca_private_key.pem -CAcreateserial
> >
> > Regards,
> > Gerald
> >
> > On Mon, Aug 17, 2009 at 7:20 PM, Serge Fonville serge.fonvi...@gmail.com wrote:
> > > What does your openssl.cnf look like, since it is used in the req?
> > >
> > > On Mon, Aug 17, 2009 at 6:00 PM, Gerald Iakobinyi-Pich nutri...@gmail.com wrote:
> > > > Hi,
> > > >
> > > > So my end goal is to have a CA which I can use to sign certificates. I have set up a CA; that was not that hard. But now I want to create certificates signed by my CA, and I want to provide the subject from the command line. I don't want it to be read from the openssl.cnf. That is because I have to create more certificates, and I do not want to modify the openssl.cnf for each of them.
> > > >
> > > > I have tried to create certificates signed by my CA with the subject information provided in the openssl.cnf file. In that I have succeeded. Then I have tried to provide the subject information from the command line, and in that I have failed. I have verified the contents of the certificate, and the subject was not what I had specified on the command line, but what was found in the config file. So it looks to me as if this option:
> > > >
> > > > -subj /C=DE/L=Munchen/ST=Bayern/O=Org/OU=Dev/CN=Test Certificate
> > > >
> > > > is ignored, and as if openssl tries to read this info from the config file, and I do not understand why :(.
> > > >
> > > > Regards,
> > > > Gerald
> > > >
> > > > On Mon, Aug 17, 2009 at 6:31 PM, Serge Fonville serge.fonvi...@gmail.com wrote:
> > > > > Hi,
> > > > >
> > > > > I assume you have done a lot of googling and have read the docs extensively. First, what is your end goal? Since creating a certificate and having it signed by your own CA is not that difficult. What resources have you consulted? What have you already tried? Have you looked at the resulting certificate to verify its contents?
> > > > >
> > > > > Regards,
> > > > > Serge Fonville
> > > > >
> > > > > On Mon, Aug 17, 2009 at 4:41 PM, Gerald Iakobinyi-Pich nutri...@gmail.com wrote:
> > > > > > Hello,
> > > > > >
> > > > > > I am trying to create a certificate, on Windows, and I am having some trouble with OpenSSL. First I generate a key. That's ok. Then I create a request:
> > > > > >
> > > > > > openssl req -config .\openssl.cnf -subj /C=DE/L=Munchen/ST=Bayern/O=Org/OU=Dev/CN=Test Certificate -new -days 365 -key ..\demo_store\private\private_key_client.pem -outform PEM -out ..\demo_store\request\req_server.csr -passin pass:pass
> > > > > >
> > > > > > Then I want to sign this:
> > > > > >
> > > > > > openssl x509 -inform PEM -req -in ..\demo_store\request\req_server.csr -outform DER -out ..\demo_store\certs\cert_server.der -CAform DER -CA ..\demo_store\certs\ca_cert.der -CAkeyform PEM -CAkey ..\demo_store\private\ca_private_key.pem -CAcreateserial
> > > > > >
> > > > > > And the message printed out is:
> > > > > >
> > > > > > Loading 'screen' into random state - done
> > > > > > Signature ok
> > > > > > subject=/C=RO
> > > > > > Getting CA Private Key
> > > > > >
> > > > > > Now, what disturbs me is that it seems that the subject I have provided with -subj in the first openssl req command has been ignored. Why is that happening? What am I doing wrong?
> > > > > >
> > > > > > Thanks,
> > > > > > Gerald
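Serge's suggestion, worked through as an added example that is not part of the thread: a scratch CA signs the request with the ca command and -subj, whose value supersedes the subject carried in the CSR. The ca.cnf layout, file names and subjects are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: a throwaway CA in a temp directory,
# then `openssl ca -subj ...` so the subject given on the command line
# replaces the one in the CSR. All paths, names and subjects are constructed.
set -eu
WORK=$(mktemp -d)
cd "$WORK"
mkdir newcerts && : > index.txt && echo 01 > serial
# Minimal ca(1) configuration; policy_any lets any DN through but requires a CN.
cat > ca.cnf <<'EOF'
[ ca ]
default_ca = demo_ca
[ demo_ca ]
dir             = .
database        = $dir/index.txt
new_certs_dir   = $dir/newcerts
serial          = $dir/serial
certificate     = $dir/ca.crt
private_key     = $dir/ca.key
default_md      = sha256
default_days    = 1
policy          = policy_any
x509_extensions = ee_ext
[ policy_any ]
countryName            = optional
stateOrProvinceName    = optional
localityName           = optional
organizationName       = optional
organizationalUnitName = optional
commonName             = supplied
[ ee_ext ]
basicConstraints = CA:FALSE
EOF

# Self-signed CA, and a CSR whose own subject is deliberately different.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo CA" \
  -keyout ca.key -out ca.crt 2>/dev/null
openssl req -new -newkey rsa:2048 -nodes -subj /C=RO/CN=from-the-csr \
  -keyout client.key -out client.csr 2>/dev/null

# Sign with ca(1): -subj supersedes the request's DN, -batch skips the prompts.
openssl ca -batch -config ca.cnf -notext -in client.csr -out client.crt \
  -subj "/C=DE/L=Munchen/ST=Bayern/O=Org/OU=Dev/CN=Test Certificate" >/dev/null 2>&1

# cn_of FILE: commonName of a CSR (*.csr) or certificate, read back with openssl.
cn_of() {
  case $1 in
    *.csr) openssl req  -in "$1" -noout -subject -nameopt RFC2253 ;;
    *)     openssl x509 -in "$1" -noout -subject -nameopt RFC2253 ;;
  esac | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}
cn_of client.csr   # from-the-csr
cn_of client.crt   # Test Certificate
```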
Re: Creating CA certificates
Can you send the commands that you are using to run s_server and s_client?

On Tue, Aug 18, 2009 at 4:43 AM, vishal saraswat vishalsaraswat...@gmail.com wrote:
> Hi all,
>
> I am sorry, I forgot to tell you that the final PEM I create is composed of both key and certificate:
>
> cat server_key.pem server_cert.pem > server.pem
>
> I read on some blogs that some servers require both to be in one file, so to be on the safer side I started following this practice. I hope it's fine. Now I suppose that once a client is successfully connected it should return me code 0 and an OK message. Right? But I get return value 7 (Certificate Signature Failure), 21 (Unable to verify the first certificate). Are we on the same pitch?
>
> Thanks a lot.
> -Vishal
>
> p.s. - Can I connect multiple s_client to a single s_server?
>
> On Tue, Aug 18, 2009 at 4:18 AM, Goetz Babin-Ebell go...@shomitefo.de wrote:
> > vishal saraswat wrote:
> > | Hi Serge,
> > Hello Vishal,
> > | I use the following commands to start the server and the client :
> > |
> > | Server:
> > | openssl s_server -accept /port number/ -cert /certificate I create/
> > You do know that the server needs the private key and the certificate to work? You only set the certificate file name.
> >
> > Goetz
> > --
> > DMCA: The greed of the few outweighs the freedom of the many

__ OpenSSL Project http://www.openssl.org User Support Mailing List openssl-users@openssl.org Automated List Manager majord...@openssl.org
Accessing unknown certificate extensions by OID
Dear list,

another trial. ;)

We need to validate the existence and value of an X.509 extension in a client certificate from within Apache/mod_ssl. The extension Admission is described by ISIS-MTT and has OID 1.3.36.8.3.3:

AdmissionSyntax ::= SEQUENCE {
    admissionAuthority   GeneralName OPTIONAL,
    contentsOfAdmissions SEQUENCE OF Admissions }

Admissions ::= SEQUENCE {
    admissionAuthority [0] EXPLICIT GeneralName OPTIONAL,
    namingAuthority    [1] EXPLICIT NamingAuthority OPTIONAL,
    professionInfos    SEQUENCE OF ProfessionInfo }

NamingAuthority ::= SEQUENCE {
    namingAuthorityId   OBJECT IDENTIFIER OPTIONAL,
    namingAuthorityUrl  IA5String OPTIONAL,
    namingAuthorityText DirectoryString(SIZE(1..128)) OPTIONAL }

ProfessionInfo ::= SEQUENCE {
    namingAuthority    [0] EXPLICIT NamingAuthority OPTIONAL,
    professionItems    SEQUENCE OF DirectoryString (SIZE(1..128)),
    professionOIDs     SEQUENCE OF OBJECT IDENTIFIER OPTIONAL,
    registrationNumber PrintableString(SIZE(1..128)) OPTIONAL,
    addProfessionInfo  OCTET STRING OPTIONAL }

This does not exactly match what I found here: http://vijairaj.blogspot.com/2009/01/parsing-and-using-custom-extension-in.html, but is taken from the exact specifications we need to comply with. This extension is not known to our OpenSSL version (0.9.8d) and I don't think later versions know it?! Furthermore, the code suggested in the above-mentioned article does not really fit into mod_ssl, and I am hesitant to customize OpenSSL itself as well now. It should be possible to read and parse the extension by using ASN1 functions without defining the whole extension for OpenSSL, as it can be displayed with its OID and raw data by openssl asn1parse -in cert, I think? What I am looking for is a feasible approach to doing so from within mod_ssl. Any help appreciated!

In other news: what I achieved already is validating the certificate's signing algorithm and key length, its ExtendedKeyUsage data, and the signing algorithm and the producedAt date of the OCSP response from within mod_ssl - if anybody is interested... I also 'fixed' the receipt of the actual OCSP response, which failed if there was an empty line read at the beginning of the response, maybe due to a lag in traffic... (not valid code style according to Apache/httpd, I guess :( ).

Kind regards
Natanael Mignon
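One way to do what Natanael describes, as an added example that is not from the post: a test certificate carrying the Admission extension is produced with OpenSSL's arbitrary-extension config syntax, and the extension is then located by OID and decoded with asn1parse alone, the same drill-down a mod_ssl hook would do with the ASN1 functions. The admission values and file names are constructed.

```shell
#!/bin/sh
# Added example, not from the post: mint a test certificate that carries the
# ISIS-MTT Admission extension (OID 1.3.36.8.3.3) via OpenSSL's "ASN1:" config
# syntax, then find and decode it with plain asn1parse, without teaching
# OpenSSL the extension's structure. Values are constructed; OpenSSL 1.0+ assumed.
set -eu
WORK=$(mktemp -d)

# Extension body, following the AdmissionSyntax layout from the post.
cat > "$WORK/ext.cnf" <<'EOF'
[ admission_ext ]
1.3.36.8.3.3 = ASN1:SEQUENCE:admission_syntax
[ admission_syntax ]
contentsOfAdmissions = SEQUENCE:admissions_list
[ admissions_list ]
adm = SEQUENCE:admissions
[ admissions ]
professionInfos = SEQUENCE:profession_info_list
[ profession_info_list ]
pi = SEQUENCE:profession_info
[ profession_info ]
professionItems    = SEQUENCE:profession_items
registrationNumber = PRINTABLESTRING:12345
[ profession_items ]
item = UTF8String:Arzt
EOF

# Self-signed test certificate with the extension attached.
openssl req -new -newkey rsa:2048 -nodes -subj /CN=admission-test \
  -keyout "$WORK/key.pem" -out "$WORK/csr.pem" 2>/dev/null
openssl x509 -req -in "$WORK/csr.pem" -signkey "$WORK/key.pem" -days 1 \
  -extfile "$WORK/ext.cnf" -extensions admission_ext -out "$WORK/cert.pem" 2>/dev/null

# admission_dump CERT: print the decoded contents of the Admission extension.
# asn1parse lists an extension as an OBJECT line (numeric OID, or a name if the
# build happens to know it) followed by an OCTET STRING; -strparse at that
# OCTET STRING's offset decodes the DER inside it.
admission_dump() {
  off=$(openssl asn1parse -in "$1" | awk '
    /OBJECT/ && /1\.3\.36\.8\.3\.3|Admission/ { hit = 1; next }
    hit && /OCTET STRING/ { sub(/:.*/, ""); gsub(/ /, ""); print; exit }')
  [ -n "$off" ] || { echo "Admission extension not present" >&2; return 1; }
  openssl asn1parse -in "$1" -strparse "$off"
}
admission_dump "$WORK/cert.pem"
```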
Re: PEM_read is always returning null
Azlan wrote:

Hello everyone. I'm working with an application in which a module should read a PEM certificate successfully. I've written two types of programs, but both are failing (PEM_read constantly returning null). Here are my codes:

    #include <stdio.h>
    #include <string.h>
    #include <openssl/crypto.h>
    #include <openssl/err.h>
    #include <openssl/bio.h>
    #include <openssl/evp.h>
    #include <openssl/objects.h>
    #include <openssl/x509.h>
    #include <openssl/pem.h>

    int main(int argc, char *argv[])
    {
        FILE *fp;
        X509 *x = NULL;                 /* PEM_read_X509 allocates the object when *x is NULL */

        if (argc < 2) {
            fprintf(stderr, "usage: %s cert.pem\n", argv[0]);
            return 1;
        }
        fp = fopen(argv[1], "r");
        if (fp == NULL) {
            perror(argv[1]);
            return 1;
        }
        /* The second argument is X509 **, so pass the address of the pointer,
         * and test the return value: on failure x is left untouched. */
        if (PEM_read_X509(fp, &x, NULL, NULL) == NULL) {
            printf("error reading\n");
            ERR_print_errors_fp(stderr);    /* say why: bad PEM header, wrong format, ... */
        } else {
            printf("reading success\n");
        }
        fclose(fp);
        X509_free(x);
        return 0;
    }

Here is my second one, using BIO:

    X509 *x509Cert = NULL;   /* result is the same if this is initialised with X509_new() */
    BIO *cert = NULL;
    do {
        if ((cert = BIO_new(BIO_s_file())) == NULL) {
            printf("Error Initializing BIO pointer\n");
            break;
        }
        if (BIO_read_filename(cert, argv[1]) <= 0) {
            printf("Error opening file\n");
            break;
        }
        /* Again X509 **: pass &x509Cert, and check the return value. */
        if (PEM_read_bio_X509(cert, &x509Cert, NULL, NULL) != NULL) {
            printf("\nReading from file success!\n");
        } else {
            ERR_print_errors_fp(stderr);
        }
    } while (0);
    BIO_free(cert);

Both programs are returning NULL out of PEM_read. Even though I found similar posts about PEM_read, none of them is solving my problem. Please help me with this. Thank you in advance.

Sorry, I forgot to mention something. In my first program, the result would be "reading success". The problem is that PEM_read_X509(fp,x,NULL,NULL) is not returning a valid X509 into x (it's returning null; you can check with if(PEM_read_X509(fp,x,NULL,NULL)==NULL)). Even after the call of PEM_read, x has the previous value (X509_new(), which is not null). That's why the output is "reading success". Please help me get out of this. Thanks.
[openssl verify] [lookup:unable to get issuer certificate]
Hello guys,

I have created three certificates: a root CA cert, a subRoot CA cert and one client cert using M2Crypto. When I try to verify the trust chain I receive 'unable to get issuer certificate'. These are the steps I walked:

# my certificates
$ ls *.crt
client.crt rootCA.crt subRootCA.crt

# so far so good
$ openssl verify -CAfile rootCA.crt subRootCA.crt
subRootCA.crt: OK

# this fails
$ openssl verify -CAfile subRootCA.crt client.crt
client.crt: /C=CH/ST=Zurich/L=Zurich City/O=Test CA/CN=Test Sub Certification Authority/OU=Information Technology/emailaddress=cont...@test.com
error 2 at 1 depth lookup:unable to get issuer certificate

# this one fails too
$ openssl verify -CAfile rootCA.crt client.crt
client.crt: /C=CH/ST=ZH/L=Zurich/O=My Company Inc./CN=webca.mycompany.com/OU=Information Technology/emailaddress=matthias.guent...@gmail.com
error 20 at 0 depth lookup:unable to get local issuer certificate

Can someone please shed some light on this? These are the test certificates I have been using.
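The three verify calls above, replayed on a freshly built root -> subRootCA -> client chain as an added example that is not part of the post: the same lookup errors reappear, and handing the intermediate to openssl verify with -untrusted (it is a chain link, not a trust anchor) makes the chain verify. The same missing-issuer situation is what s_client reports as verify return code 21 in the s_server thread above. Subjects and file names are constructed.

```shell
#!/bin/sh
# Added example, not from the post: build root -> subRootCA -> client, then
# run the verify calls from the post and the one that succeeds.
# The chain is constructed here; OpenSSL 1.0 or later is assumed.
set -eu
WORK=$(mktemp -d)
cd "$WORK"
printf '[ ca ]\nbasicConstraints = critical,CA:TRUE\nkeyUsage = critical,keyCertSign,cRLSign\n' > ca_ext.cnf
printf '[ ee ]\nbasicConstraints = CA:FALSE\nextendedKeyUsage = clientAuth\n' > ee_ext.cnf

# issue NAME SUBJECT SECTION [ISSUER]: key + CSR, signed by ISSUER (self-signed if absent).
issue() {
  openssl req -new -newkey rsa:2048 -nodes -subj "$2" -keyout "$1.key" -out "$1.csr" 2>/dev/null
  if [ $# -eq 4 ]; then
    openssl x509 -req -in "$1.csr" -CA "$4.crt" -CAkey "$4.key" -CAcreateserial -days 1 \
      -extfile "${3}_ext.cnf" -extensions "$3" -out "$1.crt" 2>/dev/null
  else
    openssl x509 -req -in "$1.csr" -signkey "$1.key" -days 1 \
      -extfile "${3}_ext.cnf" -extensions "$3" -out "$1.crt" 2>/dev/null
  fi
}
issue rootCA    "/C=CH/O=Test CA/CN=Test Certification Authority"     ca
issue subRootCA "/C=CH/O=Test CA/CN=Test Sub Certification Authority" ca rootCA
issue client    "/C=CH/O=My Company Inc./CN=webca.mycompany.com"      ee subRootCA

# verify_chain TRUSTED UNTRUSTED LEAF: prints "OK" or the lookup error openssl reports.
# UNTRUSTED may be empty. -untrusted supplies chain-building material that is not
# itself a trust anchor, which is exactly the role of subRootCA.crt.
verify_chain() {
  if [ -n "$2" ]; then
    out=$(openssl verify -CAfile "$1" -untrusted "$2" "$3" 2>&1 || true)
  else
    out=$(openssl verify -CAfile "$1" "$3" 2>&1 || true)
  fi
  case $out in
    *": OK"*) echo OK ;;
    *) printf '%s\n' "$out" | sed -n 's/.*lookup: *//p' | head -n 1 ;;
  esac
}
verify_chain rootCA.crt    ""            subRootCA.crt  # OK
verify_chain subRootCA.crt ""            client.crt     # unable to get issuer certificate
verify_chain rootCA.crt    ""            client.crt     # unable to get local issuer certificate
verify_chain rootCA.crt    subRootCA.crt client.crt     # OK
```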
Getting spc and pvk file from pfx file
Hello,

I have installed Win32OpenSSL-0_9_7m.exe. I am unable to proceed further on how to extract the spc and pvk files from the pfx file I have. It would be of great help if any suggestions are provided; I don't see any utility listed for OpenSSL in my programs list either. Where should I enter the openssl command line to extract the spc and pvk files?

Thanks
Naren
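What the openssl binary can do here, as an added example that is not part of the post: the key and certificate are pulled out of a .pfx and written as PVK and SPC (an SPC is a DER-encoded PKCS#7 certificate bundle). This needs OpenSSL 1.0.0 or later, since the 0.9.7 build mentioned has no PVK output; the demo .pfx, its password and the file names are constructed.

```shell
#!/bin/sh
# Added example, not from the post: .pfx -> .pvk + .spc with the openssl
# binary only. Needs OpenSSL 1.0.0 or later (PVK output is not in 0.9.7).
# A throwaway .pfx is built first so the script is self-contained.
set -eu
WORK=$(mktemp -d)
cd "$WORK"

# Constructed input: self-signed cert + key packed into demo.pfx (password "pass").
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj /CN=codesign-demo \
  -keyout demo.key -out demo.crt 2>/dev/null
openssl pkcs12 -export -inkey demo.key -in demo.crt -out demo.pfx -passout pass:pass

# pfx_to_pvk_spc PFX PASSWORD BASENAME: writes BASENAME.pvk and BASENAME.spc
pfx_to_pvk_spc() {
  # 1. private key -> unencrypted PEM, then PEM -> PVK (-pvk-none: no PVK-level encryption)
  openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes -out "$3-key.pem"
  openssl rsa -in "$3-key.pem" -outform PVK -pvk-none -out "$3.pvk"
  # 2. certificate(s) -> PEM, then PEM -> SPC (DER PKCS#7 holding only certificates)
  openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -out "$3-cert.pem"
  openssl crl2pkcs7 -nocrl -certfile "$3-cert.pem" -outform DER -out "$3.spc"
}
pfx_to_pvk_spc demo.pfx pass demo

# Two checks on the results: the PVK magic bytes, and the CN carried in the SPC.
pvk_magic() { od -An -tx1 -N4 "$1" | tr -d ' \n'; }   # PVK files start with 1ef1b5b0
spc_cn() {
  openssl pkcs7 -inform DER -in "$1" -print_certs \
    | openssl x509 -noout -subject -nameopt RFC2253 | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}
pvk_magic demo.pvk   # 1ef1b5b0
spc_cn demo.spc      # codesign-demo
```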
Re: FIPS 14-2 vs MD5
No, you are not allowed to use MD5 for a checksum. The only reason TLS skates around it (and can use MD5 internally) is because TLS defines its PRF as an XOR of 5 rounds of MD5 against 4 rounds of SHA-1, and SHA-1 is still secure enough.

-Kyle H

On Tue, Aug 18, 2009 at 5:42 AM, Pandit Panburanappanb...@yahoo.com wrote:
> I could be wrong with this but I think it might be possible to use MD5 for the purpose of checksum (fancy). I also believe the HMAC_MD5 part of SSL/TLS is acceptable.
>
> Regards,
> - Pandit
>
> From: David Schwartz dav...@webmaster.com
> To: openssl-users@openssl.org
> Sent: Monday, August 17, 2009 7:40:43 PM
> Subject: RE: FIPS 14-2 vs MD5
>
> Roger No-Spam wrote:
> > When building openssl in FIPS 140-2 mode, the MD5 algorithm is not available for use. There are, however, several RFCs that mandate the use of MD5. Would it be possible to partition a system into a FIPS 140-2 part (more security critical parts, e.g. SSL) and one other part that can include support for RFCs that mandate MD5 (e.g. TCP MD5 checksum option, PPP CHAP, etc.)? Would it be possible to FIPS 140-2 validate such a system? What would the requirements be regarding the partitioning?
>
> Simply disable all those things in FIPS mode. There is no requirement that your system be useful in FIPS mode, only that it be secure. That is what everyone else does. For example, the first Windows versions to support high-security modes disabled all networking devices and all removable media devices. Linux requires you to remove the power cord.
>
> DS