Re: Windows Certificate Store Private Key
On Sat June 26 2010, Mohan Radhakrishnan wrote:
> Hi,
>
> Please ignore if this question belongs elsewhere, but it looks
> like the OP is storing and retrieving SSL certificates from a Windows
> store. I have been looking for ways to use the Windows store to secure
> SSL certificates and keys and SFTP keys.
>
> Is Windows or any other method recommended for storage of keys and
> certificates not created by Windows? We just cut a CD with the keys
> and hand it over to the custodian as recommended by PCI, but we want a
> storage server. I know that Red Hat has a PKI server, but we already
> have Windows and the number of keys is small.
>

A good, widely used, general storage for sensitive information is TrueCrypt:

http://www.truecrypt.org/

Available for the most common operating systems.

Mike

> Thanks,
> Mohan
>
> On Thu, Jun 24, 2010 at 9:45 PM, Harshvir Sidhu wrote:
> > Hey, thanks all for the reply.
> >
> > Stephen:
> > Yes, I have to do client authentication. Is there some sample available
> > that demonstrates how I can use the capi engine for the same? Thanks.
> >
> > // Harshvir
> >
> > On Thu, Jun 24, 2010 at 7:29 AM, Dr. Stephen Henson wrote:
> >>
> >> On Wed, Jun 23, 2010, Harshvir Sidhu wrote:
> >>
> >> > Hi All,
> >> > I am trying to read certificates and a private key from the Windows
> >> > Certificate Store and then use them in OpenSSL. I am able to read
> >> > certificates, but I am having trouble reading the private key. Has
> >> > anyone done this before? Any pointers will be great. Thanks.
> >> >
> >>
> >> Depends on what you want to do with the key. If you want to use it for
> >> SSL/TLS client authentication then you can use the CryptoAPI ENGINE to
> >> pick an appropriate certificate and key and use them directly. You just
> >> have to set the SSL client authentication ENGINE to "capi".
> >>
> >> For other purposes you can load the private key from the capi ENGINE
> >> using ENGINE_load_private_key(). The string you pass by default is a
> >> substring of the certificate name, e.g. if it has CN=steve then "steve"
> >> will do.
> >>
> >> Steve.
> >> --
> >> Dr Stephen N. Henson. OpenSSL project core developer.
> >> Commercial tech support now available see: http://www.openssl.org

__
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
Re: Windows Certificate Store Private Key
Hi,

Please ignore if this question belongs elsewhere, but it looks like the OP
is storing and retrieving SSL certificates from a Windows store. I have been
looking for ways to use the Windows store to secure SSL certificates and keys
and SFTP keys.

Is Windows or any other method recommended for storage of keys and
certificates not created by Windows? We just cut a CD with the keys and hand
it over to the custodian as recommended by PCI, but we want a storage server.
I know that Red Hat has a PKI server, but we already have Windows and the
number of keys is small.

Thanks,
Mohan

On Thu, Jun 24, 2010 at 9:45 PM, Harshvir Sidhu wrote:
> Hey, thanks all for the reply.
>
> Stephen:
> Yes, I have to do client authentication. Is there some sample available
> that demonstrates how I can use the capi engine for the same? Thanks.
>
> // Harshvir
>
> On Thu, Jun 24, 2010 at 7:29 AM, Dr. Stephen Henson wrote:
>>
>> On Wed, Jun 23, 2010, Harshvir Sidhu wrote:
>>
>> > Hi All,
>> > I am trying to read certificates and a private key from the Windows
>> > Certificate Store and then use them in OpenSSL. I am able to read
>> > certificates, but I am having trouble reading the private key. Has
>> > anyone done this before? Any pointers will be great. Thanks.
>> >
>>
>> Depends on what you want to do with the key. If you want to use it for
>> SSL/TLS client authentication then you can use the CryptoAPI ENGINE to
>> pick an appropriate certificate and key and use them directly. You just
>> have to set the SSL client authentication ENGINE to "capi".
>>
>> For other purposes you can load the private key from the capi ENGINE
>> using ENGINE_load_private_key(). The string you pass by default is a
>> substring of the certificate name, e.g. if it has CN=steve then "steve"
>> will do.
>>
>> Steve.
>> --
>> Dr Stephen N. Henson. OpenSSL project core developer.
>> Commercial tech support now available see: http://www.openssl.org

__
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
Re: crash from curl with pkcs12 certs and threads
On Thu, Jun 24, 2010, Brian Makin wrote:
> On Thu, 2010-06-24 at 15:22 +0200, Dr. Stephen Henson wrote:
> > On Tue, Jun 22, 2010, Brian Makin wrote:
> > >
> >
> > Can you check to see if PKCS12_PBE_add() is called multiple times using
> > the debugger? It is only supposed to be called once before threads are
> > started, but a bug means if it is called more than once you get multiple
> > table entries per PBE algorithm (instead of no-op or replacing) and the
> > subsequent sort operations can result in a race condition. I'll look into
> > fixing that.
> >
> > OpenSSL 1.0.0 doesn't have this problem because the builtin PBE
> > algorithms are in a static table.
>
> It appears the PKCS12_PBE_add is called many times in my test program.
>

Please try the next snapshot or apply this patch and see if it fixes the problem:

http://cvs.openssl.org/chngview?cn=19721

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org

__
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org