Re: Why does my browser give a warning about a mismatched hostname

2010-07-25 Thread Jakob Bohm

Depending on the CA you use, you may be able to issue a certificate with
CN=some-ILO-name,OU=...

AND

SubjectAlternativeName: IP:1.2.3.4

If the ILO configuration accepts that cert, then there is a good chance
your browser would accept the cert for both https://some-ILO-name/ and
https://1.2.3.4/

On 24-07-2010 16:19, michu162 wrote:


So what should I do to avoid warnings?
The CN (some-iLO-2-Subsystem-Name) is included in the certificate request, which is
automatically generated by the device. I can't upload another certificate (with
another CN) because I got an alert that the certificate doesn't match the request.
Is it possible to access the device via IP without warnings?

michu162 wrote:


I generated the SSL request, signed it with my CA (openssl) and uploaded the
signed certificate back to the device.
I also generated ca.der and uploaded it to my Internet browser. When I
try to open iLO my browser gives a warning about a mismatched hostname.

I'm accessing this device via IP address.
I don't want to add these addresses to my DNS.

In certificate request was:
CN = some-iLO-2-Subsystem-Name
OU = ISS
O = Hewlett-Packard Development Company
ST = Texas
C = US

In my CA certificate, which I used to sign the request, I've got:
CN = in...@mycompany.com
C = US
ST = MyState
L = myCity
E = in...@mycompany.com
OU = Infrastructure
O = MyCompany SP zoo

What should I do to connect to ilo without any warnings?

To create my own CA I used:
openssl req -new -x509 -extensions v3_ca -keyout private/cakey.pem -out cacert.pem -days 3650 -config ./openssl.cnf

To sign my certificate request I used:
openssl ca -notext -in /etc/ssl/req.txt -out /etc/ssl/ilocert.pem

My OpenSSL configuration file:

#
# Establish working directory.
#
dir = /etc/ssl

[ ca ]
default_ca = CA_default

[ CA_default ]
serial        = $dir/serial
database      = $dir/index.txt
new_certs_dir = $dir/certs
certificate   = $dir/cacert.pem
private_key   = $dir/private/cakey.pem
default_days  = 3650
default_md    = md5
preserve      = no
email_in_dn   = no
nameopt       = default_ca
certopt       = default_ca
policy        = policy_match

[ policy_match ]
countryName            = optional
stateOrProvinceName    = optional
organizationName       = optional
organizationalUnitName = optional
commonName             = supplied
emailAddress           = optional

[ req ]
default_bits       = 1024                   # Size of keys
default_keyfile    = key.pem                # name of generated keys
default_md         = md5                    # message digest algorithm
string_mask        = nombstr                # permitted characters
distinguished_name = req_distinguished_name
req_extensions     = v3_req

[ req_distinguished_name ]
# Variable name            Prompt string
# -------------            -------------
0.organizationName     = Organization Name (company)
organizationalUnitName = Organizational Unit Name (department, division)
emailAddress           = Email Address
emailAddress_max       = 40
localityName           = Locality Name (city, district)
stateOrProvinceName    = State or Province Name (full name)
countryName            = Country Name (2 letter code)
countryName_min        = 2
countryName_max        = 2
commonName             = Common Name (hostname, IP, or your name)
commonName_max         = 64

# Default values for the above, for consistency and less typing.
# Variable name                 Value
# -------------                 -----
0.organizationName_default  = My Company
localityName_default        = My Town
stateOrProvinceName_default = State or Province
countryName_default         = US

[ v3_ca ]
basicConstraints       = CA:TRUE
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always,issuer:always

[ v3_req ]
basicConstraints     = CA:FALSE
subjectKeyIdentifier = hash

Can anyone help me?






__
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
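Jakob's suggestion above, and the CA set-up michu162 posted, worked through end to end as an added example; this is not code from the thread, from HP or from the OpenSSL project. The hostname, the IP address 192.0.2.10 and the temporary directory are assumptions, and the CSR generated here stands in for the one the iLO produces, since only its subject is known from the post. The script builds a small CA in the layout 'openssl ca' expects, signs a CN-only request while attaching a subjectAltName with both the DNS name and the IP from the CA's own extension section, then checks the result with 'openssl verify' and by reading the SAN back. Two caveats: 'openssl ca' does not copy extensions from a request unless copy_extensions is set, which is why the SAN is supplied on the CA side (the device's request needs no change); and browsers have since stopped consulting the CN altogether, so it is the DNS entry in the SAN, not the CN, that makes the hostname URL work. The md5 and 1024-bit defaults in the quoted config are replaced here by sha256 and 2048-bit keys, which current browsers require.

```shell
#!/bin/sh
# Added example (not from the thread, HP or OpenSSL): sign a device-style CSR
# (subject only, like the iLO's) so the certificate also carries a SAN naming
# the iLO hostname and its IP. Hostname, IP and directory are assumptions.
# Needs the openssl command-line tool.
set -eu

ILO_NAME=some-iLO-2-Subsystem-Name
ILO_IP=192.0.2.10   # RFC 5737 documentation address; substitute the real one

# Throwaway CA directory in the layout 'openssl ca' expects. The ilo_server
# section supplies the SAN on the CA side, so the CSR itself needs none.
setup_ca() {
    work=$(mktemp -d)
    mkdir -p "$work/certs" "$work/private"
    : > "$work/index.txt"
    echo 01 > "$work/serial"
    cat > "$work/openssl.cnf" <<EOF
[ ca ]
default_ca = CA_default

[ CA_default ]
dir           = $work
serial        = \$dir/serial
database      = \$dir/index.txt
new_certs_dir = \$dir/certs
certificate   = \$dir/cacert.pem
private_key   = \$dir/private/cakey.pem
default_days  = 825
default_md    = sha256
policy        = policy_match

[ policy_match ]
countryName            = optional
stateOrProvinceName    = optional
organizationName       = optional
organizationalUnitName = optional
commonName             = supplied

[ req ]
distinguished_name = req_dn
[ req_dn ]
commonName = Common Name

[ v3_ca ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash

[ ilo_server ]
basicConstraints       = CA:FALSE
keyUsage               = critical, digitalSignature, keyEncipherment
extendedKeyUsage       = serverAuth
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid
subjectAltName         = DNS:$ILO_NAME, IP:$ILO_IP
EOF
    # Self-signed CA certificate: the part that gets imported into the browser.
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -subj "/O=MyCompany/CN=MyCompany iLO CA" \
        -config "$work/openssl.cnf" -extensions v3_ca \
        -keyout "$work/private/cakey.pem" -out "$work/cacert.pem" >/dev/null 2>&1
    echo "$work"
}

# Stand-in for the CSR the iLO generates itself: subject only, no SAN.
make_device_csr() {
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/C=US/ST=Texas/O=Hewlett-Packard Development Company/OU=ISS/CN=$ILO_NAME" \
        -config "$1/openssl.cnf" -keyout "$1/ilo.key" -out "$1/req.txt" >/dev/null 2>&1
}

# Sign the CSR. The SAN comes from the ilo_server section; public key and
# subject stay exactly those of the request.
sign_device_csr() {
    openssl ca -batch -notext -config "$1/openssl.cnf" -extensions ilo_server \
        -in "$1/req.txt" -out "$1/ilocert.pem" >/dev/null 2>&1
}

# Succeeds only if the certificate chains to the CA and its SAN lists both the
# hostname and the IP, i.e. neither URL form produces a name mismatch.
check_cert() {
    openssl verify -CAfile "$1/cacert.pem" "$1/ilocert.pem" >/dev/null 2>&1 || return 1
    text=$(openssl x509 -in "$1/ilocert.pem" -noout -text)
    case "$text" in
        *"DNS:$ILO_NAME, IP Address:$ILO_IP"*) return 0 ;;
        *) return 1 ;;
    esac
}

run_demo() {
    d=$(setup_ca)
    make_device_csr "$d"
    sign_device_csr "$d"
    check_cert "$d"
}

if run_demo; then
    echo "signed certificate chains to the CA and names both $ILO_NAME and $ILO_IP"
fi
```

Run it with a POSIX shell and the openssl binary on the PATH; on success it prints one line. Whether the iLO accepts a certificate with an extension that was not in its request is, as Jakob says, something to try: the CA cannot change the request's public key or subject, only what it certifies about them.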


Re: PEM-DER-CSR-CRT

2010-07-25 Thread Jakob Bohm

Ok, this one should be in the docs, but unfortunately, there is only
a completely outdated note in there.

For any PKI certificate there are 3 parts:

1. The secret private key, which only the relevant computer should
know and which no-one else should be able to see or steal.  This can
be stored in hardware (at a price), in an encrypted PKCS12 file
(extension .pfx or .p12) with the other two parts (mostly some
Microsoft programs need this), in an encrypted DER format file
(extension varies with the program) (rarely used) or in a PEM-encoded
encrypted DER file (extension .key) (the most common for non-Microsoft
products such as Apache).

2. The public key, which everybody will know.  Most of the time this
is simply included as a field inside the cert (part 3 below), only
during the first steps of generating the cert may you temporarily need
this on its own.  This may be stored in DER format (rare) or
PEM-encoded DER format (the usual).  The file extension varies but
is often .pub, .der or .pem.

3. The certificate, which contains the public key, the name of the
server or person or company etc. that owns the matching private key,
various other important information and a signature (by the same or a
different public key) on all these facts.  The certificate may be stored
with the private key in a PKCS12 file (extension .pfx or .p12) with the
other two parts (mostly some Microsoft programs need this), in an
unencrypted DER file (extension .crt or .cer) (only Microsoft IIS needs
this) or in an unencrypted PEM-encoded DER file (extension .crt or
.cer) (everything else uses this).

On 25-07-2010 00:49, Warron French wrote:

I have been reading HOWTOs all over the internet trying to figure out
how to generate a self-signed and/or CA (mine) signed certificate.

What I can't understand is, WHY do I need an RSA key or certificate.
I think it's a key.  WHY do I need a PEM certificate, and why a DER
certificate?

Nowhere on any website does it say WHEN to use one type of certificate
or just a key.

Apache httpd.conf files will reference both .key and .crt files in their
syntax; isn't the .crt a PEM-encoded certificate file?  If so, why not
give it a more meaningful .pem extension instead.

Can anyone clarify for me?  I am trying not to chase my tail and want to
learn this stuff on a deeper level.

When do I know if I need to perform the openssl req and then openssl
x509 commands and NOT the openssl rsa command?

This is all very confusing and I see no simplified (non-doctoral)
documentation on this material.  Anyone have a book to suggest?


Thanks to anyone that can respond.


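Jakob's three parts, produced and checked with the openssl CLI as an added example (not code from the thread or from the OpenSSL project). It also bears on Warron's question about which commands matter: 'openssl genpkey' (or the older 'genrsa') creates the private key, 'openssl req' creates the request, 'openssl x509' signs or converts the certificate, and 'openssl rsa' or 'openssl pkey' only reads a key and writes it back out (between PEM and DER, with or without a passphrase, or as the public half) without creating anything new. The subject name example.test, the file names and the PKCS#12 password are assumptions. The script writes the key, a standalone public key, a CSR, a self-signed certificate in PEM and in DER, and a PKCS#12 bundle, then shows with fingerprints and public-key hashes that .crt and .der carry the same certificate, that the certificate holds the key's public half, and that the PKCS#12 bundle hands back the same certificate.

```shell
#!/bin/sh
# Added example (not from the thread or the OpenSSL project): private key,
# public key and certificate in the encodings Jakob lists, checked against
# each other. Subject, file names and password are assumptions.
# Needs the openssl command-line tool.
set -eu

# Build every artefact in a temporary directory and print its path.
make_artifacts() {
    d=$(mktemp -d)
    # openssl req wants a distinguished_name section even when -subj is given
    printf '[ req ]\ndistinguished_name = dn\n[ dn ]\ncommonName = Common Name\n' > "$d/req.cnf"
    # 1. private key: PEM-wrapped DER, unencrypted here (add -aes256 to encrypt)
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$d/server.key" 2>/dev/null
    # 2. public key on its own, derived from the private key (openssl pkey/rsa
    #    never creates key material, it only re-encodes what it is given)
    openssl pkey -in "$d/server.key" -pubout -out "$d/server.pub"
    # openssl req: the request, signed with the private key to prove possession
    openssl req -new -key "$d/server.key" -subj "/CN=example.test" \
        -config "$d/req.cnf" -out "$d/server.csr"
    # 3. openssl x509: turn the request into a (here self-signed) certificate
    openssl x509 -req -in "$d/server.csr" -signkey "$d/server.key" -days 365 \
        -out "$d/server.crt" 2>/dev/null
    # the same certificate as raw DER, and key+cert bundled as PKCS#12
    openssl x509 -in "$d/server.crt" -outform DER -out "$d/server.der"
    openssl pkcs12 -export -inkey "$d/server.key" -in "$d/server.crt" \
        -passout pass:changeit -out "$d/server.p12"
    echo "$d"
}

# .crt/.pem is Base64 text around the DER bytes; both decode to the same
# certificate, so their fingerprints agree.
same_cert_pem_der() {
    pem=$(openssl x509 -in "$1/server.crt" -noout -fingerprint -sha256)
    der=$(openssl x509 -in "$1/server.der" -inform DER -noout -fingerprint -sha256)
    [ "$pem" = "$der" ]
}

# The certificate embeds the public key of the private key that signed the
# request: the public key read from key, .pub and cert is one and the same.
key_matches_cert() {
    from_key=$(openssl pkey -in "$1/server.key" -pubout | openssl sha256)
    from_pub=$(openssl sha256 < "$1/server.pub")
    from_crt=$(openssl x509 -in "$1/server.crt" -noout -pubkey | openssl sha256)
    [ "$from_key" = "$from_pub" ] && [ "$from_key" = "$from_crt" ]
}

# A PKCS#12 bundle carries key and certificate together; the certificate
# pulled back out of it is the one that went in.
p12_roundtrip() {
    bundled=$(openssl pkcs12 -in "$1/server.p12" -passin pass:changeit -nokeys -clcerts 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha256)
    orig=$(openssl x509 -in "$1/server.crt" -noout -fingerprint -sha256)
    [ "$bundled" = "$orig" ]
}

run_demo() {
    d=$(make_artifacts)
    same_cert_pem_der "$d" && key_matches_cert "$d" && p12_roundtrip "$d"
}

if run_demo; then
    echo "PEM and DER hold the same certificate, the key matches it, and the PKCS#12 bundle round-trips"
fi
```

The fingerprint and public-key comparisons are the checks to reach for when Apache refuses a .key/.crt pair: if 'openssl x509 -noout -pubkey' on the certificate and 'openssl pkey -pubout' on the key hash differently, the files do not belong together, whatever their extensions say.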