Re: I can't believe how much this sucks
Thomas:

You make very good suggestions. Of them all (aside from the use of tact in approaching the developers :-) ), I think that easy-to-follow code examples would improve the openSSL experience more than anything else you identify. These examples could even provide a natural context for the cookbook usage examples, and then we'd achieve two of your objectives.

I can recall situations where I had to incorporate a cryptographic calculation in code I was writing, e.g., compute a signature, and was unable to find any examples, and the man pages were a poor starting point. They are good for learning the individual library procedures, but they aren't good for pulling them together to create a working software module. (In fact, when I needed to learn how to compute a signature, I downloaded the openVPN source code and read it.)

So, what is a list of easy-to-follow code examples? Here are some suggestions:

1.) read private key and a message from a file: encrypt message with private key, write encrypted buffer to (another) file.
2.) read cert and private key, read file, compute signature, etc.
3.) read file, read signature, read ca certs, validate signature.
4.) Example 3 + check CRL.
5.) Example 3 + check with OCSP responder.
???

I'm sure there are a LOT of CA related examples that would help, because I find the creation of a CA to be one of the more painful exercises.

On Sun, Nov 18, 2012 at 11:19 PM, Thomas J. Hruska shineli...@shininglightpro.com wrote:
> On 11/13/2012 11:34 AM, Sanford Staab wrote:
>> I have been struggling with openssl for a few months now writing batch scripts on windows trying to make a .net web client with a client certificate work with 2-way ssl against an apache web server. Do you guys just want to continue to answer questions on this alias and not FIX the docs somewhat over time? I could go into a litany of how much information is just missing from the docs with INCOMPLETE everywhere. (see this link for one of the 900k+ hits on a google search of "openssl+docs+suck" for how much hell you guys are putting people through trying to figure out this tool) openssl is used all over the world by tons of people (so I feel dumb having problems here – but I know from Google I am not alone.) but it is just unbelievable to me that the docs remain so terse and useless for so many years. I have sent email to this alias previously asking how I can help with this. It seems to me there should be an openssl docs forum where content from this eventually finds its way into the online docs themselves. A tool is only as good as people are able to use it.
>
> The OpenSSL dev team consists of fairly old-school *NIX folks. It is a low-level library and certificate generation and manipulation tool that has gained significant notoriety for its reliability, stability, and security. The primary documentation is manpages. This is an outdated method of documenting software and, as I've found, the primary source of many complaints. In this regard, it is time to move on. I can't remember the last time I had to fire up 'man'. I'm much more apt to just run a Google search.
>
> Given my experience with end-users of this product, I've come to the conclusion that there are three distinct forms of documentation needed for OpenSSL:
>
> - API documentation. This is already fairly complete but hard to find everything and needs someone to go over it and update it. Areas that are entirely missing need to be fleshed out. It is also time to consider an alternative format to the traditional manpage.
>
> - Cookbook usage examples. 'openssl' command-line commands to accomplish common tasks in a cookbook format. I can point people to third-party sites (madboa comes to mind). However this sort of thing should really be on the OpenSSL website.
>
> - Complete, easy-to-follow code examples for a variety of common programming tasks. There are the test programs, but I view those more for testing the library for consistency against itself than demonstration on how to code against the library. There's a difference. The OpenSSL website should always have the definitive collection in a copy-and-paste ready format.
>
> Also, OpenSSL is used within a variety of programming languages. Examples and integration by language would be ideal. Pick the top three to five languages that cause the most churn on this list (C# comes to mind as #1).
>
> It is approaching six months since the last OpenSSL update. We're probably due for a new set of source releases any time now. So now is the ideal time to talk it up about getting better documentation on the dev team's schedule while they begin the planning stages of the next release. If you succeed at this, you'll be my hero of the month because I've been wanting this for ages. You might want to approach the devs though with a little more respect/tact. Saying the documentation sucks is a great way to get ignored. Their time is valuable.
>
> --
Question about exporting user certificate files to .pfx
I have created a CA and an intermediate CA. I use the intermediate CA to create self-signed s/mime certificates for end users which works fine. I need to be able to create .pfx files from those end user certificates and include the CA chain into the pfx file. Currently the command I use to export the user certificates to .pfx is as follows:

openssl pkcs12 -export -out someone.pfx -inkey someone.key -in someone.crt -passout:somepassword

This works fine but when I import the .pfx file into my windows system, the certificate chain is not there and I have no way of trusting the certificate. How would I go about including the certificate chain into the pfx file?

thanks in advance.
RE: I can't believe how much this sucks
It tends to be a shortcoming of many, many types of software documentation that it is feature-oriented rather than task-oriented. That is, it does a good job of saying "this switch does this, that parm specifies that" and a poor job of answering the question "I want to accomplish X. What the heck do I do?"

Examples are good, but they are not the only, and perhaps not the best, way of presenting task-oriented documentation. (The trouble with an example is one sometimes finds oneself asking "do I HAVE to do it that way, or did that writer just CHOOSE to do it that way?")

Charles

From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of John Zavgren
Sent: Monday, November 19, 2012 6:45 AM
To: openssl-users@openssl.org
Subject: Re: I can't believe how much this sucks

> Thomas: You make very good suggestions. [...]
Re: Question about exporting user certificate files to .pfx
On Mon, Nov 19, 2012, Deeztek.com Support wrote:
> I have created a CA and an intermediate CA. [...] This works fine but when I import the .pfx file into my windows system, the certificate chain is not there and I have no way of trusting the certificate. How would I go about including the certificate chain into the pfx file?

Concatenate the CA certificates together and use the -certfile option. See:

http://www.openssl.org/docs/apps/pkcs12.html#FILE_CREATION_OPTIONS

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
__
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org
Re: Question about exporting user certificate files to .pfx
On Mon, Nov 19, 2012, Deeztek.com Support wrote:
> Sorry, I'm not sure what you mean by concentrate the CA certificate together.

Join the root and intermediate CAs together in one file, e.g. like this under Linux:

cat intermediateca.pem root.pem > cacerts.pem

Then pass -certfile cacerts.pem to the pkcs12 command.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
Re: Question about exporting user certificate files to .pfx
Nevermind the last message, you said *concatenate* the CA certificate together. So, this is what I did:

Root cert: cat ca.crt > cachain.pem
Int-ca cert: cat int-ca.crt >> cachain.pem

Ran the following but it didn't work:

openssl pkcs12 -export -out someone.pfx -inkey someone.key -in someone.crt -certfile cachain.pem -passout:somepassword

On 11/19/2012 10:02 AM, Dr. Stephen Henson wrote:
> On Mon, Nov 19, 2012, Deeztek.com Support wrote:
>> I have created a CA and an intermediate CA. [...]
>
> Concatenate the CA certificates together and use the -certfile option. See: http://www.openssl.org/docs/apps/pkcs12.html#FILE_CREATION_OPTIONS

--
Deeztek.com Support http://www.deeztek.com
Re: Question about exporting user certificate files to .pfx
On Mon, Nov 19, 2012, Deeztek.com Support wrote:
> Nevermind the last message, you said *concatenate* the CA certificate together. So, this is what I did:
>
> Root cert: cat ca.crt > cachain.pem
> Int-ca cert: cat int-ca.crt >> cachain.pem
>
> Ran the following but it didn't work:
>
> openssl pkcs12 -export -out someone.pfx -inkey someone.key -in someone.crt -certfile cachain.pem -passout:somepassword

What do you mean didn't work? Did you get an error message from the command, did the import fail or is the certificate chain still not visible under Windows?

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
Re: I can't believe how much this sucks
On Mon, Nov 19, 2012 at 9:45 AM, John Zavgren j...@zavgren.com wrote:
> Thomas: You make very good suggestions. [...] I'm sure there are a LOT of CA related examples that would help, because I find the creation of a CA to be one of the more painful exercises.

I concur. But I'd take it a step further.

To take C/C++ programming as an example: it is one thing to learn to write decent code, but quite another to write 'secure' code. I have several references that assume a better than average knowledge of C and C++, and focus on good and bad coding practices that relate to writing secure code. All of the code, good and bad, in these references is legal C or C++, but some of it represents an opportunity for bad guys to hack the application for whatever purpose.

Similarly, I would suggest that your easy to follow examples include several variants of each use case, followed by illustrations of coding practice that are possible with the library but ill advised because they compromise security, accompanied by examples of how to support the same requirement without compromising security. I would suggest that this is especially important for a library like openssl since it will only be used in applications in which one of the main requirements is security, and using it badly seems likely to make the application using it less secure than it would be without use of a library like it.

Cheers
Ted
Re: Question about exporting user certificate files to .pfx
I meant, I run the command, I get no error, no pfx file is created and I simply get the openssl help command:

Usage: pkcs12 [options]
where options are
-export       output PKCS12 file
-chain        add certificate chain
-inkey file   private key if not infile

> What do you mean didn't work? Did you get an error message from the command, did the import fail or is the certificate chain still not visible under Windows?
>
> Steve.

--
Deeztek.com Support http://www.deeztek.com
Re: Question about exporting user certificate files to .pfx
On Mon, Nov 19, 2012, Deeztek.com Support wrote:
> Nevermind the last message, you said *concatenate* the CA certificate together. So, this is what I did:
>
> Root cert: cat ca.crt > cachain.pem
> Int-ca cert: cat int-ca.crt >> cachain.pem
>
> Ran the following but it didn't work:
>
> openssl pkcs12 -export -out someone.pfx -inkey someone.key -in someone.crt -certfile cachain.pem -passout:somepassword

If you used that exact command the -passout syntax is incorrect. It should be:

-passout pass:somepassword

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
Re: Question about exporting user certificate files to .pfx
I fixed the command and it created the end user .pfx file. It imported successfully into windows but I get this message when I looked at the certification chain for the intermediate ca:

"This certification authority is not allowed to issue certificates or cannot be used as an end-entity certificate."

Any idea why I would get this? Or would it affect anything?

On 11/19/2012 10:47 AM, Dr. Stephen Henson wrote:
> If you used that exact command the -passout syntax is incorrect. It should be -passout pass:somepassword

--
Deeztek.com Support http://www.deeztek.com
Re: Question about exporting user certificate files to .pfx
On Mon, Nov 19, 2012 at 10:53 AM, Deeztek.com Support supp...@deeztek.com wrote:
> I fixed the command and it created the end user .pfx file. It imported successfully into windows but I get this message when I looked at the certification chain for the intermediate ca: "This certification authority is not allowed to issue certificates or cannot be used as an end-entity certificate." Any idea why I would get this? Or would it affect anything?

http://lmgtfy.com/?q=This+certification+authority+is+not+allowed+to+issue+certificates+or+cannot+be+used+as+an+end-entity+certificate.
Re: I can't believe how much this sucks
On 11/19/2012 5:19 AM, Thomas J. Hruska wrote:
> On 11/13/2012 11:34 AM, Sanford Staab wrote:
>> I have been struggling with openssl for a few months now writing batch scripts on windows trying to make a .net web client with a client certificate work with 2-way ssl against an apache web server. [...]
>
> The OpenSSL dev team consists of fairly old-school *NIX folks. [...] The primary documentation is manpages. This is an outdated method of documenting software and, as I've found, the primary source of many complaints. In this regard, it is time to move on. I can't remember the last time I had to fire up 'man'. I'm much more apt to just run a Google search.

Actually, the primary format is the Perl POD format, which can be readily compiled to multiple formats, including manpages (which I prefer when coding on POSIX-like systems), HTML pages and a few others.

It would be nice if:

1. The documentation collection on openssl.org is automatically kept in sync with the latest release tarball.
2. There are alternate areas on openssl.org holding the latest in each of the still maintained older release series (such as 0.9.8 and 1.0.0) and the latest development head.
3. There was an extra option in the non-POSIX build scripts for building an indexed and cross linked folder of HTML docs, perhaps the same script used for the automated web site updating.
4. There was an extra option in the Win32/Win64 build scripts which packages the HTML pages into a properly indexed .chm file.

Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. http://www.wisemo.com
Transformervej 29, 2730 Herlev, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
Re: [openssl-users] Re: Question about exporting user certificate files to .pfx
Can you post here the certificate chain? Not the private key, only the certificates, from the root down to the end-entity.

--
Erwann ABALEA
- It's really not done to hand out every voter's email address. That's good for spammers, that is! [followed by the complete list of voters, badly quoted]
-+- AN in Guide du Neuneu Usenet: following one's logic through -+-

On 19/11/2012 16:53, Deeztek.com Support wrote:
> I fixed the command and it created the end user .pfx file. It imported successfully into windows but I get this message when I looked at the certification chain for the intermediate ca: "This certification authority is not allowed to issue certificates or cannot be used as an end-entity certificate." Any idea why I would get this? Or would it affect anything?
Re: I can't believe how much this sucks
On 19.11.2012 15:45, John Zavgren wrote:
> So, what is a list of easy-to-follow code examples? Here are some suggestions:
>
> 1.) read private key and a message from a file: encrypt message with private key, write encrypted buffer to (another) file.
> 2.) read cert and private key, read file, compute signature, etc.
> 3.) read file, read signature, read ca certs, validate signature.
> 4.) Example 3 + check CRL.
> 5.) Example 3 + check with OCSP responder.
> ???
>
> I'm sure there are a LOT of CA related examples that would help, because I find the creation of a CA to be one of the more painful exercises.

Well, many of these things are covered at least partially by the OpenSSL book from Viega et al. The book is somewhat outdated/incomplete but still my first reference when I have to implement a new cryptography related task with OpenSSL.

Best regards,
Richard
Re: add hash signature as part of the stream on which this hash is based on
On 10/27/2012 06:30 PM, Michael Zintakis wrote:
> Maybe a bit daft of me to ask this, but is it possible to calculate a hash on a stream of bytes where the resulting hash is considered to be part of that stream? In other words, let's assume that I have a stream which is, say, 64 bytes long in total, consisting of 48 bytes of payload, plus 16 bytes for the hash, and that hash has been calculated based on the *entire* stream (payload+hash) of 64 bytes. Would that be possible to produce with openssl or is this a bit of a chicken-and-egg scenario? Thanks!

By its nature, a hash completely changes if just a bit of the original content is modified; that also includes appending anything to it. Any change will make the difference unpredictable. My guess is that if you could write a hash working the way you say, it would be vulnerable to all sorts of cryptographic attacks: give up!
Re: add hash signature as part of the stream on which this hash is based on
On Mon, Nov 19, 2012 at 9:24 AM, lists li...@rustichelli.net wrote:
> By its nature, a hash completely changes if just a bit of the original content is modified

By design, a cryptographic hash function (on average) changes half the output bits when a single bit in the input is inverted.
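Both replies above can be checked at the command line. The script below is an added example, not part of the thread or of OpenSSL: it measures how many of SHA-256's 256 output bits change when one input bit is flipped, using `openssl dgst`, and then shows the layout that does work for the 48-byte-payload-plus-tag stream the question describes: the tag is computed over the payload alone, appended, and checked by recomputing over everything but the tag. The two payloads and the HMAC key are constructed for the demo; the tag is kept as 64 hex characters rather than 16 raw bytes purely to stay in plain shell.

```sh
#!/bin/sh
# Added example (not from the thread). Needs only openssl, sed, tr, head, tail, wc.
set -eu
command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; exit 1; }
WORK=$(mktemp -d)
KEY=demo-key-not-for-real-use   # hypothetical demo key

# Hex digest of a file. sed strips the "SHA256(file)= " / "SHA2-256(file)= " prefix
# so the same helper works on OpenSSL 1.x and 3.x.
sha256_hex() { openssl dgst -sha256 "$1" | sed 's/.*= //'; }
hmac_hex()   { openssl dgst -sha256 -hmac "$KEY" "$1" | sed 's/.*= //'; }

# Hamming distance (in bits) between two equal-length hex strings.
hamming_hex() {
    a=$1; b=$2; n=0
    while [ -n "$a" ]; do
        ca=$(printf '%.1s' "$a"); cb=$(printf '%.1s' "$b")
        x=$(( 0x$ca ^ 0x$cb ))
        while [ "$x" -gt 0 ]; do n=$((n + (x & 1))); x=$((x >> 1)); done
        a=${a#?}; b=${b#?}
    done
    echo "$n"
}

# Constructed 48-byte payloads differing in exactly one bit ('A' = 0x41, '@' = 0x40).
printf '%048d' 0 | tr 0 A > "$WORK/p0"
printf '@%047d' 0 | tr 0 A > "$WORK/p1"

# Avalanche: expected to be close to 128 of 256 bits for any single-bit flip.
avalanche_bits() { hamming_hex "$(sha256_hex "$WORK/p0")" "$(sha256_hex "$WORK/p1")"; }

# The layout that works: stream = payload || tag, tag = MAC(payload).
# A plain hash trailer only detects accidental corruption; a keyed MAC (HMAC here)
# also detects deliberate tampering, because the attacker cannot recompute the tag.
seal() {   # $1 payload file, $2 output stream
    { cat "$1"; printf '%s' "$(hmac_hex "$1")"; } > "$2"
}
open_stream() {   # $1 stream; returns 0 if the trailing tag matches the payload
    size=$(wc -c < "$1")
    head -c $((size - 64)) "$1" > "$WORK/body"
    [ "$(tail -c 64 "$1")" = "$(hmac_hex "$WORK/body")" ]
}

echo "one flipped input bit changed $(avalanche_bits) of 256 digest bits"
seal "$WORK/p0" "$WORK/stream"
open_stream "$WORK/stream" && echo "stream tag verifies"
# Flip the first payload byte and the check fails.
{ printf '@'; tail -c +2 "$WORK/stream"; } > "$WORK/tampered"
open_stream "$WORK/tampered" || echo "tampered stream rejected"
```

The self-referential variant in the question has no solution by construction: whatever 16 bytes you write into the trailer become input to the hash, and by the avalanche property the digest of that input has no predictable relation to the bytes you chose.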
Re: [openssl-users] Re: Question about exporting user certificate files to .pfx
I'm assuming this is what you want. This is the contents of my chain file: -BEGIN CERTIFICATE- MIIFlDCCA3ygAwIBAgIJAJsm0MjspJZLMA0GCSqGSIb3DQEBBQUAMDoxGDAWBgNV BAMTD2NhMy5kZWV6dGVrLmNvbTEeMBwGCSqGSIb3DQEJARYPY2EzQGRlZXp0ZWsu Y29tMB4XDTEyMTExNzIzMDA1MVoXDTE3MTExNzIzMDA1MVowOjEYMBYGA1UEAxMP Y2EzLmRlZXp0ZWsuY29tMR4wHAYJKoZIhvcNAQkBFg9jYTNAZGVlenRlay5jb20w ggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQDgzL8AMMsGK8O/G5wE/PZF pxDgKbUK8FzfSUDDhsj8wdCXrYa7vCWpklx9P8RIOolLyXV2TZIDX71ixF0JW9HS 6wCrQthfziAh+1iTEAFZq0anJQXYd5kLSxuaBAK+j/A30wJ15a9F4N0ACmfldX1h Z92MCCdemhuGkUxDS5YspXj3n6aezGrDhML76scK2KVcnY26gOSMd09M30RBbOHy ECOKjN06jGpce5ouwKqNbHDNnVKRzsPy6o/3Njp1Fotk7FbGieoNcbjfjQIgTYYa eWY3NQHEG5AZrAlf8KH7dO9SBMHQuM/DJsiBIok9Qcfh+GOjdL8YC7GIbf6gRBp7 NrKg9EpUOuHiij15Ephnr37zvAJfpBqXKXKT/4A/81qGWwgffQxsf5e2yg9327Zm cZpWBoT7Ge4L8YcgaHU+FLfhJPwZc4UB78pmcAarZ7ypa3ETub3bfaUoz2laCkUD xnlt94Ck2CbFtfjuLCO1vBxj0w8+Jm4zVCbFCIIAxJH/eaxwLuCx5E/30J4p8Wk+ ul7eB7EtKrJNRltZde/b7IX9HWBDaQ8WbkXlIZn+EJwCDGX8RtTYlBN7fLloJHwe X/Y2WlaZt6qYE2G7O0GETW6pdMtwlQ6UOjqL6PqqJjSFXUiSEn8xwF24U+ytWUpB RmO1fSOeumWTpQh30IKL5QIDAQABo4GcMIGZMB0GA1UdDgQWBBTtxw+0FwmnT9H9 fQh6vKkBYdPawTBqBgNVHSMEYzBhgBTtxw+0FwmnT9H9fQh6vKkBYdPawaE+pDww OjEYMBYGA1UEAxMPY2EzLmRlZXp0ZWsuY29tMR4wHAYJKoZIhvcNAQkBFg9jYTNA ZGVlenRlay5jb22CCQCbJtDI7KSWSzAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEB BQUAA4ICAQCg2z3eBEs8I8Lo1d+940YUTyjsAm6qmPs0R8NfqRXtmSKrw+KUQj77 t1uSaS5FOPsn95QGhSbOcKjyQ3vQOwS1fMThJLg/qgHsHQoDmZQWP0RBeG6P+FCR stKjYO3kjUEbO8nXVLC330X3SdBjmM4KqqG3q8HO9XKDmPcRlU7ruP4F/3PDOIzS DnmhuHb5FSx7pEawj4f1tU/vc5tMPQQOOdRqjFENk7lU+020U8hPUHgIAhA/Dmdx GlLobFY6NsSZBsvdbB6JnUQcV0iyoVqCob9aeySHY4L398XRrhX3TfN5LjXnyvbQ aQKn1oKCwM3bGvWI1lsJHCduJAmHA4DBxL9TEAvg1fLAaR2mr/lGUEOynDMFhWwm QK22ccQKj5W3mBJOeTngdbCInxqGhBSQs1avx+MDQw0znUNpxmc2HEpL+BybhfPM oHNy3FjiyCj4PlMB10Uoew3LYBAWukUk4qDZYpMJeVgCbV0e12tWkuFYAHmZZSSF aaxTPPxQkSef0NI+lww3ozpEu2OQBJuzeIhHokq44fpuQYAfdsFlbMXVq9RYYNyj mdJtZDqO3uRpMpklOp2acpKx6MpVhNFNWkQ0TJ7K8x6rW7L/BgLAIThMU6KiGIXY 
VSjVBAcgfCJGH/rHJyOIA/xL3QrfAGMrdWaupIVgLWtBZvOrbOpLMQ== -END CERTIFICATE- -BEGIN CERTIFICATE- MIIE8DCCAtgCAQEwDQYJKoZIhvcNAQEFBQAwOjEYMBYGA1UEAxMPY2EzLmRlZXp0 ZWsuY29tMR4wHAYJKoZIhvcNAQkBFg9jYTNAZGVlenRlay5jb20wHhcNMTIxMTE5 MTI1NjM0WhcNMTcxMTE4MTI1NjM0WjBCMRwwGgYDVQQDExNpbnQtY2EzLmRlZXp0 ZWsuY29tMSIwIAYJKoZIhvcNAQkBFhNpbnQtY2EzQGRlZXp0ZWsuY29tMIICIjAN BgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAsTwKBHiFZQBfhV8EiQ8Kq1ivq9Ou FoSWU/VEionIlAdzZK0WpQrtEprbugldGVe/yQcQqgMyKDsNq4MBNBmkRbS9CM2x Mc0fl+7ne0uS2N/aCLBMdDwONpfGDBKuiiK2DS52iFe8VbOas9aOim06LEjN+iZv PhtP+tQW5s8poe1xUHNykit24fht5v0ikqqBI/ac9yhV1sfmTdyM9gAe/BPs2TFT +9inxIE00pcIsDZ6odiqzU1QSPuW0NJaQbyIzdptoqXZwEYzsdKV2GWBQ+CpZZMm EZdAfKsGvlvU+f2O1nm6lKyL7dIdEV3x1l7Q2iFGLkC/zSKozs1CJzGLGkVZ0VTA 5LOv37SfZZC8IJ6zykIp8siZUlN/u6gMI7Qjnk38YP9GkLPDMvMqrbfHGZtCP2Aj qPg4UBKa7umTh0M4rCn8gj6Urh32n/m+WcU1vHjefLmhly//IdmWBQ+navcnq1e1 vXt/1qHTj2ynMoASLXg2k4jOFFldf3vvwgGfkGJDmdD34ANczpV9o7VOgC3Qd+k3 jAbG8tOmNXFsOIuSlbYfFzg1ijaXBgCmhbAkh81BbLU/MZd1jWwzI8MRggZZANMK xaQpu0VSP5oW5e76sX/MQnuS0ihwLkAWhLfe/2Y59BdGwC0Rxat7u8BIQ90uPlaj rGlItlOBTwPK3GECAwEAATANBgkqhkiG9w0BAQUFAAOCAgEAE4x82QOaE2I16a/f IZvMiTc7UaJ8amWylZrQLYG0ZfdhwcJHyOel9sN/Cu0XVjtFJTdKIhBT73ryDq9v SlnmOuEt0SqmeQhgwVusvd7RfgNIvPqRPw/gCaeNz1qct/3Qigy9DbQ1vb1e/3lI MBZqeGTXgnBsXrIoSgzDdohU/nQcMdKRH/Iins+qh4J8G4zqpkB1v/3Uylz/3GUQ XCfj/tcJev/r6ONaVY5dsZe2XkVIJlc7YkevWOiact5x2XqVgDLTUyrnru3iilHY Xf74UYFVgbIBqmr+8oQ9tZLQuFBxRrJ33xx/TbZAqXXSTd5CTWSJZx9z4j6XiZZr qyqa/PzDKTmMju4Y/KIUgIgYsl9cA0LVmEX9a/Ec+XKgXIbvA8FvA4RAM+zsVsZ+ UW5JNW/wqAs3zKxhyHd4PHj1MdNJI7vEh8GhnbYW9SkwjYdCgYBzjpG/krgq7b7H yq/31Jz/d7xlwtZ/6FQ7bDV+qtNQ28QjbmB184C3VO+0hywGZWNf7sjJhZEkUYce IH5FCzF141l8ys2E+G04vxeYWHkTJuBChRMnFKnsSKjHn6/P7cVEQacy3002G2ZX wzXrL6Hmgzr3O7I8RwlkbDMYmbaROiBoKB2DhlBKXxVAgD8Fsp8AOj6wxLBXjg/V LMJHeiywxLvyFl6uPSjjMjTzcXk= -END CERTIFICATE- On 11/19/2012 11:26 AM, Erwann Abalea wrote: Can you post here the certificate chain? Not the private key, only the certificates, from the root down to the end-entity. 
-- Deeztek.com Support http://www.deeztek.com
Re: [openssl-users] Re: Question about exporting user certificate files to .pfx
Thanks. The first certificate is your root CA, the second one is a version 1 certificate that can't be used as a CA (it would be insecure to allow it). If your end-user certificate is issued by this second certificate, then the error message is normal.

-- Erwann ABALEA - anatomy: surgical removal of the duck

On 19/11/2012 18:48, Deeztek.com Support wrote:
I'm assuming this is what you want. This is the contents of my chain file:
-BEGIN CERTIFICATE- MIIFlDCCA3ygAwIBAgIJAJsm0MjspJZLMA0GCSqGSIb3DQEBBQUAMDoxGDAWBgNV [...] VSjVBAcgfCJGH/rHJyOIA/xL3QrfAGMrdWaupIVgLWtBZvOrbOpLMQ== -END CERTIFICATE-
-BEGIN CERTIFICATE- MIIE8DCCAtgCAQEwDQYJKoZIhvcNAQEFBQAwOjEYMBYGA1UEAxMPY2EzLmRlZXp0 [...] LMJHeiywxLvyFl6uPSjjMjTzcXk= -END CERTIFICATE-

On 11/19/2012 11:26 AM, Erwann Abalea wrote:
Can you post here the certificate chain? Not the private key, only the certificates, from the root down to the end-entity.

__ OpenSSL Project http://www.openssl.org User Support Mailing List openssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: [openssl-users] Re: Question about exporting user certificate files to .pfx
Maybe I got something wrong creating the intermediate CA which is supposed to be the 2nd certificate. This is what I did to create the intermediate CA. Maybe I missed something?

Generated Intermediate CA key:
openssl genrsa -out ia.key 4096

Generated Intermediate CA Certificate Request:
openssl req -new -key ia.key -out ia.csr

Processed Intermediate CA request and signed by the CA:
openssl x509 -req -days 1825 -in ia.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out ia.crt

Concatenate the CA and the intermediate CA certificates together:
Root cert: cat ca.crt > cachain.pem
Int-ca cert: cat int-ca.crt >> cachain.pem

On 11/19/2012 1:41 PM, Erwann Abalea wrote:
Thanks. The first certificate is your root CA, the second one is a version 1 certificate that can't be used as a CA (it would be insecure to allow it). If your end-user certificate is issued by this second certificate, then the error message is normal.

-- Deeztek.com Support http://www.deeztek.com
Re: [openssl-users] Re: Question about exporting user certificate files to .pfx
Answers inline.

-- Erwann ABALEA - A forum can meet several needs at once. Here, the group of beginners outnumbers the group of middle-class users, which inevitably causes tensions. -+- EF - Guide du Neuneu d'Usenet - The struggle of the middle classes -+-

On 19/11/2012 19:47, Deeztek.com Support wrote:
Maybe I got something wrong creating the intermediate CA which is supposed to be the 2nd certificate. This is what I did to create the intermediate CA. Maybe I missed something?

Generated Intermediate CA key:
openssl genrsa -out ia.key 4096

Generated Intermediate CA Certificate Request:
openssl req -new -key ia.key -out ia.csr

Processed Intermediate CA request and signed by the CA:
openssl x509 -req -days 1825 -in ia.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out ia.crt

There's no mention of the extensions you put in your intermediate certificate. It may have magically worked, if the openssl configuration file had been properly filled. The default configuration file doesn't set any extension when you create a certificate with openssl x509, whence version 1.

You should get better CA scripts, or build your own set after reading your openssl.cnf file and other associated documentation.
man req
man x509
man ca
man x509v3_config

When I need a junk CA, I personally use openssl req to create the root, and openssl ca for all other certificates (intermediate CAs or end-entities).
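An added example (not from the thread or the OpenSSL project) of the procedure posted above, with the extensions Erwann refers to supplied to openssl x509 through an extfile section in the x509v3_config format, plus a check that the result is a v3 certificate asserting CA:TRUE; a certificate signed the way the post did it is built alongside for contrast. The file names, subjects and the minimal config are made up for the example.

```shell
#!/bin/sh
# Added example (not from the thread): root + intermediate CA with X.509v3
# extensions supplied via -extfile, and a check on the result. Names are made up.

# Minimal openssl.cnf for the example; it replaces the system configuration.
write_config() {
    cat > "$1" <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[ dn ]
CN = Example Root CA
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_int ]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
}

# Succeeds only for a version 3 certificate whose basicConstraints say CA:TRUE;
# a v1 certificate (no extensions at all) fails here, as in the thread.
check_ca_cert() {
    text=$(openssl x509 -in "$1" -noout -text 2>/dev/null) || return 1
    case "$text" in *"Version: 3"*) ;; *) return 1 ;; esac
    case "$text" in *"CA:TRUE"*) return 0 ;; *) return 1 ;; esac
}

# Writes ca.crt, ia.crt (signed with the v3_int extensions) and ia-noext.crt
# (signed exactly as in the post, without extensions) into directory $1.
build_test_ca() {
    d=$1; cnf=$d/openssl.cnf; write_config "$cnf"
    openssl req -x509 -config "$cnf" -newkey rsa:2048 -nodes -days 3650 \
        -keyout "$d/ca.key" -out "$d/ca.crt" || return 1
    openssl req -new -config "$cnf" -subj "/CN=Example Intermediate CA" \
        -newkey rsa:2048 -nodes -keyout "$d/ia.key" -out "$d/ia.csr" || return 1
    # The post's command plus -extfile/-extensions (see x509v3_config(5)).
    openssl x509 -req -days 1825 -in "$d/ia.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
        -set_serial 01 -extfile "$cnf" -extensions v3_int -out "$d/ia.crt" || return 1
    openssl x509 -req -days 1825 -in "$d/ia.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
        -set_serial 02 -out "$d/ia-noext.crt" || return 1
}

if [ "${1:-}" = run ]; then   # usage: sh make_ca.sh run /path/to/dir
    build_test_ca "$2" && check_ca_cert "$2/ia.crt" && echo "$2/ia.crt: v3 CA cert"
fi
```

On current OpenSSL releases the extension-less ia-noext.crt may come out as v3 with only key identifiers rather than as v1, but it still lacks CA:TRUE and so still fails the check.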
Re: [openssl-users] Re: Question about exporting user certificate files to .pfx
On Mon, Nov 19, 2012, Erwann Abalea wrote:
You should get better CA scripts, or build your own set after reading your openssl.cnf file and other associated documentation.
man req
man x509
man ca
man x509v3_config
When I need a junk CA, I personally use openssl req to create the root, and openssl ca for all other certificates (intermediate CAs or end-entities).

There is also a simple perl script that does this called CA.pl, see:
http://www.openssl.org/docs/apps/CA.pl.html
It includes an option to sign a CA certificate using appropriate extensions. It's fine for test CAs but for more advanced usage you need to check the relevant documentation of the utilities.

This question crops up so often it is in the FAQ:
http://www.openssl.org/support/faq.html#USER3

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org