RE: [openssl-users] Setting 5 year validity period.

2002-05-21 Thread Brandon Amundson

Chris,

Thanks..

Brandon

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of Chris Cleeland
Sent: Tuesday, May 21, 2002 11:27 AM
To: [EMAIL PROTECTED]
Subject: Re: [openssl-users] Setting 5 year validity period.


On Tue, 21 May 2002, Brandon Amundson wrote:

> Is there something I could add to the following commands to change the
> default time a CA is good for? The ones I created are good for only 30
> days. I would like to have them be good for 1825 days.
> 
>  "To create the CA.pem and privkey.pem"
> openssl req -out CA.pem -new -x509
> 
> "To sign the server cert"
> openssl x509 -req -in server.req -CA CA.pem -CAkey privkey.pem -CAserial file.srl -out server.pem

Add:

  -days 1825

in both command lines.

-- 
  Chris Cleeland, cleeland_c @ ociweb.com, http://www.milodesigns.com/~chris
  Principal Software Engineer, Object Computing, Inc., +1 314 579 0066
  Support Me Supporting Cancer Survivors in Ride for the Roses 2002
  >>>>>>>>> Donate at http://www.milodesigns.com/donate <<<<<<<<<

__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]
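Chris's answer, worked through as an added example that is not from the thread: a self-signed CA and a server certificate each issued with -days 1825, then a check that notAfter really lands five years out using openssl x509 -checkend. Subject names and the work directory are constructed, and -CAcreateserial stands in for the thread's pre-existing file.srl.

```shell
#!/bin/sh
# Added example: 5-year CA and server certificate via "-days 1825".
# Requires the openssl CLI; subject names and paths are constructed.
set -e

DAYS=1825
WORK="${WORK:-$(mktemp -d)}"

# Self-signed CA. Without -days, "openssl req -x509" issues for 30 days.
make_ca() {
  openssl req -new -x509 -days "$DAYS" -newkey rsa:2048 -nodes \
    -subj "/CN=Example Test CA" \
    -keyout "$WORK/privkey.pem" -out "$WORK/CA.pem" 2>/dev/null
}

# Server key and request, playing the part of the thread's server.req.
make_server_req() {
  openssl req -new -newkey rsa:2048 -nodes \
    -subj "/CN=www.example.test" \
    -keyout "$WORK/server.key" -out "$WORK/server.req" 2>/dev/null
}

# Sign the request with the CA. "-days" here sets the server certificate's
# validity only; the CA keeps whatever validity it was issued with.
# -CAcreateserial creates the serial file instead of requiring file.srl.
sign_server() {
  openssl x509 -req -days "$DAYS" -in "$WORK/server.req" \
    -CA "$WORK/CA.pem" -CAkey "$WORK/privkey.pem" -CAcreateserial \
    -out "$WORK/server.pem" 2>/dev/null
}

# Return 0 when certificate $1 expires more than $2 days but no more than
# $3 days from now. "-checkend N" exits 0 only if the cert is still valid
# N seconds from now, so two calls bracket notAfter without parsing dates.
expires_between_days() {
  cert=$1 lo=$2 hi=$3
  openssl x509 -in "$cert" -noout -checkend "$((lo * 86400))" >/dev/null &&
    ! openssl x509 -in "$cert" -noout -checkend "$((hi * 86400))" >/dev/null
}

# Human-readable confirmation of both expiry dates.
show_dates() {
  openssl x509 -in "$WORK/CA.pem" -noout -subject -enddate
  openssl x509 -in "$WORK/server.pem" -noout -subject -enddate
}
```

When the CA is driven through openssl ca instead of openssl x509 -req, the equivalent knob is default_days in the [ CA_default ] section of openssl.cnf.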




Setting 5 year validity period.

2002-05-21 Thread Brandon Amundson

Is there something I could add to the following commands to change the
default time a CA is good for? The ones I created are good for only 30
days. I would like to have them be good for 1825 days. 

 "To create the CA.pem and privkey.pem"
openssl req -out CA.pem -new -x509

"To sign the server cert"
openssl x509 -req -in server.req -CA CA.pem -CAkey privkey.pem -CAserial file.srl -out server.pem

When I use the openssl.cnf file my server cert does not work with
Netscape.

Thanks in Advance,

Brandon




Error when using Netscape to access a https site

2002-05-01 Thread Brandon Amundson

I am trying to access a secure site from my machine with Netscape 4*
thru 6.2 and IE.  When accessing the site with IE I get to it fine.  When
using Netscape, I get the following error.

The certificate is not approved for the following application.

I do not get an error that says I do not have a certificate to access
the site.

The server cert was generated with the following command.

openssl ca -policy policy_anything -out demo.cer -config /usr/local/ssl/openssl.cnf -infiles certreq.txt

Everything looks like it comes across fine. I edited the demo.cer file
and took out the excess gibberish that MS does not like and installed it
as a server cert.

Am I missing something? Has anyone seen the error on the 3rd line?

Thanks..

Brandon Amundson 
BBN Technologies
LAB: 703 284 8189
[EMAIL PROTECTED]




RE: certificate creation example

2002-04-04 Thread Brandon Amundson

Howard,

I found a pretty good write-up for doing this. Here it is.

Brandon

SSL Certificates HOWTO

Franck Martin

Revision History
Revision v0.1, 2001-11-18, Revised by: fm

A first-hand approach on how to manage a certificate authority (CA), and issue or sign certificates to be used for secure web, secure e-mail, or signing code and other usages.
 
Table of Contents
1. Generalities
   1.1. History
   1.2. Introduction
   1.3. What is SSL and what are Certificates?
   1.4. What about S/Mime or other protocols?
2. Certificate Management
   2.1. Installation
   2.2. Create a Root Certification Authority Certificate.
   2.3. Create a non root Certification Authority Certificate.
   2.4. Install the CA root certificate as a Trusted Root Certificate
   2.5. Certificate management
   2.6. Securing Internet Protocols.
   2.7. Securing E-mails.
 
Chapter 1. Generalities
 
1.1. History
 
V0.1 - Franck Martin <[EMAIL PROTECTED]>

Creation of the HOWTO
 
1.2. Introduction
 
Dear reader, like myself you have read intensively the man pages of the applications of the [http://www.openssl.org/] OpenSSL project, and like myself, you couldn't figure out where to start, and how to work securely with certificates. Here is the answer to most of your questions.

This HOWTO will also deal with non-Linux applications, as there is no use to issue certificates if you can't use them... Maybe all applications won't be listed here, but please send me additional paragraphs and corrections. I can be reached at the following address: [mailto: [EMAIL PROTECTED]][EMAIL PROTECTED].
 
1.2.1. Disclaimer and Licence
 
This document is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

In short, if the advice given here breaks the security of your e-commerce application, then tough luck; it's never our fault. Sorry.
 
Copyright (c) 2001 by Franck Martin and others from the openssl-users mailing list under GFDL (the [http://www.gnu.org/] GNU Free Documentation License).

Please freely copy and distribute (sell or give away) this document in any format. It's requested that corrections and/or comments be forwarded to the document maintainer. You may create a derivative work and distribute it provided that you:
 
 1. Send your derivative work (in the most suitable format such as sgml) to the LDP (Linux Documentation Project) or the like for posting on the Internet. If not the LDP, then let the LDP know where it is available.
 2. License the derivative work with this same license or use GPL. Include a copyright notice and at least a pointer to the license used.
 3. Give due credit to previous authors and major contributors. If you're considering making a derived work other than a translation, it's requested that you discuss your plans with the current maintainer.
 
It is also requested that if you publish this HOWTO in hardcopy that you send the authors some samples for 'review purposes' :-). You may also want to send something to cook my noodles ;-)
 
1.2.2. Prior knowledge
 
As indicated in the introduction, this document is a hands-on HOWTO, and it is therefore required that you consult the man pages of the OpenSSL software, as well as read security books to learn how your security could be compromised. As certificates are meant to increase the security of your transactions, it is VERY important that you understand all the security implications of your actions and what security OpenSSL does not provide.
 
1.3. What is SSL and what are Certificates?
 
The Secure Socket Layer protocol was created by Netscape to ensure secure transactions between web servers and browsers. The protocol uses a third party, a Certificate Authority (CA), to identify one end or both ends of the transaction. This is in short how it works.
 
 1. A browser requests a secure page (usually https://).
 2. The web server sends its public key with its certificate.
 3. The browser checks that the certificate was issued by a trusted party (usually a trusted root CA), that the certificate is still valid and that the certificate is related to the site contacted.
 4. The browser then uses the public key to encrypt a random symmetric encryption key and sends it to the server with the encrypted URL re

RE: A quick question!

2002-04-04 Thread Brandon Amundson

When you run CA.pl -newca this will be created for you.  You can change
demo to anything you want. There may be another reference to demo in the
CA.pl script, I cannot remember. If so, change it there also.

Brandon

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of Zamangoer, Ferruh
Sent: Thursday, April 04, 2002 8:30 AM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: A quick question!


Hi All, 

can anybody tell me, when I have installed OpenSSL, I can see in my
openssl.conf that there are the following settings:



[ ca ]
default_ca      = CA_default                # The default ca section


[ CA_default ]

dir             = ./demoCA                  # Where everything is kept
certs           = $dir/certs                # Where the issued certs are kept
crl_dir         = $dir/crl                  # Where the issued crl are kept
database        = $dir/index.txt            # database index file.
new_certs_dir   = $dir/newcerts             # default place for new certs.

certificate     = $dir/cacert.pem           # The CA certificate
serial          = $dir/serial               # The current serial number
crl             = $dir/crl.pem              # The current CRL
private_key     = $dir/private/cakey.pem    # The private key
RANDFILE        = $dir/private/.rand        # private random number file

x509_extensions = usr_cert                  # The extentions to add to the cert

etc...


The directory ./demoCA doesn't exist in my OpenSSL directory. Must I
create this directory or the certs dir?


thanks for help


regards
Ferruh



Openssl.cnf

2002-03-28 Thread Brandon Amundson

I would like to create another CA on my system and use another
openssl.cnf file so I can specify another location to store the new
certs and also to use another policy.  I am using ./CA.pl -newca to
create the CA but it keeps referencing the /usr/local/ssl/openssl.cnf
file.  How can I tell CA.pl to use /usr/local/ssl/sopenssl.cnf for all
certificates created with this CA?  Also, what is SSLEAY_CONFIG and
where is it defined? 
Any help would be appreciated.
Thanks

Brandon
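A worked example, added here and not from the thread, for the two questions above: the directory tree that the [ CA_default ] section expects (what CA.pl -newca lays out under ./demoCA) and a second config file whose dir points at another tree with its own policy, so a second CA can be driven with -config. The paths, policy and default_days values are constructed; the key names are the standard openssl.cnf ones.

```shell
#!/bin/sh
# Added example (not from the thread): the CA_default tree and a second config.
# Paths and policy values are constructed; adjust for your own CA.
set -e

# Create the files and directories named in [ CA_default ] under $1.
# "openssl ca" will not run until index.txt and serial exist.
init_ca_dir() {
  dir=$1
  mkdir -p "$dir/certs" "$dir/crl" "$dir/newcerts" "$dir/private"
  chmod 0700 "$dir/private"                          # cakey.pem lives here
  [ -f "$dir/index.txt" ] || : > "$dir/index.txt"    # empty issuance database
  [ -f "$dir/serial" ] || echo 01 > "$dir/serial"    # next serial number
}

# Write a minimal config to $2 whose CA_default dir is $1. The \$dir
# references are expanded by openssl's config parser, not by the shell.
write_ca_config() {
  dir=$1 cfg=$2
  cat > "$cfg" <<EOF
[ ca ]
default_ca      = CA_default

[ CA_default ]
dir             = $dir
certs           = \$dir/certs
crl_dir         = \$dir/crl
database        = \$dir/index.txt
new_certs_dir   = \$dir/newcerts
certificate     = \$dir/cacert.pem
serial          = \$dir/serial
crl             = \$dir/crl.pem
private_key     = \$dir/private/cakey.pem
default_days    = 1825
default_md      = sha256
policy          = policy_anything
x509_extensions = usr_cert

[ policy_anything ]
commonName             = supplied
countryName            = optional
stateOrProvinceName    = optional
localityName           = optional
organizationName       = optional
organizationalUnitName = optional
emailAddress           = optional

[ usr_cert ]
basicConstraints = CA:FALSE
EOF
}

# Usage: name the second config on each command instead of the default
# /usr/local/ssl/openssl.cnf, e.g.
#   openssl ca -config ca2.cnf -in server.req -out server.pem
# CA.pl takes the same thing through SSLEAY_CONFIG="-config ca2.cnf" in
# its environment; its output directory name is set separately in the script.
```

The basicConstraints = CA:FALSE line in usr_cert is what keeps an issued end-entity certificate from being usable as a CA itself.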




cert-request.cgi

2002-03-14 Thread Brandon Amundson
f ( $command_sign->expect(5, "commit\? \[y\/n\]")) {
  print $command_sign "y\r\r";
   }
   sleep 2;
   #
   # Convert the signed cert to a pkcs12 certificate so Netscape and IE can import.
   # (and clean up some files)
  `rm -f "./temp/$input{'email'}.pem"`;
   `cat ./temp/$input{'email'}.key ./temp/$input{'email'}.pem.signed >> ./temp/$input{'email'}.temp`;
   sleep 3;
   my $command_conv;
   print "\r";
   $command_conv = Expect->spawn("/usr/local/ssl/bin/openssl pkcs12 -export -in ./temp/$input{'email'}.temp -out ./temp/$input{'email'}.p12 -name 'Your Certificate for $input{'email'}' -certfile /usr/local/ssl/misc/yourCA/cacert.pem");
   if ( $command_conv->expect(5, "pass phrase:")) {
  print $command_conv "$input{'passwd'}\r";
   }
   if ( $command_conv->expect(5, "Export Password:")) {
  print $command_conv "$input{'passwd'}\r";
   }
   if ( $command_conv->expect(5, "Export Password:")) {
  print $command_conv "$input{'passwd'}\r";
   }
   #
   `rm -f "./temp/$input{'email'}.key" "./temp/$input{'email'}.pem.signed" "./temp/$input{'email'}.temp"`;
   # E-mail [EMAIL PROTECTED] and tell him he has a cert to approve.
   `echo '$input{'email'} has a certificate request.' | mail -s "certificate request" your-email\@address.here`;
   print "\r";
   print "\r\n";
   }
else {
   print &PrintHeader;
   print &HtmlTop ("Generating Certificate Request...");
   print "ERROR: You left a required field blank or your passwords didn't match.
  Please go back and correct.\n";

   print <<ENDOFTEXT;
   Your name is: +$input{'name'}+
   Your password is: ++
   Your e-mail address is: +$input{'email'}+
   Your Organization Unit is : +$organization_unit+
   Your City is: +$input{'city'}+
   Your State is: +$new_state+
   Your Country is: +$input{'country'}+
   
ENDOFTEXT
   }
# Close the document cleanly.
print "window.location=\"http://your.site.here\";";
print &HtmlBot;


}

Brandon Amundson
BBN Technologies
LAB: 703 284 8189
[EMAIL PROTECTED]




Signing a server cert... And getting it to work...

2002-03-12 Thread Brandon Amundson
ify return code: 21 (unable to verify the first certificate)




Any more ideas? I have tried everything I have received as a response thus
far, and am truly appreciative of the responses I have received. Is the way
I am requesting the cert to be signed correct? Could it be something in the
openssl.cnf file that is not making the cert an actual server cert, although
it is being accepted as one in IIS?

Thanks in Advance, Again..

Brandon

Brandon Amundson
BBN Technologies
LAB: 703 284 8189
[EMAIL PROTECTED]




Subject: Troubles Creating a Certificate for IIS

2002-03-08 Thread Brandon Amundson




Currently our setup consists of a Linux web server running apache.  Part of
the site is restricted through the use of SSL and client certificates.  We
have a self-signed root certificate, created with OpenSSL, and a server
certificate signed by our root certificate for the Linux machines.  We then
generate client certificates for users.

We need to setup a new server running win2000 and IIS.  We would like to
create a server certificate for the new machine that accepts all the client
certificates from the Linux machines, in addition to new client
certificates generated on the IIS machine.

Thus far we have been successful in creating a server certificate from the
existing root certificate on the Linux web server.  We have moved the
certificate onto the IIS machine and installed it successfully.  We've also
added the root certificate to the list of trusted Certificate Authorities
on the IIS machine.  However, the IIS machine doesn't accept the client
certificates generated for the original web server.

I have read through the OpenSSL FAQ and when running the following command:

openssl s_client -connect myhost:443 -prexit

I don't see our CA in the list of accepted CA's.  I have followed
instructions I've received on this list, and when I actually VIEW the
certificate store on the server, under Trusted Certificate Authorities, I
see the CA that I installed.  I used the following command to create the
DER encoded certificate for installation on the IIS machine:

openssl x509 -in ca.pem -outform DER -out ca.der

I then used the Certificate Wizard on the IIS machine and installed the DER
encoded certificate into the Trusted Certificate Authorities store.

I'm unsure of what to do next, and any help would be greatly appreciated.

Cheers,
Brandon





No certificates in client popup box.

2002-03-07 Thread Brandon Amundson


I tried to do this:

> > how can you get your CA to appear in the list of acceptable ca names?
>
> The FAQ gives the reason for this and some more info. What it doesn't
> say is how to add your CA to the trusted list of IIS. IIRC you can do
> this via the certificate import wizard, something like clicking on the
> "show physical stores" box and trusted root->local computer. You may
> have to reboot. You can check using s_client to see if your CA is
> then sent (see FAQ).

I do not have an option to show physical stores, that I can find..

Here is the output of the following command:
openssl s_client -connect 192.168.0.1:443 -prexit
CONNECTED(0003)
---
Certificate chain
 0 s:/C=US/ST=Virginia/L=Arlington/O=BBN Technologies/OU=DAML/CN=xxx..org<<<<>>>>
   i:/C=US/ST=Virginia/L=Arlington/O=DARPA/OU=DAML/CN=xxx.xx.org/Email=thas[EMAIL PROTECTED]<<<<>>>>
---
Server certificate
-----BEGIN CERTIFICATE-----
[certificate body omitted]
-----END CERTIFICATE-----
subject=/C=US/ST=Virginia/L=Arlington/O=BBN Technologies/OU=DAML/CN=xxx..org
issuer=/C=US/ST=Virginia/L=Arlington/O=DARPA/OU=DAML/CN=xxx..org/Email=t[EMAIL PROTECTED]
---
Acceptable client certificate CA names
/C=US/O=VeriSign, Inc./OU=Class 1 Public Primary Certification Authority - G2/OU=(c) 1998 VeriSign, Inc. - For authorized use only/OU=VeriSign Trust Network
/C=US/O=VeriSign, Inc./OU=Class 4 Public Primary Certification Authority - G2/OU=(c) 1998 VeriSign, Inc. - For authorized use only/OU=VeriSign Trust Network
/C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting/OU=Certification Services Division/CN=Thawte Personal Freemail [EMAIL PROTECTED]
/C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting/OU=Certification Services Division/CN=Thawte Personal Premium [EMAIL PROTECTED]
/C=US/O=First Data Digital Certificates Inc./CN=First Data Digital Certificates Inc. Certification Authority
/C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting/OU=Certification Services Division/CN=Thawte Personal Basic [EMAIL PROTECTED]
/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
/C=US/O=VeriSign, Inc./OU=Class 2 Public Primary Certification Authority
/C=US/O=VeriSign, Inc./OU=Class 1 Public Primary Certification Authority
/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority - G2/OU=(c) 1998 VeriSign, Inc. - For authorized use only/OU=VeriSign Trust Network
/C=US/O=GTE Corporation/CN=GTE CyberTrust Root
/C=US/O=GTE Corporation/OU=GTE CyberTrust Solutions, Inc./CN=GTE CyberTrust Global Root
/C=US/O=VeriSign, Inc./OU=Class 2 Public Primary Certification Authority - G2/OU=(c) 1998 VeriSign, Inc. - For authorized use only/OU=VeriSign Trust Network
/C=US/O=GTE Corporation/OU=GTE CyberTrust Solutions, Inc./CN=GTE CyberTrust Root
/OU=Copyright (c) 1997 Microsoft Corp./OU=Microsoft Corporation/CN=Microsoft Root Authority
/DC=com/DC=microsoft/CN=Microsoft Root Certificate Authority
---
SSL handshake has read 3471 bytes and written 318 bytes
---
New, TLSv1/SSLv3, Cipher is RC4-MD5
Server public key is 1024 bit
SSL-Session:
    Protocol  : TLSv1
    Cipher    : RC4-MD5
    Session-ID: 100215ABAC4B2DAF9DA307389E76CECCAB468CBDCA06820AE0966D0C8C36
    Session-ID-ctx:
    Master-Key: 0B0F9E1C622CE7CF0090411AF59DFA53062DC2BDA1929B2E210204753FDFD6E6F60ADB54D6C4BD38B4C85737C8AA62D9
    Key-Arg   : None
    Start Time: 1015519547
    Timeout   : 300 (sec)
    Verify return code: 21 (unable to verify the first ce

Brandon Amundson
BBN Technologies
LAB: 703 284 8189
[EMAIL PROTECTED]
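The check Brandon does by eye on the -prexit output, as an added example that is not from the thread: it isolates the "Acceptable client certificate CA names" block and the verify return code from saved s_client output so a CA subject can be matched exactly. The sample output embedded in it is constructed and shortened, and the DAML-style subject used in its negative check is a placeholder.

```shell
#!/bin/sh
# Added example (not from the thread): pull the advertised client-cert CA
# names and the verify code out of "openssl s_client -prexit" output.
set -e

# Constructed sample of the relevant lines, with a shortened CA list.
SAMPLE_OUTPUT='CONNECTED(00000003)
---
Acceptable client certificate CA names
/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
/C=US/O=GTE Corporation/CN=GTE CyberTrust Root
/DC=com/DC=microsoft/CN=Microsoft Root Certificate Authority
---
SSL handshake has read 3471 bytes and written 318 bytes
---
    Verify return code: 21 (unable to verify the first certificate)'

# Print the CA names between the "Acceptable client certificate CA names"
# header and the next "---" (stdin: s_client output). Prints nothing when
# the server sent none, which s_client reports as "No client certificate
# CA names sent".
acceptable_cas() {
  awk '/^Acceptable client certificate CA names/ { on = 1; next }
       on && /^---/ { on = 0 }
       on { print }'
}

# Return 0 if the one-line subject $1 (slash form, /C=US/O=.../CN=...)
# is among the advertised names; the match is exact, not a substring.
ca_is_advertised() {
  acceptable_cas | grep -Fxq -- "$1"
}

# Print the numeric verify return code. 21 means s_client could not chain
# the server cert to a trusted root; pass -CAfile ca.pem to verify against
# your own CA, which is separate from the client-CA list above.
verify_code() {
  sed -n 's/^ *Verify return code: \([0-9][0-9]*\).*/\1/p' | head -n 1
}
```

Feed it real output captured with openssl s_client -connect host:443 -prexit </dev/null, and compare against openssl x509 -in ca.pem -noout -subject -nameopt compat, since newer OpenSSL prints subjects as "C = US, O = ..." unless the compat name format is requested.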


No certificates in popup dialog box.

2002-03-06 Thread Brandon Amundson

I am trying to sign a server cert from IIS 5.0 with my CA (openssl) that
runs on my linux webserver.

I have successfully signed the cert and moved it back into IIS but when I go
to access the site, the certificate dialog box pops up but there are no
available certificates.  I would like to use pre-existing user certificates
that I have issued for my other site because I am going to be letting the
same people have access to the new site.  Does anyone know if this is
possible and what I am not doing correctly, (besides using MS)? I heard
something about the v3 extensions being a possible cause.  Any thoughts?

Brandon Amundson
[EMAIL PROTECTED]




Question Regarding MS server cert request

2002-03-04 Thread Brandon Amundson

Hello.

I currently have a CA (openssl) setup on my webserver and have over 300
certificates outstanding.  I was asked to setup a demo on a Windows 2000
server that allows all of my current certificate users access.  I generated
the server certificate request on the MS Server
and attempted to have it signed by my CA on my other WebServer (linux).  I
was able to get a signed server cert and moved that along with a copy of
root cert back to the MS box.  After importing them I was denied access
using my user cert.  Does anyone know if this is possible and how to do it?
If so, how could I restrict access to certain parts of my demo based on the
user's cert? Any help would be greatly appreciated..  Thanks in Advance..

Brandon Amundson
[EMAIL PROTECTED]
