RE: intermediate CA configuration
Please send me your extensions file, CA cert/key and the CSR you are using for your intermediate. I am assuming that what you have so far is for testing purposes. Otherwise, I would not ask for the CA key (obviously). Send them to me as a zip file and I'll take a look.

Don.

[EMAIL PROTECTED]
Donald E. Bynum
Director, Architecture Integration
O: 703.668.5616 | M: 301.367.2072 | www.networksolutions.com

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of mallika
Sent: Friday, September 21, 2007 1:39 AM
To: openssl-users@openssl.org
Subject: RE: intermediate CA configuration

I have given the command

    openssl x509 -req -days 365 -in intermediate.csr -CA root.certkey -CAcreateserial -out intermediate.crt -extensions usr_cert -extfile /etc/sll/openssl.cnf

after creating the root CA; the root.certkey is having key and crt files. Is this command enough for creating the intermediate CA? If I create a user certificate with this intermediate CA, in SSL authentication it is giving error 24, Unknown CA. In the client machine I installed all the certificates: root CA and intermediate CA and client certificate. It is showing a clear hierarchy: ROOT > intermediate > client. I copied the root and intermediate certificates in /etc/ssl/certs and did c_rehash. BUT with the intermediate client certificate, the client could able to authenticate and is showing the ERROR 24 and UNKNOWN CA. If I provide any other root CA, the client can be able to authenticate with that root CA client certificate. Please help me...

Bynum, Don wrote:

This should be good for most purposes. Note the basicConstraints attribute of pathlen. Unlike the root CA which has no pathlen, the intermediate has a pathlen of 0.

###
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always
crlDistributionPoints=URI:http://crl1.somedomain.com/IntCA.crl,URI:http://crl2.somedomain.com/IntCA.crl
basicConstraints = critical, CA:true,pathlen:0
keyUsage=critical, keyCertSign,cRLSign
extendedKeyUsage = serverAuth, clientAuth, codeSigning, emailProtection, timeStamping
nsCertType = server, client
certificatePolicies=ia5org,@polsect1

[polsect1]
policyIdentifier = 1.3.6.1.4.1.0.1.2.1.2.1
CPS=http://www.somedomain.com/legal/cps-intCA.pdf
###

Donald E. Bynum
Director, Architecture Integration
O: 703.668.5616 | M: 301.367.2072 | www.networksolutions.com

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of mallika
Sent: Thursday, September 20, 2007 4:06 AM
To: openssl-users@openssl.org
Subject: intermediate CA configuration

I want to create an intermediate CA from the root CA by using openssl.cnf. How to configure the openssl.cnf file for creating an intermediate CA which contains all attributes like the root CA, which is having obj signing, certificate revocation... Can anybody help me?

--
View this message in context: http://www.nabble.com/intermediate-CA-configuration-tf4485967.html#a12792609
Sent from the OpenSSL - User mailing list archive at Nabble.com.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]

--
View this message in context: http://www.nabble.com/intermediate-CA-configuration-tf4485967.html#a12810885
Sent from the OpenSSL - User mailing list archive at Nabble.com.
RE: intermediate CA configuration
This should be good for most purposes. Note the basicConstraints attribute of pathlen. Unlike the root CA which has no pathlen, the intermediate has a pathlen of 0.

###
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always
crlDistributionPoints=URI:http://crl1.somedomain.com/IntCA.crl,URI:http://crl2.somedomain.com/IntCA.crl
basicConstraints = critical, CA:true,pathlen:0
keyUsage=critical, keyCertSign,cRLSign
extendedKeyUsage = serverAuth, clientAuth, codeSigning, emailProtection, timeStamping
nsCertType = server, client
certificatePolicies=ia5org,@polsect1

[polsect1]
policyIdentifier = 1.3.6.1.4.1.0.1.2.1.2.1
CPS=http://www.somedomain.com/legal/cps-intCA.pdf
###

Donald E. Bynum
Director, Architecture Integration
O: 703.668.5616 | M: 301.367.2072 | www.networksolutions.com

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of mallika
Sent: Thursday, September 20, 2007 4:06 AM
To: openssl-users@openssl.org
Subject: intermediate CA configuration

I want to create an intermediate CA from the root CA by using openssl.cnf. How to configure the openssl.cnf file for creating an intermediate CA which contains all attributes like the root CA, which is having obj signing, certificate revocation... Can anybody help me?
RE: [openssl-users] Bad CRL being generated - Help
I have now excluded the issuer from both the end entity cert and the CRL. So only keyid is being injected. The result is the same: both IE and FF report an error that the CRL is invalid.

Here is what I am using in the extensions config file for the CRL:

[ ca ]
default_ca = CA_default          # The default ca section

[ CA_default ]
dir = $dir                       # Where everything is kept
database = $dir/index.txt        # database index file.
crlnumber = $dir/crlnum
unique_subject = no

[ crl_ext ]
authorityKeyIdentifier=keyid:always

Here is what I have in the extensions for the cert:

subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always
crlDistributionPoints=URI:http://crl1.networksolutions.com/SiteSafeSSL.crl,URI:http://crl2.networksolutions.com/SiteSafeSSL.crl
basicConstraints = critical, CA:false
keyUsage=critical, digitalSignature, keyEncipherment
extendedKeyUsage=serverAuth, clientAuth
nsCertType = server, client
certificatePolicies=ia5org,@polsect1

[polsect1]
policyIdentifier = 1.3.6.1.4.1.782.1.2.1.19.1
CPS=http://www.networksolutions.com/legal/SSL-legal-repository-cps-SiteSafe.jsp

Again, here is the URL for the CRL and test site:

http://crl1.networksolutions.com/SiteSafeSSL.crl
https://www.netsol-test-site-4.com

I am really hoping that I am missing something really simple here. Any help with this would be much appreciated.

Regards,
Don

Donald E. Bynum
Director, Architecture Integration
O: 703.668.5616 | M: 301.367.2072 | www.networksolutions.com

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Bynum, Don
Sent: Saturday, September 15, 2007 3:54 PM
To: openssl-users@openssl.org
Subject: RE: [openssl-users] Bad CRL being generated - Help

That is an interesting and accurate observation. I agree that the issuer and authority should be the same; that I can fix. Another question though: if I had not included the issuer in the cert or in the CRL, i.e. only have the authority keyid present (which are the same in the CRL and the cert), do you think that the problem would still have been there?

Regards,
Don Bynum

Donald E. Bynum
Director, Architecture Integration
O: 703.668.5616 | M: 301.367.2072 | www.networksolutions.com

From: [EMAIL PROTECTED] on behalf of Erwann ABALEA
Sent: Sat 9/15/2007 14:37
To: openssl-users@openssl.org
Subject: Re: [openssl-users] Bad CRL being generated - Help

Good evening,

Today, XVII Kal. Oct. MMVII (15 September 2007), Bynum, Don wrote:

I have been setting up a CA and have one hurdle which I cannot figure out. I have generated a CRL (currently with no revoked certs). It is referenced in the CRL Distribution Points extension of the end entity certs. I can open the CRL with IE by browsing to the CRL URI. I can import it into Firefox. However, when browsing to a site (IE or FF) with a cert from the CA of the CRL, I get an error saying that the CRL is invalid. You can see this for yourself: [1] http://crl1.networksolutions.com/SiteSafeSSL.crl A test site for this is at [2] https://www.netsol-test-site-4.com

Taken from the CRL:

Issuer: /CN=SiteSafe SSL/O=Network Solutions LLC/C=US
CRL extensions:
    X509v3 Authority Key Identifier:
        keyid:2A:CB:BC:20:CE:C6:DF:9A:1C:AD:A5:C6:38:86:BB:5C:01:32:A6:B4
        DirName:/C=US/O=Network Solutions LLC/CN=SiteSafe
        serial:0A

The Issuer and authorityKeyIdentifier/DirName should point to the same authority, i.e. should have the same exact name. Order is important, and it's reversed here. I think that usual software doesn't use the DirName and/or serial part of the authorityKeyIdentifier extension, only the keyId (and in fact, I made some tests a few months ago: Firefox didn't follow the keyId, when IE did). So I assume that the validating software uses the Issuer field of the CRL to check if it has been signed by the same CA. My guess is that the real name of your CA is the one we can see in the extension, not the one set in the Issuer field. Could you check it?

--
Erwann ABALEA [EMAIL PROTECTED]
Bad CRL being generated - Help
I have been setting up a CA and have one hurdle which I cannot figure out. I have generated a CRL (currently with no revoked certs). It is referenced in the CRL Distribution Points extension of the end entity certs. I can open the CRL with IE by browsing to the CRL URI. I can import it into Firefox. However, when browsing to a site (IE or FF) with a cert from the CA of the CRL, I get an error saying that the CRL is invalid. You can see this for yourself:

http://crl1.networksolutions.com/SiteSafeSSL.crl

A test site for this is at https://www.netsol-test-site-4.com

I can give you the CA cert if you wish so that you can complete the chain. What is wrong with the CRL such that it is deemed invalid?

Regards,
Don Bynum

Donald E. Bynum
Director, Architecture Integration
O: 703.668.5616 | M: 301.367.2072 | www.networksolutions.com
RE: [openssl-users] Bad CRL being generated - Help
That is an interesting and accurate observation. I agree that the issuer and authority should be the same; that I can fix. Another question though: if I had not included the issuer in the cert or in the CRL, i.e. only have the authority keyid present (which are the same in the CRL and the cert), do you think that the problem would still have been there?

Regards,
Don Bynum

Donald E. Bynum
Director, Architecture Integration
O: 703.668.5616 | M: 301.367.2072 | www.networksolutions.com

From: [EMAIL PROTECTED] on behalf of Erwann ABALEA
Sent: Sat 9/15/2007 14:37
To: openssl-users@openssl.org
Subject: Re: [openssl-users] Bad CRL being generated - Help

Good evening,

Today, XVII Kal. Oct. MMVII (15 September 2007), Bynum, Don wrote:

I have been setting up a CA and have one hurdle which I cannot figure out. I have generated a CRL (currently with no revoked certs). It is referenced in the CRL Distribution Points extension of the end entity certs. I can open the CRL with IE by browsing to the CRL URI. I can import it into Firefox. However, when browsing to a site (IE or FF) with a cert from the CA of the CRL, I get an error saying that the CRL is invalid. You can see this for yourself: [1] http://crl1.networksolutions.com/SiteSafeSSL.crl A test site for this is at [2] https://www.netsol-test-site-4.com

Taken from the CRL:

Issuer: /CN=SiteSafe SSL/O=Network Solutions LLC/C=US
CRL extensions:
    X509v3 Authority Key Identifier:
        keyid:2A:CB:BC:20:CE:C6:DF:9A:1C:AD:A5:C6:38:86:BB:5C:01:32:A6:B4
        DirName:/C=US/O=Network Solutions LLC/CN=SiteSafe
        serial:0A

The Issuer and authorityKeyIdentifier/DirName should point to the same authority, i.e. should have the same exact name. Order is important, and it's reversed here. I think that usual software doesn't use the DirName and/or serial part of the authorityKeyIdentifier extension, only the keyId (and in fact, I made some tests a few months ago: Firefox didn't follow the keyId, when IE did). So I assume that the validating software uses the Issuer field of the CRL to check if it has been signed by the same CA. My guess is that the real name of your CA is the one we can see in the extension, not the one set in the Issuer field. Could you check it?

--
Erwann ABALEA [EMAIL PROTECTED]
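The two failures discussed in these threads, an intermediate that will not chain and a CRL that browsers reject, both come down to checks a relying party performs on the exact bytes of the certificates involved. The Go program below is an added example, not code from the thread or from OpenSSL; it uses only Go's standard crypto/x509 package (a release with x509.ParseRevocationList, i.e. Go 1.19 or newer) and constructs every name, key and serial itself. It shows: (1) an intermediate carrying basicConstraints CA:true, pathlen:0, as in the extensions file posted above, chains to its root; (2) the same intermediate issued with an end-entity profile (CA:false, which is what the usr_cert section of the stock openssl.cnf produces and what the `-extensions usr_cert` command earlier in the thread selects) is rejected as not a CA; (3) pathlen:0 rejects any further sub-CA beneath the intermediate; and (4) Erwann's point about the CRL: a CRL signed with the right key but whose Issuer carries the same attributes in a different order is a different DN on the wire, so a checker that compares the CRL Issuer to the CA Subject rejects it even though the signature verifies. Go's own RevocationList.CheckSignatureFrom only verifies the signature, so the name comparison is written out explicitly; ExtKeyUsageAny is passed so that only chain building is being tested.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}
func newKey() *ecdsa.PrivateKey { return must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) }
// name builds a constructed DN in Go's default attribute order: C, O, CN.
func name(cn string) pkix.Name {
	return pkix.Name{Country: []string{"US"}, Organization: []string{"Example CA Lab"}, CommonName: cn}
}

// issue signs a cert for pub under parent (self-signed when parent is nil); isCA/pathLen are basicConstraints CA:... and pathlen:... (-1 = no pathlen, as on the root).
func issue(subject pkix.Name, pub *ecdsa.PublicKey, isCA bool, pathLen int, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) *x509.Certificate {
	tmpl := &x509.Certificate{
		SerialNumber:          must(rand.Int(rand.Reader, big.NewInt(1<<62))), // random serial, constructed
		Subject:               subject,
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(365 * 24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		MaxPathLen:            pathLen,
		MaxPathLenZero:        pathLen == 0, // Go needs this flag to encode pathlen:0
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign // keyCertSign, cRLSign
	}
	if parent == nil {
		parent = tmpl
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey))
	return must(x509.ParseCertificate(der)) // re-parse so RawSubject/SubjectKeyId are as a verifier sees them
}

// verifies reports whether leaf chains to root through inters, as a TLS client checks it.
func verifies(leaf, root *x509.Certificate, inters ...*x509.Certificate) bool {
	roots, pool := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	for _, c := range inters {
		pool.AddCert(c)
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: pool, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return err == nil
}

// chainScenarios: [0] root -> intermediate CA:true,pathlen:0 -> leaf (valid); [1] the same intermediate
// issued with an end-entity profile, CA:false (rejected); [2] root -> pathlen:0 intermediate -> sub-CA -> leaf (rejected).
func chainScenarios() [3]bool {
	rootKey, interKey, subKey, leafKey := newKey(), newKey(), newKey(), newKey()
	root := issue(name("Test Root CA"), &rootKey.PublicKey, true, -1, nil, rootKey)
	inter := issue(name("Test Intermediate CA"), &interKey.PublicKey, true, 0, root, rootKey)
	notCA := issue(name("Test Intermediate CA"), &interKey.PublicKey, false, -1, root, rootKey)
	subCA := issue(name("Test Sub CA"), &subKey.PublicKey, true, -1, inter, interKey)
	leafOf := func(parent *x509.Certificate, key *ecdsa.PrivateKey) *x509.Certificate {
		return issue(name("www.example.test"), &leafKey.PublicKey, false, -1, parent, key)
	}
	return [3]bool{
		verifies(leafOf(inter, interKey), root, inter),
		verifies(leafOf(notCA, interKey), root, notCA),
		verifies(leafOf(subCA, subKey), root, inter, subCA),
	}
}

// crlScenarios issues an empty CRL and checks it as a strict relying party does: signature from the CA key
// AND CRL Issuer byte-equal to the CA Subject. Each result is [sigOK, issuerOK]: first for a CRL issued under
// the CA's own name, then for one whose Issuer carries the same attributes in reversed order (CN, O, C).
func crlScenarios() (ownName, reversedName [2]bool) {
	caKey := newKey()
	ca := issue(name("SiteSafe"), &caKey.PublicKey, true, -1, nil, caKey)
	reversed := issue(pkix.Name{ExtraNames: []pkix.AttributeTypeAndValue{ // same key pair, CN-first DN
		{Type: asn1.ObjectIdentifier{2, 5, 4, 3}, Value: "SiteSafe"},
		{Type: asn1.ObjectIdentifier{2, 5, 4, 10}, Value: "Example CA Lab"},
		{Type: asn1.ObjectIdentifier{2, 5, 4, 6}, Value: "US"},
	}}, &caKey.PublicKey, true, -1, nil, caKey)
	check := func(signer *x509.Certificate) [2]bool {
		tmpl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: time.Now(), NextUpdate: time.Now().Add(24 * time.Hour)}
		crl := must(x509.ParseRevocationList(must(x509.CreateRevocationList(rand.Reader, tmpl, signer, caKey))))
		return [2]bool{crl.CheckSignatureFrom(ca) == nil, bytes.Equal(crl.RawIssuer, ca.RawSubject)}
	}
	return check(ca), check(reversed)
}
func main() { own, rev := crlScenarios(); fmt.Println(chainScenarios(), own, rev) }
```

Running it prints `[true false false] [true true] [true false]`. The same two checks with the OpenSSL command line, using your own file names in place of the placeholders, are `openssl verify -CAfile <root.crt> -untrusted <intermediate.crt> <client.crt>` for the chain, and `openssl crl -in <file.crl> -noout -issuer` compared against `openssl x509 -in <ca.crt> -noout -subject` for the CRL; the two name strings have to match attribute for attribute, in order.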
Friendly Name in CA cert
I want to embed a friendly name in a self-signed Root CA cert. I cannot seem to find the correct element in the config file to set this. Anyone know how to do this?

Don Bynum
RE: Friendly Name in CA cert
So, when I see a Friendly Name in the CA certs in a Trusted Root Store (in any browser, for example), how did the friendly name get there? A PKCS#12 file always includes the private key, right? The private keys of Trusted Root CA certs are certainly not submitted to the browser vendor.

Regards,
Don.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Dr. Stephen Henson
Sent: Friday, August 24, 2007 9:14 AM
To: openssl-users@openssl.org
Subject: Re: Friendly Name in CA cert

On Fri, Aug 24, 2007, Bynum, Don wrote:

I want to embed a friendly name in a self-signed Root CA cert. I cannot seem to find the correct element in the config file to set this. Anyone know how to do this?

There isn't a DN component or extension called friendly name. It is only an attribute in PKCS#12 files.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
CSR Contents
I am trying to embed postal address information into a CSR. I can successfully get postalCode and streetAddress to work. My problem is that I was under the impression that the OIDs for streetAddress1, streetAddress2 and streetAddress3 were also available along with postOfficeBox. However, I get an error when I try and include any of these in the config file which is passed to the req command. Any ideas?

Donald E. Bynum
Director, Architecture Integration
O: 703.668.5616 | M: 301.367.2072 | www.networksolutions.com
x509 -modulus output to a file
I would expect the following:

    openssl x509 -modulus -noout -in mycert.crt -out mymod.txt

to output the modulus to the specified "out" file just like all other x509 commands with -out specified. It does not. Anybody know how to get the modulus sent to a file?

    openssl x509 -modulus -noout -in mycert.crt > mymod.txt

works but is no good from a shell command in a program.

Thanks,
Don.

Donald E. Bynum
Director, Architecture Integration
[EMAIL PROTECTED]
Network Solutions                    office: 1-703-668-5616
13200 Woodland Park Drive            fax: 1-703-668-5899
Herndon, VA 21071-3025               mobile: 1-301-367-2072
openssl equivalent of sgcinst.exe
I have a chained cert (from Verisign). What I want is to break out just the domain cert. I can use sgcinst.exe to do exactly this, but would prefer to use openssl if possible. Is there a way of breaking up a cert chain using openssl?

Thanks,
Don Bynum

Donald E. Bynum
Director, Architecture Integration
O: 703.668.5616 | M: 301.367.2072 | www.networksolutions.com