Making Private CA
Hello,

I am making my own private CA, using the CA.pl script provided under the apps directory of the OpenSSL release. I run

./CA.pl -newca

It asks for a filename, and I press Enter without giving any. I am prompted for a PEM pass phrase. I enter one. After which, I get the following error:

unable to find 'distinguished_name' in config
problems making Certificate Request
28979:error:0E06D06A:configuration file routines:NCONF_get_string:no conf or environment variable:conf_lib.c:324:

Please note that I had copied openssl.cnf to the same directory as CA.pl but didn't modify any of the contents of openssl.cnf.

- rsr.

Namaste,
R S Chandrasekhar
ISD : 091-080-2051166
Telnet : 847-1166

__
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List
Automated List Manager
Manufacturing Certs
Hello All,

I have to generate a new cert, for which I am making use of X509_new(). This returns a certificate which is not generated from a root certificate. It's a standalone cert. I want to generate a new cert dynamically, making use of a root certificate (a CA cert). Could someone give me the function call which does that?

thanks
rsr.

Namaste,
R S Chandrasekhar
are server certs different from client certs
Hi all,

I have created a certificate using the following sequence of calls:

X509_new()
RSA_generate_key()
X509_set_version(cert,3)
ASN1_INTEGER_set(X509_get_serialNumber(cert),0)
X509_gmtime_adj(X509_get_notBefore(cert),0);
X509_gmtime_adj(X509_get_notAfter(cert),45);
X509_set_pubkey(cert,pk)
X509_set_issuer_name()
X509_set_subject_name()
X509_sign()

It created a certificate and a private key. The certificate thus created is working fine when registered with a server (i.e., the server presents the certificate and communication goes through fine). Instead, the same certificate registered with a client does not work. The server, mandated to authenticate the client, throws up an error:

25199:error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned:s3_srvr.c:1989:

And the client too throws up an error:

25195:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:514:

Could we infer anything from these? Thanks in advance for any help.

- rsr.

Namaste,
R S Chandrasekhar
RE: are server certs different from client certs
Dear Ebell, All,

Indeed what you said is true. I copied the newly created self-signed cert to the bundle of CA lists the server would accept, and the connection goes through fine.

Now then, I am to make my own private CA and then create a certificate signed by my private CA. Then the problem would be solved, for me. I know how to create a private CA (using CA.sh -newca in the apps directory of OpenSSL). What I am not aware of is how to generate a certificate signed by my private CA in a C language program. Could someone suggest how this is done?

Thanks again
rsr.

-----Original Message-----
From: Gotz Babin-Ebell
Sent: Wednesday, February 12, 2003 10:38 PM
Subject: Re: are server certs different from client certs

Hello,

Chandrasekhar R S wrote:
> Hi all,
> I have created a certificate using the following sequence of calls:
> X509_new()
> RSA_generate_key()
> X509_set_version(cert,3)
> ASN1_INTEGER_set(X509_get_serialNumber(cert),0)
> X509_gmtime_adj(X509_get_notBefore(cert),0);
> X509_gmtime_adj(X509_get_notAfter(cert),45);
> X509_set_pubkey(cert,pk)
> X509_set_issuer_name()
> X509_set_subject_name()
> X509_sign()

I assume: self signed certificate?

> It created a certificate and a private key. The certificate thus created is working fine when registered with a server (i.e., the server presents the certificate and communication goes through fine). Instead, the same certificate registered with a client does not work. The server, mandated to authenticate the client, throws up an error:
> 25199:error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned:s3_srvr.c:1989:

The server sends a list of trusted CA certs for client authentication. If the client cert is self signed, it is not in this list so it is not accepted as a valid client certificate.

Self signed certificates as end entity certificates are a quick hack. You should (almost) always work with an (official or own) CA.

Bye

Goetz
--
Goetz Babin-Ebell, TC TrustCenter AG, http://www.trustcenter.de
Sonninstr. 24-28, 20097 Hamburg, Germany
Tel.: +49-(0)40 80 80 26 -0, Fax: +49-(0)40 80 80 26 -126
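The steps asked about across these posts (a private CA as CA.pl -newca makes it, a certificate signed by that CA rather than by itself, and why the self-signed one is rejected by a server that checks client certs), as an added example using the openssl command line that CA.pl wraps; it is not code from the thread. It assumes the openssl binary is on PATH, and every file name, subject and config section in it is constructed for the demo.

```shell
# Added example (not from the thread): private CA + CA-signed client cert via the
# openssl CLI that CA.pl wraps. Assumes openssl is on PATH; all names are constructed.
set -e
WORK=$(mktemp -d)
# 'req' insists on a distinguished_name entry in [req]; the thread's "unable to
# find 'distinguished_name' in config" means the config it read lacked one.
# -config below makes this file the only config consulted.
cat >"$WORK/ca.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
x509_extensions = v3_ca
[ dn ]
CN = Example Private CA
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[ v3_client ]
basicConstraints = CA:FALSE
extendedKeyUsage = clientAuth
EOF
# Self-signed CA cert plus key, what CA.pl -newca produces.
make_ca() {
  openssl req -x509 -new -newkey rsa:2048 -nodes -days 3650 -config "$WORK/ca.cnf" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}
# CSR for a fresh key, then 'x509 -req -CA/-CAkey': the CLI counterpart of
# X509_set_issuer_name(cert, CA subject) followed by X509_sign(cert, CA key).
issue_client_cert() {  # $1 = common name
  openssl req -new -newkey rsa:2048 -nodes -config "$WORK/ca.cnf" -subj "/CN=$1" \
    -keyout "$WORK/client.key" -out "$WORK/client.csr" 2>/dev/null
  openssl x509 -req -days 45 -in "$WORK/client.csr" -CA "$WORK/ca.crt" \
    -CAkey "$WORK/ca.key" -CAcreateserial -extfile "$WORK/ca.cnf" \
    -extensions v3_client -out "$WORK/client.crt" 2>/dev/null
}
# The thread's self-signed end-entity cert, for comparison.
make_self_signed() {  # $1 = common name
  openssl req -x509 -new -newkey rsa:2048 -nodes -days 45 -config "$WORK/ca.cnf" \
    -subj "/CN=$1" -extensions v3_client -keyout "$WORK/self.key" \
    -out "$WORK/self.crt" 2>/dev/null
}
# Exit 0 only if $1 chains to ca.crt: the check a server with SSL_VERIFY_PEER
# applies to a client cert. A self-signed leaf fails unless added to the CA bundle.
verify_against_ca() { openssl verify -CAfile "$WORK/ca.crt" "$1" >/dev/null 2>&1; }
# issuer or subject DN of $1 ($2 = issuer|subject) without the "issuer=" prefix.
dn_field() { openssl x509 -in "$1" -noout "-$2" | sed 's/^[a-z]*= *//'; }
make_ca; issue_client_cert "rsr-client"; make_self_signed "self-signed-client"
echo "client.crt issuer: $(dn_field "$WORK/client.crt" issuer)"
verify_against_ca "$WORK/client.crt" && echo "client.crt: chains to the CA"
verify_against_ca "$WORK/self.crt" || echo "self.crt: rejected, not issued by the CA"
```

Adding self.crt to the server's CA bundle is exactly the workaround described in the reply above; issuing client.crt from the CA is the fix that avoids it.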
RE: Tunneling Client Certs
It seems I have not explained myself ably. I completely understand that private keys should and would never be sent across. But assume that you are going through a proxy using SSL. And the proxy has no capability to verify the certs. That capability is vested with a server that sits behind the proxy (I call it the Backend server). Now all I want is to get the cert presented by the client to be passed on by the proxy to the backend server.

Usually proxies replicate a connection they receive, i.e., they will initiate a new connection to the Backend Server for every connection they receive from the client. Thus we have two separate SSL connections between the client and the backend server: one from the client to the proxy and the other from the proxy to the backend server.

In succinct, the question is how to use the cert presented by the client in the SSL connection between the proxy and the backend server.

thanks to all of you,
rsr.

-----Original Message-----
From: Michael Helm
Sent: Monday, February 10, 2003 1:55 AM
Subject: Re: Tunneling Client Certs

> I have the following scenario -
> Client Cert -- Tunnel Server - Tunnel Client -- Backend server.
> The requirement is to pass the Client Cert to the Backend server.

If you could do that then anyone who had access to a certificate (for example the recipient of signed email) could impersonate the sender or

You may want to look at how Globus deals with a similar problem for grids; see:
http://www-fp.globus.org/security/
and
http://www.ietf.org/internet-drafts/draft-ietf-pkix-proxy-03.txt
Tunneling Client Certs
I have posted a similar message earlier. Hoping to convey myself better and get some help this time around.

I have the following scenario -
Client Cert -- Tunnel Server - Tunnel Client -- Backend server.
The requirement is to pass the Client Cert to the Backend server.

I could extract the Client Cert at the Tunnel Server. Tunnel Server and Tunnel Client reside in the same program on a machine, hence Tunnel Server can pass on the Client Cert to Tunnel Client without much ado. Now in my Tunnel Client program, I use SSL_use_certificate(ctx, X509*). The X509* pointer contains the Client Cert which the Tunnel Server has just extracted. But then I don't have the private key for the Client Cert at the Tunnel Client. Hence I could not do a SSL_CTX_use_PrivateKey(ctx,...) at the Tunnel Client.

My question is: is it possible to just give a cert for an SSL connection (like giving SSL_use_certificate()) without a corresponding SSL_use_PrivateKey(..) call made, and expect SSL to somehow generate its own keys but take our certificate?

with thanks
rsr.

Namaste,
R S Chandrasekhar
Client authentication
I am to authenticate a client using his certificate. In my server program, I use

SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, 0)

to mandate that a client cert should be present. If present, I use SSL_get_peer_certificate(ssl) to retrieve the client cert.

In my client program, I use:

SSL_CTX_use_certificate_file(ctx, CERTF, SSL_FILETYPE_PEM)
SSL_CTX_use_PrivateKey_file(ctx, KEYF, SSL_FILETYPE_PEM)

calls to load a cert and a key into the client. This is from the documentation I found, from Eric Rescorla's "An introduction to OpenSSL programming" notes.

But every time I run the client and the server, the server complains that the client hasn't presented a cert. Does something else need to be done to get a client cert to the server? I am using openssl-0.9.7 on HPUX (Unix) systems.

thankful for any help in this regard.

Namaste,
R S Chandrasekhar
RE: Proxy'ing client certs
Hello Vadim,

Localized Scenario:
Proxy Client -- Backend Server

>> 5. The requirement is, Proxy Client should be presenting CLIENT CERT to the backend server.

> Yes, it can present it somehow

RSR : I am in search of this somehow. Could it be this way - if it is possible to separate the public key from the certificate, then it should be possible to register CLIENT CERT with the Proxy Client in its communication with the Backend Server.

with thanks
rsr.
Proxy'ing client certs
I have already posted the following on the lists under the Proxy'ing client certs thread. Could not see the posting, hence re-posting.

-

My understanding had been the following:

Client                  Proxy Server -- Proxy Client              Server
------                  ----------------------------              ------
produces a CA signed    consumes the       presents a             can only recv
Client Cert             Client Cert        ProxyClient Cert       ProxyClient Cert

ProxyClient Cert is not the same as Client Cert. Though the Proxy Server is in receipt of the Client Cert, it cannot represent the same in the SSL connection between ProxyClient - Server. The requirement is to make the Proxy faithfully forward the Client Cert to the Server.

Vadim suggested that the CONNECT method of HTTP can be used to set up TCP connections first and run SSL next. The proxy could forward SSL traffic. It had been difficult to understand the solution. It seems to me that we need to set up a TCP connection via the proxy server first and add SSL to it later. I am not aware of how to do this. Could someone help me further?

Namaste,
R S Chandrasekhar
Proxy'ing client certs
I have the following scenario -

client - Proxy - server
SSLClient - SSLServer | SSLClient - SSLServer

It is my intent to pass on the client's certificate to the server for verification and acceptance. Since the connection is via a proxy, the client's certificate could reach up to the proxy only and not beyond, to the server. I believe that the proxy should not be able to use the client's cert in its connection with the server, as the client certificate is tightly coupled with its public key.

I have visited Red Hat's Stronghold webpage and their proxy server seems to be capable of doing just this. Is anyone aware of the technique employed?

Namaste,
R S Chandrasekhar