Re: Convert a Windows CA to a Linux CA
Hi, Stefano,

In theory the answer is YES, but in practice it is much easier to create a new CA on Linux, configure it to support such OIDs and start to issue certificates. The old CA will be needed to issue CRLs until all issued certificates have expired.

BR,
Dmitrij

[EMAIL PROTECTED] wrote:
Hello all,
actually I'm using a Windows server as a CA authority to issue primary certificates for applications. These certificates are issued with a specific OID: 1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2
Can I migrate my CA to Linux, moving the already issued certificates and using Linux to create certs with that OID?
Thanks
Stefano

__
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager [EMAIL PROTECTED]
Re: extracting CRL location from a certificate
Hi, Jure,

It seems that your certificate does not have a URI CDP. Try another one. If you want, I can email you one for test.

BR,
Dmitrij

Jure Vrscaj wrote:
Hi,
I'd like to extract the CRL location from a certificate, using this command:
openssl x509 -text -in cert.pem
But the only information I get is this:
X509v3 CRL Distribution Points:
DirName:/C=si/O=state-institutions/OU=sigen-ca/CN=CRL1
Is there a way to output more info? (I think the CRL URI is there, in the cert).
regards,
Jure
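An added example (not from either thread) that issues two throwaway self-signed certificates and reads the extensions back the way Jure did: certA carries the two extendedKeyUsage OIDs Stefano's CA issues plus a URI CRL distribution point, certB carries only a DirName CDP like Jure's certificate, for which `-text` simply has no URI to show. It assumes the openssl CLI is on PATH; every name, path and URL in it is constructed.

```shell
#!/bin/sh
# Added example (not from the list threads): issue two throwaway self-signed
# certificates and read their extensions back with `openssl x509 -text`.
#   certA carries the two EKU OIDs from the Windows-CA thread (serverAuth =
#         1.3.6.1.5.5.7.3.1, clientAuth = 1.3.6.1.5.5.7.3.2) plus a URI CDP;
#   certB carries only a DirName CDP, like Jure's certificate.
# Assumes the openssl CLI is on PATH; every name and URL here is constructed.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# One throwaway key and CSR, reused for both certificates.
openssl req -new -newkey rsa:2048 -nodes -subj "/C=LT/O=Example Org/CN=test" \
    -keyout "$WORK/key.pem" -out "$WORK/req.pem" 2>/dev/null

# Extension file A: openssl maps the two names to the OIDs above.
cat > "$WORK/a.cnf" <<'EOF'
extendedKeyUsage = serverAuth, clientAuth
crlDistributionPoints = URI:http://crl.example.test/ca.crl
EOF
# Extension file B: a directory-name CDP only, no URI anywhere.
cat > "$WORK/b.cnf" <<'EOF'
crlDistributionPoints = dirName:cdp_dn
[cdp_dn]
C = si
O = state-institutions
CN = CRL1
EOF

# Self-sign the CSR, adding the extensions from $WORK/$1.cnf -> $WORK/$2.pem.
issue() {
    openssl x509 -req -in "$WORK/req.pem" -signkey "$WORK/key.pem" -days 1 \
        -extfile "$WORK/$1.cnf" -out "$WORK/$2.pem" 2>/dev/null
}
issue a certA
issue b certB

# The EKU line as -text prints it: long names, comma separated.
cert_eku() {
    openssl x509 -in "$WORK/$1.pem" -noout -text |
        grep -A1 'Extended Key Usage' | tail -n 1 | sed 's/^ *//'
}
# The URI form of the CDP, or a marker when the cert has none to give.
cert_cdp_uri() {
    openssl x509 -in "$WORK/$1.pem" -noout -text |
        grep -o 'URI:[^ ]*' || echo "(no URI CDP)"
}

echo "certA EKU: $(cert_eku certA)"
echo "certA CDP: $(cert_cdp_uri certA)"
echo "certB CDP: $(cert_cdp_uri certB)"
```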
Re: how to extract signature from public key using openssl?
Hi Janet,

For the moment I don't have access to openssl to test it, but try this one:
$ openssl rsa -in certificate.pem -pubout -noout -text
Unfortunately, the -pubout command can't write output to a file (i.e. with -out).

Regards,
Dmitrij

Janet N wrote:
Hi Kyle,
Thanks for the prompt response. But I think my problem is my project doesn't want to produce the public key from the openssl rsa command, because we need to get the public key in the RSA PEM format at the time when we issued the certificate and upload it to our production database. And the CA doesn't have a copy of the user private key to generate this openssl rsa public key. So we need somehow to be able to get the RSA public key from the user certificate. Have any ideas?
The command openssl rsa -pubin -in rsa.public -noout -text will only work if I generate the RSA public key using my private key.
Thanks,
Janet

On 5/3/07, Kyle Hamilton [EMAIL PROTECTED] wrote:
My apologies:
$ openssl rsa -pubin -in rsa.public -noout -text
-Kyle H

On 5/3/07, Kyle Hamilton [EMAIL PROTECTED] wrote:
The CA doesn't generate the public key in your certificate. You generate it, and you send it to the CA to be bound to your identity -- the CA uses its private key to sign the certificate, and the verifier already has the CA's public key to verify with. Without the public key in your certificate matching the private key in your private key file, you cannot prove that you have the correct private key to the key in the certificate.
What this means is that the public key output from your openssl rsa command is the same data that you would get if you extracted the public key from the certificate. You don't need to extract it from the certificate. Use:
$ openssl rsa -in rsa.public -noout -text
to verify that it is the same.
-Kyle H

On 5/3/07, Janet N [EMAIL PROTECTED] wrote:
Hi,
I have a certificate in PEM format issued to me by a CA, and a private key which I generated. Since I need to do domain key signing (DKIM), I was asked to use the following openssl command to generate the public key:
$ openssl rsa -in rsa.private -out rsa.public -pubout -outform PEM
Since I've already gotten a public key from the CA, is there any way that I can extract the info in my public key to produce the same result as the above openssl command? The following is what I need to get out from my public key (openssl x509 -in public.key -noout -text), for example:
Modulus (1024 bit):
    00:a0:f3:2a:3a:ac:38:6c:36:2c:14:7d:54:77:ec:
    78:05:e1:b5:aa:a0:6d:77:35:df:57:2d:3f:99:d1:
    52:f3:0a:45:89:64:e7:73:18:d4:27:9e:6e:ee:8e:
    84:3c:81:bc:5e:0e:f2:28:f5:11:b9:23:77:99:b5:
    e0:70:0f:dd:4d:7f:a3:ff:13:d9:6f:25:00:cb:d9:
    09:f3:e0:45:c7:fc:25:56:f4:37:84:7e:f6:35:50:
    93:7d:91:ce:aa:e8:a9:18:10:f5:ac:b2:f5:6f:94:
    33:a9:da:c9:5b:10:a6:42:26:d6:8f:bd:5b:86:08:
    0a:9f:6a:9b:3c:27:41:63:39
Exponent: 65537 (0x10001)
Thanks, any help is much appreciated.
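An added example (not from the thread) showing the point Kyle makes and the route Janet needs: the public key inside a certificate is the same SubjectPublicKeyInfo that `openssl rsa -pubout` derives from the private key, and a CA holding only the certificate gets it with `openssl x509 -pubkey` (the `rsa` command expects a key file, not a certificate). It assumes the openssl CLI is on PATH; the key, certificate and file names are throwaway test data.

```shell
#!/bin/sh
# Added example (not from the thread): the public key inside a certificate is
# the same SubjectPublicKeyInfo that `openssl rsa -pubout` derives from the
# private key, so a CA that holds only the certificate can still produce
# Janet's rsa.public with `openssl x509 -pubkey`. Assumes the openssl CLI is
# on PATH; the key, certificate and file names are throwaway test data.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Throwaway key pair and a self-signed certificate carrying its public key.
openssl genrsa -out "$WORK/rsa.private" 2048 2>/dev/null
openssl req -x509 -new -key "$WORK/rsa.private" -days 1 \
    -subj "/CN=dkim test" -out "$WORK/cert.pem" 2>/dev/null

# Route 1 (Janet's original command): public key derived from the private key.
pub_from_private() {
    openssl rsa -in "$WORK/rsa.private" -pubout -outform PEM 2>/dev/null
}
# Route 2 (what the CA can do): public key read out of the certificate.
# It is `x509 -pubkey` that takes a certificate; `rsa` expects a key file.
pub_from_cert() {
    openssl x509 -in "$WORK/cert.pem" -noout -pubkey
}
# yes when both routes yield the identical "BEGIN PUBLIC KEY" PEM block.
same_key() {
    if [ "$(pub_from_private)" = "$(pub_from_cert)" ]; then echo yes; else echo no; fi
}
# The modulus can also be compared directly without dumping the whole key.
modulus_matches() {
    k=$(openssl rsa -in "$WORK/rsa.private" -noout -modulus)
    c=$(openssl x509 -in "$WORK/cert.pem" -noout -modulus)
    [ "$k" = "$c" ] && echo yes || echo no
}

# The Modulus/Exponent dump Janet wanted, produced from the certificate alone.
pub_from_cert | openssl rsa -pubin -noout -text
echo "same key: $(same_key); modulus matches: $(modulus_matches)"
```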
RE: Seeking advice on document
Hi Stephen,

Maybe your question will be more successful in an Ubuntu newsgroup/forum? OpenSSL is related neither to Ubuntu nor to Apache2 :o) It is not a problem for me to answer an offtopic question, but unfortunately I'm not using Ubuntu. Just trying to suggest a better help source :o)

Best regards,
Dmitrij

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Stephen Liu
Sent: Friday, November 24, 2006 6:24 AM
To: openssl-users@openssl.org
Subject: Seeking advice on document

Hi folks,
Ubuntu-6.06.1-LAMP-server-amd64
Apache2
SSL
I'm installing/configuring a web/apache2 server for experiment/testing and encountering difficulty googling documents. Either the document found is out of date or not for Ubuntu. I found the following documents:
Apache 2 with SSL/TLS: Step-by-Step, Part 1 http://www.securityfocus.com/infocus/1818
Apache 2 with SSL/TLS: Step-by-Step, Part 2 http://www.securityfocus.com/infocus/1820
Please advise whether they are documents for setting up SSL/TLS on Apache2? TIA.
B.R.
Stephen
RE: N00B needs csr/key help
Hi Aaron,

There is no need to generate another key set now - you can remove the des3 encryption from your existing RSA keys. Try this openssl rsa command:
openssl rsa -in key.pem -out keyout.pem
keyout.pem will be clean from any passphrases :)

Regards,
Dmitrij

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Aaron Martinez
Sent: Wednesday, November 01, 2006 11:01 PM
To: openssl-users@openssl.org
Subject: N00B needs csr/key help

I am trying to get my copy of pure-ftpd running with a signed certificate and having a horrible time. I had to send them a csr so I did the following:
openssl genrsa -des3 -out ftp.mydomain.com.key 1024
openssl req -new -key ftp.mydomain.com.key -out ftp.mydomain.com.csr
I got the key signed from godaddy (it was cheap, anyone have any ideas on their service?) (also they use an intermediate key, does everyone now? I don't even know if pureftpd can use an intermediate key) and so I put the necessary files on my ftp machine and fired it up. There is a problem however, I see this in the log:
Oct 31 17:19:33 ftp pure-ftpd: ([EMAIL PROTECTED]) [ERROR] SSL/TLS [/etc/pure/private/pure-ftpd.pem]: error:0906406D:PEM routines:DEF_CALLBACK:problems getting password
I assume since I used des3 generating the key, that is why it's looking for a password. For ssl enabled web and ftp servers is it commonplace to create the private key without encryption? Does anyone have an idea about this error?
I was also wondering, if I were to do the same as above only include the -passout file:/some/directory/path/file like such:
openssl genrsa -passout file:/etc/pure/pasfile -des3 -out ftp.mydomain.com.key 1024
that generates the key just fine without me having to type in the password, but does the key then know to read from that file as well when it's being used? If so, would that also mean that when pureftpd is looking for the password, the password file is hardcoded somehow into the key and it would be found?
I would just try these things, but of course I have to go through the whole process of generating a new csr and getting new keys every time I do that from godaddy.
Thanks in advance.
Aaron
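An added example (not from the thread) that walks through Aaron's two questions with a throwaway key: a key generated with `-passout file:` stores nothing about that file, so it still has to be unlocked with a passphrase on every use, and Dmitrij's `openssl rsa -in ... -out ...` rewrite yields an unencrypted file holding the same key (which the example then keeps readable only by its owner). It assumes the openssl CLI is on PATH; the key and passphrase are constructed test data.

```shell
#!/bin/sh
# Added example (not from the thread): strip the des3 passphrase from an
# existing key as Dmitrij suggests, verify the result is really unencrypted
# and still the same key, and show that a key made with `-passout file:`
# does NOT remember that file: later use must still supply the passphrase.
# Assumes the openssl CLI is on PATH; key and passphrase are throwaway data.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
printf 'correct horse battery\n' > "$WORK/pasfile"

# Aaron's command, passphrase read from a file instead of the terminal.
openssl genrsa -passout "file:$WORK/pasfile" -des3 \
    -out "$WORK/ftp.key" 2048 2>/dev/null

# yes if the PEM file $1 is passphrase-protected, no otherwise.
is_encrypted() { grep -q 'ENCRYPTED' "$1" && echo yes || echo no; }

# The key file holds no pointer back to pasfile: a wrong passphrase is
# rejected, so a server loading it must get the passphrase from somewhere.
wrong_pass_rejected() {
    if openssl rsa -in "$WORK/ftp.key" -passin pass:wrong -noout 2>/dev/null
    then echo no; else echo yes; fi
}

# Dmitrij's fix: rewrite the key without encryption. Restrict the file to
# the service account (mode 0600), since the file no longer protects itself.
strip_passphrase() {
    ( umask 077
      openssl rsa -in "$WORK/ftp.key" -passin "file:$WORK/pasfile" \
          -out "$WORK/ftp.plain.key" 2>/dev/null )
}
# yes if the encrypted and the stripped file describe the same RSA key.
same_modulus() {
    a=$(openssl rsa -in "$WORK/ftp.key" -passin "file:$WORK/pasfile" -noout -modulus)
    b=$(openssl rsa -in "$WORK/ftp.plain.key" -noout -modulus)
    [ "$a" = "$b" ] && echo yes || echo no
}

strip_passphrase
echo "original encrypted:        $(is_encrypted "$WORK/ftp.key")"
echo "wrong passphrase rejected: $(wrong_pass_rejected)"
echo "stripped key encrypted:    $(is_encrypted "$WORK/ftp.plain.key")"
echo "same modulus:              $(same_modulus)"
```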
RE: Re[2]: What does PEM mean?
What, are you kidding?

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of генерал Пурпоз
Sent: Thursday, August 10, 2006 2:44 PM
To: Hugo de Paix de Coeur
Subject: Re[2]: What does PEM mean?

Hello Hugo,
Thursday, August 10, 2006, 12:55:09 PM, you wrote:
Privacy Enhanced Mail
This is a base64 encoded format, for mailing, or other purposes...
And what is DER then?
Thank you in advance.
--
Best regards,
Tony mailto:[EMAIL PROTECTED]
RE: extending a PKCS12 certificate
IMHO Attribute Certificates (AC) must be issued not by CAs, but by other institutions (if I remember correctly this is stated in RFC3181). A PKC (public key cert.) in this situation is like a passport and an AC is like a visa. If you are planning to use ACs for authentication, then only you must manage the AC issuance and revocation process. So, you need not certificates from cert. providers, but an AC infrastructure solution. Give some attention to the openPERMIS or PERMIS projects, probably this helps.

Regards,
Dmitrij

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mouse
Sent: Friday, August 04, 2006 5:10 PM
To: openssl-users@openssl.org
Subject: RE: extending a PKCS12 certificate

It doesn't make much sense to add attributes to certs if the values of those attributes can't be verified. Attribute Certificate seems the right way to go (thanks, Vijay!). The question is - do our mainstream CAs (such as VeriSign, etc.) support Attribute Certificates?
Tnx!

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Sascha Kiefer
Sent: Friday, August 04, 2006 10:00
To: openssl-users@openssl.org
Subject: RE: extending a PKCS12 certificate

Hi Gerd,
It will. But as Dmitrij already pointed out, there are Attribute Certificates. Those attributes are not part of the signed data, so they can be changed (but also by anybody). But inside a PKCS they are at least safe and for internal use, it might work. (But you do not want to send login information that may be stored in a public certificate to the outside world, so to my understanding, it will no longer be a public certificate, would it?)
So long,
--sk

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Friday, 4 August 2006 17:24
To: openssl-users@openssl.org
Subject: RE: extending a PKCS12 certificate

Hello Sascha,
wouldn't this invalidate the digest and therefore the entire certificate? If changing the arbitrary data does not invalidate the certificate, it must not be part of the digest, but then everybody would be able to change it. And just adding the arbitrary data to the PKCS12 file would not make those data more trustworthy either. If this is possible at all.
With kind regards
Gerd

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Sascha Kiefer
Sent: Friday, August 04, 2006 2:11 PM
To: openssl-users@openssl.org
Subject: RE: extending a PKCS12 certificate

As far as I know, PKCS12 is just a combination of your private key and the public certificate. So, it should be possible to extract the certificate, make the changes and pack it together with the private key again.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Theodore Olen
Sent: Friday, 4 August 2006 15:31
To: openssl-users@openssl.org
Subject: extending a PKCS12 certificate

Hello all,
I would like to ask a question about PKCS12 certificates. Is it possible to extend a PKCS12 certificate with arbitrary data? I would like to extend a given certificate with user data (such as login and password) in such a way that the output certificate is still a valid certificate. If so, can this be done with OpenSSL? How do I extract the extensions?
Thanks in advance.
Kind regards,
Theodore
RE: extending a PKCS12 certificate
It seems like you are talking about Attribute Certificates, but openssl doesn't support them. Unfortunately. :o(

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Theodore Olen
Sent: Friday, August 04, 2006 2:31 PM
To: openssl-users@openssl.org
Subject: extending a PKCS12 certificate

Hello all,
I would like to ask a question about PKCS12 certificates. Is it possible to extend a PKCS12 certificate with arbitrary data? I would like to extend a given certificate with user data (such as login and password) in such a way that the output certificate is still a valid certificate. If so, can this be done with OpenSSL? How do I extract the extensions?
Thanks in advance.
Kind regards,
Theodore
Too long organizationName (O=...)
Hi guys,

I have one little annoying problem (no, not a Frog) - I need to issue a certificate to an organization whose name is more than 64 chars long. I believe there must be a mechanism for such a situation, but for now I only know that the RFC defines 4 octets with 64 chars for organizationName. The problem is that I do not know how to implement this in openssl. I have generated a CSR with a DN like this:
[EMAIL PROTECTED],CN=Test CN,OU=Test Unit, O=Very very very long+O=Organization name,C=LT
But after I try to issue a certificate with such a DN, I get a certificate with only the last O= value (Organization name). Maybe it is needed to set something in openssl.conf? Please help.

Regards,
Dmitrij

P.S. I'm not a programmer, I'm just a user of openssl (config file, command line).
RE: Too long organizationName (O=...)
I'm not sure about the meaning of schema, but I can issue a certificate with two (maybe more) O= fields. But they will be separated by a comma, so it will look like different companies are defined, but I need to split one company name into two O= fields in such a way that all other software will understand that this is one field, one meaning. I have seen the config docs (from the openssl website) and have found mentioned only the solution with a comma between O=. But I think I need a plus sign between them. Or maybe somebody knows another trick how to define a long (64 char) organization name in a certificate?

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Richard Salz
Sent: Friday, July 21, 2006 2:59 PM
To: openssl-users@openssl.org
Subject: Re: Too long organizationName (O=...)

[EMAIL PROTECTED],CN=Test CN,OU=Test Unit, O=Very very very long+O=Organization name,C=LT
Are you sure that the schema allows for multiple values for the O RDN? I know multiple OU RDNs are allowed; you might look at the config docs to see how that's set up.
/r$
--
SOA Appliances
Application Integration Middleware
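An added example (not from the thread) of the plus-sign form Dmitrij is after, done on the command line rather than in openssl.conf: with `-subj`, a `+` between two AVAs puts both O values into one multi-valued RDN, while a `/` starts a separate O RDN (the comma-separated result he saw), and `-nameopt RFC2253` shows which one a CSR ended up with. It assumes the openssl CLI is on PATH (older releases need the `-multivalue-rdn` flag, which 3.x accepts as a no-op) and uses the organization names from the thread with a throwaway key; whether relying parties treat the two values as one name is the open question Richard raised and is not settled here.

```shell
#!/bin/sh
# Added example (not from the thread): build a CSR whose subject holds ONE
# multi-valued O RDN using the `-subj` syntax, where `+` between two AVAs
# keeps them in the same RDN while `/` starts a new RDN (the comma-separated
# result Dmitrij got). Older releases need -multivalue-rdn for this; 3.x
# accepts the flag as a no-op. Assumes the openssl CLI is on PATH; the names
# are the ones from the thread and the key is throwaway.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
openssl genrsa -out "$WORK/key.pem" 2048 2>/dev/null

# Make a CSR with subject $1 and print its subject in RFC 2253 notation,
# where members of one multi-valued RDN are joined by '+', RDNs by ','.
csr_subject() {
    openssl req -new -key "$WORK/key.pem" -multivalue-rdn -subj "$1" 2>/dev/null |
        openssl req -noout -subject -nameopt RFC2253 |
        sed 's/^subject= *//'
}
# yes if the two O values ended up inside one RDN (a '+' link), no if they
# became two separate O RDNs.
joined_o() { csr_subject "$1" | grep -q '+O=' && echo yes || echo no; }

ONE_RDN="/C=LT/O=Very very very long+O=Organization name/CN=Test CN"
TWO_RDNS="/C=LT/O=Very very very long/O=Organization name/CN=Test CN"
echo "one multi-valued RDN: $(csr_subject "$ONE_RDN") -> joined: $(joined_o "$ONE_RDN")"
echo "two separate O RDNs:  $(csr_subject "$TWO_RDNS") -> joined: $(joined_o "$TWO_RDNS")"
```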
RE: another test
reply

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Chen Talos
Sent: Saturday, March 04, 2006 2:41 PM
To: openssl-users@openssl.org
Subject: another test

Any kind man please just reply once to test my new mail filter rule. Thanks for any help.
WTLS / x9.68 certificates
Hello guys,

I've started to dig into mobile PKI and have found that openssl does not support the WTLS / x9.68 standards. Don't want to invent another bicycle, so can somebody point me to any available solution to generate WTLS or (better) x9.68 certificates?

Thanks in advance.

Regards,
Dmitrij