revoking a root certificate.
Is it possible to revoke a root certificate? I am having problems with this, as my database (index.txt) complains about the serial number being invalid.

Cheers
Evan

Get your own zoom email - click here - http://www.zoom.co.uk/
__
OpenSSL Project                        http://www.openssl.org
User Support Mailing List              [EMAIL PROTECTED]
Automated List Manager                 [EMAIL PROTECTED]
Root certificate Revocation bug (serial number)
Hi Guys,

Here's one for you. When you create the root certificate with OpenSSL it is given a serial number of 0. Every other root-signed certificate (peer certs) is given a serial number of 0X, where X is the next certificate number, e.g. 01. The certificates signed by root can be revoked, and I have successfully done this. When I came to revoke the root certificate, openssl ca says that the serial number is invalid because it is one digit, that digit being 0, which is assigned to the root certificate by OpenSSL! Therefore I cannot successfully revoke the root certificate!

Is there a way to get OpenSSL to create the certificate with a 00 serial number, or is there another way to revoke the root certificate? I am currently using:

  openssl ca -revoke cert.pem -config ca.cfg

for revoking the cert. Please HELP!

Cheers
Evan
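A worked example added by the editor, not from the original posts: a small checker for the text database that openssl ca keeps (the file named by "database =" in the config, conventionally index.txt), in Python with the standard library only. The database stores each serial as hex with an even number of digits, and openssl ca refuses to load a record whose serial has an odd number of digits, which is the failure described above; later OpenSSL releases write a zero serial as "00" for exactly this reason. One caveat a practitioner should have before going down this road at all: revocation checking is applied to the certificates below a trust anchor, never to the trust anchor itself, so a CRL that lists the root's own serial does nothing for relying parties. A root is withdrawn by removing it from the clients' CAfile/CApath trust stores. The index records in SAMPLE_INDEX are constructed for this example.

```python
# Added example, not from the original posts: a checker for the text database
# that "openssl ca" maintains (the "database =" file, usually index.txt).
# One record per line, tab-separated:
#   status  expiry  revocation-date  serial  filename  subject
# status is V (valid), R (revoked) or E (expired); the revocation date is present
# exactly when status is R; the serial is hex with an even number of digits, so a
# serial of zero is stored as "00", never "0".  SAMPLE_INDEX is constructed.

FIELDS = ("status", "expiry", "revoked_at", "serial", "filename", "subject")
HEX = set("0123456789ABCDEFabcdef")

SAMPLE_INDEX = (
    # a self-signed root recorded with the one-digit serial "0" (the bug case)
    "V\t020114122742Z\t\t0\tunknown\t/C=US/O=XYZ Corp./CN=XYZ Authority\n"
    "V\t020114122742Z\t\t01\tunknown\t/C=US/O=XYZ Corp./CN=server\n"
    "R\t020114122742Z\t010114120000Z\t02\tunknown\t/C=US/O=XYZ Corp./CN=old-server\n"
)


def serial_to_db(n):
    """Format an integer serial the way the database stores it: uppercase hex
    padded to an even number of digits, so 0 -> "00" and 256 -> "0100"."""
    if n < 0:
        raise ValueError("negative serial numbers are not handled here")
    h = format(n, "X")
    return ("0" + h) if len(h) % 2 else h


def parse_index(text):
    """Split the database into dicts keyed by FIELDS; raises on a malformed line."""
    rows = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        parts = line.split("\t")
        if len(parts) != len(FIELDS):
            raise ValueError(f"line {lineno}: expected {len(FIELDS)} fields, got {len(parts)}")
        rows.append(dict(zip(FIELDS, parts)))
    return rows


def check_index(text):
    """Return [(record_number, problem), ...]; an empty list means every record
    passes the shape checks "openssl ca" applies when it loads the database."""
    problems = []
    for rec, row in enumerate(parse_index(text), 1):
        serial, status = row["serial"], row["status"]
        if len(serial) < 2 or len(serial) % 2 or not set(serial) <= HEX:
            fix = serial_to_db(int(serial, 16)) if serial and set(serial) <= HEX else "?"
            problems.append((rec, f"bad serial number {serial!r}; store it as {fix!r}"))
        if status not in ("V", "R", "E"):
            problems.append((rec, f"unknown status {status!r}"))
        if (status == "R") != bool(row["revoked_at"]):
            problems.append((rec, "revocation date must be set exactly when status is R"))
    return problems


def revoked_serials(text):
    """Serials the database marks as revoked: what the next -gencrl should list."""
    return [row["serial"] for row in parse_index(text) if row["status"] == "R"]
```

Running check_index on SAMPLE_INDEX flags only the first record and tells you to rewrite its serial as "00"; once that is done the database loads cleanly and revoked_serials shows the one entry a CRL built from it should contain.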
No Subject
Hi,

I need to load a certificate from disk so I can check whether its validity "not before" time is in the future. I've been trying to use PEM_read_X509 but it crashes. Has anyone got any examples that show how to successfully load a certificate from disk and view its contents? I can't find anything.

Cheers
Evan
CRL generation help
Hi,

I am doing the following to create a certificate revocation list.

1) openssl ca -revoke server.pem -config myca.cfg
   to revoke the certificate.
2) openssl ca -gencrl -config myca.cfg -out myca/crl/crl.pem
   to create the CRL.

Even if I swap the order around, the following ALWAYS happens: when I view the CRL it states that there are no revoked certificates, yet the index files have changed and seem to have revoked it or prepared to revoke it. What am I missing from this sequence? Anyone have a clue about CRLs? Help!

Thanks
Evan
help with certs!!
Hi,

These are the steps I am using to create a CA and then sign a certificate.

  openssl req -x509 -newkey rsa:1024 -keyout cakey.pem -out cacert.pem -config openssl.cnf

Then I follow the prompts. After cacert.pem is created I copy the private key into democa/private and cacert.pem into democa/. Then I do

  openssl ca -ss_cert cacert.pem -out cacert2.pem -config openssl.cnf

Once completed I copy cacert2.pem over cacert.pem, because it's signed now, right? Next I do

  openssl req -newkey rsa:1024 -keyout skey.pem -out ser.pem -config openssl.cnf

and follow the prompts, then I sign it:

  openssl ca -in ser.pem -out server.pem -config openssl.cnf

Have I created the CA correctly? Do I now have a CA root certificate I can use for my trusted CA list? Do I have a valid server certificate that can be sent for my client application to verify against the trusted CA certificate?

Thanks for the continued support guys
Evan
How do you view the contents of a CRL?
How do I view the contents of a CRL? I need to be able to see what certificates have been revoked.

Evan
CRL text view output help (more CRL help!!)
Hello again,

Here's what I'm doing to revoke a cert and create a CRL:

  openssl ca -revoke server.pem -config ca.cfg
    to revoke the certificate
  openssl ca -gencrl -config ca.cfg -out ca/crl/crl.pem -crldays 1
    to create the CRL

Now this is the output I get when I run the command openssl crl -in crl.pem -text -noout:

  Certificate Revocation List (CRL):
          Version 1 (0x0)
          Signature Algorithm: md5WithRSAEncryption
          Issuer: /C=US/O=XYZ Corp./OU=Research Dept./CN=XYZ Authority
          Last Update: Jan 14 12:27:42 2001 GMT
          Next Update: Jan 14 16:27:42 2002 GMT
  No Revoked Certificates.
      Signature Algorithm: md5WithRSAEncryption
          blah blah blah

My question is in regards to the "No Revoked Certificates." section of the output. Does this mean I haven't revoked any certificates? If so, have I mixed up the order of revoking the certificate? How would I get at the subject information stored inside the CRL?

Thanks for your continued help guys
Evan
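A worked example added by the editor, not from the original posts, covering both the "CRL generation help" and the "CRL text view output help" questions above: it builds a minimal X.509 CRL in DER, parses it back into the same fields that openssl crl -text -noout prints, and joins the revoked serials against the CA database. The point it demonstrates is that a CRL carries only the issuer name plus (serial number, revocation date) pairs; there is no subject information inside it, so the subject is recovered by looking the serial up in index.txt. Comparing the database's R records against the CRL is also the quickest way to tell whether -gencrl actually saw the revocation or was run against a different database file than -revoke updated. Python, standard library only; the issuer, serials, dates, SAMPLE_INDEX records and signature bytes are all constructed for the example, and the signature is a placeholder that is never verified (for a real CRL use openssl crl -verify -CAfile cacert.pem).

```python
# Added example, not from the original posts: build a minimal X.509 CRL in DER,
# parse it back (the fields "openssl crl -text -noout" prints), and join the
# revoked serials against the CA database, since a CRL carries only the issuer
# plus (serial, revocation date) pairs and no subject names.  Standard library
# only; issuer, serials, dates, SAMPLE_INDEX and the dummy signature are constructed.

def der(tag, body):  # one DER TLV; long-form length once the body reaches 128 bytes
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def der_int(v):  # non-negative INTEGER, leading 0x00 added if the top bit is set
    b = v.to_bytes(max(1, (v.bit_length() + 7) // 8), "big")
    return der(0x02, b"\x00" + b if b[0] & 0x80 else b)

def der_oid(dotted):
    a, b, *rest = (int(x) for x in dotted.split("."))
    out = [40 * a + b]
    for x in rest:  # base-128 arcs, high bit set on every byte but the last
        chunk = [x & 0x7F]
        x >>= 7
        while x:
            chunk.append(0x80 | (x & 0x7F))
            x >>= 7
        out.extend(reversed(chunk))
    return der(0x06, bytes(out))

def der_name(pairs):  # Name ::= SEQUENCE OF SET OF SEQUENCE { OID, PrintableString }
    return der(0x30, b"".join(der(0x31, der(0x30, der_oid(o) + der(0x13, v.encode()))) for o, v in pairs))

SHA256_RSA = der(0x30, der_oid("1.2.840.113549.1.1.11") + der(0x05, b""))
ISSUER = [("2.5.4.6", "US"), ("2.5.4.10", "XYZ Corp."), ("2.5.4.3", "XYZ Authority")]
ATTR = {b"\x55\x04\x06": "C", b"\x55\x04\x0a": "O", b"\x55\x04\x0b": "OU", b"\x55\x04\x03": "CN"}

def build_crl(revoked, v2=False, this_update="010114122742Z", next_update="010115122742Z"):
    """revoked: [(serial_int, UTCTime)].  v1 has no version field (what the old
    -gencrl in the posts produced); v2 adds INTEGER 1.  Signature is a placeholder."""
    entries = b"".join(der(0x30, der_int(s) + der(0x17, t.encode())) for s, t in revoked)
    tbs = der(0x30, (der_int(1) if v2 else b"") + SHA256_RSA + der_name(ISSUER)
              + der(0x17, this_update.encode()) + der(0x17, next_update.encode())
              + (der(0x30, entries) if entries else b""))
    return der(0x30, tbs + SHA256_RSA + der(0x03, b"\x00" * 9))

def read_tlv(buf, pos=0):  # -> (tag, value, position after the element)
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n

def children(body):
    out, pos = [], 0
    while pos < len(body):
        tag, val, pos = read_tlv(body, pos)
        out.append((tag, val))
    return out

def name_str(body):  # OpenSSL one-line form, e.g. /C=US/O=XYZ Corp./CN=XYZ Authority
    parts = []
    for _, rdn in children(body):
        for _, atv in children(rdn):
            (_, oid), (_, val) = children(atv)
            parts.append(ATTR.get(oid, oid.hex()) + "=" + val.decode())
    return "/" + "/".join(parts)

def parse_crl(crl_der):
    _, crl, _ = read_tlv(crl_der)
    (_, tbs), _alg, _sig = children(crl)  # CertificateList ::= { tbsCertList, sigAlg, signature }
    f = children(tbs)
    i, version = 0, 1
    if f[0][0] == 0x02:  # optional version; INTEGER 1 means v2
        version, i = int.from_bytes(f[0][1], "big") + 1, 1
    issuer, this_update, i = name_str(f[i + 1][1]), f[i + 2][1].decode(), i + 3  # f[i] is the sigAlg
    next_update = None
    if i < len(f) and f[i][0] in (0x17, 0x18):  # optional nextUpdate (UTCTime / GeneralizedTime)
        next_update, i = f[i][1].decode(), i + 1
    revoked = []
    if i < len(f) and f[i][0] == 0x30:  # optional revokedCertificates
        for _, entry in children(f[i][1]):
            (_, serial), (_, when) = children(entry)[:2]
            revoked.append((int.from_bytes(serial, "big"), when.decode()))
    return {"version": version, "issuer": issuer, "this_update": this_update,
            "next_update": next_update, "revoked": revoked}

SAMPLE_INDEX = (  # two records in the "openssl ca" database format (index.txt)
    "V\t020114122742Z\t\t01\tunknown\t/C=US/O=XYZ Corp./CN=server\n"
    "R\t020114122742Z\t010114120000Z\t02\tunknown\t/C=US/O=XYZ Corp./CN=old-server\n")

def reconcile(crl_der, index_txt):
    """Returns (CRL entries with the subject looked up by serial, serials marked R
    in the database but absent from the CRL).  A non-empty second list is the
    "No Revoked Certificates" symptom: the CRL predates the revocation or was
    generated from a different database file than -revoke updated."""
    db = {}
    for line in index_txt.splitlines():
        status, _exp, _rev, serial, _file, subject = line.split("\t")
        db[int(serial, 16)] = (status, subject)
    crl = parse_crl(crl_der)
    listed = {s for s, _ in crl["revoked"]}
    with_subject = [(s, t, db.get(s, ("?", "<not in database>"))[1]) for s, t in crl["revoked"]]
    missing = [s for s, (status, _) in db.items() if status == "R" and s not in listed]
    return with_subject, missing
```

The serial in the CRL is an integer and the serial in index.txt is hex text, so the join key is int(serial, 16); that is also why the "0" versus "00" database formatting matters, the value is the same, only the stored text differs.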
SSL_CTX_set_verify_locations CAPATH help
Hi,

I was wondering if anyone could help with this. I want to keep a store of CA certificates in one directory, and I was under the impression that the CAPATH variable allows for this. However, the certificates in the directory are never loaded. There's a mention of using a hash tool but I'm unsure of this. Could someone provide more information on CAPATH and what I have to do for it to load multiple trusted certificates?

Evan
More help on server certificate verification
Hi again,

I have finally managed to get the trusted certificate to load into the application, but now I am getting errors about the certificate chain being too long. The server only sends its certificate and the client loads the root CA cert to verify the server certificate. As I stated before, I'm using the verify_callback function taken straight from the man page for SSL_CTX_set_verify, and this is the routine that complains about the verify depth. When I check the verification results with SSL_get_verify_result(ssl) it fails (obviously). The certificate depth is the depth to recurse down the cert chain, correct? My previous mail has my test code, so if you need to look at what I'm doing check that.

Thanks for your help guys!
Evan
Certificate verification help
Hi,

I am having trouble with verifying the server certificate that is sent during the SSL handshake. I looked through verify.c to get an idea, but the lack of comments and docs on the X509_* stuff isn't helping. So far I have loaded the root CA certificate using X509_LOOKUP_load_file. Then I try to do the following:

  scert = SSL_get_peer_certificate(link);
  X509_STORE_CTX_init(csc, cert_store, scert, NULL);

When I run X509_verify_cert(csc) it just returns 0. I know I have missed something somewhere, but what I don't know. Someone HELP!

Thanks
Evan