Re: Desperate, commands to make an intermediate CA?
Hello. First thx for the quick answer. The commands that I had been using are Openssl commands directly no perl scripts: Creation of root CA: openssl req -new -x509 -days 10095 -out cacert.pem -key cakey.pem -config ./openssl.cnf openssl x509 -inform PEM -outform DER -in cacert.pem -out cacert.der (IE ready root certificate). Creation of a user-server certificate for testing pourposes: openssl genrsa -rand ./private/.rand.dat -des3 1024 test.key openssl req -new -config ./openssl.cnf -key test.key -out test.csr openssl ca -config ./openssl.cnf -in trasto.csr -out trasto.pem Till here everything works. Creation of the SubCA. 1.- I had created a new openssl cofiguration file called openssl2.cnf, and I had add the following lines to [ v3_ca ], the rest of the file is identical to the original: basicConstraints=CA:TRUE,pathlen:5 keyUsage = cRLSign, keyCertSign,nonRepudiation, digitalSignature, keyEncipherment 2.- Generation of the new subca in a diferent directory: openssl genrsa -rand ./private/.rand.dat -des3 2048 -out cakey2.pem openssl req -new -extensions v3_ca -days 3650 -out cacert2.pem -key ./cakey2.pem -config ./openssl2.cnf openssl ca -config ./openssl.cnf -in cacert2.csr -out cacert2.pem openssl ca -config ./openssl2.cnf -in ./cacert2.csr -out cacert2.pem -keyfile ./cakey.pem -cert ./cacert.pem (this last 2 are the root CA key-cert) openssl x509 -inform PEM -outform DER -in cacert2.pem -out cacert2.der Now I could import this .der certificate in my browser-certs repository, and I could see it as a intermediate CA, and the root CA certificate in the correct windows repository. But with this way I had to spread two certificates for the customers. And I was wondering if there is a way to spread only one file with the two certificates, already browsing the mailing lists I had found that pasting the root CA Cert and subCa cert directly with 'cat file1 file2 file3 ' or others similars methods it would works, but not for me :(. After that I had transform the PEM format to DER format and I had imported the file in a browser, but only see to be installed subCA certificate and it is not validated, because it is missing the root cacert. If cat method works, It is mandatory the order??? The root CA certificate begins with the literal: '=Begin Certi...' and the sub CA with Certificate: Data: Version: 3 (0x2) Serial Number: 1 (0x1 a. It is a potential problem? Thanks in advance. At 17:48 05/04/2006, Dr. Stephen Henson wrote: On Wed, Apr 05, 2006, Francisco Javier Martinez Martinez wrote: Hello world. I am getting crazy I can't find the solution. Could anyone be so kind of show me clues, examples, config files in order to make an intermediate CA? My scenario: I issue certificates with openssl line commands. I had issue a selfsigned CA root certificate and I could issue cert for servers,. etc, but i could not issue and sign a certficate to work as intermediate CA, it always issue me a server certificate.çç You don't say which commands so it isn't easy to say which option you should use. If you use CA.pl then the -signCA option will work. Otherwise you need to specify the configuration section v3_ca when you sign the request. Steve.
Desperate, commands to make an intermediate CA?
Hello world. I am getting crazy I can't find the solution. Could anyone be so kind of show me clues, examples, config files in order to make an intermediate CA? My scenario: I issue certificates with openssl line commands. I had issue a selfsigned CA root certificate and I could issue cert for servers,. etc, but i could not issue and sign a certficate to work as intermediate CA, it always issue me a server certificate.çç TIA. __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Upgrading to the lastest version, what happends with my Apache-Mod_SSL?
Hello. I want to upgrade the OpenSSL to the 0.9.6j version to get ride of the two last vulnerabilities found in the previous versions of OpenSSL. The system is RedHat 7.x running Apache 1.3.27 with mod_ssl, both compiled with APACI method (configure, make make install), an my question is: It is necessary once I had upgraded the OpenSSL to recompile my Apache so the mod_ssl could be linked to the new libraries of the OpenSSL or only with upgrading the openssl is the work done? Thanks in advance. Regards. __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
RE: Upgrading to the lastest version, what happends with my Apach e-Mod_SSL?
Sorry for disturbing you, but I was in a mistake with the version of Linux, my client had a Redhat 6.2 I had realized this because there is not libssl.so.0.9.6xx in the files system, there is /usr/local/ssl/lib/libssl.a instead, this may indicate that the openssl is not built in share mode?, The openssl and the apache was compiled, this last with mod_ssl between other modules using APACI format (configure and make). Would you please be so kind of tell me if I had to recompile the apache once the openssl has been compiled? Thanks in advance and regards. At 10:48 12/06/2003 +0100, you wrote: If I had a Euro for each time this question gets asked... The openssl FAQ details that fact the Red Hat 7.x (onwards) uses backported versions. That is, if you have installed the Red Hat update to your version (either manually or using Red Hat Network at rhn.redhat.com) you are protected from currently known vulnerabilities. The current supported openssl versions for Red Hat are: openssl-0.9.6-16 - 7.1 openssl-0.9.6b-32.7 - 7.2, 7.3 openssl-0.9.6b-33 - 8.0 openssl-0.9.7a-5 - 9.0 Of course, there is nothing to stop you building a separate version in a different directory. Unless you need to use patent restricted code there'll be no need. If you haven't built against one of these versions, you'll either need to recompile or use the Red Hat supplied mod_ssl package. Whichever you choose is up to you. - John Airey, BSc (Jt Hons), CNA, RHCE Internet systems support officer, ITCSD, Royal National Institute of the Blind, Bakewell Road, Peterborough PE2 6XU, Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED] Evolution isn't true just because the majority of people think it is. -Original Message- From: Francisco Javier Martinez Martinez [mailto:[EMAIL PROTECTED] Sent: 12 June 2003 08:01 To: [EMAIL PROTECTED] Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED] Subject: Upgrading to the lastest version, what happends with my Apache-Mod_SSL? Hello. I want to upgrade the OpenSSL to the 0.9.6j version to get ride of the two last vulnerabilities found in the previous versions of OpenSSL. The system is RedHat 7.x running Apache 1.3.27 with mod_ssl, both compiled with APACI method (configure, make make install), an my question is: It is necessary once I had upgraded the OpenSSL to recompile my Apache so the mod_ssl could be linked to the new libraries of the OpenSSL or only with upgrading the openssl is the work done? Thanks in advance. Regards. __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED] - NOTICE: The information contained in this email and any attachments is confidential and may be legally privileged. If you are not the intended recipient you are hereby notified that you must not use, disclose, distribute, copy, print or rely on this email's content. If you are not the intended recipient, please notify the sender immediately and then delete the email and any attachments from your system. RNIB has made strenuous efforts to ensure that emails and any attachments generated by its staff are free from viruses. However, it cannot accept any responsibility for any viruses which are transmitted. We therefore recommend you scan all attachments. Please note that the statements and views expressed in this email and any attachments are those of the author and do not necessarily represent those of RNIB. RNIB Registered Charity Number: 226227 Website: http://www.rnib.org.uk __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
