RE: Converting own CA certificate to pkcs12
At 13:02 22.11.2002 +0100, you wrote: As far as I know there are only two ways for importing a CA certificate into Netscape browser: 1) Through an HTTP/HTTPs connection to a Web server hosting the CA certificate (using MIME type application/x-x509-ca-cert) 2) Importing it piggybacked in an user PKCS#12 (i.e., you import an user certificate and the CA certificate) I have never used PKCS#12 for importing CA certificates only .It bothers me to learn that it could be a proper usage of PKCS#12 format. I always thought about it as a means for moving certs and keys around with certain amount of confidentiality and integrity. It is kind of annoying that every PKI paper states the need for out-of-band initialization of CA certificates and Netscape/Mozilla browsers does not support common formats (IE uses PKCS#7 for example, much more suited to this purpose). Hope it helps Err, folks. I just took a ca.cer file with a normal DER-encoded CA certificate, chose "open file" in Mozilla 1.1 and I got a nice dialog box: "You've been asked to trust a new CA ( ) trust this CA to identify web sites ( ) trust this CA to identify email users ( ) trust this CA to identify software developers View file/OK/Cancel" What is your problem? Jörn __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: How can I add 8-bit charset/unicode strings to certs?
At 11:42 14.11.2002 +1300, you wrote: On Wed, Nov 13, 2002 at 09:35:47AM +0100, Karl-Michael Werzowa wrote: > letters, etc. (If you use an Ö or Ä it may be easy, but what about > hungarian, slovak, croatian characters? How to type these? Do you know the > possible transcripts?) > The best way seems to be to have an ascii transcript and the full BMPString > in LDAP and certificates. Don't get me started! :-) As it is, we're talking about Microsoft Active Directory LDAP here - so I need to find out just what that is from a charset point of view. I mean, M$ make a big thing over Unicode - but the LDAP data certainly isn't Unicode. In fact, from what I can find off Google, LDAP (include AD) uses ISO-10646 - which is a superset of Unicode. Apparently all standard ASCII chars stay the same, and the rest are converted into the double-byte Unicode. However, I'm definitely getting ASCII-8bit chars out of LDAP - so I don't know what the hell's going on :-) -- Cheers Jason Haar LDAP normally uses UTF-8, which is a way to encode iso-10646 characters. 7bit ascii looks the same in utf-8 and ascii, but higher up the charset the encoding takes 2 (in case of a simple Ö) to 6 characters. And that works. I have a CA with an ö in its name, and I can fetch its CRL from LDAP without problems. One hint: Your LDAP server might behave differently depending on the client's version number. Do you use version 3? See RFC2553. Jörn (Guess why there is an ö in my CA certificate) __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: How can I add 8-bit charset/unicode strings to certs?
At 16:51 12.11.2002 +1300, you wrote: Now I went off and generated a cert for one "Frank Österberg" (that's an "O" with two dots on top), and when I "vi" the PEM afterwards I see "\xD6sterberg". Run your PEM through "openssl asn1parse -dump -in myfile.pem" That will display the encoding. Post the result (just your funny string, not the entire cert dump) here to get more help. Jörn __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: How can I add 8-bit charset/unicode strings to certs?
At 16:51 12.11.2002 +1300, you wrote: Hi there I want to generate certs from our internal LDAP server. We have people from all over the world here, and so some of these entries have 8bit chars in their names (shock! horror!) Now I went off and generated a cert for one "Frank Österberg" (that's an "O" with two dots on top), and when I "vi" the PEM afterwards I see "\xD6sterberg". However, under Mozilla Import, the name shows up as "A?sterberg" (the A has two dots on top) - not the same thing. Is this an issue with the Unix (Linux BTW) system doing some ISO charset, but Openssl expecting unicode? If so, what is the correct way to do this? Thanks in advance for any help - my poor ASCII brain is feeling overwhelmed :-) -- Cheers Jason Haar You didn't exactly specify whether your problem is with LDAP or with Certificates. With certificates, Each RDN (that's a relative distinguished name, like C=DE) may can encoded in a number of encoding. C=DE would be probably PRINTABLE-STRING. Other popular ones are IA5/7bitASCII, T61/TELETEX, BMP/UCS-2 or UTF8. In T61, an Ö (0x00D6) would be 0xc8 0x4F. In BMP it would be 0x00 0xD6. In UTF8, it would be 0xc3 0x96. Problem is, I don't know any encoding that would translate an Ö (unicode 0x00D6) into \xD6. Really. the ANSI or Latin-1 or whatever you want to call it is not a featured charset in certificate encoding. So. Your certificate is wrong. With LDAP, charsets are even worse. Read some RFCs. ww.rfc-editor.org has a search engine, type "LDAP". To find out what encoding your "\xD6sterberg" is, check the two bytes before it. the 1st would be the type, then the length. Jörn __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: dummy question about PKCS#12
At 18:32 11.10.2002 +0200, you wrote: >hi! > > this is probably basic question. i'd like to know if there is any way >to obtain the public certificates inside a PKCS#12 without the need >of decrypt it. > > if the certificates are public it should be obvious to be able to >read them. is it possible? > > >regards, > > >aleix If the certificates are encrypted, you need to decrypt them. Sorry for stating the obvious. However: there is no need to encrypt them in the 1st place. A pkcs#12 file can contain the cert unecrypted and the key encrypted. openssl will encrypt the cert by default if you create a pkcs#12 file. As far as I know you can't generate half-encrypted ones without some programming. Jörn __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: supported string for certificate request ...
At 18:02 19.07.2002 +0900, [EMAIL PROTECTED] wrote: >$)C >Hello list, > >I'm quite new to openssl but here is a question I can't solve for myself. > >req_distinguished_name part of my configuration file is >C = KR >ST = seoul >L = seoul >O = telecom >OU = telecom >CN = H+1f5? # It's an Korean word >emailAddress = [EMAIL PROTECTED] > >I make certificate request using this configuration file, but I can't read >CN part in the > >certificate request. > >How can I solve it ? > >Soo. > >__ >OpenSSL Project http://www.openssl.org >User Support Mailing List[EMAIL PROTECTED] >Automated List Manager [EMAIL PROTECTED] The openssl can certainly handle unicode, it's just that the config files are not unicode. I have a 0.9.6b here, and in req.c, function add_DN_object() I can see: if (!X509_NAME_add_entry_by_NID(n,nid, MBSTRING_ASC, (unsigned char *) buf, -1,-1,0)) goto err; So, it will read nothing else but ASCII characters from the config file. If you want special characters, your best bet would be to use a UNICODE editor, and enter your korean string with that. Save as UTF8. Do not use any Microsoft MBCS stuff please. Then change the code to if (!X509_NAME_add_entry_by_NID(n,nid, MBSTRING_UTF8, (unsigned char *) buf, -1,-1,0)) goto err; and recompile. Your string will be encoded as BMP in the certificate request. Jörn Sierwald __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: 1032 bits Modulus
At 10:09 10.05.2002 -0300, you wrote: >Hi all, > >I have a simple question: why the modulus is showed with 1032 bits and it >always has a 0 at the beginning? It does this way in OpenSSL but also on >browsers. > >Thank you for your help. > >Heber. > >modulus: > >00:e6:fa:c3:06:49:ac:95:c2:9e:bb:f6:04:dd:60: > >ff:f0:31:77:8a:e0:c5:14:e3:15:41:6a:17:96:1c: > >9d:06:8c:c8:08:ca:34:e5:c9:32:b9:2f:6b:ef:03: > >1b:bb:ed:88:4a:ce:e2:29:7f:a6:66:b5:b7:7e:e0: > >3b:85:16:0b:b9:c4:d2:29:5c:fc:5e:f3:be:d1:0e: > >ad:35:8f:77:19:06:cc:c9:b9:31:5f:c1:33:08:ca: > >3d:b5:52:47:70:67:a2:74:a4:81:04:33:24:06:a8: > >7d:c8:2d:f0:0a:84:dc:33:6a:b1:4b:1f:b1:36:40: > >cf:2f:0c:88:90:4f:9e:f4:0b > >publicExponent: 65537 (0x10001) A DER INTEGER value is encoded in a peculiar way. The first bit is the sign. So, if the value would start with e6:, it would be NEGATIVE! So, you need a 0 in front of it. Funny note: I have seen certificates with a negative public exponent. You really can get them wrong. Jörn ' __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: Creating password-protected certs.
At 10:52 30.04.2002 +0200, you wrote: >In message <[EMAIL PROTECTED]> on Mon, 29 >Apr 2002 12:22:32 -0700 (PDT), Tim Jones <[EMAIL PROTECTED]> said: > >t0psecret> I'm trying to create password-protected client certs >t0psecret> with OpenSSL and ssl.ca-0.1.tar.gz. Is this what >t0psecret> "export password" refers to (when creating the key), >t0psecret> or is there another way? I'm not sure whether the >t0psecret> export password is a permanent password for the cert >t0psecret> or just a one-time password used to import the .p12 >t0psecret> file. >t0psecret> >t0psecret> If it's the former, it seems as though Window strips >t0psecret> this password when I import the cert, because I'm only >t0psecret> asked for it the one time when importing. Is there any >t0psecret> way around this? > >You're mixing up certificate and private key. The password will >protect the private key. The certificate is (or should be) filled >with public information only, and therefore doesn't require any >password protection. > >-- >Richard Levitte \ Spannvägen 38, II \ [EMAIL PROTECTED] That reminds me of a question I once asked, but didn't get a reply: pkcs#12 files can contain encrypted certificates or unencrypted certificates. Since, like you notice, the cert doesn't require protection, why can't openssl generate pkcs#12 file with encrypted private key, but cleartext cert? Jörn Sierwald __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: J/Crypto 3.3 DER encoded certificate cannot be read by openssl-0.9.6b
At 16:34 15.04.2002 +0200, you wrote: >Hello, there! :) > >I've checked google in this but to no avail - so I'm asking here... >Hope its not a duplicate thread. > >Trying to read the attached DER form of a X509 certificate with >OpenSSL 0.9.6c and 0.9.6b yields the following error: > >paveltz@MORDOR ~ >$ openssl x509 -in ./1.der -inform DER >unable to load certificate >3212:error:0D06B078:asn1 encoding routines:ASN1_get_object:header too >long:asn1_ >lib.c:139: > >I've tried to use the asn1parse utility but to no avail: >paveltz@MORDOR ~ >$ openssl asn1parse -inform DER -in ./1.der -dump > 0:d=0 hl=16 l=-991318795 cons: VISIBLESTRING >Error in encoding >3552:error:0D06B078:asn1 encoding routines:ASN1_get_object:header too >long:asn1_ >lib.c:139: > >The certificate was produced by calling JCRYPTO_X509Certificate.toDER >method. > > >Any help ? :) Any information on how to debug further ? I'd debug the function that wrote the file. I have no idea what it is, but it is not a DER-encoded certificate. In fact, when looking at it with a hex editor it looks a bit like random data, I didn't run a statistical test, though. Did you encrypt it? Jörn __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: Compatibility with Crypt::DES
At 11:46 04.04.2002 -0500, you wrote: >Hi, > >I'm trying to use the openssl libraries to decrypt text encrypted using >perl's Crypt::DES module without success. After failing using CBC, I've >switched to a simple 8 byte block encrypted with des_ecb_encrypt and this >still produces different cipher text. Which presumably means the problem >lies with the key ? Right you are, sir. > I take a hardcoded 8 byte key and use des_string_to_key >and then create a des_key_sched prior to doing the encryption. Err, why do you call des_string_to_key in the first place? It expects a zero-terminated string. And calls strlen() for it. Maybe you are not aware that you just put your 8 bytes in a des_cblock. With memcpy or something. >Does anyone have any suggestions or any experience of using perl / openssl >together just for DES as opposed to complete SSL communication ? > >thanks >Nick Roberts Jörn __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: How to add Postal code to a certificate request
At 14:25 04.04.2002 +0530, you wrote: >Hi, >I was able to add the postal code. But there is some problem with the Short >Name. What should be given for the short name? I have given ZIP and also >tried with PC. > >With the above values in the request, generation of certificate request is >fine. But when trying to enroll for a certificate in isakmp-test.ssh.fi >site, it is failing. >But when I put the Short name as OID.2.5.4.17 it accepted. > >What is the correct Short name and Long name for the postal code > >Regards >Suram There is no short name. Sorry. The OID has an ldap name "postalCode", but that's not really helpful when dealing with just certificates. You will have to live with the fact that all software will display your postal code as OID.2.5.4.17=24000 or something, with no proper name. Jörn __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: How to add Postal code to a certificate request
At 15:25 02.04.2002 +0530, you wrote: >Hi, >I have a doubt regarding the addition of postal code or PIN code or ZIP code >to the certificate request. > >How to add Postal code to a certificate request. I tried to search for an >NID for the postal code but could'nt found. > >What is the way to add the postal code to a certificate request?? > >Regards >Suram > >__ >OpenSSL Project http://www.openssl.org >User Support Mailing List[EMAIL PROTECTED] >Automated List Manager [EMAIL PROTECTED] Put it in an OID 2.5.4.17, "postal code". The postal code should also go into line 5 of the postal address, OID 2.5.4.16. Line 1 object's RDN Line 2 Street address or PO box Line 3 no default value Line 4 Physical Delivery Office Name, State or privince name Line 5 Postal Code Line 6 Country Name (from the DN) See Recommendation F.401 Use google to search for "2.5.4.17 postal code" Jörn __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: Viewing the content of an X509 cert with V3 extensions
At 10:10 25.03.2002 -0500, you wrote: >I've created a cert that contains X509 extensions (I stored data in the >subject-alt name field). I'm looking for a utility that can dump the cert >(in ASCII) so that I can make sure all the expected values are there. Does >such a utility exist (that will also dump extensions) or do I need to write >one? > >Thanks! > >Craig openssl x509 -text -in cert.pem will do just that. Jörn __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: secure mailinglists
At 21:41 07.03.2002 +0100, you wrote: >Hi everybody, > >we have set up our own CA and generated for everybody >user certificates for secure communication. It really works >fine. > >The task: now we want to set up mailinglists (server side) >like "[EMAIL PROTECTED]" where some users of our company and >some from a customer should be able to write signed and >encryted emails and everybody on the list should be able to >read it. > >The question is how should this be done? The only solution I can >imagine is to generate a certificate for the list and send the p12-file >to everybody on the list. But does it really work with all mail >programs, because for example: user A send an encrypted mail to >[EMAIL PROTECTED] which is expanded to user B, but its not originally >encrypted for B... > >Whats the best way solving such a mailinglist problem? What is >your experience and solution? I am sure I not the only one beeing >confronted with such a task (hope :-). > >thanx for your help, >Damian Message senders encrypt the message with the public key of the mailinglist. The mailinglist server decrypts the message using the private key for the mailinglist and encrypts it again individually for every recipient. The problematic part is the signature, I guess. Would it be possible to keep the original signature? Or does the server have to check the sender's signature and sign it again with it's private key if the original signature is correct? The email programs would handle the encryption part nicely, but I fear that you cannot keep the original signature.. Jörn Sierwald __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: binding IP addresses to X.509 certificates for use with OpenSSL?
At 09:52 29.11.2001 +, you wrote: >Hi Guys, > >I have come accross an issue here, where some fellow designers want to >generate an x.509 certificate for use with OpenSSL, but they want to >specifically bind the generated cert to only be used with one individual >IP address. Is this possible? I have been doing a bit of reading up on >X.509 cert format, and I have yet to see any field or part of the cert, >which would contain an IP address value, or allow the cert to be used only >with a specific IP address. > >I had alsways thought that the cert was independent of the network >configuration of the machine it was being used on, but is this always the case? > >Cheers, > >Brian Yes, it is possible. If you have read the spec and missed it, the subjectAltName field is a X509 v3 extension, OID 2.5.29.17. You may store an IP address there. This is very useful for IPSec, the standard for encrypting IP packets. As IP packet are sent from one IP address to another, is makes very much sense to use the IP address as the primary identity for authentication. Using the subjectAltName seems to be far more popular than putting the IP address in the subjectDN, as CN. Jörn Sierwald __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]