RE: Converting PEM file to PKCS12 or PFX for the MacOS (Not Mac OSx)...
Hi Wally

Pleasure, did it work? Well, although I understand your plight towards other people (since I've been, and sometimes am, in the same boat), I also understand why sometimes people don't respond. It could be any of:

1. Too busy or away.
2. Too busy, but still time to answer one or two; since the subject said MacOS and they have a different OS, they ignored it.
3. Don't know.
4. You weren't specific enough (which wasn't the case).
5. They felt that your question was something you could figure out yourself by either reading the docs a bit more or searching the web... usually people want to see that you have made some effort at least attempting to solve the problem.

Take care
Jose

-----Original Message-----
From: Auteria Wally Winzer Jr. [mailto:[EMAIL PROTECTED]]
Sent: 28 October 2002 10:31
To: [EMAIL PROTECTED]
Cc: Auteria Wally Winzer Jr.
Subject: Re: Converting PEM file to PKCS12 or PFX for the MacOS (Not Mac OSx)...

Thanks Jose for your response. You're the only one that took the time to do so. Everyone else just sent me read receipts.

Wally

----- Original Message -----
From: Jose Correia (J)
To: [EMAIL PROTECTED]
Sent: Sunday, October 27, 2002 23:42
Subject: RE: Converting PEM file to PKCS12 or PFX for the MacOS (Not Mac OSx)...

Hi there

I would think the command used by openssl is the same, irrespective of OS used?? Something like this would work for a PEM certificate:

    openssl pkcs12 -export -in someCert.crt -inkey someCert.key -out someCert.p12

Regards
Jose

-----Original Message-----
From: Auteria Wally Winzer Jr. [mailto:[EMAIL PROTECTED]]
Sent: 25 October 2002 16:27
To: [EMAIL PROTECTED]
Cc: Auteria Wally Winzer Jr.
Subject: Converting PEM file to PKCS12 or PFX for the MacOS (Not Mac OSx)...

Has anyone converted PEM files into PKCS12, PFX, or DER format explicitly for the MacOS versions 8.5 and above? I have 3 Macs that need CAs loaded. If anyone has done this, by all means give me the lowdown. I really appreciate everyone's efforts in solving this major issue, one being the CEO!

Thanks!
Wally Winzer Jr.
RE: Converting PEM file to PKCS12 or PFX for the MacOS (Not Mac OSx)...
Hi there

I would think the command used by openssl is the same, irrespective of OS used?? Something like this would work for a PEM certificate:

    openssl pkcs12 -export -in someCert.crt -inkey someCert.key -out someCert.p12

Regards
Jose

-----Original Message-----
From: Auteria Wally Winzer Jr. [mailto:[EMAIL PROTECTED]]
Sent: 25 October 2002 16:27
To: [EMAIL PROTECTED]
Cc: Auteria Wally Winzer Jr.
Subject: Converting PEM file to PKCS12 or PFX for the MacOS (Not Mac OSx)...

Has anyone converted PEM files into PKCS12, PFX, or DER format explicitly for the MacOS versions 8.5 and above? I have 3 Macs that need CAs loaded. If anyone has done this, by all means give me the lowdown. I really appreciate everyone's efforts in solving this major issue, one being the CEO!

Thanks!
Wally Winzer Jr.
RE: CSR / CA Issued Certificate
    ...ram Files\\Javasoft\\jre\\1.3.1\\lib\\security\\jssecacerts");
    System.setProperty("javax.net.ssl.keyStore", "C:\\Program Files\\Javasoft\\jre\\1.3.1\\lib\\security\\jsseclientcerts");

I used Innovation's HTTPClient after this, in which I set the SSL socket factory after I initialized the SSLContext.

2. If the client certificate and the CA certificate are meant for browser use, then the client certificate has to be generated first using openssl (just like we did our server certificate), signed and then converted to PKCS12 format. So something like this would work:

· Generate a certificate request:

    perl CA.pl -newreq

  Fill in the client certificate details (all of them), something like:

    Country Name (2 letter code) [AU]:ZA
    State or Province Name (full name) [Some-State]:WP
    Locality Name (eg, city) []:Cape Town
    Organization Name (eg, company) [Internet Widgits Pty Ltd]:telkom
    Organizational Unit Name (eg, section) []:users
    Common Name (eg, YOUR name) []:Jose
    Email Address []:[EMAIL PROTECTED]

· Sign the request:

    perl CA.pl -sign

· Extract the key into a separate file:

    openssl rsa < newreq.pem > newkey.pem

· Rename the three files for convenience:

    mv newcert.pem client2.crt
    mv newreq.pem client2.req
    mv newkey.pem client2.key

· Now convert it to PKCS12 format:

    openssl pkcs12 -export -in client2.crt -inkey client2.key -out client2.p12

· Convert the CA certificate into PKCS12 format as well:

    openssl pkcs12 -export -in demoCA/cacert.pem -inkey /demoCA/private/ca.key -out cacert.p12

· Now import these into the client's browser (first import the CA one).

And that's about it. Btw, I used JDK 1.3.1 with JSSE 1.0.3.

Cheers
Jose

-----Original Message-----
From: Fisk, Kevin [mailto:[EMAIL PROTECTED]]
Sent: 15 October 2002 17:55
To: [EMAIL PROTECTED]
Cc: Moffet, Scott
Subject: RE: CSR / CA Issued Certificate

Please ... how did you do it?

-----Original Message-----
From: Jose Correia (J) [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, October 15, 2002 12:26 AM
To: [EMAIL PROTECTED]
Subject: RE: CSR / CA Issued Certificate

Hi Kevin

I have successfully used a client certificate signed by my own CA using JSSE... let me know if you are interested in knowing how...

Cheers
Jose

-----Original Message-----
From: Fisk, Kevin [mailto:[EMAIL PROTECTED]]
Sent: 15 October 2002 02:01
To: [EMAIL PROTECTED]
Subject: CSR / CA Issued Certificate

I've been using OpenSSL a great deal, though this is going to come out sounding a lot like a newbie question. I need to generate a CSR so I can order a Verisign certificate. Our server currently uses a self-signed cert and key pair for the server. If I order a Verisign certificate, it is the digital cert only. Is the server's key the key I generate for the CSR? The self-signed cert would be fine; however, JSSE refuses to connect with the server because it is not a trusted certificate. Am I on the right track?

Kevin

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                        [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
RE: new release of mod_authz_ldap
The module is still not available at: http://authzldap.othello.ch/download.html

Regards
Jose Correia

-----Original Message-----
From: Andreas Mueller [mailto:[EMAIL PROTECTED]]
Sent: 10 October 2002 10:59
To: [EMAIL PROTECTED]
Subject: new release of mod_authz_ldap

Since the OpenSSL users list has been used for questions about mod_authz_ldap (an X.509 certificate verification module for mod_ssl) in the past, and in particular availability for Apache 2 was a recurring theme, I dare to abuse the list to announce that the promised release 0.22, featuring Apache 2 support, was just released. Please see http://authzldap.othello.ch for details.

Mit herzlichem Gruss

Andreas Mueller
--
Dr. Andreas Mueller, Beratung und Entwicklung
CH-8852 Altendorf Switzerland
Tel: +41 55 4621483 Fax: +41 55 4621485
[EMAIL PROTECTED]
RE: Apache 2.0.39 + ssl + ldap with client certificate authentication
Hi Vadim

The patch allows for both certificate and basic authentication. Check http://authzldap.othello.ch/howto.html for two examples on how to use it. Do be aware that at the moment it's only meant for Apache 1.3.x. I did see a posting by the author himself on this list yesterday, saying he was adding support for Apache 2 fairly soon.

W.r.t. "What kind of LDAP lookup works best with X509_NAME_oneline()-style names?": do check the howtos. The certificate authentication can be done against the certificate subject or serial number.

W.r.t. "Should the LDAP tree be somewhat special?": it does have to implement a few objects as shown in the howto, but it's fairly simple. I used OpenLDAP as my LDAP server and it worked nicely.

Cheers
Jose

-----Original Message-----
From: Vadim Fedukovich [mailto:[EMAIL PROTECTED]]
Sent: 02 October 2002 17:41
To: [EMAIL PROTECTED]
Subject: Re: Apache 2.0.39 + ssl + ldap with client certificate authentication

Hi Jose,

would you please outline how exactly one could use this patch? What kind of LDAP lookup works best with X509_NAME_oneline()-style names? Should the LDAP tree be somewhat special?

thank you and sorry for off-topic,
Vadim

On Wed, Oct 02, 2002 at 08:50:36AM +0200, Jose Correia (J) wrote:
> Hi Sarah
>
> Take a look at http://authzldap.othello.ch/index.html
>
> I've used it successfully.
>
> Cheers
> Jose
>
>
> -----Original Message-----
> From: Sarath Chandra M [mailto:[EMAIL PROTECTED]]
> Sent: 29 September 2002 11:17
> To: [EMAIL PROTECTED]
> Subject: Apache 2.0.39 + ssl + ldap with client certificate
> authentication
>
>
>
> Dear group,
> Has anybody tried doing LDAP client certificate authentication for an
> apache 2.0.39 ssl server?
>
> Our environment is:
> RedHat linux 7.1 kernel 2.4.x
> apache 2.0.39 (inc. mod_ssl)
> openssl-engine-0.9.6g
> openldap (on a different redhat linux server)
>
> The apache website has a verisign server certificate, a self-signed CA
> certificate and all clients have
> certificates in the ldap server signed by this CA.
>
> When clients present their certificate to browse the Apache secure
> site, Apache should check the
> existence of their certificate in the LDAP server and also the
> validity of the contents of the certificate presented.
>
> Kindly provide some direction to any solution or resources related to
> this issue.
>
> Any help would be highly appreciated.
>
> TIA
> Sarath
RE: Validity period of certificates
You mean how to create a certificate using openssl?

-----Original Message-----
From: Radboud Platvoet [mailto:[EMAIL PROTECTED]]
Sent: 02 October 2002 13:52
To: [EMAIL PROTECTED]
Subject: RE: Validity period of certificates

In order for me to use these macros, I first need to load an X509 structure with my certificate (located in a .pem file). Does anybody know how to do this?

Thanks,
Radboud

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Vijo Cherian
Sent: Friday, September 27, 2002 10:27 PM
To: [EMAIL PROTECTED]
Subject: Re: Validity period of certificates

X509_get_notBefore()
X509_get_notAfter()

are your friends.

Make sure you don't use that key/cert in any production systems.

vijo.

On Fri, Sep 27, 2002 at 03:39:07PM +0200, Radboud Platvoet wrote:
> Thanks guys,
>
> That works great. However, I would really like to do it with a call from my
> C code and not in the shell.
>
> -Radboud
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]] On Behalf Of Michiels Olivier
> Sent: Friday, September 27, 2002 3:04 PM
> To: [EMAIL PROTECTED]
> Subject: Re: Validity period of certificates
>
>
> Hi,
> Take the BEGIN CERTIFICATE to the END CERTIFICATE part, put it in a file,
> then do: openssl x509 -in yourfile -text.
> You will see the start and the end date at the beginning of the response.
>
> Hope this helps,
>
> Michiels Olivier
>
> Radboud Platvoet wrote:
>
> >Hi everyone,
> >
> >I would like to know if there is a way to find out for what period a
> >certificate is valid (ie: the start and end date).
> >
> >This is the certificate from which I like to determine the validity period:
> >
> >[PEM private key and certificate omitted]
> >
> >Any help is greatly appreciated!
> >
> >Thanks,
> >Radboud

--
vijo
RE: Validity period of certificates
Try

    openssl x509 -in thiscert -noout -dates

Do a man x509 for more info.

Cheers
Jose

-----Original Message-----
From: Radboud Platvoet [mailto:[EMAIL PROTECTED]]
Sent: 27 September 2002 14:43
To: [EMAIL PROTECTED]
Subject: Validity period of certificates

Hi everyone,

I would like to know if there is a way to find out for what period a certificate is valid (ie: the start and end date).

This is the certificate from which I like to determine the validity period:

[PEM private key and certificate omitted]

Any help is greatly appreciated!

Thanks,
Radboud
RE: Multiple server certificates
To my knowledge no, as Apache only allows you to specify one server certificate and key.

-----Original Message-----
From: Xperex Tim [mailto:[EMAIL PROTECTED]]
Sent: 27 September 2002 03:20
To: openssl
Subject: Multiple server certificates

With client authentication, the server sends a list of acceptable CAs to the client in the Certificate Request, so a client may have multiple identities and choose an appropriate one. Is there something similar for the usual server authentication? I.e. can a server have multiple certificates and either present them all or present the one that the client can accept? I haven't found any such capability so far.

Thanks,
Tim
RE: how to generate a DSA certificate?
Hi Touria

Take a look at:

http://resin.csoft.net/~resin/cgi-bin/man.cgi?section=8&topic=ssl

where it says: GENERATING DSA SERVER CERTIFICATES

Alternatively, if you do a search using Google or some other search engine with keywords like "generating DSA certificates with openssl", you would find others too.

Regards
Jose

-----Original Message-----
From: Touria Zaddaoui [mailto:[EMAIL PROTECTED]]
Sent: 21 September 2002 13:36
To: [EMAIL PROTECTED]
Subject: how to generate a DSA certificate?

Hello everybody,

This is the problem I have with generating a DSA certificate: after generating a CA private key & certificate, I do the following commands to generate a DSA certificate signed by the already generated CA credentials:

1- openssl dsaparam -out dsap.pem 512
2- openssl req -new -nodes -out req1.pem -keyout priv.pem -config open_test.cnf -newkey dsa:dsap.pem
   // open_test.cnf is the configuration file that contains client information
3- openssl x509 -req -CA cacert.pem -CAkey cakey.pem -in req1.pem -out cert.pem -CAcreateserial -passin pass:default -days 12 -trustout

But when I display the certificate contents I get that the certificate was signed using md5withRSA and not DSA as expected.

I hope someone can help me solve it.

Thanks
RE: apache with client certificates
Thanks Paul, I'm busy looking at PureTLS as a solution.

-----Original Message-----
From: Paul L. Allen [mailto:[EMAIL PROTECTED]]
Sent: 18 September 2002 19:53
To: [EMAIL PROTECTED]
Subject: Re: apache with client certificates

"Jose Correia (J)" wrote:
>
> [...]
> On my Java side I'm using JSSE 1.0.3 together with Innovation's
> HTTPClient like:

That's probably your problem. I tried to get a Java/JSSE client to do client-side authentication with a C/OpenSSL server recently and couldn't get it to work. I posted a query here and on our local Java newsgroup and got zero responses from anybody who had client-side authentication working with a JSSE client talking to any sort of OpenSSL-based server.

Eric Rescorla suggested that I look at the PureTLS package that he wrote under contract for Claymore Systems. I did, and it works. A Google search will point you to PureTLS. It doesn't compile under JDK 1.4, but you can build it under 1.3 and then use it with other code built with 1.4. That's what we did, and we're now busy solving the customer's problem rather than trying to make our code work.

> [...]
> --- "Jose Correia (J)" <[EMAIL PROTECTED]> wrote:
> > Hi all
> >
> > Is anyone aware of Apache version 1.3.20 having problems with client
> > authentication??
> > [...]

Apache is not likely the problem, unless there's a configuration error. You can verify this by watching a connection attempt with ssldump. If you see Apache requesting a client cert, but the client doesn't send one, the problem is likely with the client.

Good luck!

Paul Allen
--
Boeing Phantom Works                        \ Paul L. Allen, (425) 865-3297
Math & Computing Technology                  \ [EMAIL PROTECTED]
POB 3707 M/S 7L-40, Seattle, WA 98124-2207    \ Prototype Systems Group
RE: apache with client certificates
Actually, how does Apache know about the client certificate that the client has got?? Does it compare who signed the client certificate with the CA it has in SSLCACertificateFile?

Thanks anyone.

Regards
Jose

-----Original Message-----
From: Jose Correia (J)
Sent: 18 September 2002 14:52
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: RE: apache with client certificates

Hi all

I'm actually now getting in ssl_engine.log:

    [18/Sep/2002 14:41:57 32739] [error] OpenSSL: error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate [Hint: No CAs known to server for verification?]

Any ideas? I don't understand how it can say "No CAs known to server for verification" (although only a hint) if I am specifying:

    SSLCACertificateFile /jose/CA2/demoCA/cacert.pem

in my httpd.conf...

Thanks
Jose

-----Original Message-----
From: Jose Correia (J)
Sent: 18 September 2002 08:30
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: RE: apache with client certificates

Hi there

I set the depth to 1 and I do have my cache set to:

    SSLSessionCache dbm:/usr/local/apache/logs/ssl_scache
    SSLSessionCacheTimeout 300
    SSLMutex file:/usr/local/apache/logs/ssl_mutex

Still not working... Argghhh, this is so frustrating... any other ideas?

Did you put your CA into the local .keystore or in C:\Program Files\JavaSoft\JRE\1.3.1\lib\security\cacerts??

On my Java side I'm using JSSE 1.0.3 together with Innovation's HTTPClient like:

    java.security.Security.addProvider(new com.sun.net.ssl.internal.ssl.Provider());
    SSLContext sc = SSLContext.getInstance("SSL");
    TrustManagerFactory tmf = TrustManagerFactory.getInstance("SunX509");
    KeyManagerFactory kmf = KeyManagerFactory.getInstance("SunX509");
    KeyStore ks = KeyStore.getInstance("JKS");
    char[] passphrase = "whatever".toCharArray();
    ks.load(new FileInputStream("C:\\Documents and Settings\\correij\\.keystore"), passphrase);
    tmf.init(ks);
    kmf.init(ks, passphrase);
    sc.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
    HTTPConnection con = new HTTPConnection("https", urlString, -1);
    con.setDefaultSSLSocketFactory(sc.getSocketFactory());
    HTTPResponse response = con.Get("/test/servlet/ldapb2bservlet");
    InputStream content = (InputStream) response.getInputStream();

Any other ideas, thanks...

-----Original Message-----
From: Xperex Tim [mailto:[EMAIL PROTECTED]]
Sent: 18 September 2002 01:07
To: [EMAIL PROTECTED]
Subject: Re: apache with client certificates

I am using Apache 1.3.26 with OpenSSL 0.9.6c and client authentication works for me. I have SSLVerifyDepth set to 1 and specified an SSLSessionCache but otherwise my setup is roughly the same as yours.

--- "Jose Correia (J)" <[EMAIL PROTECTED]> wrote:
> Hi all
>
> Is anyone aware of Apache version 1.3.20 having problems with client
> authentication??
>
> I've created my own CA using openssl (vs 0.9.6a). I then
> created and signed my server certificate with the CA using openssl.
> (apache is on a RH Linux 6.2 machine)
>
> I then created a client public key using Java's keytool (from my
> Win2000 client machine). I then took this key and signed it with my CA
> using openssl which I duly converted into DER format. I then imported
> my CA's certificate in my JSSE keystore plus the now created client
> certificate which replaces the previous public key.
>
> In my Apache I mention these:
> SSLCertificateFile /jose/CA2/server.crt
> SSLCertificateKeyFile /jose/CA2/server.key
> SSLCACertificateFile /jose/CA2/demoCA/cacert.pem
> SSLVerifyClient require
> SSLVerifyDepth 10
>
> When I connect, I'm getting the following on ssl_engine.log
>
> "[17/Sep/2002 15:20:22 28388] [error] SSL handshake failed (server
> 155.239.48.43:443, client 165.148.59.202) (OpenSSL library error
> follows)
> [17/Sep/2002 15:20:22 28388] [error] OpenSSL: error:14094416:SSL
> routines:SSL3_READ_BYTES:sslv3 alert certificate unknown"
>
> and from my Java client I'm getting:
>
> "main, SEND SSL v3.1 ALERT: fatal, description = certificate_unknown
> main, WRITE: SSL v3.1 Alert, length = 2
> javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated"
>
> Hence my confusion since I know my client certificate was signed by
> the CA mentioned in apache httpd.conf... :-(
>
> Anyone got a clue? I've searched extensively...
>
> Thanks a lot
> Jose Correia
RE: apache with client certificates
Hi all

I'm actually now getting in ssl_engine.log:

    [18/Sep/2002 14:41:57 32739] [error] OpenSSL: error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate [Hint: No CAs known to server for verification?]

Any ideas? I don't understand how it can say "No CAs known to server for verification" (although only a hint) if I am specifying:

    SSLCACertificateFile /jose/CA2/demoCA/cacert.pem

in my httpd.conf...

Thanks
Jose

-----Original Message-----
From: Jose Correia (J)
Sent: 18 September 2002 08:30
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: RE: apache with client certificates

Hi there

I set the depth to 1 and I do have my cache set to:

    SSLSessionCache dbm:/usr/local/apache/logs/ssl_scache
    SSLSessionCacheTimeout 300
    SSLMutex file:/usr/local/apache/logs/ssl_mutex

Still not working... Argghhh, this is so frustrating... any other ideas?

Did you put your CA into the local .keystore or in C:\Program Files\JavaSoft\JRE\1.3.1\lib\security\cacerts??

On my Java side I'm using JSSE 1.0.3 together with Innovation's HTTPClient like:

    java.security.Security.addProvider(new com.sun.net.ssl.internal.ssl.Provider());
    SSLContext sc = SSLContext.getInstance("SSL");
    TrustManagerFactory tmf = TrustManagerFactory.getInstance("SunX509");
    KeyManagerFactory kmf = KeyManagerFactory.getInstance("SunX509");
    KeyStore ks = KeyStore.getInstance("JKS");
    char[] passphrase = "whatever".toCharArray();
    ks.load(new FileInputStream("C:\\Documents and Settings\\correij\\.keystore"), passphrase);
    tmf.init(ks);
    kmf.init(ks, passphrase);
    sc.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
    HTTPConnection con = new HTTPConnection("https", urlString, -1);
    con.setDefaultSSLSocketFactory(sc.getSocketFactory());
    HTTPResponse response = con.Get("/test/servlet/ldapb2bservlet");
    InputStream content = (InputStream) response.getInputStream();

Any other ideas, thanks...

-----Original Message-----
From: Xperex Tim [mailto:[EMAIL PROTECTED]]
Sent: 18 September 2002 01:07
To: [EMAIL PROTECTED]
Subject: Re: apache with client certificates

I am using Apache 1.3.26 with OpenSSL 0.9.6c and client authentication works for me. I have SSLVerifyDepth set to 1 and specified an SSLSessionCache but otherwise my setup is roughly the same as yours.

--- "Jose Correia (J)" <[EMAIL PROTECTED]> wrote:
> Hi all
>
> Is anyone aware of Apache version 1.3.20 having problems with client
> authentication??
>
> I've created my own CA using openssl (vs 0.9.6a). I then
> created and signed my server certificate with the CA using openssl.
> (apache is on a RH Linux 6.2 machine)
>
> I then created a client public key using Java's keytool (from my
> Win2000 client machine). I then took this key and signed it with my CA
> using openssl which I duly converted into DER format. I then imported
> my CA's certificate in my JSSE keystore plus the now created client
> certificate which replaces the previous public key.
>
> In my Apache I mention these:
> SSLCertificateFile /jose/CA2/server.crt
> SSLCertificateKeyFile /jose/CA2/server.key
> SSLCACertificateFile /jose/CA2/demoCA/cacert.pem
> SSLVerifyClient require
> SSLVerifyDepth 10
>
> When I connect, I'm getting the following on ssl_engine.log
>
> "[17/Sep/2002 15:20:22 28388] [error] SSL handshake failed (server
> 155.239.48.43:443, client 165.148.59.202) (OpenSSL library error
> follows)
> [17/Sep/2002 15:20:22 28388] [error] OpenSSL: error:14094416:SSL
> routines:SSL3_READ_BYTES:sslv3 alert certificate unknown"
>
> and from my Java client I'm getting:
>
> "main, SEND SSL v3.1 ALERT: fatal, description = certificate_unknown
> main, WRITE: SSL v3.1 Alert, length = 2
> javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated"
>
> Hence my confusion since I know my client certificate was signed by
> the CA mentioned in apache httpd.conf... :-(
>
> Anyone got a clue? I've searched extensively...
>
> Thanks a lot
> Jose Correia
RE: apache with client certificates
Hi there

I set the depth to 1 and I do have my cache set to:

    SSLSessionCache dbm:/usr/local/apache/logs/ssl_scache
    SSLSessionCacheTimeout 300
    SSLMutex file:/usr/local/apache/logs/ssl_mutex

Still not working... Argghhh, this is so frustrating... any other ideas?

Did you put your CA into the local .keystore or in C:\Program Files\JavaSoft\JRE\1.3.1\lib\security\cacerts??

On my Java side I'm using JSSE 1.0.3 together with Innovation's HTTPClient like:

    java.security.Security.addProvider(new com.sun.net.ssl.internal.ssl.Provider());
    SSLContext sc = SSLContext.getInstance("SSL");
    TrustManagerFactory tmf = TrustManagerFactory.getInstance("SunX509");
    KeyManagerFactory kmf = KeyManagerFactory.getInstance("SunX509");
    KeyStore ks = KeyStore.getInstance("JKS");
    char[] passphrase = "whatever".toCharArray();
    ks.load(new FileInputStream("C:\\Documents and Settings\\correij\\.keystore"), passphrase);
    tmf.init(ks);
    kmf.init(ks, passphrase);
    sc.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
    HTTPConnection con = new HTTPConnection("https", urlString, -1);
    con.setDefaultSSLSocketFactory(sc.getSocketFactory());
    HTTPResponse response = con.Get("/test/servlet/ldapb2bservlet");
    InputStream content = (InputStream) response.getInputStream();

Any other ideas, thanks...

-----Original Message-----
From: Xperex Tim [mailto:[EMAIL PROTECTED]]
Sent: 18 September 2002 01:07
To: [EMAIL PROTECTED]
Subject: Re: apache with client certificates

I am using Apache 1.3.26 with OpenSSL 0.9.6c and client authentication works for me. I have SSLVerifyDepth set to 1 and specified an SSLSessionCache but otherwise my setup is roughly the same as yours.

--- "Jose Correia (J)" <[EMAIL PROTECTED]> wrote:
> Hi all
>
> Is anyone aware of Apache version 1.3.20 having problems with client
> authentication??
>
> I've created my own CA using openssl (vs 0.9.6a). I then
> created and signed my server certificate with the CA using openssl.
> (apache is on a RH Linux 6.2 machine)
>
> I then created a client public key using Java's keytool (from my
> Win2000 client machine). I then took this key and signed it with my CA
> using openssl which I duly converted into DER format. I then imported
> my CA's certificate in my JSSE keystore plus the now created client
> certificate which replaces the previous public key.
>
> In my Apache I mention these:
> SSLCertificateFile /jose/CA2/server.crt
> SSLCertificateKeyFile /jose/CA2/server.key
> SSLCACertificateFile /jose/CA2/demoCA/cacert.pem
> SSLVerifyClient require
> SSLVerifyDepth 10
>
> When I connect, I'm getting the following on ssl_engine.log
>
> "[17/Sep/2002 15:20:22 28388] [error] SSL handshake failed (server
> 155.239.48.43:443, client 165.148.59.202) (OpenSSL library error
> follows)
> [17/Sep/2002 15:20:22 28388] [error] OpenSSL: error:14094416:SSL
> routines:SSL3_READ_BYTES:sslv3 alert certificate unknown"
>
> and from my Java client I'm getting:
>
> "main, SEND SSL v3.1 ALERT: fatal, description = certificate_unknown
> main, WRITE: SSL v3.1 Alert, length = 2
> javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated"
>
> Hence my confusion since I know my client certificate was signed by
> the CA mentioned in apache httpd.conf... :-(
>
> Anyone got a clue? I've searched extensively...
>
> Thanks a lot
> Jose Correia
signing request question
Hi all

I've created my own CA. I then proceeded in generating a new request which I duly signed. My question is how do I make the CA return a chain of certificates (starting with itself as the root and ending with this certificate) instead of just returning the certificate itself? I've searched the man pages and can't seem to find out anything there.

Thanks a lot
Jose Correia

---
This e-mail and its attachments may contain information that is confidential and that may be subject to legal privilege and copyright. If you are not the intended recipient you may not peruse, use, disclose, distribute, copy or retain this message. If you have received this message in error, please notify the sender immediately by e-mail, facsimile or telephone and return and thereafter destroy the original message. Please note that e-mails are subject to viruses, data corruption, delay, interception and unauthorised amendment, and that the sender does not accept liability for any damages that may be incurred as a result of communication by e-mail. No employee or intermediary is authorised to conclude a binding agreement on behalf of the sender by e-mail without express written confirmation by a duly authorised representative of the sender. By transmitting this e-mail message over the Internet the sender does not intend to allow the contents hereof to become part of the public domain, and the confidential nature of the contents shall not be altered or diminished from by such transmission.
---
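One way to get the chain the question asks for, as an added example that is not from the thread or from the OpenSSL project: the CA signs the request, and the "chain" it hands back is simply the leaf certificate followed by the CA certificate in one PEM file, optionally packed with the key into a PKCS#12 bundle via -certfile. Assumes openssl on PATH; the subjects and file names are made up.

```shell
#!/bin/sh
# Added example, not from the thread or from OpenSSL itself: a CA signs a
# request and the "chain" handed back is just the leaf followed by the CA
# certificate in one PEM file. Assumes openssl on PATH; names are made up.
set -e

# make_chain DIR: build a root CA and a CA-signed leaf in DIR, write DIR/chain.pem
make_chain() {
    dir=$1
    mkdir -p "$dir"
    # Self-signed root CA. -nodes (no key passphrase) is for the demo only.
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
        -subj "/O=Example Corp/CN=Example Root CA" \
        -keyout "$dir/cacert.key" -out "$dir/cacert.pem" 2>/dev/null
    # Certificate request for the end entity, as 'openssl req -new' makes it.
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/O=Example Corp/OU=users/CN=jose" \
        -keyout "$dir/leaf.key" -out "$dir/leaf.csr" 2>/dev/null
    # Sign the request with the CA key (what 'openssl ca' does, minus its database).
    openssl x509 -req -days 365 -in "$dir/leaf.csr" \
        -CA "$dir/cacert.pem" -CAkey "$dir/cacert.key" -CAcreateserial \
        -out "$dir/leaf.crt" 2>/dev/null
    # Chain order is leaf first, then each issuer up to the root.
    cat "$dir/leaf.crt" "$dir/cacert.pem" > "$dir/chain.pem"
}

# count_certs FILE: number of certificates in a PEM bundle
count_certs() {
    grep -c 'BEGIN CERTIFICATE' "$1"
}

# verify_leaf DIR: the leaf must chain to the root in cacert.pem (exit 0 if so)
verify_leaf() {
    openssl verify -CAfile "$1/cacert.pem" "$1/leaf.crt" >/dev/null 2>&1
}

# bundle_p12 DIR: PKCS#12 holding key, leaf and CA, so a client importing the
# one file gets the whole chain; prints how many certs the bundle contains.
bundle_p12() {
    openssl pkcs12 -export -passout pass:changeit -inkey "$1/leaf.key" \
        -in "$1/leaf.crt" -certfile "$1/cacert.pem" -out "$1/leaf.p12" 2>/dev/null
    openssl pkcs12 -in "$1/leaf.p12" -passin pass:changeit -nokeys 2>/dev/null \
        | grep -c 'BEGIN CERTIFICATE'
}
```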
someone in the UK phone Andy pls
and tell him to phone someone at his company to disable his auto-response thingy. Otherwise we are going to end up with hundreds of these things...!!

Thanks
Jose
"make certificate" question
Hi all

I'm trying to generate my fake client certificate for test purposes. For this I'm using the "make certificate" command under apache (which is tied to openssl via modssl). I have a question in the process, when I reach STEP 3 it tells me:

    STEP 3: Generating X.509 certificate signed by Snake Oil CA [server.crt]
    Certificate Version (1 or 3) [3]:
    Signature ok
    subject=/O=telkom/OU=users/CN=Jose
    Getting CA Private Key
    Verify: matching certificate & key modulus
    read RSA key
    Verify: matching certificate signature
    ../conf/ssl.crt/server.crt: /C=XY/ST=Snake Desert/L=Snake Town/O=Snake Oil, Ltd/OU=Certificate Authority/CN=Snake Oil [EMAIL PROTECTED]
    error 10 at 1 depth lookup:Certificate has expired
    OK

Does this mean my server.crt wasn't signed by the CA SnakeOil because it has expired??

Thanks in advance
Jose Correia
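Two of the failures in this thread can be reproduced offline with openssl alone: the client certificate rejected because the server's CA file does not hold the CA that signed it (the "apache with client certificates" exchange above) and the "error 10 at 1 depth" that the Snake Oil CA produces here, where depth 1 is the CA certificate, not server.crt. This is an added example, not from the thread or from the OpenSSL project; it assumes openssl 1.0.2 or later on PATH (for -attime) and all names are made up.

```shell
#!/bin/sh
# Added example, not from the thread or from OpenSSL itself: reproduce the
# two verification failures discussed above with openssl alone, offline.
# Assumes openssl (1.0.2 or later, for -attime) on PATH; names are made up.
set -e

# new_ca DIR NAME: self-signed CA that is only valid for 30 days, so that
# checking "60 days from now" (-attime) makes it look expired, as Snake Oil did.
new_ca() {
    mkdir -p "$1"
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=$2" \
        -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null
}

# issue DIR CADIR: the CA in CADIR signs a fresh client request into DIR;
# the leaf is valid for a year, so only the CA (depth 1) will be expired.
issue() {
    mkdir -p "$1"
    openssl req -new -newkey rsa:2048 -nodes -subj "/OU=users/CN=client" \
        -keyout "$1/client.key" -out "$1/client.csr" 2>/dev/null
    openssl x509 -req -days 365 -in "$1/client.csr" -CA "$2/ca.pem" \
        -CAkey "$2/ca.key" -CAcreateserial -out "$1/client.crt" 2>/dev/null
}

# verify_status CAFILE CERT [EPOCH]: "OK", or the first "error N at D depth"
# that openssl verify reports (N=20 unable to get local issuer, N=10 expired;
# D=0 is the leaf, D=1 its issuer). CAFILE plays the part of Apache's
# SSLCACertificateFile: a client cert signed by a CA that is not in that file
# fails exactly this check, which the server then turns into a fatal alert.
verify_status() {
    cafile=$1; cert=$2; attime=$3
    openssl verify -CAfile "$cafile" ${attime:+-attime $attime} "$cert" 2>&1 \
        | sed -n 's/^\(error [0-9]* at [0-9]* depth\).*/\1/p' \
        | head -n 1 | grep . || echo OK
}
```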