Problem: SSL-Certs for MS-Servers, if intermediate CA?
Hi, experts,

Is there a solution for the issue of misunderstanding concerning the authorityKeyIdentifier? (i.e. the misunderstanding between MS and the rest of the world, including OpenSSL)

Best regards,
Michael

--
Karl-Michael Werzowa
A-1190 Wien, Paradisgasse 28/4/6
+43 (664)302 4511, fax +43 (1)328 1992 14
[EMAIL PROTECTED], [EMAIL PROTECTED]

__
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                       [EMAIL PROTECTED]
Automated List Manager                          [EMAIL PROTECTED]
Re: Multiple CRL Distribution Points ?
Hi, Stephane!

Use

  crlDistributionPoints=@crl_section

  [crl_section]
  URI.1=.
  URI.2=.
  URI.3=.

Best regards,
Michael

On 2002-11-28 15:24, Stephane Spahni ([EMAIL PROTECTED]) wrote:

Hello,

I am trying to generate a certificate with two CRL Distribution Points. But the problem is that I generate two SEQUENCEs instead of one containing the two distribution points. How could I do it correctly? Do I need to encode all the stuff by hand?

Thanks!
Stephane

PS: The reason why I want to use two CRL DPs is that I want to provide the CRL in both DER and BASE64 formats.
Re: Combine certificates into chain
Yes, we use this as well. Using LDAP for the authentication, including certs, allows you to forget the CRL stuff if you need it for authentication on a server or portal. And, compared to CRLs, it is much more real-time.

On 2002-11-25 7:53, Jimi Thompson ([EMAIL PROTECTED]) wrote:

...

Indeed - a fact that never fails to astound me. We were looking at buying a reverse proxy that would allow us to make available some of our internal Web apps from the Internet, with the requirement that a valid SSL client cert be presented first. In order to control which client certs were valid, we have to rely on CRLs so that we can (e.g.) revoke a client cert when someone's laptop is stolen. *NONE* of the commercial offerings we looked at supported CRLs... I can't believe they could claim to support HTTPS and especially client certs without also supporting CRLs. But they are still plugging their products...

Jason,

There is actually a somewhat unwieldy workaround for this using an extended LDAP schema. It goes something like this. Use LDAP authentication but extend the LDAP schema to include the certificate. If the authentication request doesn't match the cert in the schema, you don't get to play. It's the closest I've been able to come to actually getting a working CRL. I agree that it is ridiculous that the commercial products don't perform better, but we live in a world where people run Windows firewalls. Consumers are willing to accept crap. What can I say? My best advice is to cook up your own home-grown solution and then complain loudly to everyone who will listen. The mailing list you will likely want to join and do your carping on is [EMAIL PROTECTED] Work is in progress on the new and improved PKI standard. Become part of the solution.

HTH,
Jimi
Re: OT: how to make OpenSSL certs for M$ IAS EAP-TLS?
Hi, Jason!

On 2002-11-18 23:19, Jason Haar ([EMAIL PROTECTED]) wrote:

...

Wow - OK I didn't have authorityInfoAccess, and I didn't use -keysig. Does that disable functionality of the cert in any way? I want to generate server certs that can be used by Apache/IIS and EAP-TLS, and client certs that allow users to do S/MIME and EAP-TLS - does the -keysig break any of that?

MS background: When using the MS Crypto API (which I never did, just googled it), you need to set xenroll.KeySpec either as AT_SIGNATURE or AT_KEYEXCHANGE. In our case, when I created a CA cert for a certificate server, I needed AT_SIGNATURE. xenroll.KeySpec affects the key storage and specifies key usage. It does not change anything in the certificate itself. Therefore it can be set only in the PKCS#12 when using OpenSSL. In your case, creating a server certificate (and using the keys for this type of activity), I would suppose that you would need the option -keyex instead of -keysig. (... just had a look at my old e-mails and project notes concerning this stuff, hope I got it right.)

Best regards,
Michael

P.S.: There is some rudimentary information concerning this in the man page of pkcs12.
Re: [ANNOUNCE] OpenSSL 0.9.7 beta 4 released
On 2002-11-19 11:12, Richard Levitte - VMS Whacker ([EMAIL PROTECTED]) wrote:

The full set of changes between 0.9.6{x} and 0.9.7 beta 4 include: ... o Support for new platforms: Windows CE, Tandem OSS, A/UX, AIX 64-bit ...

A/UX, really? Are there still people using the old Apple Unix solution? Interesting!

Best regards,
Michael
Re: I give up
It's not so easy to find out how basic your knowledge really is:

Did you create your own (self-signed) Certificate Authority? (Steps: create keys, create a self-signed cert as CA cert. Then you can start signing requests -- but you will have to accommodate openssl.cnf.)

Maybe you would need a third-party cert, if the cert should be for a customer's website to allow https requests? Then a self-signed cert only helps if it is for an intranet (= well-known clients that you can make accept an unknown CA). If the cert is needed for the Internet-served https of a customer's website, have a look at the pages of Thawte, Verisign, or some free CA projects mentioned in this list before.

Best regards,
Michael

On 2002-11-19 13:57, James Smith ([EMAIL PROTECTED]) wrote:

I should say I have been trying to use

  openssl ca -in y:¥certreq.txt -out y:¥cert.cer

but I can't figure out what other options to use, am I even on the correct track?

--
James Smith

- Original Message -
From: James Smith [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, November 19, 2002 12:51 PM
Subject: I give up

ok, the time has come. H!!! I have finally managed to compile openssl on win32 (xp) with the GCC compiler and all of the test exe's seem to work ok. Not for love nor money can I generate a certificate and the docs are as useful as a chocolate fireguard (no offence, I guess the time just hasn't been available to finish them). I am not a programmer, I am a web developer, so could someone please explain in short words how I take the certreq.txt file from IIS and turn it into a working certificate?

Thanks
--
Jay
Re: OT: how to make OpenSSL certs for M$ IAS EAP-TLS?
Hi, Jason (and other people interested in the secret world of M$ implementations),

I had some experiences with M$ certificate authorities. We provided a root cert to a M$ certificate server, which led to some problems. Hey, Vadim, it may be a less than perfect idea to let M$ do the support. In my case they took about a month to provide the needed hints, and they were provided in the form of MS-API stuff. The solution, nevertheless, was easy, and maybe it helps you:

1) It definitely needed crlDistributionPoints and authorityInfoAccess and, most important, when creating the PKCS#12: use the -keysig option!

Hope this helps. (If you need any whys I could provide you with some correspondence.)

Best regards,
Michael

On 2002-11-18 5:10, Jason Haar ([EMAIL PROTECTED]) wrote:

[Bit cheeky asking in the FreeRADIUS group :-)]

Can anyone tell me the magic extensions I need to add to make OpenSSL make client/server certs that will make Microsoft Internet Access Server (RADIUS Server) do EAP-TLS? As usual, M$ appear to have made IAS only accept certs generated by M$ Certificating Authority Server, and we're using OpenSSL... And no - FreeRADIUS would currently not be an option anywhere else in the company except where I am :-)

Thanks!
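The -keysig / -keyex handling discussed in this thread, as an added example that is not part of the original posts: the key and file names and the password are assumptions, and it needs an openssl binary (1.1.1 or 3.x) in PATH.

```shell
#!/bin/sh
# Added example (not from the thread): build PKCS#12 files for a Microsoft
# client with the key marked "signature only" (-keysig) or "key exchange"
# (-keyex), then show what the flag actually changed.  Names and the
# password are assumptions.
set -eu
work=$(mktemp -d)
cd "$work"

# Minimal req config so the example does not depend on a system openssl.cnf.
printf '[ req ]\ndistinguished_name = dn\nstring_mask = utf8only\n[ dn ]\n' > req.cnf

# A throwaway key and self-signed certificate stand in for a CA-issued one.
openssl genrsa -out user.key 2048 2>/dev/null
openssl req -new -x509 -config req.cnf -key user.key -days 365 \
    -subj "/CN=EAP-TLS user" -out user.crt

# Client cert for EAP-TLS / S/MIME signing: key spec "signature".
openssl pkcs12 -export -keysig -in user.crt -inkey user.key \
    -name "EAP-TLS user" -passout pass:changeit -out user-keysig.p12

# Same material marked for key exchange (what a server/IIS key would get).
openssl pkcs12 -export -keyex -in user.crt -inkey user.key \
    -name "EAP-TLS user" -passout pass:changeit -out user-keyex.p12

# The flag adds a keyUsage attribute to the PKCS#8 key bag and nothing
# else: 80 = digitalSignature for -keysig, 10 = keyEncipherment for -keyex.
# -info prints it as "X509v3 Key Usage: 80" / "10"; spaces are removed so
# the value is easy to compare.
key_attr() {
    openssl pkcs12 -in "$1" -info -nodes -passin pass:changeit 2>/dev/null \
        | grep 'Key Usage' | tr -d ' '
}

# The certificate inside the PKCS#12 must be the one we started from.
cert_fingerprint() {
    openssl pkcs12 -in "$1" -nokeys -clcerts -passin pass:changeit 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha256
}
orig_fingerprint() { openssl x509 -in user.crt -noout -fingerprint -sha256; }

echo "user-keysig.p12: $(key_attr user-keysig.p12)"
echo "user-keyex.p12:  $(key_attr user-keyex.p12)"
```

Nothing in the certificate differs between the two files; only the key bag carries the attribute that MS software reads to pick the key spec, which is why the choice is made at PKCS#12 export time and not when the certificate is issued.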
Re: How can I add 8-bit charset/unicode strings to certs?
Hi, Jason!

Some input, maybe it helps: To my understanding, UTF-8 would encode Ö as \xc3\x96 and Ä as \xc3\x84. D6 is 214, which is the position in ISO 8859-1 of the Ouml (Ö). So, LDAP exported ISO 8859-1 (or so), I suppose, and not UTF-8. (With Mozilla it could be that you use some non-ISO translation.)

Best regards,
Michael

On 2002-11-12 4:51, Jason Haar ([EMAIL PROTECTED]) wrote:

Hi there

I want to generate certs from our internal LDAP server. We have people from all over the world here, and so some of these entries have 8-bit chars in their names (shock! horror!)

Now I went off and generated a cert for one Frank Österberg (that's an O with two dots on top), and when I vi the PEM afterwards I see \xD6sterberg. However, under Mozilla Import, the name shows up as A?sterberg (the A has two dots on top) - not the same thing.

Is this an issue with the Unix (Linux BTW) system doing some ISO charset, but OpenSSL expecting Unicode? If so, what is the correct way to do this?

Thanks in advance for any help - my poor ASCII brain is feeling overwhelmed :-)
Re: PKCS#10?
This is very basic. PKCS#10 is the standard request format. Under normal circumstances, the client (the person who requests a certificate) sends a PKCS#10 to the CA and the CA signs this request. In OpenSSL this is done with

  openssl ca -in thePKCS#10.pem -out theCert.pem

using different options for CA name, validity, key file, directories, extensions, batch mode, ... You find this with man ca.

Best regards,
Michael

On 2002-11-07 21:30, Oblio ([EMAIL PROTECTED]) wrote:

Does anyone know what to do with a PKCS#10 cert request?

Oblio
Re: PKCS#10?
Basically, you have to create a CA at first. This means having a private key to sign certificates. The private key needs to be kept under very strict security. (Create by: openssl genrsa ...)

The first cert you create is a self-signed root certificate. This includes the public key (openssl req -new -x509 ...). This certificate needs to be trusted by the clients.

The client requests are signed by the CA, see last posting.

You have to understand the openssl.cnf, because you need to adapt this file. See info on openssl.org and documentation! (But beware, some of the online documentation reflects future options of the software, as it describes 0.9.7, and 0.9.6g is used for production systems, normally.) Googling for keywords may help a lot.

Best regards,
Michael

On 2002-11-07 22:37, Oblio ([EMAIL PROTECTED]) wrote:

Ok, I know it's very basic, it's just that there's no easy starting point for someone who's never done this. First, understand that I'm attempting all this under WinNT, and I couldn't even get the thing to compile. Fortunately, the folks at shininglightpro.com posted a win32 port, so at least I have the executable. However, I don't have any of the manuals (although, I can kind of read through the .pods). I have a cert request that I want to sign, and I don't know how to go about it. If I do what you suggest, and use the ca command, it's looking for a config file (which I don't have, nor do I know what's supposed to be in it). I've tried using the x509 command, and I get closer, but it's either looking for a key, or a trusted cert. Do I just generate an RSA (or some other kind?) of key? If so, don't I need to distribute a public key to challenge the cert with? This really isn't very straightforward, and I can use all the help I can get.

Thanks,
Oblio
Re: Can we use / and = in CN and DN ?
One more thing: As I understand it, you could use additional optional fields to be defined in openssl.cnf: G and S for _G_iven Name and _S_urname. In my opinion it is a good idea to create the CN automatically as a "serial number" for uniqueness of client certs and handle the user information via LDAP.

Best regards,
Michael

On 2002-11-06 10:05, CALinux ([EMAIL PROTECTED]) wrote:

Hi everyone,

we are using OpenCA and OpenSSL. We want to create a certificate with a special CN and DN such as

  CN=surname/name/fiscal code
  DN=C=surname/N=nameD=birth date

but OpenSSL doesn't accept these characters; in fact when we put =/ it believes that it is a second field with a different value. Is there some special escape character? Where can we find something about this?

Thank you.
CALinux Staff.
Re: Can we use / and = in CN and DN ?
The syntax element /String= is used for concatenating fields, as you would see in [EMAIL PROTECTED] or DirName:/C=AT/ST=Wien/L=., when you use

  openssl x509 -in myCert.pem -noout -text

The problem for you could be that C stands for _C_ountry and will be used in another place in the certificate, and N, D and R are not defined as fields. Maybe (someone like Steve Henson could verify) it would be needed to add these identifiers as extensions to allow this syntax with D and N and R. ... I don't know, just trying to find hints ...

Best regards,
Michael

On 2002-11-06 13:16, CALinux ([EMAIL PROTECTED]) wrote:

One more thing: As I understand it, you could use additional optional fields to be defined in openssl.cnf: G and S for _G_iven Name and _S_urname. In my opinion it is a good idea to create the CN automatically as a "serial number" for uniqueness of client certs and handle the user information via LDAP.

Hi,

thanks for the help. Our problem is that in the Italian Public Administration the object Description in certificates is mandatory. It must be like this:

  Description=C=surname/N=name/D=date's birth[/R=job role]

Example:

  Description=C=Werzowa/N=Karl-Michael/D=01-01-1980

When we use only a single character / or = it's OK. Example:

  description=C=Werzowa            OK

But when we use them together:

  description=C=Werzowa/N=Karl-Micheal   NOT OK

and we obtain in the certificate

  description=C=Werzowa/, N=Karl-Micheal

CALinux Staff.
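The two subject-string problems raised in these threads, which character set the bytes of a non-ASCII value are read in and a '/' inside an attribute value, in one added example. It is not code from the posts, the names are invented, and it needs an openssl binary (1.1.1 or 3.x) in PATH.

```shell
#!/bin/sh
# Added example (not from the threads): what openssl req makes of a -subj
# string.  Two things bite here: the character set non-ASCII bytes are read
# in (-utf8 or not) and the '/' that separates RDNs, which must be escaped
# with a backslash when it belongs to a value.  Names are invented.
set -eu
work=$(mktemp -d)
cd "$work"

# Minimal config; string_mask=utf8only stores non-ASCII values as UTF8String.
printf '[ req ]\ndistinguished_name = dn\nstring_mask = utf8only\n[ dn ]\n' > req.cnf
openssl genrsa -out k.pem 2048 2>/dev/null

# make_req OUT SUBJECT [FLAGS]: a PKCS#10 request with the given subject.
make_req() {
    openssl req -new -config req.cnf -key k.pem ${3:-} -subj "$2" -out "$1"
}

# Subject as stored, RFC 2253 style: every byte >= 0x80 is printed as \XX,
# so the exact encoding is visible ("subject=" prefix stripped).
subject_of() {
    openssl req -in "$1" -config req.cnf -noout -subject -nameopt RFC2253 \
        | sed 's/^subject=//'
}

# 1. UTF-8 bytes (C3 96 = Ö) read as UTF-8 thanks to -utf8: stored as C3 96.
make_req utf8-ok.csr "$(printf '/CN=Frank \303\226sterberg')" -utf8

# 2. The same bytes without -utf8: each byte is taken as one Latin-1
#    character and re-encoded, giving C3 83 C2 96 ("Ã" plus a control
#    character), the kind of mojibake seen in the thread.
make_req utf8-double.csr "$(printf '/CN=Frank \303\226sterberg')"

# 3. A genuine ISO 8859-1 byte (D6 = Ö) without -utf8 comes out right,
#    because that mode reads non-ASCII input as Latin-1.
make_req latin1.csr "$(printf '/CN=Frank \326sterberg')"

# 4. '/' separates RDNs in -subj; a '/' that is part of the value needs a
#    backslash, otherwise "N=..." is parsed as a second RDN.
make_req desc.csr '/description=C=Werzowa\/N=Karl-Michael'

for f in utf8-ok.csr utf8-double.csr latin1.csr desc.csr; do
    echo "$f: $(subject_of "$f")"
done
```

RFC 2253 output is used for the check because it prints each byte above 0x7f as \XX; the difference between C3 96 and the double-encoded C3 83 C2 96 is then visible regardless of the terminal's own charset, which is exactly what was unclear in the original exchange.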
Re: Cert using openssl: Kdb format to PEM Format
Hello, Scott!

*.kdb files normally are the key DBs used by IBM server systems, e.g. WebSphere. These are not certificates but complete keyrings, which could hold many different keypairs, client certificates, trusted certificates, requests. There is a tool to handle these files and any import or export action: ikeyman (I do use this only under AIX and Linux. ikeyman is written in Java, so it will be usable with other systems.)

Best regards,
Michael

P.S.: I CCed you directly, because your mailing is some days old and you may have given up.

On 2002-10-30 18:53, Scott Harris ([EMAIL PROTECTED]) wrote:

I am having a hard time trying to figure out how to convert a certificate generated through IBM in .kdb format to .PEM format. I am getting an error while converting to .PEM. Can someone please tell me if there is a way to make this conversion.

  OpenSSL pkcs12 -in /tmp/ldap_server.kdb -out /tmp/ldap_server.pem
  2184:error:0D0FE007:asn1 encoding routines:d2i_PKCS12:expecting an asn1 sequenc :./crypto/pkcs12/p12_lib.c:85:address=9758640 offset=0
  error in pkcs12
Re: Converting PEM file to PKCS12 or PFX for the MacOS (Not MacOSx)...
Hello, Wally,

as I don't use pre-X Mac OSes anymore, only something general: The formats are portable, there should be no problem. You may encounter another problem: available clients on the Mac using OpenSSL client certs. Microsoft DOES NOT support client certs on Mac OS, not even under X (neither with IE nor Entourage nor Outlook). The easiest way is to use Netscape 7; the use of certs is really solved in a cross-platform way, like on any Linux or other commonly used PC platform. Opera supports certs, they say. OmniWeb does somehow, but it's a hack. Not even documented, just stumbled upon it.

Best regards,
Michael

---
I CCed you directly, as your posting is quite old and I just stumbled upon the Mac OS in your subject. (If you had put Mac OS more towards the beginning of your posting, you might have had more reaction from Mac people. The others mostly don't feel so well with Mac aliens, besides with Ellen Feiss ;-)

On 2002-10-25 16:26, Auteria Wally Winzer Jr. ([EMAIL PROTECTED]) wrote:

has anyone converted pem files into pkcs12, pfx, or der format explicitly for the MacOS versions 8.5 and above? i have 3 macs that need CAs loaded. if anyone has done this by all means give me the lowdown. i really appreciate everyone's efforts in solving this major issue, one being the CEO! thanks!

wally winzer jr.
Re: Converting PEM file to PKCS12 or PFX for the MacOS (Not MacOSx)...
Importing root certs into Mac OS clients has similar problems as adding client certs; use Netscape 7 to avoid trouble.

On 2002-10-25 16:26, Auteria Wally Winzer Jr. ([EMAIL PROTECTED]) wrote:

has anyone converted pem files into pkcs12, pfx, or der format explicitly for the MacOS versions 8.5 and above? i have 3 macs that need CAs loaded. if anyone has done this by all means give me the lowdown. i really appreciate everyone's efforts in solving this major issue, one being the CEO! thanks!

wally winzer jr.
Re: free Certificate Authority
... on www.thawte.com you'll find it in the middle, left of the home page: (9 o'clock ;-)

On 2002-10-27 18:41, Peter Ziobrzynski ([EMAIL PROTECTED]) wrote:

Franck Martin wrote:

I think there was something called www.medacen.net http://www.medacen.net

Also, check the ISOC PKI working group www.isoc.org

You can register a free certificate for e-mail on thawte and verisign.

This is interesting. How do you know about it? Did you do it? On either the thawte or verisign sites there is no trace of this kind of service. All they have is try or buy for ~$400 for a year.
Re: oids, attributes (doc pointers)
Hello, Eric,

1) OIDs are a means to avoid conflicting extensions (or other definitions). Depending on the country and/or organization you are in, there may also be other sources for your OID than IANA. The link of Markus Lorch points to the source of private enterprise numbers, which are below iso.org.dod.internet.private.enterprise (1.3.6.1.4.1).

Some more general information on the OID tree you may find at http://www.alvestrand.no/objectid/top.html (schemes ok, details a bit outdated).

A big bunch of OIDs is organized in a more structured way (than below 1.3.6.1.4.1) by using a country-wise scheme. This is below 2.16.x, joint-iso-itu-t(2) country(16), and (x) is the country ID (US has 840, for example --- it's alphabetical). Complete(?) list of country IDs under http://userpage.chemie.fu-berlin.de/diverse/doc/ISO_3166.html. OID arc -- see: http://asn1.elibel.tm.fr/oid/root/joint-iso-itu-t/country/#top (there is also a deprecated tree under 1.2. for countries).

In the US, ANSI governs the OIDs of the 2.16.840 tree. For more information on how to register an organization name, see the report ANSI X3.216 available at: http://web.ansi.org/public/services/reg_org.html

2) Get an OID, build your own subtree, get into ASN.1, define an extension. (Needs some ASN.1 knowledge.) Then, add the OID to openssl.cnf, [ new_oids ], as

  my_own_extension = 2.16.840.x.x

and, where the extension should be added,

  2.16.840.x.x=DER:SomeHexValues

See openssl.txt.

Best regards,
Michael

On 2002-10-25 19:51, Eric Weitzman ([EMAIL PROTECTED]) wrote:

Would someone be kind enough to direct me to sources of information on:

1) creating new oids that don't conflict with existing oids
2) creating new attributes in certificates that can hold arbitrary values

Thanks,
- Eric
Re: addding own extensions to openssl.cnf
Thanks, it works.

Added to [ new_oids ]:

  mycustomextension=1.2.3.4.5

Entered into [ my_extensions ]:

  mycustomextension=DER:01:01:FF

Used x509_extensions=my_extensions where needed. (Names are dummy names.)

Nevertheless, in the certs one only sees the OID. I suppose that cleartext will only be available for standard extensions.

Best regards,
Michael

On 2002-10-18 20:27, Dr. Stephen Henson ([EMAIL PROTECTED]) wrote:

On Fri, Oct 18, 2002, Karl-Michael Werzowa wrote:

Hello, helpful experts,

How do I add a custom extension to openssl? Just adding the extension to openssl.cnf (into the right section) does not work:

  mycustomextension=DER:01:01:FF

(Would be nice to input the asn.1 + OID in some oid-file ;-)

Have you added a definition for mycustomextension so it knows which OID to use? Alternatively try the numerical form of the OID directly.

Steve.
--
Dr. Stephen Henson [EMAIL PROTECTED]
OpenSSL Project http://www.openssl.org/~steve/
addding own extensions to openssl.cnf
Hello, helpful experts,

How do I add a custom extension to openssl? Just adding the extension to openssl.cnf (into the right section) does not work:

  mycustomextension=DER:01:01:FF

(Would be nice to input the asn.1 + OID in some oid-file ;-)

Thanks in advance,
Michael
Re: Specifying CRL URL for CA
Hello, Fred,

easiest would be to insert the extension

  crlDistributionPoints=URI:http://your.server.com/your.crl

in the section [usr_cert] of your working openssl.cnf. If you need LDAP URIs, create a subsection for the URIs.

Best regards,
Michael

On 2002-08-23 20:31, Reimer, Fred ([EMAIL PROTECTED]) wrote:

Hello,

I'm definitely a newbie here, but I'm attempting to use OpenSSL with FreeS/WAN to connect a Linux box up to a Check Point VPN-1 NG FP-2 firewall. I created a CA (on a separate box) and used the CA cert to create an OPSEC PKI CA server object in the firewall. Then I generated a request for the firewall and created a cert on the CA. I also created a separate request for the Linux box and signed this, so the Linux box has its key and cert in the /etc/ipsec.d directory and the firewall accepted the cert that was generated for it. The problem, it appears, is that the firewall doesn't know how to get a CRL for the CA, and apparently won't proceed without one. This is the error it gives when the Linux box sends its cert over the IKE session:

  13:46:11 drop 1.1.1.1 daemon src 2.2.2.2 dst 1.1.1.1 peer gateway 2.2.2.2 scheme: IKE IKE: Main Mode No valid CRL. [EMAIL PROTECTED],CN=mack.ens.eclipsys.com,OU=IVNS,O=Eclipsys Corporation,ST=Georgia,C=US CookieI 3759eee447cec449 CookieR db05e82d36988563 methods: 3DES + MD5, RSA signatures community LinuxIntranet product VPN-1 FireWall-1
  13:46:11 keyinst 1.1.1.1 daemon src 1.1.1.1 dst 2.2.2.2 peer gateway 2.2.2.2 scheme: IKE IKE: Main Mode Sent Notification: invalid certificate CookieI 3759eee447cec449 CookieR db05e82d36988563 community LinuxIntranet product VPN-1 FireWall-1

I edited the openssl.cnf file so that nsCaRevocationUrl points to the correct URL for the CRL, which I generated and can get with wget, for instance. After that I totally reconfigured everything, throwing away the whole directory structure for the CA, recreating a new CA and certificates, taking everything out of the firewall configuration and recreating a new CA with the new CA cert, replacing the keys on the Linux box, etc. It still gives that error, and I don't see the URL for the CRL in any certificates. So, how does one specify where to get the CRL for a particular CA from? Apparently this is something that Check Point requires before accepting any certs...

Thanks for any assistance!

- Fred
RE: How do I input ldap urls of the crlDistributionPoints URI value in openssl.cnf ?
Hello,

You have to use / instead of the , inside the LDAP URI, because the , delimits the URIs. The ? does not do any harm, you can use it without change.

(Besides, some time ago I read in a comment that OpenSSL would not support LDAP URIs because of the commas inside the LDAP URI. When you create text output from a certificate with

  openssl x509 -in certificate.pem -text

you see that the LDAP entry for the subject uses slashes! Just did the same, it worked.)

Best regards,
Michael

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On behalf of Jung-Ho Cha
Sent: Friday, 16 August 2002 10:52
To: [EMAIL PROTECTED]
Subject: How do I input ldap urls of the crlDistributionPoints URI value in openssl.cnf ?

Hello,

I use the OpenSSL 0.97 library. I read the openssl.txt file and am trying to use the crlDistributionPoints extension option. But I met some problem using a CRL repository point in LDAP URL format. The below shows the error messages.

  Error Loading extension section usr_cert
  1704:error:0E06D06C:configuration file routines:NCONF_get_string:no value:P:\OpenSSL\openssl-0.9.7-beta2\crypto\conf\conf_lib.c:329:group=CA_default name=email_in_dn
  1704:error:2207507C:X509 V3 routines:v2i_GENERAL_NAME:missing value:P:\OpenSSL\openssl-0.9.7-beta2\crypto\x509v3\v3_alt.c:391:
  1704:error:2206B080:X509 V3 routines:X509V3_EXT_conf:error in extension:P:\OpenSSL\openssl-0.9.7-beta2\crypto\x509v3\v3_conf.c:92:name=crlDistributionPoints, value=URI: ldap://203.233.91.35:389/ou=dp2p1140,ou=LicensedCA,o=yessign,c=kr?certificateRevocationList

I surveyed the errors. I found the reason: the LDAP URL format is like this,

  ldap://203.233.91.35:389/ou=dp2p1140,ou=LicensedCA,o=yessign,c=kr?certificateRevocationList

and this string has the characters , and ?. I also see that the URI name/value pairs are delimited by , in the openssl.cnf file. So the OpenSSL library reads the , in the LDAP URL as a URI delimiter and fails to parse the string.

I need some help to input the correct LDAP URL in openssl.cnf. Does anyone know how to input the LDAP URL in openssl.cnf?

Thanks.

J. H. Cha
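The procedure these threads circle around (bootstrapping a CA with an adapted openssl.cnf, signing a PKCS#10 request, putting several CRL distribution points including an LDAP URI into one extension, adding a private extension by OID, and issuing a CRL) as one added example. It is not code from the posts; the directory layout, names, URLs and the OID 1.2.3.4.5 are assumptions, and it needs an openssl binary (1.1.1 or 3.x) in PATH.

```shell
#!/bin/sh
# Added example (not from the threads): a throwaway CA driven by openssl ca.
# Paths, names, URLs and the OID 1.2.3.4.5 are invented.
set -eu
work=$(mktemp -d)
cd "$work"

# Bookkeeping files openssl ca expects before it signs anything.
mkdir -p ca/private ca/newcerts
: > ca/index.txt          # certificate database, starts empty
echo 1000 > ca/serial     # next serial number (hex)
echo 01 > ca/crlnumber    # next CRL number (hex)

cat > openssl.cnf <<'EOF'
oid_section = new_oids

[ new_oids ]
# private extension; 1.2.3.4.5 is a placeholder, not a registered arc
mycustomextension = 1.2.3.4.5

[ ca ]
default_ca = CA_default

[ CA_default ]
dir              = ./ca
database         = $dir/index.txt
new_certs_dir    = $dir/newcerts
serial           = $dir/serial
crlnumber        = $dir/crlnumber
certificate      = $dir/cacert.pem
private_key      = $dir/private/cakey.pem
default_md       = sha256
default_days     = 365
default_crl_days = 30
policy           = policy_any

[ policy_any ]
commonName = supplied

[ req ]
distinguished_name = req_dn
string_mask        = utf8only

[ req_dn ]

[ v3_ca ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash

[ usr_cert ]
basicConstraints       = CA:FALSE
keyUsage               = critical, digitalSignature, keyEncipherment
extendedKeyUsage       = serverAuth
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid
# One extension holding two DistributionPoints.  In the section form each
# URI is a line of its own, so the commas in the LDAP DN are not read as
# separators (the inline "URI:a,URI:b" form would split on them).
crlDistributionPoints  = @crl_section
# Private extension by the name from [ new_oids ]; 01 01 FF is a DER BOOLEAN TRUE.
mycustomextension      = DER:01:01:FF

[ crl_section ]
URI.1 = http://pki.example.test/ca.crl
URI.2 = ldap://ldap.example.test/ou=pki,o=example,c=at?certificateRevocationList
EOF

# 1. CA key and self-signed root certificate (what clients must be told to trust).
openssl genrsa -out ca/private/cakey.pem 2048 2>/dev/null
openssl req -new -x509 -config openssl.cnf -extensions v3_ca -days 3650 \
    -key ca/private/cakey.pem -subj "/C=AT/O=Example/CN=Example Root CA" \
    -out ca/cacert.pem
# 2. Requester side: key plus PKCS#10 request.  Only server.csr goes to the CA.
openssl genrsa -out server.key 2048 2>/dev/null
openssl req -new -config openssl.cnf -key server.key \
    -subj "/CN=www.example.test" -out server.csr
# 3. CA side: sign it; the extensions come from [ usr_cert ].
openssl ca -config openssl.cnf -batch -notext -extensions usr_cert \
    -in server.csr -out server.crt
# 4. Publish a CRL (nothing revoked yet) so relying parties can check one.
openssl ca -config openssl.cnf -gencrl -out ca.crl

cdp_extension_count() {  # must be 1: one extension, not one per URI
    openssl x509 -in server.crt -noout -text | grep -c 'CRL Distribution Points'
}
cdp_uris() {             # the URIs inside it, LDAP commas intact
    openssl x509 -in server.crt -noout -text | grep -o 'URI:[^ ]*'
}
has_custom_extension() { # printed by OID, as x509 -text does not load our oid_section
    openssl x509 -in server.crt -noout -text | grep -Eq '1\.2\.3\.4\.5|mycustomextension'
}
verify_with_crl() {      # chain check plus CRL check against ca.crl
    openssl verify -crl_check -CAfile ca/cacert.pem -CRLfile ca.crl server.crt
}
cdp_uris
verify_with_crl
```

The requester-side and CA-side commands are kept apart on purpose: only the PKCS#10 file crosses between them, and the CA key never leaves ca/private. Revoking a certificate later is 'openssl ca -config openssl.cnf -revoke server.crt' followed by another -gencrl, after which the same verify line fails with a 'certificate revoked' error.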
crlDistributionPoint -- unknown extension name
Hello,

We have been using OpenSSL for more than a year for an internal PKI solution. Now we wanted to add the crlDistributionPoint extension to the certificates. When adding a line with

  crlDistributionPoint= URI:...

to the openssl.cnf in the v3_ca stanza (... for CA certs of sub-CAs), there is an error on running the certificate creation (input and output; line breaks only in the email):

(input line:)

  [localhost:~/openssl-mani/CA/perls] mikey% openssl ca -config ./openssl-iks.cnf -name CA -batch -days 3650 -keyfile ../private/CAkey.pem -extensions v3_ca -in ../requests/iksRootReq.pem -out ../newcerts/iksRootCertv3.pem -outdir ../certs | tee -a ../log/certs.log

(output lines:)

  Using configuration from ./openssl-iks.cnf
  Error Loading extension section v3_ca
  15843:error:2207C082:X509 V3 routines:DO_EXT_CONF:unknown extension name:v3_conf.c:121:
  15843:error:2206B080:X509 V3 routines:X509V3_EXT_conf:error in extension:v3_conf.c:91:name=crlDistributionPoint, value=http://...

(end of copy)

The problem arises on Linux, OpenSSL 0.9.6, and Mac OS X, OpenSSL 0.9.6d.

Best regards,
Michael
Re: Root.cacert
Hi, Damien,

Microsoft did not implement a few things with IE on Macintosh. You cannot use client certificates with IE Mac either, not even on Mac OS X (nor certificates in Outlook/Entourage). You can use all of it with OmniWeb, which is a very nice browser. -- I did not try client certificates on Mac OS X yet, but the documentation says so. You get OmniWeb at: http://www.omnigroup.com/ Maybe Opera also works, but I did not find a hint yet.

Best regards,
Michael

On 2002-07-19 7:43, Damien Babilon ([EMAIL PROTECTED]) wrote:

Hi,

I'm actually testing openssl. I've never worked with this before. I have made the root certificate (cacert.pem) with success, but I can't export it to an Apple computer running IE. I've seen on the globalsign website that IE accepts to import a root.cacert file, but how to generate this cacert file? Please, help me.

Best regards,
Damien Babilon
Websol.be
Mobile: 0495/250.475
http://www.websol.be
http://support.websol.be