new version of mod_authz_ldap
Is that new version of mod_authz_ldap ready? I'm not in a hurry. Just curious to try.

regards
sarath

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Andreas Mueller
Sent: Wednesday, October 02, 2002 8:18 PM
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: RE: Apache 2.0.39 + ssl + ldap with client certificate authentication

On Wed, 2 Oct 2002, Sarath Chandra M wrote:
> Dear Jose,
> I had looked at the site you mentioned. But my problem is in applying
> the patch (http://authzldap.othello.ch/modssl-patch.html) to mod_ssl
> as said in the installation page of the same site. If you could tell
> me how to apply this patch, then I can go ahead and try.

I'm right now working on a new release of the module that is supposed
to support apache2, hopefully I'll get that out of the door today or
tomorrow.

With kind regards
Andreas Mueller
--
Dr. Andreas Mueller, Beratung und Entwicklung
CH-8852 Altendorf
Switzerland
Tel: +41 55 4621483
Fax: +41 55 4621485
[EMAIL PROTECTED]
__
OpenSSL Project                         http://www.openssl.org
User Support Mailing List               [EMAIL PROTECTED]
Automated List Manager                  [EMAIL PROTECTED]
Apache 2.0.39 + ssl + ldap with client certificate authentication
Dear group,

Has anybody tried doing ldap client certificate authentication for an apache 2.0.39 ssl server?

Our environment is:
RedHat linux 7.1 kernel 2.4.x
apache 2.0.39 (inc. mod_ssl)
openssl-engine-0.9.6g
openldap (on a different redhat linux server)

The apache website has a verisign server certificate, a self-signed CA certificate and all clients have certificates in the ldap server signed by this CA.

When clients present their certificate to browse the Apache secure site, Apache should check the existence of their certificate in the LDAP server and also the validity of the contents of the certificate presented.

Kindly provide some direction to any solution or resources related to this issue. Any help would be highly appreciated.

TIA
Sarath
how to reissue certificate
Hi,

I am using openssl in linux. I have a default configuration. I created a self-signed CA certificate and some user certificates. There is some problem with one of the certificates as I am unable to import it in internet explorer. Now I would like to reissue certificates to this user. But the entry will be in index.txt. How can I create another certificate for this user? If I create a CRL and revoke this user certificate, will I be able to issue a new one for the same user without any problem?

Kindly guide me for this issue.

regards
Sarath Chandra M
FW: create cert non interactively
Dear friends,

thanks a lot for the help. I am doing it this way. A shell script to accept values for each attribute and put these in an info.inf file. Then do this:

openssl req -new -key prikey.pem -out req.csr < info.inf

thanks again.
sarath

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Aleix Conchillo
Sent: Tuesday, April 02, 2002 2:05 PM
To: [EMAIL PROTECTED]
Subject: Re: create cert non interactively

On Tue, 2002-04-02 at 11:50, Sarath Chandra M wrote:
> Hi,
> Is there a way to create certificates using openssl in a noninteractive
> mode? All the required values (common name, email, organization, ou
> etc) will be captured using a unix shell script
> and passed to openssl commands.
> Is it possible? Any help will be highly appreciated.
>

i do it this way. there is probably a better one:

openssl req -new -key prikey.pem -out req.csr < info_file

where info_file is a generated file (in this case with your shell script) and looks like this:

--
ES
Your state
Your city
Your organization
Your organizational unit
Your name
--

if you don't want to fill any of the fields just leave a blank line.

hope this helps.

best regards,
--
Aleix Conchillo Flaqué
http://www.scytl.com
---
PGP Key: http://www.scytl.com/pgp-keys/AleixConchillo.asc
---
create cert non interactively
Hi,

Is there a way to create certificates using openssl in a noninteractive mode? All the required values (common name, email, organization, ou etc) will be captured using a unix shell script and passed to openssl commands. Is it possible? Any help will be highly appreciated.

regards
sarath
FW: reg. CA expiry/renewal and effect on Client certs
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Sarath Chandra M
Sent: Thursday, March 21, 2002 6:38 PM
To: [EMAIL PROTECTED]
Subject: reg. CA expiry/renewal and effect on Client certs

Hi,

We have a CA certificate and Client certificates generated using openssl. All configurations are default ones. My doubt is: if/when the CA expires and I renew/extend its life, will the Client certificates get affected in any way? In our case, the Client certificates are stored in hardware tokens and sent to users. What has to be done to ensure smooth operations in this case? Any help will be highly appreciated.

regards
Sarath Chandra M
reg. CA expiry/renewal and effect on Client certs
Hi,

We have a CA certificate and Client certificates generated using openssl. All configurations are default ones. My doubt is: if/when the CA expires and I renew/extend its life, will the Client certificates get affected in any way? In our case, the Client certificates are stored in hardware tokens and sent to users. What has to be done to ensure smooth operations in this case? Any help will be highly appreciated.

regards
Sarath Chandra M
where is the private key ?
Hi,

I am generating client certificates using this method at the openssl server:

openssl genrsa -des3 -out user.key 1024
openssl req -new -config openssl.cnf -key user.key -out user.csr
openssl ca -config openssl.cnf -cert CA.pem -in user.csr -keyfile CA.key -out user.crt

After this, I am exporting the user.crt to the browser for that user. It's working fine. Now, I would like to know where the private key of the user is. I am using the user.crt to put it in the user entry in the ldap server. Does this user.crt contain the client's private key also?

If I need the user.crt in pkcs12 format, I use

openssl pkcs12 -export -in user.crt -inkey user.key -out user.pfx

Anything wrong with this export? Does it contain the private key?

I am doing all these without proper knowledge of openssl. Half knowledge is dangerous. But I can't help it now. So kindly bear with me if there's anything stupid in the method above.

thanks and regards
sarath
how to generate key pair at client browser (IE)
Hi,

I have a requirement like this. Users/clients will access a web site, fill in a form, generate a keypair and send it to the server. The csr is done at the server. The client cert is created in the server and sent back through email. Is this a proper approach? If so, I would like to get some help in constructing the setup. I have openssl ready and working. The only thing missing is the web (site) interface for the html form.

Also, how to generate the keypair at the client (browser)? I can't find that certenr3.dll. Is there any other java/javascript program to do it without depending on microsoft dlls? Any help will be highly appreciated. First I would like to try generating a key pair with just a html page in Win2K.

regards
Sarath
RE: dont want private key of the client in the ldap
Steve,

Could you please let me know the exact openssl commands for generating the CA cert and Client certs, both without compromising the private keys. As you told, the CA's private key is sent to everyone in the following method. But I couldn't find how to stop this.

And also, I want to generate the client certificates using just the CSR and also don't want to store anything else in the ldap entries except the certificate alone. I would like to know the openssl command steps for this also.

All I did was follow some openssl cookbook found somewhere on the net. Couldn't find any specialist procedure (inc. step by step commands) for generating CA and client certs.

Waiting for guidance.
Sarath

> Hi everybody,
> I am trying to do client authentication using self signed CA and client certificates. I want to store the client
> certificate in the ldap entries. The CA certificate is in the web server. I followed the below mentioned steps
> to create the CA and client certificates :
>
> CA Certificate
> # generate the key for the certificate and store it in .key file
> openssl genrsa -des3 -out $CA_DIR/CA.key 1024
>
> # sign the request for the CA cert and store it in .csr file
> openssl req -new -x509 -days 365 -config $SSLDIR/openssl.cnf -key $CA_DIR/CA.key -out $CA_DIR/CA.crt
> # convert the cert into pkcs12 format so that it can be imported into IE
> openssl pkcs12 -export -in $CA_DIR/CA.crt -inkey $CA_DIR/CA.key -out $CA_DIR/CA.pfx
>

DO NOT DO THIS!! This gives away your CA's private key to everyone using it and renders it useless.

Steve.
--
Dr Stephen N. Henson. http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED]
Senior crypto engineer, Gemplus: http://www.gemplus.com/
Core developer of the OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED] PGP key: via homepage.
dont want private key of the client in the ldap
Hi everybody,

I am trying to do client authentication using self signed CA and client certificates. I want to store the client certificate in the ldap entries. The CA certificate is in the web server. I followed the below mentioned steps to create the CA and client certificates:

CA Certificate
# generate the key for the certificate and store it in .key file
openssl genrsa -des3 -out $CA_DIR/CA.key 1024
# sign the request for the CA cert and store it in .csr file
openssl req -new -x509 -days 365 -config $SSLDIR/openssl.cnf -key $CA_DIR/CA.key -out $CA_DIR/CA.crt
# convert the cert into pkcs12 format so that it can be imported into IE
openssl pkcs12 -export -in $CA_DIR/CA.crt -inkey $CA_DIR/CA.key -out $CA_DIR/CA.pfx

Client Certificate
# generate the key for the client certificate and store it in User.key file
openssl genrsa -des3 -out $CLIENT_DIR/User.key 1024
# sign the request for the client cert and store it in User.csr file
openssl req -new -config $SSLDIR/openssl.cnf -key $CLIENT_DIR/User.key -out $CLIENT_DIR/User.csr
# generate the client cert and store it in UserID.crt
openssl ca -config $SSLDIR/openssl.cnf -cert $CA_DIR/CA.pem -in $CLIENT_DIR/User.csr -keyfile $CA_DIR/CA.key -out $CLIENT_DIR/User.crt

Now I am storing this client certificate in the ldap entry of the client/user. What I would like to know is whether the private key of the client is also being stored in the certificate. Because I don't want the private key of the client certificate to be on the ldap. How to do it? Any help please.

regards
Sarath
how to replace expired CA certificate
Hi,

Recently I generated a CA certificate using openssl and installed it on an iPlanet webserver. This certificate has expired. Now I regenerated a new CA certificate. In the webserver, I removed the old one and installed the new one. But ssl is failing. Is it a problem with the openssl new CA generation or did I miss something in the iPlanet webserver? Any help please.

regards
Sarath Chandra M
IT Dept.
UAE Exchange Centre LLC
PO Box 170, Abu Dhabi, UAE
Phone 02-6322166, 6394342
Fax 02-6221447, 6340713
GSM 050-4450417

Confidentiality Notice: This e-mail message, including any attachments, is for the sole use of the intended recipient(s) and may contain confidential and privileged information. Any unauthorized review, use, disclosure or distribution is prohibited. If you are not the intended recipient, please contact the sender by reply e-mail and destroy all copies of the original message.
RE: CRL how to
Hi,

How to automatically put an entry in the CRL when a new Client certificate is generated?

regards
Sarath

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: 25 September 2001 13:28
To: [EMAIL PROTECTED]
Subject: RE: CRL how to

Hi Sarath,

In the openssl CA Directory there is a file named "index.txt" which contains a summary of the issued certificates. For example:

V 020925082220Z 01 unknown /C=AU/ST=Some-State/O=Internet Widgits Pty Ltd/CN=Goofy
V 020925082341Z 02 unknown /C=AU/ST=New Zeland/L=Wellington/O=Internet Widgits Pty Ltd/OU=uncle duck/CN=Gogo

These entries must be modified in order to make the CRL:

R 020925082220Z 010925090120Z 01 unknown /C=AU/ST=Some-State/O=Internet Widgits Pty Ltd/CN=Goofy
R 020925082341Z 010925092341Z 02 unknown /C=AU/ST=New Zeland/L=Wellington/O=Internet Widgits Pty Ltd/OU=uncle duck/CN=Gogo

At this point just enter the following statements at the prompt:

$ openssl ca -gencrl -crldays 30 -out temp.pem
$ openssl crl2pkcs7 -in temp.pem -out pkcs7_crl.pem

At this point you have a PKCS7 file containing a CRL, which can be imported into whatever application supports it.

Best Regards
[Gerardo Maiorano]

-- Original Message --
>
>Hi,
> I have installed openssl and have started generating client
>certificates. I would like to
>know, how I can create and maintain CRLs.
>
>I would appreciate if anybody provides any help or resource pointers for
>this.
>
>thanx in advance
>Sarath Chandra M
>
CRL how to
Hi,

I have installed openssl and have started generating client certificates. I would like to know how I can create and maintain CRLs.

I would appreciate if anybody provides any help or resource pointers for this.

thanks in advance
Sarath Chandra M
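Added example, not code from any of the posts above: a throwaway OpenSSL CA in a scratch directory that ties the threads together. It creates CSRs with -subj instead of feeding prompts from a file (the "create cert non interactively" thread), signs from the CSR alone so the .crt never carries a private key (the "where is the private key" and ldap threads), revokes a certificate and builds a CRL from index.txt (the "CRL how to" thread), and then re-issues for the same subject after revocation (the "how to reissue certificate" question). All paths, subjects and the config file are constructed for the demo; it assumes the openssl CLI is on PATH.

```shell
#!/bin/sh
# Added demo, not from the thread: a scratch OpenSSL CA. Paths, subjects and config are constructed; needs the openssl CLI.
set -eu
setup_ca() {   # $1 = scratch directory; writes the minimal config 'openssl ca' needs
  mkdir -p "$1/newcerts"; : > "$1/index.txt"; echo 01 > "$1/serial"
  cat > "$1/openssl.cnf" <<EOF
[ ca ]
default_ca = demo_ca
[ demo_ca ]
dir = $1
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
serial = \$dir/serial
certificate = \$dir/CA.crt
private_key = \$dir/CA.key
default_md = sha256
default_days = 365
policy = demo_policy
[ demo_policy ]
commonName = supplied
[ v3_ca ]
basicConstraints = critical,CA:TRUE
[ req ]
distinguished_name = req_dn
[ req_dn ]
EOF
  # Self-signed CA; -nodes leaves CA.key unencrypted for unattended signing. Only CA.crt is ever handed out.
  openssl req -x509 -new -newkey rsa:2048 -nodes -subj "/CN=Demo CA" -extensions v3_ca \
    -config "$1/openssl.cnf" -keyout "$1/CA.key" -out "$1/CA.crt" 2>/dev/null
}
# Issue $1/$2.crt for /CN=$2: -subj replaces the prompts; the CA only ever sees the CSR. Calling it again re-issues.
issue_cert() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" -config "$1/openssl.cnf" \
    -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
  openssl ca -batch -notext -config "$1/openssl.cnf" -in "$1/$2.csr" -out "$1/$2.crt" 2>/dev/null
}
# Succeeds only if the PEM file contains a private key block; a .crt written by 'openssl ca' never does.
has_private_key() { grep -q "PRIVATE KEY" "$1"; }
# Flip certificate $2 to status R in index.txt, then write a 30-day CRL to $1/crl.pem.
revoke_and_gencrl() {
  openssl ca -config "$1/openssl.cnf" -revoke "$2" 2>/dev/null
  openssl ca -config "$1/openssl.cnf" -gencrl -crldays 30 -out "$1/crl.pem" 2>/dev/null
}
# Number of index.txt rows with status $2 (V = valid, R = revoked); 0 when none.
count_status() { grep -c "^$2" "$1/index.txt" || true; }

# Walk-through: issue, check the .crt holds no key, revoke, build the CRL, then re-issue for the same subject.
w=$(mktemp -d); setup_ca "$w"; issue_cert "$w" alice
has_private_key "$w/alice.crt" || echo "alice.crt: certificate only, no private key"
revoke_and_gencrl "$w" "$w/alice.crt"; issue_cert "$w" alice
echo "valid=$(count_status "$w" V) revoked=$(count_status "$w" R)"   # valid=1 revoked=1
```

Only V rows count for the unique_subject check, so the revoked R row does not block re-issuing to the same subject; the reissued certificate gets the next serial while the old serial stays on the CRL.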