RE: Anyone Know of a Web Based Certificate Authority.
I know pyca www.pyca.de and http://cultura.eii.us.es/~pablo/elyca/. I didn't try the last one, but the first sends an e-mail to the requestor to verify it.

Anton

-----Original Message-----
From: John Doe [mailto:[EMAIL PROTECTED]]
Sent: Monday, June 23, 2003 07:48
To: [EMAIL PROTECTED]
Subject: Anyone Know of a Web Based Certificate Authority.

Anyone know of a web based certificate authority that actually works as advertised. I have tried php-ca but I am having a lot of trouble getting it to work. OpenCA is a little bit too full featured for what I am trying to accomplish. Basically I am looking to send a secret to an email address in order to verify a requestor's identity. If the requestor can correctly verify themselves, I would like to issue them a certificate.

Thanks in Advance
James Wilson

______________________________________________________________________
OpenSSL Project                          http://www.openssl.org
User Support Mailing List                [EMAIL PROTECTED]
Automated List Manager                   [EMAIL PROTECTED]
RE: Does the Web server have to run SSL in order to do certificates?
You don't need to run SSL for your
For your IE you should adjust the settings to permit running ActiveX.

Anton

-----Original Message-----
From: Mark Liu [mailto:[EMAIL PROTECTED]]
Sent: Monday, January 27, 2003 08:56
To: [EMAIL PROTECTED]
Subject: Does the Web server have to run SSL in order to do certificates?

I am working on an X509 public key certificate authentication project using Java technology. The client applies for a certificate from the Web interface of the CA. Currently, I only want to consider Internet Explorer.

Question 1: I run Tomcat 4.1.18 under my win2k box as the CA Web server. Do I have to run it in SSL mode in order to handle clients' certificate requests?

I got a sample vbscript code for certificate enrollment from http://msdn.microsoft.com/library/default.asp?url=/library/en-us/security/security/request_sample_in_vbscript.asp , which I paste in the following:

*** beginning of the sample code ***

<HTML>
<HEAD>
<TITLE>VBScript Certificate Enrollment Control Sample</TITLE>
<OBJECT classid=clsid:43F8F289-7A20-11D0-8F06-00C04FC295E1 codebase=xenroll.dll id=Enroll>
</OBJECT>
<OBJECT classid=clsid:98AFF3F0-5524-11D0-8812-00A0C903B83C codebase=certcli.dll id=Request>
</OBJECT>
<BR>
Certificate Enrollment Control Request Sample
<BR>
<BR>
<SCRIPT language=VBScript>
<!--
' Declare the distinguished name variable.
Dim strDN
' Declare the request variable.
Dim strReq
' Declare a local variable for request disposition.
Dim nDisp

' Enable error handling.
On Error Resume Next

' Declare consts used by CertRequest object.
const CR_IN_BASE64 = &H1
const CR_IN_PKCS10 = &H100

' Build the DN.
strDN = "CN=UserName" _
      & ",OU=UserUnit" _
      & ",O=UserOrg" _
      & ",L=UserCity" _
      & ",S=WA" _
      & ",C=US"

' Attempt to use the control, in this case, to create a PKCS #10.
MsgBox("Creating PKCS #10 " & strDN)
strReq = Enroll.createPKCS10( strDN, "1.3.6.1.4.1.311.2.1.21")

' If above line failed, Err.Number will not be 0.
if ( Err.Number <> 0 ) then
    MsgBox("Error in call to createPKCS10 " & Err.Number)
    err.clear
else
    MsgBox("Submitting request " & strReq)
    nDisp = Request.Submit( CR_IN_BASE64 OR CR_IN_PKCS10, _
                            strReq, _
                            "", _
                            "Machine\CertAuth")
    ' If the preceding line failed, Err.Number will not be 0.
    if ( Err.Number <> 0 ) then
        MsgBox("Error in Request Submit " & Err.Number)
        err.clear
    else
        MsgBox("Submitted certificate; disposition = " & nDisp)
    end if
end if
-->
</SCRIPT>
<BR>
</HEAD>
</HTML>

*** end of the sample code ***

I saved this code as certreq.html under my web application folder. When I visit this page with IE, I get a VBscript pop-up dialog box, which reads:

Creating PKCS #10 CN=UserName, OU=UserUnit, O=UserOrg,L=UserCity, S=WA,C=US

I click OK, then I get another VBscript pop-up dialog box, which reads:

Submitting request
IICdTCCAh8CAQAwldfasldk8425lkasdfasdfADSFASDa/sdfoiuj
aASDFkj9/asldfkadfr98SADkjla0ASDF09rASdfjasdlfkjASDFa
dfoiujlerASDFadfloiwerLKJalkjafoiWERo0lkj934lkasfDlkj
[snip]

It is just a mess of codes. If I click OK, I get a warning pop-up window, which reads:

! An ActiveX Control on this page is not safe. Your current security settings prohibit running unsafe controls on this page. As a result, this page may not display as intended.

And if I click OK, I see another popup window, which reads:

Error in Request Submit 438

These are all I get with this certreq.html page. I know there is a big problem with this sample code, because this code does not specify to which servlet the PKCS#10 request should be submitted. I want to specify it, but I have no clue where and how to do this.

Can you guys please help? Thanks a lot!
RE: IE request generation just stopped working...
Hi,

I think you can specify two objects on one page and first try to use the new component; if it fails, you will use the old one. (This is not hard to implement.) If your users care about their security they should upgrade the vulnerable IE. If you need help please post your page.

Anton

-----Original Message-----
From: Andrew Brady [mailto:Andrew.Brady;ecmwf.int]
Sent: Thursday, November 14, 2002 03:37
To: [EMAIL PROTECTED]
Subject: Re: IE request generation just stopped working...

Before I get dirty and write the VBSCRIPT

Has anyone already written the vbscript to support both the old and new versions simultaneously? Some of my users have high security so cannot dl and run the new dll.

Andy

Shalkebaev,AntonMSCAG wrote:

There is no secret. In your file you have:

<OBJECT classid=clsid:127698e4-e730-4e5c-a2b1-21490a70c8a1 CODEBASE=xenroll.dll id=Enroll>

You should place the new xenroll.dll on your web server. For example, if you put it in the root directory and it is accessed from http://yourserver/xenroll.dll, in your file change CODEBASE=/xenroll.dll and clients will be asked to install the new library, if their security settings are not so high :).

Anton

-----Original Message-----
From: Richard Levitte - VMS Whacker [mailto:levitte;stacken.kth.se]
Sent: Tuesday, October 15, 2002 05:41
To: Shalkebaev,AntonMSCAG
Cc: [EMAIL PROTECTED]
Subject: Re: IE request generation just stopped working...

In message <B5FC94784717D211931A006008911A69018B4B41@MSC0E001> on Tue, 15 Oct 2002 21:55:44 +0900, Shalkebaev,AntonMSCAG [EMAIL PROTECTED] said:

ShalkebaevA> Just change clsid to 127698e4-e730-4e5c-a2b1-21490a70c8a1
ShalkebaevA> and place your new xenroll.dll to a web server for none updated clients

OK, that worked fine.

How should the users with non-updated xenroll.dll install it? Some secret procedure I should know about?
RE: Problem creating signed certs
Hi,

You should check the openssl.cnf file, find the policy section, and change your countryName = match to something like supplied or optional, depending on policy.

Anton

-----Original Message-----
From: MikeCC [mailto:mikecc;atrek.org]
Sent: Wednesday, October 30, 2002 07:02
To: [EMAIL PROTECTED]
Subject: Problem creating signed certs

Hello,

I am trying to create a signed client certificate, but when I execute the command

openssl ca -in req.pem -out newcert.pem

the newcert.pem file is created, but it is created as an empty file. Here is what I see on the display:

/openssl-engine-0.9.6g/apps openssl ca -in req.pem -out newcert.pem
Using configuration from /usr/local/ssl/openssl.cnf
Check that the request matches the signature
Signature ok
The Subjects Distinguished Name is as follows
countryName           :PRINTABLE:'US'
stateOrProvinceName   :PRINTABLE:'MA'
localityName          :PRINTABLE:'Arlington'
organizationName      :PRINTABLE:'Brandywine mills'
organizationalUnitName:PRINTABLE:'Hobbiton'
commonName            :PRINTABLE:'Frodo'
emailAddress          :IA5STRING:'[EMAIL PROTECTED]'
The countryName field needed to be the same in the
CA certificate (AU) and the request (US)
/openssl-engine-0.9.6g/apps ls -l newcert.pem
-rw-r--r--    1 root     root            0 Oct 29 22:29 newcert.pem

Can anyone help me understand what I'm missing or doing incorrectly?

==
Mike Cerone, CISSP, CCNA
Ad Astra!
==
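The change described in the reply, as an added example that is not part of the original messages. The section names and the remaining field rules follow the sample openssl.cnf shipped with OpenSSL, which is an assumption about the poster's /usr/local/ssl/openssl.cnf.

```ini
# Constructed example modelled on the sample openssl.cnf shipped with OpenSSL.
# Section names are that sample's; a local file may differ (assumption).

[ ca ]
default_ca              = CA_default

[ CA_default ]
# 'openssl ca' checks every request against the policy section named here.
policy                  = policy_match

# Meaning of the values in a policy section:
#   match    - field must be present and equal to the CA certificate's field
#   supplied - field must be present in the request, any value is accepted
#   optional - field may be present or absent
# DN fields that are not listed in the policy section are dropped from the
# issued certificate unless -preserveDN (or preserve = yes) is in effect.

[ policy_match ]
# Before: countryName = match
#   -> request C=US against CA C=AU is rejected with
#      "The countryName field needed to be the same ..."
countryName             = supplied
# Still 'match' in the sample file: the request's ST and O must equal the
# CA certificate's values, or these two lines need the same change.
stateOrProvinceName     = match
organizationName        = match
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional

# Alternative that leaves policy_match untouched: select the permissive
# sample policy for one run with
#   openssl ca -policy policy_anything -in req.pem -out newcert.pem
[ policy_anything ]
countryName             = optional
stateOrProvinceName     = optional
localityName            = optional
organizationName        = optional
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional
```

Which fields stay at match is a CA policy decision: every field relaxed to supplied or optional is one the CA will sign with whatever value the requester put in the request.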
RE: IIS5 client certs
They are the same as in Apache except SSL_CLIENT_S_DN_UID; you can find them in IIS help :) :

-----
Certificate Field
Select or enter the certificate field name. Fields are comprised of subfields that contain specific identification information. Field names represent general categories of information; field names are Client (Subject) and Issuer. For more information about fields and subfields, see you certification authority.

Subfield
To select or enter the certificate subfield name, use this drop down box. The following list describes basic subfields contained in a certificate:

(O) Organization: Preferably International Organization for Standardization (ISO)-registered top-level organization or company name.
(OU) Organizational Unit: A department within a company, such as Marketing.
(CN) Common Name: The domain name of the server, for example, www.microsoft.com.
(C) Country: Two letter ISO country designation, for example, US, FR, AU, UK, and so on.
(S) State/Province: Type in the full name of the state or province, do not abbreviate. For example, Washington, Alberta, and so on.
(L) Locality: Type in the full name of the city where your company is located, such as Redmond or Toronto.

The rule editor also supports several non-standard subfield categories, including:

(I) Initials of the certificate owner.
(GN) Given Name of the certificate owner.
(T) Title of the certificate owner.
(Email) Email address of the certificate owner.

Consult a certification authority to obtain updated subfield information.

Criteria
Use this text box to specify the criteria for matching field and subfield information. For example, if the Subfield is O, the criteria could be Microsoft to tell the matching rule which organization to match to. You can use the wildcard character to partially specify the text of your criteria.
-----

Anton

-----Original Message-----
From: Eric Weitzman [mailto:eweitzman;acm.org]
Sent: Sunday, October 27, 2002 09:09
To: [EMAIL PROTECTED]
Subject: IIS5 client certs

Does anyone know (or know where to find) the characteristics that a client certificate should have so that IIS5 will verify the client?

Thanks,
- Eric
RE: IE request generation just stopped working...
Just change clsid to 127698e4-e730-4e5c-a2b1-21490a70c8a1 and place your new xenroll.dll on a web server for non-updated clients.

Anton

-----Original Message-----
From: Richard Levitte - VMS Whacker [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, October 15, 2002 04:00
To: [EMAIL PROTECTED]
Subject: IE request generation just stopped working...

I've probably hacked this incorrectly. I'm doing the usual certificate request page for IE, with the usual VBscript to generate a PKCS#10 request. I did a windows update a few days ago, and since, that page stopped working. I'm attaching it, and would be really glad if someone could tell me what things I got wrong (I also lack the possibility to choose the key size, and would like that to happen as well).

--
Richard Levitte   \ Spannvägen 38, II \ [EMAIL PROTECTED]
Redakteur@Stacken \ S-168 35 BROMMA   \ T: +46-8-26 52 47
                  \ SWEDEN            \ or +46-708-26 53 44
Procurator Odiosus Ex Infernis -- [EMAIL PROTECTED]
Member of the OpenSSL development team: http://www.openssl.org/

Unsolicited commercial email is subject to an archival fee of $400.
See http://www.stacken.kth.se/~levitte/mail/ for more info.
RE: IE request generation just stopped working...
There is no secret. In your file you have:

<OBJECT classid=clsid:127698e4-e730-4e5c-a2b1-21490a70c8a1 CODEBASE=xenroll.dll id=Enroll>

You should place the new xenroll.dll on your web server. For example, if you put it in the root directory and it is accessed from http://yourserver/xenroll.dll, in your file change CODEBASE=/xenroll.dll and clients will be asked to install the new library, if their security settings are not so high :).

Anton

-----Original Message-----
From: Richard Levitte - VMS Whacker [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, October 15, 2002 05:41
To: Shalkebaev,AntonMSCAG
Cc: [EMAIL PROTECTED]
Subject: Re: IE request generation just stopped working...

In message <B5FC94784717D211931A006008911A69018B4B41@MSC0E001> on Tue, 15 Oct 2002 21:55:44 +0900, Shalkebaev,AntonMSCAG [EMAIL PROTECTED] said:

ShalkebaevA> Just change clsid to 127698e4-e730-4e5c-a2b1-21490a70c8a1
ShalkebaevA> and place your new xenroll.dll to a web server for none updated clients

OK, that worked fine.

How should the users with non-updated xenroll.dll install it? Some secret procedure I should know about?

--
Richard Levitte   \ Spannvägen 38, II \ [EMAIL PROTECTED]
Redakteur@Stacken \ S-168 35 BROMMA   \ T: +46-8-26 52 47
                  \ SWEDEN            \ or +46-708-26 53 44
Procurator Odiosus Ex Infernis -- [EMAIL PROTECTED]
Member of the OpenSSL development team: http://www.openssl.org/

Unsolicited commercial email is subject to an archival fee of $400.
See http://www.stacken.kth.se/~levitte/mail/ for more info.
RE: OpenSSL configuration, OpenLDAP integration
I don't know where to find a step-by-step guide, but you can look at these projects: www.pyca.de and www.openca.org. I'm using pyca; it works fine but with some changes.

Anton

-----Original Message-----
From: Pravin Joshi [mailto:[EMAIL PROTECTED]]
Sent: Saturday, October 12, 2002 09:35
To: '[EMAIL PROTECTED]'
Subject: OpenSSL configuration, OpenLDAP integration

Can anybody give me links for:

1. Step by step guidance for configuring OpenSSL.
2. Step by step guidance for integration of OpenSSL with OpenLDAP.

Thanks
Regards
Pravin Joshi