Re: HELP!!!! mod_tsa:could not load X.509 certificate

Hello! Thank you very much for your help. I managed to install it, load the server and connect to the database; the problem was the version of Apache. I compiled version httpd-2.0.59. Now I want to try the time stamping service. I generate a query with the following command:

./openssl ts -reply -queryfile request.tsq -signer /root/tssCRT.pem -inkey /root/tssKey.pem -out -token_out responde.tsr

And I get the following file:

04 ^B ^A ^A0! 0 ^F ^E + ^N ^C ^B ^Z ^E ^@ ^D ^T ¾ A-,,, ÿ ® (^Gau @] ^Db * x ^B ^ Most Holy ¬ V @ $ c) ^A ^Aÿ ~

In text format it is:

Version: 1
Hash Algorithm: sha1
Message data:
    - be ab 2c 2c 2c 2d 41 ff-ae July 28 fc 40 5d c3 04   ..A-,,,..(...@].
    0010 to 62 the 2nd 3e 78   b * x
Policy OID: unspecified
Nonce: 0x5B1374C33082CD80
Certificate required: yes
Extensions:

Now, when I generate the time stamp, I do it with this command:

./openssl ts -reply -queryfile request.tsq -signer /root/tssCRT.pem -inkey /root/tssKey.pem -out -token_out responde.tsr

But it tells me it is wrong, and I do not know what the problem is. Have you generated a certificate of this type? Do you know something about it? Thank you very much again. You have been very helpful. Greetings!

2011/2/24 Mounir IDRASSI <mounir.idra...@idrix.net>

Hi,

Getting the same error (on ts_rsp_sign.c:206) with the file I sent means that you are not using the right files: I have explicitly tested the OpenSSL function referenced in ts_rsp_sign.c and it is working with no error. You have to check your configuration in order to point to the right key file.

In my tests, I only used OpenSSL code, no mod_tsa or Apache, because I was targeting the OpenSSL error you described. I used the latest version 1.0.0d but I think this has nothing to do with your problem since it is certainly caused by a configuration issue.

Concerning the cnf file, I just modified the usr_cert section in the default one in order to add extendedKeyUsage = critical,timeStamping and set keyUsage to nonRepudiation, digitalSignature.

Cheers,
--
Mounir IDRASSI
IDRIX
http://www.idrix.fr

On 2/23/2011 3:32 PM, Yessica De Ascencao wrote:

Hello! Thanks for your help and monitoring. Yes, I get the same error; it also throws the same when tested with the files you sent me. I think there must be something I missed or did wrong in the installation. Which versions did you use for these packages: openssl, mod_tsa, Apache, mod_ssl, mysql, ts-patch? Another thing: to generate the certificate for the TSA with the Time Stamping extension, which .cnf did you use? The openssl.cnf or one you created yourself? Very grateful! Thanks

2011/2/22 Mounir IDRASSI <mounir.idra...@idrix.net>

Hi,

Are you sure you have the same error description (lib(47):func(131):reason(117):ts_rsp_sign.c:206:)? I have tested here with a certificate containing Digital Signature, Non Repudiation key usage and OpenSSL doesn't complain. I'm attaching the timestamp certificate (with its key and its CA certificate) that I used. Can you see if it is working for you?

Cheers,
--
Mounir IDRASSI
IDRIX
http://www.idrix.fr

On 2/22/2011 3:11 PM, Yessica De Ascencao wrote:

Hi Mounir IDRASSI! I generated the certificate with ONLY Digital Signature, Non Repudiation but I still have the same problem. Thanks!

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: d8:e6:a3:f6:22:c7:a4:0c
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=ve, ST=distrito capital, O=suscerte, OU=acraiz, CN=ac/emailAddress=a...@suscerte.gob.ve
        Validity
            Not Before: Feb 22 14:08:20 2011 GMT
            Not After : Feb 22 14:08:20 2012 GMT
        Subject: C=ve, ST=distritocapital, L=caracas, O=tss, OU=suscerte, CN=tsscompany/emailAddress=t...@company.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (2048 bit)
                Modulus (2048 bit):
                    00:bd:6e:12:e5:72:37:f2:74:e4:95:f7:43:f2:c7:
                    00:7d:53:cb:2d:a9:49:68:4d:04:b7:40:8d:b7:cd:
                    56:23:89:8a:e1:78:d6:a8:bd:a3:ef:16:62:d6:37:
                    6d:25:ce:eb:9d:30:8a:5e:be:6a:68:6f:bf:cd:f7:
                    6b:cd:85:f8:c6:62:f3:ea:8e:32:79:2a:d2:38:40:
                    b9:d7:88:c9:18:5c:63:98:69:ea:b6:95:83:a2:ac:
                    1b:b4:17:9a:e7:ea:66:bc:c3:e6:c8:e6:47:94:9b:
                    36:3c:3b:e0:59:9e:85:90:a6:8f:ad:8a:0a:0b:9e:
                    51:de:ef:93
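The openssl.cnf change Mounir describes in his 2/24 reply, written out as an added example (it is not a file from the thread or from the OpenTSA project). The first section is the stock usr_cert section shipped with OpenSSL; uncommenting its keyUsage line is what puts Key Encipherment into the certificate, and it carries no extendedKeyUsage at all. The second section yields exactly the extensions the TSA signer needs. The section name tsa_cert is an assumption; any name works as long as it is passed to -extensions.

```ini
# Stock [ usr_cert ] section from the default openssl.cnf. Uncommenting the
# keyUsage line produces "Digital Signature, Non Repudiation, Key Encipherment",
# which X509_check_purpose(..., X509_PURPOSE_TIMESTAMP_SIGN, 0) rejects, and
# there is no extendedKeyUsage, so the purpose check fails either way.
[ usr_cert ]
basicConstraints = CA:FALSE
# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
nsComment = "OpenSSL Generated Certificate"
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer

# Section for a TSA signing certificate (assumed name). Only digitalSignature
# and/or nonRepudiation are allowed in keyUsage; extendedKeyUsage must contain
# timeStamping only and must be the extension marked critical, not
# subjectAltName.
[ tsa_cert ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature
extendedKeyUsage = critical, timeStamping
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
```

Issue the certificate with `openssl ca -config openssl.cnf -extensions tsa_cert -in tsa.csr -out tssCRT.pem` (file names assumed), then confirm before touching mod_tsa: `openssl x509 -in tssCRT.pem -noout -purpose` must list "Time Stamp signing : Yes", and `openssl x509 -in tssCRT.pem -noout -text` must show "X509v3 Extended Key Usage: critical" followed by "Time Stamping". If the -purpose line says No, mod_tsa will log the same ts_rsp_sign.c:206 error regardless of file permissions or paths.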
ts -reply

Hi people! I installed the time stamping service with opentsa; now I want to try the time stamping service. I generate a query with the following command:

./openssl ts -reply -queryfile request.tsq -signer /root/tssCRT.pem -inkey /root/tssKey.pem -out -token_out responde.tsr

And I get the following file:

04 ^B ^A ^A0! 0 ^F ^E + ^N ^C ^B ^Z ^E ^@ ^D ^T ¾ A-,,, ÿ ® (^Gau @] ^Db * x ^B ^ Most Holy ¬ V @ $ c) ^A ^Aÿ ~

In text format it is:

Version: 1
Hash Algorithm: sha1
Message data:
    - be ab 2c 2c 2c 2d 41 ff-ae July 28 fc 40 5d c3 04   ..A-,,,..(...@].
    0010 to 62 the 2nd 3e 78   b * x
Policy OID: unspecified
Nonce: 0x5B1374C33082CD80
Certificate required: yes
Extensions:

Now, when I generate the time stamp, I do it with this command:

./openssl ts -reply -queryfile request.tsq -signer /root/tssCRT.pem -inkey /root/tssKey.pem -out -token_out responde.tsr

But it tells me it is wrong, and I do not know what the problem is. Have you generated a certificate of this type? Do you know something about it? Thank you very much again. You have been
Re: HELP!!!! mod_tsa:could not load X.509 certificate

Hello! Thanks for your help and monitoring. Yes, I get the same error; it also throws the same when tested with the files you sent me. I think there must be something I missed or did wrong in the installation. Which versions did you use for these packages: openssl, mod_tsa, Apache, mod_ssl, mysql, ts-patch? Another thing: to generate the certificate for the TSA with the Time Stamping extension, which .cnf did you use? The openssl.cnf or one you created yourself? Very grateful! Thanks

2011/2/22 Mounir IDRASSI <mounir.idra...@idrix.net>

Hi,

Are you sure you have the same error description (lib(47):func(131):reason(117):ts_rsp_sign.c:206:)? I have tested here with a certificate containing Digital Signature, Non Repudiation key usage and OpenSSL doesn't complain. I'm attaching the timestamp certificate (with its key and its CA certificate) that I used. Can you see if it is working for you?

Cheers,
--
Mounir IDRASSI
IDRIX
http://www.idrix.fr

On 2/22/2011 3:11 PM, Yessica De Ascencao wrote:

Hi Mounir IDRASSI! I generated the certificate with ONLY Digital Signature, Non Repudiation but I still have the same problem. Thanks!

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: d8:e6:a3:f6:22:c7:a4:0c
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=ve, ST=distrito capital, O=suscerte, OU=acraiz, CN=ac/emailAddress=a...@suscerte.gob.ve
        Validity
            Not Before: Feb 22 14:08:20 2011 GMT
            Not After : Feb 22 14:08:20 2012 GMT
        Subject: C=ve, ST=distritocapital, L=caracas, O=tss, OU=suscerte, CN=tsscompany/emailAddress=t...@company.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (2048 bit)
                Modulus (2048 bit):
                    00:bd:6e:12:e5:72:37:f2:74:e4:95:f7:43:f2:c7:
                    00:7d:53:cb:2d:a9:49:68:4d:04:b7:40:8d:b7:cd:
                    56:23:89:8a:e1:78:d6:a8:bd:a3:ef:16:62:d6:37:
                    6d:25:ce:eb:9d:30:8a:5e:be:6a:68:6f:bf:cd:f7:
                    6b:cd:85:f8:c6:62:f3:ea:8e:32:79:2a:d2:38:40:
                    b9:d7:88:c9:18:5c:63:98:69:ea:b6:95:83:a2:ac:
                    1b:b4:17:9a:e7:ea:66:bc:c3:e6:c8:e6:47:94:9b:
                    36:3c:3b:e0:59:9e:85:90:a6:8f:ad:8a:0a:0b:9e:
                    51:de:ef:93:73:e5:6b:a9:f2:49:ec:c0:46:57:71:
                    27:fd:85:47:09:f7:90:f7:bb:c5:3a:83:0a:3c:cc:
                    f2:88:2f:69:5c:80:e2:7f:9e:28:d3:19:09:62:fb:
                    2b:61:a4:f8:4c:64:d6:72:cb:41:a9:68:69:38:8b:
                    3f:03:04:83:26:e0:9a:ce:be:1f:05:f0:6d:99:2c:
                    87:16:97:e2:7f:8b:2f:b1:eb:19:2f:10:45:00:2c:
                    8e:dd:f5:80:de:cf:c7:17:a0:cc:cf:0d:f3:48:19:
                    7f:5b:b0:dd:51:a8:80:e0:65:eb:79:ef:ea:fc:d8:
                    6d:a5:2d:e3:06:b0:83:83:14:7f:61:f9:dc:ea:a7:
                    7a:4b
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Key Usage:
                Digital Signature, Non Repudiation
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                FA:0C:6E:6E:88:58:51:F4:DF:F1:E3:CC:DD:9D:71:8C:CD:95:68:17
            X509v3 Authority Key Identifier:
                keyid:76:B9:CB:3B:5D:C8:B6:AB:02:74:86:D3:1C:C7:42:58:B1:AE:7E:76
            X509v3 Subject Alternative Name:
                email:t...@company.com
            X509v3 Extended Key Usage: critical
                Time Stamping
    Signature Algorithm: sha1WithRSAEncryption
        3d:d4:76:9a:d7:2d:6a:93:62:d7:2c:29:87:cc:9c:72:97:19:
        1a:2d:59:b8:fc:6c:86:22:ad:9c:ba:74:de:89:cb:55:c0:f8:
        50:02:5d:7d:58:92:cb:0d:c9:9a:30:a9:2a:32:7e:2c:c6:a1:
        19:eb:09:30:55:85:c8:30:d4:f1:51:9a:ca:77:58:8e:f8:a6:
        b8:d9:92:63:10:fa:ad:06:79:aa:d9:5a:09:9c:5b:91:8b:7a:
        04:66:f5:24:0b:25:25:69:a5:66:30:c1:4a:b8:cf:c7:51:e1:
        5a:a0:a6:51:cf:b0:26:05:8d:c4:66:cd:3b:c6:08:a5:de:57:
        81:af

2011/2/22 Mounir IDRASSI <mounir.idra...@idrix.net>

Hi,

I don't agree: from the error description (lib(47):func(131):reason(117):ts_rsp_sign.c:206) it is clear that OpenSSL loaded the certificate but the X509_check_purpose(signer, X509_PURPOSE_TIMESTAMP_SIGN, 0) call in ts_rsp_sign failed. Actually, reading the certificate dump shows that the problem is coming from the certificate Key Usage: it MUST NOT contain Key Encipherment. So, to resolve your problem, set the Key Usage to ONLY Digital Signature, Non Repudiation.

I hope this will help.

Cheers,
--
Mounir IDRASSI
IDRIX
http://www.idrix.fr

On 2/22/2011 2:40 PM, Patrick Patterson wrote:

Hi Yessica
Re: HELP!!!! mod_tsa:could not load X.509 certificate

Hi Patrick! The certificate has all permissions, and the tutorial does not specify a location for its storage. Thanks!

2011/2/22 Patrick Patterson <ppatter...@carillonis.com>

Hi Yessica:

That error is fairly straightforward - it can't load the cert (meaning, it can't even load the file). Have you made sure that the permissions are correct? Are you absolutely sure that you have the right cert in the right location?

Have fun.

Patrick.

On 2011-02-22, at 8:37 AM, Yessica De Ascencao wrote:

Hi! This is the new certificate:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: d8:e6:a3:f6:22:c7:a4:0b
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=ve, ST=distrito capital, O=suscerte, OU=acraiz, CN=ac/emailAddress=a...@suscerte.gob.ve
        Validity
            Not Before: Feb 21 20:15:08 2011 GMT
            Not After : Feb 21 20:15:08 2012 GMT
        Subject: C=ve, ST=distritocapital, L=caracas, O=tss, OU=suscerte, CN=tsscompany/emailAddress=t...@company.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (2048 bit)
                Modulus (2048 bit):
                    00:bd:6e:12:e5:72:37:f2:74:e4:95:f7:43:f2:c7:
                    00:7d:53:cb:2d:a9:49:68:4d:04:b7:40:8d:b7:cd:
                    56:23:89:8a:e1:78:d6:a8:bd:a3:ef:16:62:d6:37:
                    6d:25:ce:eb:9d:30:8a:5e:be:6a:68:6f:bf:cd:f7:
                    6b:cd:85:f8:c6:62:f3:ea:8e:32:79:2a:d2:38:40:
                    b9:d7:88:c9:18:5c:63:98:69:ea:b6:95:83:a2:ac:
                    1b:b4:17:9a:e7:ea:66:bc:c3:e6:c8:e6:47:94:9b:
                    36:3c:3b:e0:59:9e:85:90:a6:8f:ad:8a:0a:0b:9e:
                    51:de:ef:93:73:e5:6b:a9:f2:49:ec:c0:46:57:71:
                    27:fd:85:47:09:f7:90:f7:bb:c5:3a:83:0a:3c:cc:
                    f2:88:2f:69:5c:80:e2:7f:9e:28:d3:19:09:62:fb:
                    2b:61:a4:f8:4c:64:d6:72:cb:41:a9:68:69:38:8b:
                    3f:03:04:83:26:e0:9a:ce:be:1f:05:f0:6d:99:2c:
                    87:16:97:e2:7f:8b:2f:b1:eb:19:2f:10:45:00:2c:
                    8e:dd:f5:80:de:cf:c7:17:a0:cc:cf:0d:f3:48:19:
                    7f:5b:b0:dd:51:a8:80:e0:65:eb:79:ef:ea:fc:d8:
                    6d:a5:2d:e3:06:b0:83:83:14:7f:61:f9:dc:ea:a7:
                    7a:4b
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Key Usage:
                Digital Signature, Non Repudiation, Key Encipherment
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                FA:0C:6E:6E:88:58:51:F4:DF:F1:E3:CC:DD:9D:71:8C:CD:95:68:17
            X509v3 Authority Key Identifier:
                keyid:76:B9:CB:3B:5D:C8:B6:AB:02:74:86:D3:1C:C7:42:58:B1:AE:7E:76
            X509v3 Subject Alternative Name:
                email:t...@company.com
            X509v3 Extended Key Usage: critical
                Time Stamping
    Signature Algorithm: sha1WithRSAEncryption
        02:d1:fd:44:de:1e:9f:e0:29:66:35:8f:43:da:e6:b5:20:43:
        52:90:b0:dc:8a:0f:09:92:9e:c2:6b:dc:14:ab:2c:9f:1b:8e:
        02:76:9a:17:08:77:ca:26:06:13:25:9e:4a:e2:bf:bb:2b:4d:
        cf:67:41:c0:2b:3a:1a:d0:ae:a8:88:3c:13:e2:0d:f6:9c:1e:
        e7:ba:ef:22:c6:b8:18:3b:a8:5e:f9:0e:43:b8:de:82:b1:e0:
        be:00:d2:57:9c:f3:d9:48:72:28:70:5d:06:d7:73:84:bc:f7:
        5e:65:27:86:0d:e8:28:b4:dd:72:4d:8e:59:02:cc:39:0f:8d:
        47:87

And this is the error:

[Mon Feb 21 20:15:37 2011] [error] mod_tsa:could not load X.509 certificate: /usr/local/ssl/misc/demoCA/tss.pem
[Mon Feb 21 20:15:37 2011] [error] mod_tsa:17262:error:2F083075:lib(47):func(131):reason(117):ts_rsp_sign.c:206:
[Mon Feb 21 20:15:37 2011] [emerg] exiting, fatal error during mod_tsa initialisation.

Thanks!!!

2011/2/21 Jaroslav Imrich <jaroslav.imr...@gmail.com>

Hello Yessica,

please post the new certificate and the exact error you're getting.

--
Kind Regards / S pozdravom
Jaroslav Imrich
http://www.jariq.sk

On Mon, Feb 21, 2011 at 4:41 PM, Yessica De Ascencao <yessima...@gmail.com> wrote:

hello!!! Thanks for the response! Yes, I needed the Time Stamping extension; however, when I load the sample certificate from the OpenTSA page, it continues to show me the same error. I created a certificate with the correct extension and it likewise gives me an error. I really do not know what may be happening. Thank you very much!

2011/2/18 Jaroslav Imrich <jaroslav.imr...@gmail.com>

Hello Yessica,

this line in your logs tells you where the error occurred:

[Thu Feb 17 19:23:09 2011] [error] mod_tsa:1510:error:2F083075:lib(47):func(131):reason(117):ts_rsp_sign.c:206:

When you look into the source code of the openssl ts module - http
Re: HELP!!!! mod_tsa:could not load X.509 certificate

Hi Mounir IDRASSI! I generated the certificate with ONLY Digital Signature, Non Repudiation but I still have the same problem. Thanks!

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: d8:e6:a3:f6:22:c7:a4:0c
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=ve, ST=distrito capital, O=suscerte, OU=acraiz, CN=ac/emailAddress=a...@suscerte.gob.ve
        Validity
            Not Before: Feb 22 14:08:20 2011 GMT
            Not After : Feb 22 14:08:20 2012 GMT
        Subject: C=ve, ST=distritocapital, L=caracas, O=tss, OU=suscerte, CN=tsscompany/emailAddress=t...@company.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (2048 bit)
                Modulus (2048 bit):
                    00:bd:6e:12:e5:72:37:f2:74:e4:95:f7:43:f2:c7:
                    00:7d:53:cb:2d:a9:49:68:4d:04:b7:40:8d:b7:cd:
                    56:23:89:8a:e1:78:d6:a8:bd:a3:ef:16:62:d6:37:
                    6d:25:ce:eb:9d:30:8a:5e:be:6a:68:6f:bf:cd:f7:
                    6b:cd:85:f8:c6:62:f3:ea:8e:32:79:2a:d2:38:40:
                    b9:d7:88:c9:18:5c:63:98:69:ea:b6:95:83:a2:ac:
                    1b:b4:17:9a:e7:ea:66:bc:c3:e6:c8:e6:47:94:9b:
                    36:3c:3b:e0:59:9e:85:90:a6:8f:ad:8a:0a:0b:9e:
                    51:de:ef:93:73:e5:6b:a9:f2:49:ec:c0:46:57:71:
                    27:fd:85:47:09:f7:90:f7:bb:c5:3a:83:0a:3c:cc:
                    f2:88:2f:69:5c:80:e2:7f:9e:28:d3:19:09:62:fb:
                    2b:61:a4:f8:4c:64:d6:72:cb:41:a9:68:69:38:8b:
                    3f:03:04:83:26:e0:9a:ce:be:1f:05:f0:6d:99:2c:
                    87:16:97:e2:7f:8b:2f:b1:eb:19:2f:10:45:00:2c:
                    8e:dd:f5:80:de:cf:c7:17:a0:cc:cf:0d:f3:48:19:
                    7f:5b:b0:dd:51:a8:80:e0:65:eb:79:ef:ea:fc:d8:
                    6d:a5:2d:e3:06:b0:83:83:14:7f:61:f9:dc:ea:a7:
                    7a:4b
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Key Usage:
                Digital Signature, Non Repudiation
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                FA:0C:6E:6E:88:58:51:F4:DF:F1:E3:CC:DD:9D:71:8C:CD:95:68:17
            X509v3 Authority Key Identifier:
                keyid:76:B9:CB:3B:5D:C8:B6:AB:02:74:86:D3:1C:C7:42:58:B1:AE:7E:76
            X509v3 Subject Alternative Name:
                email:t...@company.com
            X509v3 Extended Key Usage: critical
                Time Stamping
    Signature Algorithm: sha1WithRSAEncryption
        3d:d4:76:9a:d7:2d:6a:93:62:d7:2c:29:87:cc:9c:72:97:19:
        1a:2d:59:b8:fc:6c:86:22:ad:9c:ba:74:de:89:cb:55:c0:f8:
        50:02:5d:7d:58:92:cb:0d:c9:9a:30:a9:2a:32:7e:2c:c6:a1:
        19:eb:09:30:55:85:c8:30:d4:f1:51:9a:ca:77:58:8e:f8:a6:
        b8:d9:92:63:10:fa:ad:06:79:aa:d9:5a:09:9c:5b:91:8b:7a:
        04:66:f5:24:0b:25:25:69:a5:66:30:c1:4a:b8:cf:c7:51:e1:
        5a:a0:a6:51:cf:b0:26:05:8d:c4:66:cd:3b:c6:08:a5:de:57:
        81:af

2011/2/22 Mounir IDRASSI <mounir.idra...@idrix.net>

Hi,

I don't agree: from the error description (lib(47):func(131):reason(117):ts_rsp_sign.c:206) it is clear that OpenSSL loaded the certificate but the X509_check_purpose(signer, X509_PURPOSE_TIMESTAMP_SIGN, 0) call in ts_rsp_sign failed. Actually, reading the certificate dump shows that the problem is coming from the certificate Key Usage: it MUST NOT contain Key Encipherment. So, to resolve your problem, set the Key Usage to ONLY Digital Signature, Non Repudiation.

I hope this will help.

Cheers,
--
Mounir IDRASSI
IDRIX
http://www.idrix.fr

On 2/22/2011 2:40 PM, Patrick Patterson wrote:

Hi Yessica:

That error is fairly straightforward - it can't load the cert (meaning, it can't even load the file). Have you made sure that the permissions are correct? Are you absolutely sure that you have the right cert in the right location?

Have fun.

Patrick.

On 2011-02-22, at 8:37 AM, Yessica De Ascencao wrote:

Hi! This is the new certificate:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: d8:e6:a3:f6:22:c7:a4:0b
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=ve, ST=distrito capital, O=suscerte, OU=acraiz, CN=ac/emailAddress=a...@suscerte.gob.ve
        Validity
            Not Before: Feb 21 20:15:08 2011 GMT
            Not After : Feb 21 20:15:08 2012 GMT
        Subject: C=ve, ST=distritocapital, L=caracas, O=tss, OU=suscerte, CN=tsscompany/emailAddress=t...@company.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (2048 bit)
                Modulus (2048 bit):
                    00:bd:6e:12:e5:72:37:f2:74:e4:95:f7:43:f2:c7:
                    00:7d:53:cb:2d:a9:49:68:4d:04:b7:40:8d:b7:cd:
                    56:23:89
Re: HELP!!!! mod_tsa:could not load X.509 certificate

hello!!! Thanks for the response! Yes, I needed the Time Stamping extension; however, when I load the sample certificate from the OpenTSA page, it continues to show me the same error. I created a certificate with the correct extension and it likewise gives me an error. I really do not know what may be happening. Thank you very much!

2011/2/18 Jaroslav Imrich <jaroslav.imr...@gmail.com>

Hello Yessica,

this line in your logs tells you where the error occurred:

[Thu Feb 17 19:23:09 2011] [error] mod_tsa:1510:error:2F083075:lib(47):func(131):reason(117):ts_rsp_sign.c:206:

When you look into the source code of the openssl ts module - http://cvs.openssl.org/fileview?f=openssl/crypto/ts/ts_rsp_sign.cv=1.6.4.2- you can see that line 206 contains the following code:

if (X509_check_purpose(signer, X509_PURPOSE_TIMESTAMP_SIGN, 0) != 1)
{
    TSerr(TS_F_TS_RESP_CTX_SET_SIGNER_CERT, TS_R_INVALID_SIGNER_CERTIFICATE_PURPOSE);
    return 0;
}

That means loading of the TSA certificate failed because of incorrect extensions. The certificate you posted has a critical mark on X509v3 Subject Alternative Name, which is completely wrong in this case. It is Time Stamping that has to be marked as critical.

--
Kind Regards / S pozdravom
Jaroslav Imrich
http://www.jariq.sk

--
Regards!
Yessica De Ascencao
0426-7142582
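Jaroslav's quote of line 206 and Mounir's Key Usage diagnosis later in the thread describe the same OpenSSL check, X509_PURPOSE_TIMESTAMP_SIGN, from two sides. The following is an added example, not code from the thread, from mod_tsa or from OpenSSL: it re-implements the rules of that check over the text form of a certificate (what `openssl x509 -text` prints, which is exactly what was posted here) so a certificate can be screened before Apache is restarted, and it decodes the packed hex error code that mod_tsa logs: 2F083075 splits into lib 47 (OpenSSL's TS library), func 131 and reason 117, the TS_F_TS_RESP_CTX_SET_SIGNER_CERT and TS_R_INVALID_SIGNER_CERTIFICATE_PURPOSE pair named in the quoted code. The sample dumps inside the block are constructed, trimmed to the extension sections, and modelled on the three certificates in the thread: the first TSA certificate (non-critical Extended Key Usage, critical Subject Alternative Name), the one with Key Encipherment, and the final one with only Digital Signature and Non Repudiation.

```python
"""Added example (not code from the thread, mod_tsa or OpenSSL): decodes the
packed error code mod_tsa logs and re-implements, over `openssl x509 -text`
output, the rules behind X509_PURPOSE_TIMESTAMP_SIGN, the X509_check_purpose
call that fails at ts_rsp_sign.c:206."""
import re

# OpenSSL 1.0.x packs an error code as (lib << 24) | (func << 12) | reason and
# prints the same fields in decimal after it: lib(47):func(131):reason(117).
LOG_RE = re.compile(r"error:([0-9A-Fa-f]{8}):lib\((\d+)\):func\((\d+)\):reason\((\d+)\)")

def unpack_error_code(packed):
    """Split a packed OpenSSL error code (int or hex string) into its fields."""
    if isinstance(packed, str):
        packed = int(packed, 16)
    return {"lib": (packed >> 24) & 0xFF, "func": (packed >> 12) & 0xFFF, "reason": packed & 0xFFF}

def decode_log_line(line):
    """Fields of the OpenSSL error in a mod_tsa log line, or None if it has none;
    the decimal fields OpenSSL prints must agree with the packed code."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    fields = unpack_error_code(m.group(1))
    if fields != {"lib": int(m.group(2)), "func": int(m.group(3)), "reason": int(m.group(4))}:
        raise ValueError("packed code and printed fields disagree: " + line)
    return fields

# An extension header in -text output is the name, a colon and optionally the
# word "critical"; the extension's values follow on indented lines.
EXT_HEADER = re.compile(r"^\s*([A-Za-z][A-Za-z0-9 .-]*):\s*(critical)?\s*$")

def parse_extensions(cert_text):
    """Map extension name -> (critical, [value lines]) from a -text dump."""
    exts, current, in_exts = {}, None, False
    for line in cert_text.splitlines():
        if "X509v3 extensions:" in line:
            in_exts = True
            continue
        if not in_exts:
            continue
        if line.strip().startswith("Signature Algorithm:"):
            break  # the extension section ends here
        m = EXT_HEADER.match(line)
        if m:
            current = m.group(1)
            exts[current] = (m.group(2) == "critical", [])
        elif current is not None and line.strip():
            exts[current][1].append(line.strip())
    return exts

KU_ALLOWED = {"Digital Signature", "Non Repudiation"}

def check_timestamp_purpose(cert_text):
    """(ok, reasons) for an end-entity cert under OpenSSL's three timestamp-signing rules."""
    exts, reasons = parse_extensions(cert_text), []
    # Rule 1: keyUsage is optional, but if present it may contain nothing but
    # digitalSignature and/or nonRepudiation; keyEncipherment is fatal.
    if "X509v3 Key Usage" in exts:
        bits = {b.strip() for b in ",".join(exts["X509v3 Key Usage"][1]).split(",")} - {""}
        if not bits & KU_ALLOWED or bits - KU_ALLOWED:
            reasons.append("keyUsage must be only Digital Signature and/or Non Repudiation, "
                           "got: " + ", ".join(sorted(bits)))
    # Rule 2: extendedKeyUsage is required and must name Time Stamping only (OpenSSL
    # compares a bitmask of purposes it knows; this stricter version rejects unknown ones).
    eku = exts.get("X509v3 Extended Key Usage")
    if eku is None:
        reasons.append("extendedKeyUsage extension is missing")
    else:
        purposes = {p.strip() for p in ",".join(eku[1]).split(",")} - {""}
        if purposes != {"Time Stamping"}:
            reasons.append("extendedKeyUsage must contain only Time Stamping, got: "
                           + ", ".join(sorted(purposes)))
        # Rule 3: the extendedKeyUsage extension must be marked critical.
        if not eku[0]:
            reasons.append("extendedKeyUsage must be marked critical")
    return (not reasons, reasons)

# Constructed sample dumps (extension sections only), modelled on the three
# certificates posted in the thread; they are not the actual files.
CERT_EKU_NOT_CRITICAL = """\
        X509v3 extensions:
            X509v3 Extended Key Usage:
                Time Stamping
            X509v3 Subject Alternative Name: critical
                email:a...@dom.com
    Signature Algorithm: sha1WithRSAEncryption
"""
CERT_KEY_ENCIPHERMENT = """\
        X509v3 extensions:
            X509v3 Key Usage:
                Digital Signature, Non Repudiation, Key Encipherment
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Extended Key Usage: critical
                Time Stamping
    Signature Algorithm: sha1WithRSAEncryption
"""
CERT_OK = CERT_KEY_ENCIPHERMENT.replace(", Key Encipherment", "")
LOG_LINE = ("[Thu Feb 17 19:23:09 2011] [error] mod_tsa:1510:error:2F083075:"
            "lib(47):func(131):reason(117):ts_rsp_sign.c:206:")

if __name__ == "__main__":
    print(decode_log_line(LOG_LINE))
    for name, cert in [("eku not critical", CERT_EKU_NOT_CRITICAL),
                       ("key encipherment", CERT_KEY_ENCIPHERMENT), ("ok", CERT_OK)]:
        ok, reasons = check_timestamp_purpose(cert)
        print(name + ":", "accepted" if ok else "rejected (" + "; ".join(reasons) + ")")
```

Run against a real file with `check_timestamp_purpose(open("tssCRT.pem.txt").read())` after `openssl x509 -in tssCRT.pem -noout -text > tssCRT.pem.txt`. The first sample is rejected only because Extended Key Usage is not critical (the critical Subject Alternative Name is harmless to this check, it just is not the extension that needed the flag), the second only because of Key Encipherment, and the third passes; that is the same order of diagnoses the thread reached by hand. Note that the mod_tsa message "could not load X.509 certificate" is mod_tsa's wording for any failure of TS_RESP_CTX_set_signer_cert, so file permissions and paths are only worth checking once the purpose check passes.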
HELP!!!! mod_tsa:could not load X.509 certificate

Hello! I have spent days trying to install the timestamp service with openTSA, but I have trouble with Step 14: "Generate a private key and a certificate including the critical TimeStamping X.509v3 extended key usage extension for the TSA and set up the mod_tsa options in the httpd.conf configuration; see the mod_tsa documentation for the available mod_tsa-specific directives."

In tsa.conf I have:

<IfModule mod_tsa.c>
    <Location /tsa>
        SetHandler tsa
        Order allow,deny
        Allow from all
    </Location>
    TSASerialFile conf/tsaserial
    # TSACryptoDevice builtin
    TSACertificate /root/tssCRT.pem
    #TSACertificateChain /home/ca_certs
    TSAKey /root/tssKey.pem
    TSAKeyPassPhrase Off
    TSADefaultPolicy 1.1.2
    TSAPolicies 1.1.3 1.1.4
    TSAMessageDigests sha1 md5
    TSAAccuracy 60 0 0
    TSAClockPrecisionDigits 0
    TSAOrdering Off
    TSAIncludeName On
    TSAESSCertIdChain On
    # TSADBModule None
    # TSAMySQLHost localhost
    # TSAMySQLPort 3306
    # TSAMySQLUnixSocket /tmp/mysql.sock
    # TSAMySQLUser zglozik
    # TSAMySQLDatabase tsa
    # TSAMySQLPassPhrase On
    # TSAFireBirdHost localhost
    # TSAFireBirdPort 3306
    # TSAFireBirdUnixSocket /tmp/firebird.sock
    # TSAFireBirdUser SYSDBA
    # TSAFireBirdDatabase tsa
    # TSAFireBirdPassPhrase On
    # TSAPostgreSQLHost localhost
    # TSAPostgreSQLPort 5432
    # TSAPostgreSQLUser www
    # TSAPostgreSQLDatabase tsa
    # TSAPostgreSQLPassPhrase On
</IfModule>

In httpd.conf I have:

LoadModule tsa_module /usr/lib/apache2/modules/mod_tsa.so
LoadModule ssl_module /usr/lib/apache2/modules/mod_ssl.so
Include /root/mod_tsa/tsa.conf
ServerName Localhost

My Apache log gives the following error:

[Thu Feb 17 19:23:09 2011] [notice] mod_tsa:database driver is set to: None
[Thu Feb 17 19:23:09 2011] [warn] Init: Session Cache is not configured [hint: SSLSessionCache]
[Thu Feb 17 19:23:09 2011] [warn] module tsa_module is already loaded, skipping
[Thu Feb 17 19:23:09 2011] [warn] module tsa_module is already loaded, skipping
[Thu Feb 17 19:23:09 2011] [notice] mod_tsa:re-initialization started
[Thu Feb 17 19:23:09 2011] [notice] mod_tsa:serial file is re-used: /etc/apache2/conf/tsaserial
[Thu Feb 17 19:23:09 2011] [notice] mod_tsa:crypto device is set to: builtin
[Thu Feb 17 19:23:09 2011] [error] mod_tsa:could not load X.509 certificate: /root/tssCRT.pem
[Thu Feb 17 19:23:09 2011] [error] mod_tsa:1510:error:2F083075:lib(47):func(131):reason(117):ts_rsp_sign.c:206:
[Thu Feb 17 19:23:09 2011] [emerg] exiting, fatal error during mod_tsa initialisation.

Do you know what I could be doing wrong? I appreciate your help. I do not know what else to do; I created the certificate with the Time Stamping extension. Thanks!
Re: HELP!!!! mod_tsa:could not load X.509 certificate

Hi. TSA certificate:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 8d:0b:98:ba:f3:e4:5d:4c
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=ve, ST=distrito capital, L=caracas, O=suscerte, OU=ac, CN=acraiz/emailAddress=a...@dom.com
        Validity
            Not Before: Feb 17 18:54:59 2011 GMT
            Not After : Feb 17 18:54:59 2012 GMT
        Subject: C=VE, ST=Distrito Capital, L=Caracas, O=Sistema Nacional, OU=TSA, CN=TSS/emailAddress=t...@sdom.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (2048 bit)
                Modulus (2048 bit):
                    00:af:85:81:65:df:3a:7d:49:df:fc:04:cd:3a:83:
                    76:ac:67:af:98:70:4d:d9:34:ed:fc:e2:96:5f:09:
                    07:9d:cf:3c:f0:6b:f0:1e:9c:61:d5:1d:6a:c9:d2:
                    42:27:2b:1e:83:53:fa:01:97:f7:ef:82:92:a8:9a:
                    7b:f3:36:89:e0:ce:4f:5f:7b:0f:a5:2d:f8:84:6e:
                    9d:14:70:12:77:f7:bf:29:f8:ef:07:1d:6f:ff:e6:
                    e7:0c:e4:94:a2:6e:9f:dc:63:51:d8:d9:d5:f2:7f:
                    5b:89:3d:45:91:04:db:5b:9d:9b:6b:86:68:7f:fc:
                    ff:78:d7:c1:6e:91:ec:dd:64:56:66:fe:9f:40:a3:
                    fa:a7:be:3a:bb:f1:9f:95:03:db:29:14:51:1a:d6:
                    04:4c:d7:33:8b:a8:c6:d6:b1:d4:12:85:91:bf:b8:
                    fb:2b:12:d2:c6:bd:d4:5f:96:37:c7:fa:8a:cc:59:
                    ef:7f:24:f6:b8:3c:a4:b9:19:03:3e:76:ef:2b:7f:
                    53:73:e4:40:38:b7:4e:e6:34:bc:c5:54:49:ea:b2:
                    25:ab:aa:2a:49:0f:26:47:2b:7d:1d:65:fa:4d:fe:
                    0b:a2:a9:bb:c7:1a:d9:f6:3a:d5:07:c0:10:46:18:
                    6f:08:76:2e:8b:ad:12:8d:54:83:ca:71:50:13:20:
                    b5:67
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Extended Key Usage:
                Time Stamping
            X509v3 Subject Alternative Name: critical
                email:a...@dom.com
    Signature Algorithm: sha1WithRSAEncryption
        12:7e:67:66:51:e3:a5:98:3c:ae:e5:fc:1f:b2:ca:99:f7:d0:
        eb:db:62:48:f0:68:80:ed:94:ed:13:7a:41:f9:92:3e:bc:05:
        92:42:f2:8d:dc:39:54:3b:de:06:a8:cc:1d:fb:f4:65:95:87:
        da:71:17:7f:60:02:ce:fb:18:4f:0f:50:30:63:5e:cc:2e:ed:
        9a:e9:a8:2f:dc:f8:a9:05:ac:6c:68:83:29:b6:49:97:a1:5f:
        d0:4d:79:f9:ca:84:7b:3b:4a:0f:88:74:fb:3e:b9:ea:62:d2:
        71:51:df:fc:11:23:62:3a:4c:4d:75:34:08:75:73:40:58:10:
        e4:b6:20:b1:63:85:93:4b:55:75:6d:47:38:ac:56:03:b4:ee:
        fa:2e:e5:ac:db:bf:e5:dd:81:bb:ea:26:a6:64:72:c2:50:39:
        d7:14:3a:f1:11:0b:7a:21:18:e6:0f:c3:18:91:f6:1c:9f:b4:
        39:17:5c:61:98:bb:92:b0:e6:e3:ff:d8:36:56:dc:e5:5a:94:
        1d:79:86:af:bb:a6:7d:5a:ca:ea:ad:92:36:b9:07:ae:28:83:
        98:78:93:51:31:d0:6c:b0:bc:c1:35:53:4f:41:07:ce:81:e5:
        92:19:1a:39:a4:08:7b:7b:29:04:b1:8a:6a:b0:64:0d:81:ef:
        54:0c:bc:36

Thanks for your help!

2011/2/18 Jaroslav Imrich <jaroslav.imr...@gmail.com>

Hello Yessica,

the error may be caused by incorrect extensions in the TSA certificate. Could you please post the output of the following command:

openssl x509 -in /root/tssCRT.pem -text

--
Kind Regards / S pozdravom
Jaroslav Imrich
http://www.jariq.sk
Re: HELP!!!! mod_tsa:could not load X.509 certificate

I tried with the certificate from the opentsa page, tsa_ns.crt; it still gives me the same error. This is the certificate:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 15 (0xf)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=IE, ST=Co. Dublin, L=Dublin, O=OpenTSA, CN=OpenTSA Root CA/emailAddress=i...@opentsa.org
        Validity
            Not Before: Sep 23 20:20:13 2006 GMT
            Not After : Sep 20 20:20:13 2016 GMT
        Subject: C=HU, ST=Co. Bekes, L=Bekescsaba, O=OpenTSA, CN=OpenTSA demo/emailAddress=zglo...@opentsa.org
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                    00:d6:4c:ef:5f:21:1b:11:77:87:fe:df:14:a6:3f:
                    09:a3:45:ac:90:83:06:11:b1:93:3e:90:60:5e:88:
                    69:43:7e:d1:1f:5c:5f:60:58:f0:ea:37:b5:b0:0e:
                    ad:6d:f6:bd:2b:15:2a:bc:b8:16:53:2f:5c:25:ee:
                    9d:5f:99:ad:04:a0:d2:e7:73:2f:f0:f5:87:97:de:
                    3f:a5:79:13:9f:0e:f8:c4:be:bf:ef:76:64:39:d2:
                    4b:fd:5c:3e:4d:33:a6:8c:c1:05:23:9e:33:61:8e:
                    b2:1b:e8:d7:ae:6e:d0:b5:bf:52:bc:29:7a:c1:7e:
                    24:b6:de:3d:f3:5a:f7:30:ef
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Key Usage:
                Digital Signature, Non Repudiation
            X509v3 Subject Key Identifier:
                CE:11:23:2C:41:E2:96:4C:E8:16:0D:DA:6A:FC:24:57:C2:2B:EA:78
            X509v3 Authority Key Identifier:
                keyid:2D:9D:F7:1D:7E:65:77:9A:F4:D9:B4:99:B1:17:3B:C4:2F:C8:AD:A5
                DirName:/C=IE/ST=Co. Dublin/L=Dublin/O=OpenTSA/CN=OpenTSA Root CA/emailAddress=i...@opentsa.org
                serial:97:36:5B:C6:93:41:1C:87
            X509v3 Subject Alternative Name:
                email:zglo...@opentsa.org
            X509v3 Extended Key Usage: critical
                Time Stamping
    Signature Algorithm: sha1WithRSAEncryption
        da:fd:01:4c:29:ba:f0:a4:e9:21:5c:ec:6c:d4:77:6d:e7:69:
        8b:9f:ec:71:43:9c:0e:9a:97:b6:4d:6a:d5:ec:24:82:52:c5:
        f7:07:23:64:04:07:3c:ac:f1:af:4a:67:eb:1f:57:73:23:c4:
        36:2c:39:36:f0:58:bb:c8:8e:c5:af:64:02:76:bc:46:a6:c5:
        62:31:7e:80:31:17:72:b5:a6:50:e8:ef:34:cd:e8:47:e6:98:
        71:88:2f:07:96:f8:09:20:19:f4:8d:f4:2c:33:09:09:93:c5:
        f1:3a:f7:c3:2f:87:d7:01:d6:eb:ce:95:87:12:67:fa:cb:e8:
        63:f6:6f:20:f2:40:a5:d8:60:49:9c:3f:79:1c:7c:34:45:c7:
        be:c3:63:16:0a:0d:e8:28:1a:7f:6f:75:bf:f4:e4:ec:97:93:
        84:fa:8d:41:18:a7:ef:15:97:b4:8b:d7:b2:e4:5d:c1:95:47:
        6d:21:3d:ea:a8:7d:31:dd:21:94:15:ea:5c:9f:1f:0e:85:bf:
        df:3a:45:d2:dc:1c:e4:6a:31:b7:61:f0:54:4f:a7:c1:1c:02:
        d9:10:f2:ed:c3:a4:90:c6:53:aa:9f:4b:84:c1:4b:06:5e:65:
        d3:32:b2:fe:f6:7a:96:ea:f5:07:63:48:a1:eb:54:9e:62:41:
        4d:73:6b:57
mod_tsa:could not load X.509 certificate

hello! I'm installing mod_tsa on apache2; I followed the configuration but it shows me the error:

[Wed Feb 16 19:51:54 2011] [notice] mod_tsa:database driver is set to: None
[Wed Feb 16 19:51:54 2011] [warn] module tsa_module is already loaded, skipping
[Wed Feb 16 19:51:54 2011] [warn] module tsa_module is already loaded, skipping
[Wed Feb 16 19:51:54 2011] [warn] module tsa_module is already loaded, skipping
[Wed Feb 16 19:51:54 2011] [notice] mod_tsa:re-initialization started
[Wed Feb 16 19:51:54 2011] [notice] mod_tsa:serial file is re-used: /etc/apache2/conf/tsaserial
[Wed Feb 16 19:51:54 2011] [notice] mod_tsa:crypto device is set to: builtin
[Wed Feb 16 19:51:54 2011] [error] mod_tsa:could not load X.509 certificate: /usr/local/ssl/misc/demoCA/tsscert.pem
[Wed Feb 16 19:51:54 2011] [error] mod_tsa:1590:error:2F083075:lib(47):func(131):reason(117):ts_rsp_sign.c:206:
[Wed Feb 16 19:51:54 2011] [emerg] exiting, fatal error during mod_tsa initialisation.

I appreciate your help. Thanks! Greetings!
Problems with installing openssl in ubuntu

Hi people! I'm new to the group and to openssl; I need to install openssl with support for TSS on a machine with Ubuntu 10.10. I downloaded the source code from http://www.openssl.org/source/, version openssl-fips-1.2.2, but when I run make I get the following error:

Unable to find /usr/local/ssl/lib/fips-1.0//fipscanister.o
make[2]: *** [link_app.] Error 1
make[2]: Leaving directory `/home/yessica/Desktop/openssl-fips-1.2.2/test'
make[1]: *** [ssltest] Error 2
make[1]: Leaving directory `/home/yessica/Desktop/openssl-fips-1.2.2/test'
make: *** [build_tests] Error 1

So I tried with the openssl-1.0.0c version, which compiled and installed without problems; however, even though TSS is supported from version 1.0.0-beta4 on, the install does not offer that service. I check with the command openssl version and it tells me I have OpenSSL 0.9.8o June 1, 2010 even after installing version 1.0.0c. Does anyone have any idea what might be happening? I would be obliged for your help! Thanks! Greetings!