OpenSSL Timestamping

2007-07-26 Thread thomas.beckmann
Hi all!
 
In the openssl documentation I found the command ts for timestamping
actions. Trying this command with my openssl 0.9.8e I was told that this
is an unknown command.
Now I am wondering if the documentation may be some kind of too up to date
- which is normally not the case with docs - or if it is just a joke.
 
Who can tell me more about openssl and timestamping?
 
Best regards
 
Thomas


Atos Origin GmbH, Theodor-Althoff-Str. 47, D-45133 Essen, P.O. Box 100 123, D-45001 Essen
Phone: +49 201 4305 0, Fax: +49 201 4305 689095, www.atosorigin.de
Dresdner Bank AG, Hamburg: Account 0954411200, Bank code 200 800 00, Swift Code DRESDEFF200, IBAN DE6920080954411200
Managing Director: Dominique Illien, Commercial Register Essen HRB 19354, VAT ID No.: DE147861238

Re: Database file structure

2007-05-25 Thread thomas.beckmann
Bruno,

A database line is structured as follows:

1. state of the cert (V=valid, R=revoked, E=expired, where the state is not changed automatically if a cert expires)
2. end of validity
3. revocation time (empty when the cert is not revoked)
4. serial number in hex
5. Where the cert can be found (only value is unknown today)
6. Name of certificate holder (normally the DN)

Regards

Thomas

 -----Original Message-----
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On behalf of Bruno 
 Costacurta
 Sent: Thursday, 24 May 2007 17:30
 To: openssl-users@openssl.org
 Subject: Database file structure
 
 Dears,
 
 just for curiosity,
 what are the structure  description of the database file 
 (often) called 'index' and which corresponds in fact to the 
 parameter 'database' in openssl.cnf ?
 Please find a sample hereafter as it's mainly human readable.
 
 Thanks for any info.
 Bye,
 Bruno
 
 ...
 V 100221212735Z   03  unknown /C=BE/ST=Brussels Region/L=Brussels/O=Acme.org/CN=acer9100 radius client/[EMAIL PROTECTED]
 V 100523143810Z   04  unknown /C=BE/ST=Brussels Region/L=Brussels/O=Acme.org/CN=pc34ghz.org/emailAddress=bruno@Acme.org
 V 100523144327Z   05  unknown /C=BE/ST=Brussels Region/L=Brussels/O=Acme.org/CN=pc34ghz.org/emailAddress=bruno@Acme.org
 V 100523151137Z   06  unknown /C=BE/ST=Brussels Region/L=Brussels/O=Acme.org/CN=Bruno Acme/[EMAIL PROTECTED]/description=test only
 V 100523151243Z   07  unknown /C=BE/ST=Brussels Region/L=Brussels/O=Acme.org/CN=pc34ghz.org/emailAddress=bruno@Acme.org/description=for apache2 SSL server  client
 ...
 
 --
 PGP key ID: 0x2e604d51
 Key : http://www.costacurta.org/keys/bruno_costacurta_pgp_key.html
 Key fingerprint = 713F 7956 9441 7DEF 58ED  1951 7E07 569B 2E60 4D51
 --
 

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
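
A parser for the six fields listed in the reply above, as an added example that is not part of the original thread. It assumes the fields are tab-separated and that a revocation reason may follow the revocation time after a comma (neither detail is stated in the message); the sample lines are constructed. Because the state is not changed automatically when a cert expires, it also reports entries that are still marked V after their end of validity.

```python
from datetime import datetime, timezone
from typing import NamedTuple, Optional

class IndexEntry(NamedTuple):
    status: str                     # field 1: V, R or E
    expires: datetime               # field 2: end of validity
    revoked_at: Optional[datetime]  # field 3: empty unless revoked
    reason: Optional[str]           # assumption: optional ",reason" suffix of field 3
    serial: int                     # field 4: hex in the file
    filename: str                   # field 5: "unknown"
    subject: str                    # field 6: holder name (DN)

def parse_time(text: str) -> datetime:
    """Parse YYMMDDHHMMSSZ (or the 4-digit-year variant) as UTC."""
    if len(text) == 13:  # two-digit year: 00-49 -> 20xx, 50-99 -> 19xx
        text = ("20" if int(text[:2]) < 50 else "19") + text
    return datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def parse_line(line: str) -> IndexEntry:
    fields = line.rstrip("\r\n").split("\t")  # assumption: tab-separated
    if len(fields) != 6:
        raise ValueError(f"expected 6 fields, got {len(fields)}: {line!r}")
    status, expires, revoked, serial, filename, subject = fields
    if status not in ("V", "R", "E"):
        raise ValueError(f"unknown state {status!r}")
    if (status == "R") != bool(revoked):
        raise ValueError(f"state {status} disagrees with revocation field {revoked!r}")
    when, _, reason = revoked.partition(",")
    return IndexEntry(status, parse_time(expires),
                      parse_time(when) if when else None, reason or None,
                      int(serial, 16), filename, subject)

def stale_valid(entries, now: datetime):
    """Entries still marked V although their validity has ended."""
    return [e for e in entries if e.status == "V" and e.expires <= now]

# Constructed sample database lines (not taken from the thread).
SAMPLE = (
    "V\t100221212735Z\t\t03\tunknown\t/C=BE/O=Example/CN=host-a\n"
    "R\t100523143810Z\t090101120000Z,keyCompromise\t04\tunknown\t/C=BE/O=Example/CN=host-b\n"
    "V\t350101000000Z\t\t0A\tunknown\t/C=BE/O=Example/CN=host-c\n"
)
ENTRIES = [parse_line(line) for line in SAMPLE.splitlines()]

if __name__ == "__main__":
    for e in stale_valid(ENTRIES, datetime.now(timezone.utc)):
        print(f"serial {e.serial:02X} is marked V but expired {e.expires:%Y-%m-%d}")
```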


Openssl ocsp

2007-04-02 Thread thomas.beckmann
Hi all,

I try to ask an ocsp responder for the status of some certificates using
openssl as ocsp client.
Doing that the client produces the following Messages:


---
C:\Programme\OpenSSL\bin>openssl ocsp -issuer c:\Programme\OpenSSL\bin\certs\cert.pem -serial 1123 -url http://161.90.190.254:2560 -verify_other c:\Programme\OpenSSL\bin\certs\ocsp.pem -trust_other
Response Verify Failure
2492:error:0407006A:rsa routines:RSA_padding_check_PKCS1_type_1:block type is not 01:.\crypto\rsa\rsa_pk1.c:100:
2492:error:04067072:rsa routines:RSA_EAY_PUBLIC_DECRYPT:padding check failed:.\crypto\rsa\rsa_eay.c:699:
2492:error:0D0C5006:asn1 encoding routines:ASN1_item_verify:EVP lib:.\crypto\asn1\a_verify.c:168:
2492:error:27069075:OCSP routines:OCSP_basic_verify:signature failure:.\crypto\ocsp\ocsp_vfy.c:98:
1123: revoked
This Update: Mar 30 15:51:13 2007 GMT
Next Update: Apr  2 10:33:23 2007 GMT
Revocation Time: Mar 30 15:00:00 2007 GMT

---

What will openssl tell me? What's going wrong here? Any ideas?

Best regards

Thomas



pkey-command

2007-02-02 Thread thomas.beckmann
Hi all,
 
in the openssl docs I found a command called pkey that is said to show
me the public and private keys in different ways.
Trying to use it, openssl (0.9.8d) told me that pkey is an unknown
command. I wonder if it is no longer supported in later versions.
 
Best regards
 
Thomas


Re: AGAIN: Query on CRL distribution point

2006-12-19 Thread thomas.beckmann
Stephen,

Thanx for your reply. I found that x509_config page before. But to be honest, 
the cdp part didn't help me very much with the particular comma problem. And, 
by the way, the second error below and the value=cdp_sect message result 
from my tries to use the configuration described in that page. It seems to me 
that the referred section is not found or erroneous.

Best regards

Thomas

 -----Original Message-----
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On behalf of Dr. 
 Stephen Henson
 Sent: Tuesday, 19 December 2006 01:59
 To: openssl-users@openssl.org
 Subject: Re: AGAIN: Query on CRL distribution point
 
 On Mon, Dec 18, 2006, [EMAIL PROTECTED] wrote:
 
   
  Hi all,
  
  I am just working on a certificate profile and I need to 
 include a cdp in the following form:
  
  
 ldap://my.company.com/CN=Name,OU=Department,O=Company,C=DE?certificateRevocationList
  
  So the cdp should point to the crl in a directory on a 
 certain server and the access protocol is ldap. 
  
  From the attached email I learned that the commas in the 
 directory string will cause problems!
  
  But how is it done correctly? How do I have to write the 
 section mentioned below? All my tries result in messages like this:
  
  Error Loading extension section v3_ca
  4461:error:2207507C:X509 V3 
 routines:v2i_GENERAL_NAME_ex:missing value:v3_alt.c:432:
  4461:error:22098080:X509 V3 routines:X509V3_EXT_nconf:error in 
  extension:v3_conf.c:93:name=crlDistributionPoints, value=cdp_sect
  
 
 Erm I answered your question below. Sorry if it wasn't clear. 
 This should hopefully clarify it:
 
 http://www.openssl.org/docs/apps/x509v3_config.html#NOTES
 
 Steve.
 --
 Dr Stephen N. Henson. Email, S/MIME and PGP keys: see 
 homepage OpenSSL project core developer and freelance consultant.
 Funding needed! Details on homepage.
 Homepage: http://www.drh-consultancy.demon.co.uk


AGAIN: Query on CRL distribution point

2006-12-18 Thread thomas.beckmann
 
Hi all,

I am just working on a certificate profile and I need to include a cdp in the 
following form:

ldap://my.company.com/CN=Name,OU=Department,O=Company,C=DE?certificateRevocationList

So the cdp should point to the crl in a directory on a certain server and the 
access protocol is ldap. 

From the attached email I learned that the commas in the directory string will 
cause problems!

But how is it done correctly? How do I have to write the section mentioned below? 
All my tries result in messages like this:

Error Loading extension section v3_ca
4461:error:2207507C:X509 V3 routines:v2i_GENERAL_NAME_ex:missing 
value:v3_alt.c:432:
4461:error:22098080:X509 V3 routines:X509V3_EXT_nconf:error in 
extension:v3_conf.c:93:name=crlDistributionPoints, value=cdp_sect

Best regards

Thomas

 -----Original Message-----
 From: Dr. Stephen Henson [mailto:[EMAIL PROTECTED] 
 Sent: Sunday, 5 September 2004 21:46
 To: openssl-users@openssl.org
 Subject: Re: Query on CRL distribution point
 
 On Sun, Sep 05, 2004, pijush koley wrote:
 
  Hi!
  I want to setup a test CA using OpenSSL. So I configured 
 openssl.cnf 
  file according to my environment. Then I executed following command
   
  CA.pl -newca
   
  This gave an error and it indicated that following line 
 produced an error.
   
  crlDistributionPoints = URI:ldap://server 
  IP:port/CRLObjID=CRLPoint,o=domain
   
  Than I changed this line to
   
  crlDistributionPoints = URI:http://server IP:port/TestCRL/
   
  and this time whole setup worked fine. 
  Can anybody please tell me why crlDistributionPoints failed 
 to take an URI started with ldap?
   
 
 Yes, it's the embedded comma. If you need a comma then use the 
 alternative @section format mentioned in doc/openssl.txt
 
 Steve.
 --
 Dr Stephen N. Henson. Email, S/MIME and PGP keys: see 
 homepage OpenSSL project core developer and freelance consultant.
 Funding needed! Details on homepage.
 Homepage: http://www.drh-consultancy.demon.co.uk
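
Why the single-line form breaks on this URI, and what the @section form mentioned in the quoted reply looks like, as an added example that is not part of the thread. `parse_multi_value` is a simplified model of the comma and colon splitting (not OpenSSL's code), the function names are hypothetical, and the numbered `URI.1 = ...` line follows the usual OpenSSL config-section convention; the section name `cdp_sect` is the one from the error message above.

```python
def parse_multi_value(value):
    """Simplified model of a single-line multi-valued extension:
    commas separate items, the first ':' in an item splits name and value."""
    items = []
    for item in value.split(","):
        name, sep, val = item.strip().partition(":")
        items.append((name, val if sep else None))
    return items

def missing_values(value):
    """Items that end up with a name but no value (the 'missing value' case)."""
    return [name for name, val in parse_multi_value(value) if val is None]

def section_form(ext_name, section, general_names):
    """Emit the @section form: one 'TYPE.n = value' line per general name,
    so a comma inside a value is never read as an item separator."""
    lines = [f"{ext_name} = @{section}", "", f"[ {section} ]"]
    counters = {}
    for gn in general_names:
        kind, sep, val = gn.partition(":")
        if not sep or not val:
            raise ValueError(f"expected TYPE:value, got {gn!r}")
        counters[kind] = counters.get(kind, 0) + 1
        lines.append(f"{kind}.{counters[kind]} = {val}")
    return "\n".join(lines)

# The distribution point from the message above, in single-line syntax.
CDP = ("URI:ldap://my.company.com/CN=Name,OU=Department,O=Company,C=DE"
       "?certificateRevocationList")

if __name__ == "__main__":
    print("items without a value:", missing_values(CDP))
    print(section_form("crlDistributionPoints", "cdp_sect", [CDP]))
```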


Re: SHA2

2006-10-30 Thread thomas.beckmann
Is there already a stable version of OpenSSL in the field that supports SHA256?

Best regards

Thomas 

 -----Original Message-----
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On behalf of Nils Larsch
 Sent: Thursday, 12 May 2005 09:33
 To: openssl-users@openssl.org
 Subject: Re: SHA2
 
 Milan Tomic wrote:
  
  I'm trying to generate self signed certificates with sha256, sha384 
  and
  sha512 algorithms for testing purposes. It seems 
 openssl.exe doesn't 
  understand it, although I have downloaded latest version 
 (openssl-0.9.7g).
 
 try a recent snapshot from 0.9.8-dev (the cvs head)
 
 Nils


Fwd: [Openca-Users] After 100000 certificate issued...

2006-09-19 Thread thomas.beckmann
I found this in the OpenCA-Users mailinglist.

Any ideas or suggestions?

Regards

Thomas

 -----Original Message-----
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On behalf of 
 Diego de Felice
 Sent: Monday, 18 September 2006 23:32
 To: Ideas, tips and discussions about OpenCA installation and 
 management.
 Subject: [Openca-Users] After 100000 certificate issued...
 
  I've tested OpenCA (an old version to be honest) by issuing 
 more than 100000 certificates. The response times of course 
 are a bit degraded.
 I can say that the global functionality of OpenCA is not so 
 much influenced (only some pages regarding searches, but I 
 think they can be simply fixed). The most terrible issue 
 however is OpenSSL and its index.txt! With 100000 and more 
 certificates the index.txt file is about 19 megabytes and for 
 every certificate you must wait a lot of seconds and this is 
 more and more notable when this number grows. I know this is 
 not OpenCA related, but does someone know if there is a 
 project to enhance index.txt into a better-performing solution? 
 Is the nextgen OpenCA less dependent on the command line openssl?
 
  Thanks in advance.
 
 --
 Diego de Felice
 