Config file

2004-11-17 Thread Zerg
Hi.
Is it possible to write to config file with CONF API?

__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]


Sample config file

2004-04-25 Thread Archer-Lampron
Hello,

I am a newbie trying to generate my first certificates with openssl for use
with Apache on Windows XP.  I seem to be missing a .CONF configuration file.
Is a sample available somewhere?

Thanks for any assistance that can be provided.



Config File ..help !

2005-07-12 Thread Nabil Ghadiali
Hello,


Can someone tell me if this is the correct format for a configuration file to be used with the asn1parse -genconf option.

--

asn1=SEQUENCE:otherName


[otherName]

type-id=OID:1.3.6.1.4.1.311.20.2.3

value=UTF8:[EMAIL PROTECTED]

--


Thanks in advance.


-Nabil





config file help

2002-10-22 Thread Eric Weitzman
Is there any overview documentation on the relationship between the keys and
sections in openssl.cnf and both the commands that use those keys (ca, req,
x509, etc) and to which other sections in the config file certain keys point?
For example, the value for the key distinguished_name in the [ req ] section is
used by the req command to find the section that contains the distinguished name
for ???

Neither O'Reilly's OpenSSL book nor the html documentation on www.openssl.org
contain any documentation (that I can find...) to unravel these mysteries.

TIA,
- Eric





RE: Sample config file

2004-04-26 Thread Archer-Lampron
Thank you for the reply.

I do not have an openssl.cnf file anywhere in the Apache Group directory nor
in its subdirectories.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Dr. Stephen Henson
Sent: Sunday, April 25, 2004 12:07 PM
To: [EMAIL PROTECTED]
Subject: Re: Sample config file


On Fri, Apr 23, 2004, Archer-Lampron wrote:

> Hello,
>
> I am a newbie trying to generate my first certificates with openssl for use
> with Apache on Windows XP.  I seem to be missing a .CONF configuration file.
> Is a sample available somewhere?
>
> Thanks for any assistance that can be provided.
>

openssl.cnf in the apps directory.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk


RE: Sample config file

2004-04-26 Thread Carlos Roberto Zainos H
Hi !
Dr Henson refers to openssl-0.9.7.your-dist/apps (if you're working on a Linux/Unix box); in that directory there is an openssl.cnf file (the openssl example configuration file).

If you're working in Win32 there must be an openssl.cnf in C:\openssl-folder\bin. In both cases you must customize (if you want) that file; for testing purposes, the file without changes would be ok.
 
Zainos

Archer-Lampron <[EMAIL PROTECTED]> wrote:
> Thank you for the reply. I do not have an openssl.cnf file anywhere in the
> Apache Group directory nor in its subdirectories.

openssl config file location

2005-06-02 Thread Kent Yoder
Hi, the page

http://www.openssl.org/docs/crypto/OPENSSL_config.html

claims that OPENSSL_CONFIG should be the environment variable to set
for an alternate config file, however it appears that the code wants
OPENSSL_CONF.  Also, the OPENSSL_config.3 man page shows
OPENSSL_CONFIG..  Others manpages such as ca.1 show OPENSSL_CONF...

Kent


Re: config file help

2002-10-22 Thread Richard Levitte - VMS Whacker
In message <[EMAIL PROTECTED]> on Tue, 22 Oct 2002 
11:49:39 -0700, "Eric Weitzman" <[EMAIL PROTECTED]> said:

eweitzman> Is there any overview documentation on the relationship
eweitzman> between the keys and sections in openssl.cnf and both the
eweitzman> commands that use those keys (ca, req, x509, etc) and to
eweitzman> which other sections in the config file certain keys point?
eweitzman> For example, the value for the key distinguished_name in
eweitzman> the [ req ] section is used by the req command to find the
eweitzman> section that contains the distinguished name for ???

Isn't http://www.openssl.org/docs/apps/req.html enough?  There's a
small blurb about distinguished_name ending by saying that the section
it refers to is explained in the next section of that manual.  That
section is basically right below said blurb.

Generally, look at the manual for each command, and you will hopefully
find what you're looking for.

If you find the manuals incomplete, please tell us in detail what's
missing or should be changed, and we'll do our best to correct it.

Note: the manuals on the web are for the development version, so some things
do not yet exist in the latest OpenSSL releases.  I don't think that's
the case for req, however...

-- 
Richard Levitte   \ Spannvägen 38, II \ [EMAIL PROTECTED]
Redakteur@Stacken  \ S-168 35  BROMMA  \ T: +46-8-26 52 47
\  SWEDEN   \ or +46-708-26 53 44
Procurator Odiosus Ex Infernis-- [EMAIL PROTECTED]
Member of the OpenSSL development team: http://www.openssl.org/

Unsolicited commercial email is subject to an archival fee of $400.
See <http://www.stacken.kth.se/~levitte/mail/> for more info.



RE: config file help

2002-10-22 Thread Eric Weitzman
Richard,

> "Eric Weitzman" <[EMAIL PROTECTED]> said:
>
> eweitzman> Is there any overview documentation on the relationship
> eweitzman> between the keys and sections in openssl.cnf and both the

> Isn't http://www.openssl.org/docs/apps/req.html enough?  There's a
> small blurb about distinguished_name ending by saying that the section
> it refers to is explained in the next section of that manual.  That
> section is basically right below said blurb.

This is enough to document req. But I was looking for overview documentation of
the config file per se.

Being new to openssl, it's a leap to go from a code distribution and command
descriptions to understanding the config file. It's an even bigger leap to
understand that one anticipated usage pattern for req requires that an app will
write the config file to supply specific values for the distinguished name
fields of the request. Normally, the config file tells the app how to act
globally, not how to behave for a specific invocation of the app.

It was while glimpsing this unique arrangement that I wondered, is there some
overview documentation that spells out the relationships between
commands->sections->keys->other_sections. It would be nice if this was done in
general, or as a compendium of all the various commands' usage of the config
file in the config file documentation. For example, are req and ca the only
commands that have their own eponymously-named sections with keys whose values
point to other sections? Or are there others? Are the OIDs in the section
pointed to by the global key oid_section used by more than x509?(I'll answer
this for myself shortly...see below)

> Generally, look at the manual for each command, and you will hopefully
> find what you're looking for.

I will take your advice and look for the information this way.

> If you find the manuals incomplete, please tell us in detail what's
> missing or should be changed, and we'll do our best to correct it.

I'm spiraling in to an understanding of the system as the blind men came to
understand the elephant. Since I'm interested in the CA capabilities, a document
that describes how ca, req, and x509 fit together and are configured would be
helpful.

> Note: the manuals on the web are for the development

Given this note, I understand that my documentation desires might go unheeded!
NP, I was just asking.

Thanks,
- Eric





Re: config file help

2002-10-22 Thread Richard Levitte - VMS Whacker
In message <[EMAIL PROTECTED]> on Tue, 22 Oct 2002 
13:05:40 -0700, "Eric Weitzman" <[EMAIL PROTECTED]> said:

eweitzman> Richard,
eweitzman> 
eweitzman> > "Eric Weitzman" <[EMAIL PROTECTED]> said:
eweitzman> >
eweitzman> > eweitzman> Is there any overview documentation on the relationship
eweitzman> > eweitzman> between the keys and sections in openssl.cnf and both the
eweitzman> 
eweitzman> > Isn't http://www.openssl.org/docs/apps/req.html enough?  There's a
eweitzman> > small blurb about distinguished_name ending by saying that the section
eweitzman> > it refers to is explained in the next section of that manual.  That
eweitzman> > section is basically right below said blurb.
eweitzman> 
eweitzman> This is enough to document req. But I was looking for
eweitzman> overview documentation of the config file per se.

http://www.openssl.org/docs/apps/config.html

eweitzman> It's an even bigger leap to understand that one anticipated
eweitzman> usage pattern for req requires that an app will write the
eweitzman> config file to supply specific values for the distinguished
eweitzman> name fields of the request.

Not quite.  There are two ways you can do this; 1) use the -subj
option when you call req, or 2) change all the {foo}_default values to
come from environment variables, and then set all those environment
variables to sensible values and call req with -batch.  An example:

[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = ${ENV::COUNTRYNAME}
countryName_min = 2
countryName_max = 2

eweitzman> It was while glimpsing this unique arrangement that I
eweitzman> wondered, is there some overview documentation that spells
eweitzman> out the relationships between
eweitzman> commands->sections->keys->other_sections. It would be nice
eweitzman> if this was done in general, or as a compendium of all the
eweitzman> various commands' usage of the config file in the config
eweitzman> file documentation. For example, are req and ca the only 
eweitzman> commands that have their own eponymously-named sections
eweitzman> with keys whose values point to other sections? Or are
eweitzman> there others? Are the OIDs in the section pointed to by the
eweitzman> global key oid_section used by more than x509?   (I'll
eweitzman> answer this for myself shortly...see below)

I think you need a general understanding of OpenSSL.  The OpenSSL
commands are really quite independent.  Each of them has its own
name as the main section of the configuration file to look in.  The
only ones that look in the configuration file are req, x509 and ca, so
the main sections in the configuration file are [req], [x509] and
[ca].  All other sections are somehow referenced from somewhere else,
and those details are specific to each command.

oid_section is used by req, x509 and ca.  Perhaps that isn't entirely
clear, although it is mentioned in each of those manual pages.

eweitzman> I'm spiraling in to an understanding of the system as the
eweitzman> blind men came to understand the elephant. Since I'm
eweitzman> interested in the CA capabilities, a document that
eweitzman> describes how ca, req, and x509 fit together and are
eweitzman> configured would be helpful.

In general, you can ignore x509 except for two purposes: 1) to create
a root certificate if you need to, and 2) to look at certificates.  It
only uses the configuration when creating certificates.

req is used to create certificate requests, ca is used to sign them.
Basically, the users wanting certificates would use req, and the CA
administrator would use ca...

eweitzman> > Note: the manuals on the web are for the development
eweitzman> 
eweitzman> Given this note, I understand that my documentation desires
eweitzman> might go unheeded!

Not necessarily, but we do have a certain structure, and it seems like
some overall manual that would direct you better than
http://www.openssl.org/docs/apps/openssl.html does is what you would
have needed.  Is that correct?

-- 
Richard Levitte   \ Spannvägen 38, II \ [EMAIL PROTECTED]
Redakteur@Stacken  \ S-168 35  BROMMA  \ T: +46-8-26 52 47
\  SWEDEN   \ or +46-708-26 53 44
Procurator Odiosus Ex Infernis-- [EMAIL PROTECTED]
Member of the OpenSSL development team: http://www.openssl.org/

Unsolicited commercial email is subject to an archival fee of $400.
See <http://www.stacken.kth.se/~levitte/mail/> for more info.



OpenSLL:Unable to load config file

2006-03-07 Thread 王 振江

Excuse me:
When I create a certificate, I encounter this error: Unable to load config 
file.

The details below:
My system environment: FC3 core + apache-1.3.33 + openssl-0.9.8 + 
mod_ssl-2.8.28 
Install Mode: DSO

when I execute the command in the shell:
#openssl req -new -x509 -days 3650 -key ca.key -out ca.crt
//ca.key already exists.
Unable to load config info
Enter pass phrase for ca.key:**
unable to find  'distinguished name' in config
problems making Certificate Request
8097: error 0E06D06A:configuration file routines:NCONF_get_string:no conf 
or enviroment variable:conf_lib.c325:

//---
Openssl Location:
/usr/bin/openssl
/usr/include/openssl
and there is a config file 'openssl.conf' in the source code directory 
which has already been built with make & make install


How can I solve this problem?





Re: openssl config file location

2005-06-02 Thread Dr. Stephen Henson
On Thu, Jun 02, 2005, Kent Yoder wrote:

> Hi, the page
> 
> http://www.openssl.org/docs/crypto/OPENSSL_config.html
> 
> claims that OPENSSL_CONFIG should be the environment variable to set
> for an alternate config file, however it appears that the code wants
> OPENSSL_CONF.  Also, the OPENSSL_config.3 man page shows
> OPENSSL_CONFIG..  Others manpages such as ca.1 show OPENSSL_CONF...
> 

That web page and OPENSSL_config.3 are from the same .pod file so they will
say the same :-)

Thanks for the report I'll fix it.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk


Special characters in config file

2003-07-03 Thread Fiel Cabral
Hello,

Does anyone have an idea of the escape sequences supported
by the config file? I'm trying to escape special characters
that could occur in the distinguished name attribute values
in the [req] section. Thank you for any tips.

-Fiel Cabral






Max values in config file

2003-09-04 Thread Gerd Schering
Hello,

in the sample config file that comes with openssl, there are some 
maximal lengths for some of the values, i.e.:

commonName_max  = 64
emailAddress_max= 40

I couldn't figure out the "real" limits for those values.
Does someone know these limits or where to look for them?
Thanks,
Gerd
--
--
-- Gerd Schering, Email: [EMAIL PROTECTED]  --
--


Re: OpenSLL:Unable to load config file

2006-03-07 Thread Bernhard Froehlich
王 振江 wrote:
> Excuse me:
> When I create a certificate, I encounter this error: Unable to load
> config file.
> The details below:
> My system environment: FC3 core + apache-1.3.33 + openssl-0.9.8 +
> mod_ssl-2.8.28 Install Mode: DSO
> when I execute the command in the shell:
> #openssl req -new -x509 -days 3650 -key ca.key -out ca.crt
> //ca.key already exists.
> Unable to load config info
> Enter pass phrase for ca.key:**
> unable to find 'distinguished name' in config
> problems making Certificate Request
> 8097: error 0E06D06A:configuration file routines:NCONF_get_string:no
> conf or enviroment variable:conf_lib.c325:
> //---
> Openssl Location:
> /usr/bin/openssl
> /usr/include/openssl
> and there is a config file 'openssl.conf' in the source code directory
> which has already been built with make & make install
>
> How can I solve this problem?
Tell OpenSSL where it can find the configuration file you want to use,
either by using the -config parameter or by setting the environment
variable OPENSSL_CONF. Be sure to edit the config file to match your
needs...

Hope it helps,
Ted
;)

-- 
PGP Public Key Information
Download complete Key from http://www.convey.de/ted/tedkey_convey.asc
Key fingerprint = 31B0 E029 BCF9 6605 DAC1  B2E1 0CC8 70F4 7AFB 8D26






Re: Doubt about OPENSSL config file

2000-01-11 Thread Raul Gutierrez Rodriguez

Right.

But what is the use of RANDFILE and oid_file in openssl?

Slds
Raul Gutierrez
- Original Message -
From: Richard Levitte - VMS Whacker <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>
Sent: Tuesday, January 11, 2000 9:31 AM
Subject: Re: Doubt about OPENSSL config file


> raulg> What is the meaning of the fields
> raulg>
> raulg> RANDFILE  = $ENV::HOME/.rnd
> raulg> oid_file  = $ENV::HOME/.oid
> raulg>
> raulg> in the openssl config file?
> raulg>
> raulg> If I have the OpenSSL on a MS NT 4 PC, what value can I assign to
> raulg> it?
>
> If you make sure that each user has a HOME environment variable, the
> above lines will work as intended.
>
> Of course, you need to make sure each user gets a *different* HOME
> :-).
>
> $ENV::foo is the notation in the configuration file to fetch the value
> of the environment variable foo.  Therefore $ENV::HOME will get the
> value of HOME...
>
> --
> Richard Levitte   \ Spannvägen 38, II \ [EMAIL PROTECTED]
> Redakteur@Stacken  \ S-161 43  BROMMA  \ T: +46-8-26 52 47
> \  SWEDEN   \ or +46-708-26 53 44
> Procurator Odiosus Ex Infernis -- [EMAIL PROTECTED]
>
> Unsolicited commercial email is subject to an archival fee of $400.
> See <http://www.stacken.kth.se/~levitte/mail/> for more info.
>




Re: Doubt about OPENSSL config file

2000-01-11 Thread Richard Levitte - VMS Whacker

raulg> But what is the use of RANDFILE and oid_file in openssl?

RANDFILE is a file where the current random number generator state is
stored.  Basically, it is used as a seed for the next run of openssl.
This is a whole lot better, even if not perfect, than having a static
seed, wouldn't you say?  And for the systems supporting it, I think (I
haven't looked in quite a while) that some state from other things,
like perhaps /dev/urandom, is added to the blob...

-- 
Richard Levitte   \ Spannvägen 38, II \ [EMAIL PROTECTED]
Redakteur@Stacken  \ S-161 43  BROMMA  \ T: +46-8-26 52 47
\  SWEDEN   \ or +46-708-26 53 44
Procurator Odiosus Ex Infernis -- [EMAIL PROTECTED]

Unsolicited commercial email is subject to an archival fee of $400.
See  for more info.



RE: Doubt about OPENSSL config file

2000-01-13 Thread Daniel S. Reichenbach

> dsr> RANDFILE= %USERPROFILE%\.rnd
> dsr> oid_file= %USERPROFILE%\.oid
> dsr> 
> dsr> This would point to the users home dir under NT.
> 
> Really?  Have you tested that?  I dunno, but if I were you, I'd
> replace "%USERPROFILE%" with "$ENV::USERPROFILE"...
> 
Yes, you're right. Just did a small test with it. Works okay.

Daniel
__
The OpenSA Project  http://www.opensa.org/
Daniel S. Reichenbach   [EMAIL PROTECTED]




Re: Adding new_oids in config file

2000-06-01 Thread Richard Levitte - VMS Whacker

From: Karim-Eric <[EMAIL PROTECTED]>

kfl> How can I add fields in my config file so that when I create a CSR
kfl> I'm asked for them? Right now, it asks for
kfl> the country name, state, and all the other default fields, but even if I
kfl> 
kfl> create an oid file with, let's say:
kfl> 
kfl> 1.2.MyThing=This thing should be asked
kfl> 1.2.MyThing_default= Duh
kfl> 1.2.MyThing_max= 23

Equal signs?  I thought the format was like this:

1.2.3.4.5   ShortName   Long Name

kfl> or even if the same thing is written in [new_oids]. It NEVER ask for it.

If you read the manual for req, you will see that the things that will
be prompted for are the ones in the sections indicated by the entries
distinguished_name and attributes.

I assume those are extra attributes that you want added...

Ref: http://www.openssl.org/docs/apps/req.html

-- 
Richard Levitte   \ Spannvägen 38, II \ [EMAIL PROTECTED]
Chairman@Stacken   \ S-168 35  BROMMA  \ T: +46-8-26 52 47
Redakteur@Stacken   \  SWEDEN   \ or +46-709-50 36 10
Procurator Odiosus Ex Infernis -- [EMAIL PROTECTED]
Member of the OpenSSL development team: http://www.openssl.org/
Software Engineer, Celo Communications: http://www.celocom.com/

Unsolicited commercial email is subject to an archival fee of $400.
See <http://www.stacken.kth.se/~levitte/mail/> for more info.



What's workaround for config file problem?

2002-05-30 Thread Vladislovas Razas



I need to create a self-signed certificate but I run into the problem exactly
described in the FAQ section:

4. Why can't I create certificate requests?

What can I do about it??? Please help if you can, I am really stuck here.

The docs explanation would be:

The following messages are frequently asked about:

Using configuration from /some/path/openssl.cnf
Unable to load config info

This is followed some time later by...

unable to find 'distinguished_name' in config
problems making Certificate Request

The first error message is the clue: it can't find the configuration
file! Certain operations (like examining a certificate request) don't need a
configuration file so its use isn't enforced. Generation of certificates or
requests however does need a configuration file. This could be regarded as a
bug.

Best Regards


Re: Special characters in config file

2003-07-03 Thread Dr. Stephen Henson
On Thu, Jul 03, 2003, Fiel Cabral wrote:

> Hello,
> 
> Does anyone have an idea of the escape sequences supported
> by the config file? I'm trying to escape special characters
> that could occur in the distinguished name attribute values
> in the [req] section. Thank you for any tips.
> 

These are documented in the config manual page. The set of escapes supported 
is currently very limited, you can't use the octal \NNN or hex \xNN forms.
This will be fixed at some point...

Steve.
--
Dr Stephen N. Henson.
Core developer of the   OpenSSL project: http://www.openssl.org/
Freelance consultant see: http://www.drh-consultancy.demon.co.uk/
Email: [EMAIL PROTECTED], PGP key: via homepage.
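Richard's ${ENV::...} trick for req -batch, his explanation of $ENV::foo in the "Doubt about OPENSSL config file" thread, and Steve's note above on the limited escape set all come down to how the config parser reads one value. The following is an added example written for this page, not OpenSSL's CONF code: a small Python re-implementation of the openssl.cnf syntax as the config manual page documents it (sections, $var and ${section::var} references, $ENV::NAME, quoting, and the \n \r \b \t escapes, with no octal or hex forms). The sample config, the environment values and the helper names parse_config and batch_subject are constructed here; batch_subject only collects the <field>_default values that req -batch would take without prompting.

```python
"""Parser for the OpenSSL configuration-file format (openssl.cnf) as the
config(5) manual describes it. Added example; not OpenSSL's own CONF code.
Implements: [section] headers (keys before the first one go to 'default'),
'name = value' pairs, '#' comments, $var / ${section::var} expansion,
$ENV::NAME from the environment, quoting, and the small escape set
\\n \\r \\b \\t plus backslash before any other single character (no octal
\\NNN or hex \\xNN forms)."""
import os
import re

ESCAPES = {"n": "\n", "r": "\r", "b": "\b", "t": "\t"}
VAR_RE = re.compile(r"\$(?:\{([^}]+)\}|([A-Za-z0-9_]+(?:::[A-Za-z0-9_]+)?))")


class ConfigError(ValueError):
    pass


def _lookup(conf, ref, current, env):
    """'name' (current section, then 'default'), 'section::name' or 'ENV::name'."""
    if "::" in ref:
        section, name = ref.split("::", 1)
        if section == "ENV":
            if name not in env:
                raise ConfigError(f"no conf or environment variable: {name}")
            return env[name]
        if name in conf.get(section, {}):
            return conf[section][name]
    else:
        for section in (current, "default"):
            if ref in conf.get(section, {}):
                return conf[section][ref]
    raise ConfigError(f"variable has no value: {ref}")


def _expand(raw, conf, current, env):
    """Quoting, escapes, $-expansion and '#' comments, left to right; unquoted
    trailing whitespace is dropped, like the C parser does."""
    out, quote, keep, i = [], None, 0, 0
    while i < len(raw):
        c = raw[i]
        if quote:                          # quoted text is taken verbatim
            if c == quote:
                quote = None
            else:
                out.append(c)
        elif c in "'\"":
            quote = c
        elif c == "\\":                    # \n \r \b \t, else the next char itself
            if i + 1 >= len(raw):
                raise ConfigError("unexpected end of line after backslash")
            i += 1
            out.append(ESCAPES.get(raw[i], raw[i]))
        elif c == "#":                     # unquoted '#' starts a comment
            break
        elif c == "$":
            m = VAR_RE.match(raw, i)
            if not m:
                raise ConfigError(f"bad variable reference: {raw[i:]}")
            out.append(_lookup(conf, m.group(1) or m.group(2), current, env))
            i = m.end() - 1
        else:
            out.append(c)
            if c.isspace():                # may be trailing: don't commit yet
                i += 1
                continue
        i += 1
        keep = len(out)
    if quote:
        raise ConfigError("unterminated quote")
    return "".join(out[:keep])


def parse_config(text, env=None):
    """Parse config text into {section: {name: expanded value}}; 'env' stands in
    for the process environment (default os.environ)."""
    env = os.environ if env is None else env
    conf, current = {"default": {}}, "default"
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("["):
            end = line.find("]")
            if end < 0:
                raise ConfigError(f"line {lineno}: missing close square bracket")
            current = line[1:end].strip()
            conf.setdefault(current, {})
        elif "=" in line:
            name, raw = line.split("=", 1)
            conf[current][name.strip()] = _expand(raw.strip(), conf, current, env)
        else:
            raise ConfigError(f"line {lineno}: missing equal sign")
    return conf


def batch_subject(conf):
    """Subject fields 'openssl req -batch' would take without prompting: every
    <field>_default in the section that req/distinguished_name points to."""
    dn = conf[conf["req"]["distinguished_name"]]
    return {k[:-8]: v for k, v in dn.items() if k.endswith("_default")}


# Constructed sample (not from the thread), using the ${ENV::...} trick.
SAMPLE = """\
dir = ./demoCA
RANDFILE = $ENV::HOME/.rnd
[ req ]
distinguished_name = req_distinguished_name
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = ${ENV::COUNTRYNAME}
organizationName_default = "Example Org, Inc."  # quotes keep text verbatim
commonName_default = host\\#1.example.test      # \\# keeps a literal '#'
serial = $dir/serial
"""
```

Calling parse_config(SAMPLE, env={"HOME": "/home/alice", "COUNTRYNAME": "SE"}) resolves RANDFILE to /home/alice/.rnd and the country default to SE; with COUNTRYNAME unset the lookup fails with the same "no conf or environment variable" wording NCONF_get_string reports, which is why a missing variable shows up at req time and not earlier. Writing a literal "#" requires the backslash, since an unquoted "#" ends the value.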


Re: Special characters in config file

2003-07-08 Thread Fiel Cabral
Thanks.
--- "Dr. Stephen Henson" <[EMAIL PROTECTED]> wrote:
> On Thu, Jul 03, 2003, Fiel Cabral wrote:
> 
> > Hello,
> > 
> > Does anyone have an idea of the escape sequences
> supported
> > by the config file? I'm trying to escape special
> characters
> > that could occur in the distinguished name attribute
> values
> > in the [req] section. Thank you for any tips.
> > 
> 
> These are documented in the config manual page. The set
> of escapes supported 
> is currently very limited, you can't use the octal \NNN
> or hex \xNN forms.
> This will be fixed at some point...
> 
> Steve.
> --
> Dr Stephen N. Henson.
> Core developer of the   OpenSSL project:
> http://www.openssl.org/
> Freelance consultant see:
> http://www.drh-consultancy.demon.co.uk/
> Email: [EMAIL PROTECTED], PGP key: via
> homepage.
>


Using non-std OIDs in config file

2005-05-02 Thread Bob Bramwell
I am trying to add two new OIDs to my configuration, and then specify that a 
certificate should contain such objects with values that I specify.  After 
extensive RTFMing and a lot of time wading through the configuration code I 
still have not got a working setup.  Can anyone provide an example?

What I have been trying is along the lines of the config file included below, 
and the complaint from openssl req is:

Error Loading extension section v3_req
28763:error:2207C081:X509 V3 routines:DO_EXT_CONF:unknown extension:v3_conf.c:128:
28763:error:2206B080:X509 V3 routines:X509V3_EXT_conf:error in 
extension:v3_conf.c:92:name=msOID2, value=V0.0

Is there any more complete documentation on the config file format?  I have not 
yet found any "formal" explanation of constructs like:
	   certificatePolicies = ia5org,@policy
What else are we not being told? :-)

Thanks,
Bob.

#OpenSSL config file
dir = .
oid_section = new_oids
[ ca ]
default_ca  = CA_default
[ CA_default ]
serial  = $dir/serial
database= $dir/certindex.txt
new_certs_dir   = $dir/certs
certificate = $dir/jasomi.com-cacert.pem
private_key = $dir/jasomi.com-cakey.pem
default_days= 3650
default_md  = sha1
preserve= no
email_in_dn = no
nameopt = default_ca
certopt = default_ca
policy  = policy_match
x509_extensions = v3_ca
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName= match
organizationalUnitName  = optional
commonName  = supplied
emailAddress= optional
[ req ]
default_bits= 2048  # Size of keys
default_keyfile = key.pem   # name of generated keys
default_md  = sha1  # message digest algorithm
string_mask = nombstr   # permitted characters
distinguished_name  = req_distinguished_name
x509_extensions  = v3_req
oid_section	= new_oids

[ req_distinguished_name ]
# Variable name Prompt string
#---
0.organizationName  = Organization Name (company)
organizationalUnitName  = Organizational Unit Name (department, division)
emailAddress= Email Address
emailAddress_max= 40
localityName= Locality Name (city, district)
stateOrProvinceName = State or Province Name (full name)
countryName = Country Name (2 letter code)
countryName_min = 2
countryName_max = 2
commonName  = Common Name (hostname, IP, or your name)
commonName_max  = 64

# Default values for the above, for consistency and less typing.
# Variable name Value
# --
0.organizationName_default  = Jasomi Networks Inc.
localityName_default= Calgary
stateOrProvinceName_default = Alberta
countryName_default = CA
organizationalUnitName_default  = Engineering Department
emailAddress_default= [EMAIL PROTECTED]
commonName_default  = jasomi.com
[ v3_ca ]
# subjectAltName=${ENV::ALTNAME}
basicConstraints= critical,CA:FALSE
subjectKeyIdentifier= hash
authorityKeyIdentifier  = keyid:always,issuer:always
keyUsage= digitalSignature, keyCertSign, cRLSign
crlDistributionPoints   = URI:http://www.jasomi.com/CRL
#
msOID2 = V0.0
msOID1 = CA
[ v3_req ]
basicConstraints= critical,CA:FALSE
subjectKeyIdentifier= hash
keyUsage= digitalSignature, keyCertSign, cRLSign
crlDistributionPoints   = URI:http://www.jasomi.com/CRL
#
msOID2 = V0.0
msOID1 = DomainController
[ new_oids ]
# MS Certificate Template Name
msOID1 = 1.3.6.1.4.1.311.20.2
# MS something or other (CA version?)
msOID2 = 1.3.6.1.4.1.311.21.1
--
Bob BramwellJasomi Networks (Canada) | This space
Ph: 403 269 2938 x155   #31

OID's and X509V3 extensions in config file

2001-10-26 Thread klaus . biedka

Hello fellows,

first of all, my sincere compliments for your work with OpenSSL. I was
trying to fit openssl-0.9.6 on my S.U.S.E. Linux 7.0 and it works! With the
openssl req and ca applications I can get certification requests and sign
them with the various extensions described in the openssl.cnf examples.

However, I did not succeed in including and signing attributes and my own
OIDs. The req man pages explain that openssl passes the attributes in
requests without signing. Unfortunately I am not so deeply familiar with the
X509V3 standards and don't know whether that is a bug or intended. Maybe in
X509V3 there is no more place for X509 attributes, only for the various
X509V3 extensions?

In the case of OIDs, openssl ca reads the OID section and its settings in
the config file very well, but assigning any value to the OID variable in
the extension section raises an error. What happens? Browsing the source
code I found that the error occurs in v3_lib.c in the function
X509V3_EXT_get_nid: OBJ_bsearch seems to return NULL and ext_list is NULL.
On the other side I can't find out where add_oid_section meets ext_list for
setting. Questions over questions...

Here my config file fragments:

oid_section = new_oids

[ new_oids ]
TestOID  = 2.5.4.12 

[ CA ]
...
x509_extensions = Usr   # The extensions to add to the cert


[ Usr ]
basicConstraints= CA:FALSE
keyUsage= nonRepudiation,
digitalSignature, keyEncipherment
nsComment   = "User Certificate"
subjectKeyIdentifier= hash
authorityKeyIdentifier  = keyid,issuer:always
TestOID = Test


In hope for a friendly answer and with best regards

Klaus
  




config file to generate request with asn1parse

2003-12-02 Thread Слепнев Владимир
Hello,

some time ago I posted a question to this list about how to generate a 
certificate request, knowing only the public key. One of the answers I 
got is generate a request "manually" from its fields, then hack the 
openssl utilities so they don't check the signature on the request.

The new function asn1parse -genconf in 0.9.8dev seems to address the 
issue of "manual generation", and the question arises: how should the 
config file look, for asn1parse -genconf to generate a certificate 
request? I've already succeeded in generating a valid (i.e. acceptable 
by openssl utilities) RSA public key in DER format with asn1parse 
-genconf, but this one seems a little trickier.

Regards,

Vladimir Slepnev
Programmer, IVK Systems
Moscow, Russia


Windows OpenSSL: Where to put the config file?

2004-08-17 Thread Peter O Sigurdson

Greetings

I'm working (on Windows) with the Apache SSL software, and also with
OpenSSL for Windows (Apache just bundles that in).
I cannot find where the configuration file is; all the documentation
seems to reference the Linux filesystem. Could someone please tell me
where to put the config file? If it is already there, I haven't found it!

Could you send me a simple example,
I'd like to make a few simple test certificates and install them in the
Apache server and IE browser to get a feel for how it works.

thank you!



Re: Using non-std OIDs in config file

2005-05-02 Thread Dr. Stephen Henson
On Mon, May 02, 2005, Bob Bramwell wrote:

> I am trying to add two new OIDs to my configuration, and then specify that 
> a certificate should contain such objects with values that I specify.  
> After extensive RTFMing and a lot of time wading through the configuration 
> code I still have not got a working setup.  Can anyone provide an example?
> 
> What I have been trying is along the lines of the config file included 
> below, and the complaint from openssl req is:
> 
> Error Loading extension section v3_req
> 28763:error:2207C081:X509 V3 routines:DO_EXT_CONF:unknown 
> extension:v3_conf.c:128:
> 28763:error:2206B080:X509 V3 routines:X509V3_EXT_conf:error in 
> extension:v3_conf.c:92:name=msOID2, value=V0.0
> 
> Is there any more complete documentation on the config file format?  I have 
> not yet found any "formal" explanation of constructs like:
>  certificatePolicies = ia5org,@policy

Yes, it's in the X509v3_config manual page or:

http://www.openssl.org/docs/apps/x509v3_config.html

OpenSSL 0.9.8-dev supports a mini-ASN1 compiler which allows custom extensions
to be generated. 

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
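Two threads above meet in one piece of syntax. Klaus's `TestOID = Test` in an extension section, and Bob's `msOID2 = V0.0`, both fail with "unknown extension" because a name defined in an oid_section becomes a known OID but not a known extension type, so OpenSSL has no encoder for a bare value. The X509v3_config page Steve points to covers the `ASN1:` form, which supplies the DER structure explicitly and takes it in the same mini-ASN.1 language that `openssl asn1parse -genconf` (Vladimir's thread) compiles. The script below is an added example, not code from any message on this page or from the OpenSSL project: one config file feeds both `openssl req` (custom extension in a self-signed test certificate) and `asn1parse -genconf` (the same structure emitted as a stand-alone DER file). It assumes a working `openssl` (1.1.1 or 3.x) on PATH; the 1.3.6.1.4.1.99999 arc, the section names and the field values are placeholders, not registered identifiers.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes `openssl` (1.1.1 or 3.x) on PATH.
# 1.3.6.1.4.1.99999.* is a placeholder arc; substitute your own registered OIDs.
set -eu

write_custom_cnf() {
  cat > "$1" <<'EOF'
# Keys outside any section form the "default" section.
oid_section = new_oids
# Read only by `openssl asn1parse -genconf`: the top-level structure to emit.
asn1 = SEQUENCE:tag_seq

[ new_oids ]
# Registers the name so req/ca accept it wherever an OID is expected.
deployTag = 1.3.6.1.4.1.99999.1.1

[ req ]
prompt             = no
distinguished_name = dn
x509_extensions    = usr_ext

[ dn ]
CN = custom-ext-test

[ usr_ext ]
basicConstraints     = CA:FALSE
keyUsage             = digitalSignature, keyEncipherment
subjectKeyIdentifier = hash
# "deployTag = Test" would fail with "unknown extension": the name resolves to
# an OID but OpenSSL has no encoder for it. The ASN1: form supplies the DER
# structure explicitly; the section it names is ordinary -genconf syntax.
deployTag = ASN1:SEQUENCE:tag_seq

[ tag_seq ]
type-id = OID:1.3.6.1.4.1.99999.1.2
value   = EXP:0,UTF8:Test
EOF
}

# Self-signed test certificate carrying the custom extension; prints its text dump.
cert_with_custom_ext() {
  work=$(mktemp -d)
  write_custom_cnf "$work/custom.cnf"
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$work/custom.cnf" \
      -keyout "$work/key.pem" -out "$work/cert.pem" >/dev/null 2>&1
  # `x509 -text` has not seen new_oids, so the extension is listed by its
  # dotted OID, followed by a raw dump of the value (the "Test" string shows).
  out=$(openssl x509 -in "$work/cert.pem" -noout -text)
  rm -rf "$work"
  printf '%s\n' "$out"
}

# The same [ tag_seq ] compiled on its own to DER; prints asn1parse's dump of it.
der_with_genconf() {
  work=$(mktemp -d)
  write_custom_cnf "$work/custom.cnf"
  out=$(openssl asn1parse -genconf "$work/custom.cnf" -out "$work/tag.der")
  rm -rf "$work"
  printf '%s\n' "$out"
}

if [ "${1:-}" = demo ]; then
  cert_with_custom_ext
  der_with_genconf
fi
```

Run it as `sh custom_ext.sh demo`. The second dump shows the SEQUENCE, the OBJECT, the `cont [ 0 ]` wrapper produced by `EXP:0`, and the UTF8STRING, which is exactly what lands inside the extension's OCTET STRING in the certificate; checking the standalone DER with `asn1parse` first is the quickest way to debug a structure before wiring it into an extension.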


Re: Using non-std OIDs in config file

2005-05-02 Thread Bob Bramwell
Aha!  One I hadn't come across.  Thank you.  I will read it tonight and maybe 
tomorrow I can make some progress.

Cheers,
Bob.

--
Bob Bramwell            Jasomi Networks (Canada) | This space
Ph: 403 269 2938 x155   #310 602 11th Ave SW     | intentionally
FX: 403 269 2993        Calgary, AB, T2R 1J8     | left blank.


Re: OpenSSL config file and supporting multiple OUs

2001-11-13 Thread Dr S N Henson

"Metzinger, Tim" wrote:
> 
> I want to have a couple of layers of Organizational Units in my cert, and
> I'm not sure what to change in the config file so that I am prompted for the
> additional detail.  I want to issue different certs for different
> applications, i.e.:
> 
> Application1:
> Country= US
> State=DC
> Locality=Washington
> Organization=US Dept. of Treasury
> OU=Office of Human Resource Enterprise Solutions
> OU=Peoplesoft Production Application
> DN=www.hrconnect.treas.gov
> [EMAIL PROTECTED]
> 
> Application2:
> Country= US
> State=DC
> Locality=Washington
> Organization=US Dept. of Treasury
> OU=Office of Human Resource Enterprise Solutions
> OU=Peoplesoft Test Application
> DN=cat.hrconnect.treas.gov
> [EMAIL PROTECTED]
> 
> I couldn't find any reference to the config file and can't figure out how to
> specify an additional OU or two.  Here's the file:
> 
>  [ req ]
>  default_bits   = 1024
>  default_keyfile= key1024.pem
>  distinguished_name = req_distinguished_name
>  attributes = req_attributes
>  prompt = yes
>  output_password= mypass
> 
>  [ req_distinguished_name ]
>  C  = Country
>  ST = State or Province
>  L  = Locality
>  O  = Organization Name
>  OU = Organizational Unit Name
>  CN = Domain Name
>  emailAddress   = [EMAIL PROTECTED]
> 
>  [ req_attributes ]
> 
> Any help is greatly appreciated
> 

This is mentioned in the 'req' manual page. Basically you use the
syntax:

1.OU = First Org Name
2.OU = Second Org Name
3.OU = Third Org Name

Steve.
-- 
Dr Stephen N. Henson.   http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED] 
Senior crypto engineer, Gemplus: http://www.gemplus.com/
Core developer of the   OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED] PGP key: via homepage.



AW: OpenSSL config file and supporting multiple OUs

2001-11-13 Thread Joerg Voelker

Hi,

try:

[ req_distinguished_name ]
  C  = Country
  ST = State or Province
  L  = Locality
  O  = Organization Name
  0.OU   = Organizational Unit Name
  1.OU   = Organizational Unit Name
  CN = Domain Name
  emailAddress   = [EMAIL PROTECTED]

regards
joerg




Re: config file to generate request with asn1parse

2003-12-02 Thread tuviah snyder
Can anyone help me with my Windows Async sockets questions? I have it
working fine on Unix, and I'm hoping I don't have to modify my app to use
select or polling.

TIA,
Tuviah



Re: config file to generate request with asn1parse

2003-12-02 Thread Dr. Stephen Henson
On Tue, Dec 02, 2003, Слепнев Владимир wrote:

> Hello,
> 
> some time ago I posted a question to this list about how to generate a 
> certificate request, knowing only the public key. One of the answers I 
> got is generate a request "manually" from its fields, then hack the 
> openssl utilities so they don't check the signature on the request.
> 
> The new function asn1parse -genconf in 0.9.8dev seems to address the 
> issue of "manual generation", and the question arises: how should the 
> config file look, for asn1parse -genconf to generate a certificate 
> request? I've already succeeded in generating a valid (i.e. acceptable 
> by openssl utilities) RSA public key in DER format with asn1parse 
> -genconf, but this one seems a little trickier.
> 

I didn't actually mean it like that. What I meant was this...

1. Create a certificate request using any private key using the OpenSSL 'req'
utility.

2. Write a short program that reads in the request and the new public key. It
should call X509_REQ_set_pubkey() then write the request out again. This will
have the correct public key but an invalid signature.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk


openssl req is ignoring the DN in the config file

2001-04-04 Thread Sandipan Gangopadhyay

openssl req
   -in pkcs10receivedfromclient.csr
   -config configfilewithDN.cnf
   -out pkcs10withNewDN.csr

is ignoring the DN in the config file.

The pkcs10receivedfromclient.csr has "DC=COM"

and configfilewithDN.cnf has
[ req ]
...
distinguished_name  = req_distinguished_name
[ req_distinguished_name ]
DC   = COM
O  = CAer
OU = Root CA Services
CN = userX

My intention is to obtain the public key from the PKCS10 received from the
client, but supply/modify the DN at the openssl server. Can anyone suggest
how I can achieve this ? Anyhow ?

Please help !

Regards,

Sandipan

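Steve's two steps in the asn1parse thread (a request signed with any key, then the public key swapped in with X509_REQ_set_pubkey()) and the question just above are two faces of the same problem: the CA holds a subject name and a public key but no request signed by that key. Current OpenSSL can do the swap from the command line, because `openssl x509 -req` accepts `-force_pubkey` (available in 1.0.2 and later) to set the certificate's subject key from a file instead of taking it from the request. The script below is an added example, not code from any message on this page or from the OpenSSL project. It assumes `openssl` 1.1.1 or 3.x on PATH; it generates a throwaway "subject" key pair only so that it runs offline, and then uses nothing but the public half, standing in for a key received from elsewhere. Names and the temporary CA are made up.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes `openssl` (1.1.1 or 3.x) on PATH;
# `x509 -force_pubkey` exists from 1.0.2. Names are made up.
set -eu

# Issue a certificate for pub.pem, a public key whose private half we never see.
# Prints a digest of the key we were given, a digest of the key in the issued
# certificate, and the chain verification result; returns 0 only if they match.
issue_cert_for_pubkey() {
  work=$(mktemp -d)

  # Stand-in for the key received from the subject: only pub.pem is used below.
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
      -out "$work/subject.key" 2>/dev/null
  openssl pkey -in "$work/subject.key" -pubout -out "$work/pub.pem"

  # A minimal test CA. An explicit config keeps the run independent of the
  # system openssl.cnf.
  cat > "$work/ca.cnf" <<'EOF'
[ req ]
prompt             = no
distinguished_name = dn
x509_extensions    = ca_ext
[ dn ]
CN = Example Test CA
[ ca_ext ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$work/ca.cnf" \
      -keyout "$work/ca.key" -out "$work/ca.pem" >/dev/null 2>&1

  # Step 1 of the reply: a request carrying the wanted subject name, signed
  # with a throwaway key so that its self-signature still verifies.
  openssl req -new -newkey rsa:2048 -nodes -config "$work/ca.cnf" \
      -subj "/O=CAer/CN=userX" -keyout "$work/throwaway.key" \
      -out "$work/req.pem" >/dev/null 2>&1

  # Step 2, done by the CLI instead of X509_REQ_set_pubkey(): sign a
  # certificate from the request, but with pub.pem as the subject key.
  cat > "$work/leaf.cnf" <<'EOF'
basicConstraints       = CA:FALSE
keyUsage               = digitalSignature, keyEncipherment
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid
EOF
  openssl x509 -req -in "$work/req.pem" -days 1 \
      -CA "$work/ca.pem" -CAkey "$work/ca.key" -CAcreateserial \
      -force_pubkey "$work/pub.pem" -extfile "$work/leaf.cnf" \
      -out "$work/cert.pem" 2>/dev/null

  # Compare the DER SubjectPublicKeyInfo we were given with the one certified.
  given=$(openssl pkey -pubin -in "$work/pub.pem" -outform DER | openssl dgst -sha256)
  incert=$(openssl x509 -in "$work/cert.pem" -noout -pubkey \
      | openssl pkey -pubin -outform DER | openssl dgst -sha256)
  verify=$(openssl verify -CAfile "$work/ca.pem" "$work/cert.pem")
  rm -rf "$work"

  printf 'given:  %s\nincert: %s\n%s\n' "$given" "$incert" "$verify"
  [ "$given" = "$incert" ]
}

if [ "${1:-}" = demo ]; then issue_cert_for_pubkey; fi
```

Run it as `sh force_pubkey.sh demo`. The caveat a CA operator should keep in mind: a request signed by the subject's own key is the usual proof that the requester possesses the private key, and `-force_pubkey` (like X509_REQ_set_pubkey()) discards that proof, so the CA must establish possession by some other means before issuing. The reverse case from the 2001 question, keeping the key from the client's request but replacing the DN, is covered by `openssl ca -subj`, which supersedes the subject name given in the request.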



How to create CA cert, server and client cert from one config file

2004-11-15 Thread Patrick Ben Koetter
I am on my way to learn more about OpenSSL. My current task is to create
a script, similar to CA.pl, to ease cert handling.

Ideally I would want to have one config file, holding different values
for a CA cert, a server cert and a client cert separated by sections.

This would require to have (at least) different 
[ req_distinguished_name ] sections, right?

If I understood the documentation and what I read on the ML archive this
cannot be done, correct?

Am I right that if I would want to create certs with as little
interaction as possible I would have to create a config file for every
cert I'd like to create and use entries like:

countryName_value = EX
stateOrProvinceName_value = Examplia
localityName_value = Exampleton
...

Is there a way to create different certs from one config file without
user interaction? I'd be glad to RTFM or hear about best practices.

TIA,

Patrick Koetter



Re: How to create CA cert, server and client cert from one config file

2004-11-15 Thread Dr. Stephen Henson
On Mon, Nov 15, 2004, Patrick Ben Koetter wrote:

> I am on my way to learn more about OpenSSL. My current task is to create
> a script, similar to CA.pl, to ease cert handling.
> 
> Ideally I would want to have one config file, holding different values
> for a CA cert, a server cert and a client cert separated by sections.
> 
> This would require to have (at least) different 
> [ req_distinguished_name ] sections, right?
> 
> If I understood the documentation and what I read on the ML archive this
> cannot be done, correct?
> 
> Am I right, that if I would want to create certs with as less
> interaction as possible I would have to create a config file for every
> cert I'd like to create and use entries like:
> 
> countryName_value = EX
> stateOrProvinceName_value = Examplia
> localityName_value = Exampleton
> ...
> 
> Is there a way to create different certs from one config file without
> user interaction? I'd be glad to RTFM or hear about best practices.
> 

There's a section at the end of the 'req' manual page that shows how to do
this. Look at the reference to the "prompt" configuration file option.

You can use that to create certificate requests and self signed certificates
without user interaction. The configuration file would contain the DN
components and the extensions; it can also contain private key passphrases, or
those can be prompted for or their source supplied on the command line.

To create client and server certificates you need to sign a certificate request
with a CA certificate. You can use the 'x509' utility to handle this
automatically. Although this works without a configuration file that will only
result in obsolete V1 certificates: you really need a configuration file to
indicate the extensions.

Alternatively you can use the 'ca' utility to do this.


Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk


Re: How to create CA cert, server and client cert from one config file

2004-11-15 Thread Patrick Ben Koetter
* Dr. Stephen Henson <[EMAIL PROTECTED]> [041116 00:45]:
> On Mon, Nov 15, 2004, Patrick Ben Koetter wrote:
> 
> > I am on my way to learn more about OpenSSL. My current task is to create
> > a script, similar to CA.pl, to ease cert handling.
> > 
> > Ideally I would want to have one config file, holding different values
> > for a CA cert, a server cert and a client cert separated by sections.
> > 
> > This would require to have (at least) different 
> > [ req_distinguished_name ] sections, right?
> > 
> > If I understood the documentation and what I read on the ML archive this
> > cannot be done, correct?
> > 
> > Am I right, that if I would want to create certs with as less
> > interaction as possible I would have to create a config file for every
> > cert I'd like to create and use entries like:
> > 
> > countryName_value = EX
> > stateOrProvinceName_value = Examplia
> > localityName_value = Exampleton
> > ...
> > 
> > Is there a way to create different certs from one config file without
> > user interaction? I'd be glad to RTFM or hear about best practices.
> > 
> 
> There's a section at the end of the 'req' manual page that shows how to do
> this. Look at the reference to the "prompt" configuration file option.

I found it and I am using it.

> You can use that to create certificate requests and self signed certificates
> without user interaction. The configuration file would contain the DN
> components and the extensions; it can also contain private key passphrases, or
> those can be prompted for or their source supplied on the command line.

Okay, fine.

> To create client and server certificates you need to sign a certificate request
> with a CA certificate. You can use the 'x509' utility to handle this
> automatically. Although this works without a configuration file that will only
> result in obsolete V1 certificates: you really need a configuration file to
> indicate the extensions.
> 
> Alternatively you can use the 'ca' utility to do this.

Okay.


To clarify my second question: Can I put config options for a CA,
server and or client certificate in a single config file and have certs
built automatically? 

I haven't understood yet how sections work exactly. I understand they
subsume vars that openssl or an openssl utility will look up. But where
do the section names come from? Can I invent some myself and have
openssl use them?

Ideally I would have something like this:

# openssl.conf

[ ca ]
countryName_value = EX
stateOrProvinceName_value = Examplia
localityName_value = Exampleton

[ server ]
countryName_value = GB
stateOrProvinceName_value = Somewhere
localityName_value = Sometown

[ client ]
countryName_value = DE
stateOrProvinceName_value = bundesland
localityName_value = stadt


But from what I understand about sections at the moment I cannot do this
and will have to go that way:

# ca.conf
...
[ req_distinguished_name ]
countryName_value = EX
stateOrProvinceName_value = Examplia
localityName_value = Exampleton
...

# server.conf
...
[ req_distinguished_name ]
countryName_value = GB
stateOrProvinceName_value = Somewhere
localityName_value = Sometown
...

# client.conf
...
[ req_distinguished_name ]
countryName_value = DE
stateOrProvinceName_value = bundesland
localityName_value = stadt
...


Correct? If there's a better way to handle this I'd appreciate a hint
where to go looking for it.

Thanks,

[EMAIL PROTECTED]

> Steve.
> --
> Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
> OpenSSL project core developer and freelance consultant.
> Funding needed! Details on homepage.

Reminds me of my work for Postfix and SMTP AUTH...

> Homepage: http://www.drh-consultancy.demon.co.uk


Re: How to create CA cert, server and client cert from one config file

2004-11-15 Thread Dr. Stephen Henson
On Tue, Nov 16, 2004, Patrick Ben Koetter wrote:


Well with prompt=no you wouldn't have the _value stuff...

Well some sections are determined by the utility itself, others are specified
in previous sections and others are on the command line. The docs give more
details about each case.

To take your example the section name "req_distinguished_name" is looked up 
under the name "distinguished_name" in the "req" section.

The section used ("req") is hard coded in the "req" utility itself.

So you could change the "distinguished_name" to point to another section.
However that would still need modifications to the config file.

You can avoid this by using the environment variable expansion and doing
something like:

distinguished_name=$ENV::dn_sect

will use the environment variable "dn_sect" instead. Then you can keep one
configuration file and select the appropriate section using the environment
variables.

Again see the docs for more details.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
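Steve's `$ENV::dn_sect` suggestion, the `-extensions`/`-reqexts` command-line selection he alludes to, and the `0.OU`/`1.OU` form from the multiple-OU thread earlier on this page are together enough for one config file to produce CA, server and client material without prompting. The following is an added example, not code from any message here or from the OpenSSL project; it assumes a working `openssl` (1.1.1 or 3.x) on PATH, and the subject values, section names and environment variable names are made up for the demonstration.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes `openssl` (1.1.1 or 3.x) on PATH.
# Subject values, section names and the DN_SECT variable are made up.
set -eu

write_multi_cnf() {
  cat > "$1" <<'EOF'
[ req ]
prompt             = no
# The DN section is chosen at run time from the environment, so one file
# serves every certificate type. The variable must be set, or the config
# fails to load. The extension section is chosen on the command line.
distinguished_name = $ENV::DN_SECT

[ ca_dn ]
C  = US
O  = Example Corp
CN = Example Corp Test CA

[ server_dn ]
C    = US
ST   = DC
L    = Washington
O    = Example Corp
# The same attribute type twice: each key needs a unique prefix, which req
# strips at the dot. Order in the file is the order in the DN.
0.OU = Platform Engineering
1.OU = Production
CN   = www.example.com

[ client_dn ]
C    = US
O    = Example Corp
0.OU = Platform Engineering
1.OU = Test
CN   = tester

[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage         = critical, keyCertSign, cRLSign

[ server_ext ]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName   = DNS:www.example.com

[ client_ext ]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature
extendedKeyUsage = clientAuth
EOF
}

# csr_text DN_SECTION EXT_SECTION: make a key and CSR without prompting and
# print the request in text form with an RFC 2253 one-line subject.
csr_text() {
  work=$(mktemp -d)
  write_multi_cnf "$work/multi.cnf"
  DN_SECT="$1" openssl req -new -newkey rsa:2048 -nodes -config "$work/multi.cnf" \
      -reqexts "$2" -keyout "$work/key.pem" -out "$work/req.pem" >/dev/null 2>&1
  out=$(openssl req -in "$work/req.pem" -noout -text -nameopt RFC2253)
  rm -rf "$work"
  printf '%s\n' "$out"
}

# ca_text: self-signed CA certificate from ca_dn, extensions from ca_ext.
ca_text() {
  work=$(mktemp -d)
  write_multi_cnf "$work/multi.cnf"
  DN_SECT=ca_dn openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
      -config "$work/multi.cnf" -extensions ca_ext \
      -keyout "$work/ca.key" -out "$work/ca.pem" >/dev/null 2>&1
  out=$(openssl x509 -in "$work/ca.pem" -noout -text -nameopt RFC2253)
  rm -rf "$work"
  printf '%s\n' "$out"
}

if [ "${1:-}" = demo ]; then
  ca_text
  csr_text server_dn server_ext
  csr_text client_dn client_ext
fi
```

Run it as `sh multi.sh demo`. The RFC 2253 subject prints most-specific first, so the server request shows `CN=www.example.com,OU=Production,OU=Platform Engineering,...`; the two OU values survive as separate RDNs because `0.OU` and `1.OU` are distinct keys in the config parser but the same attribute type once the prefix is stripped. With `prompt = no` the `_value` and `_default` suffixes of the interactive layout are not used at all, which is the point Steve makes about Patrick's sketch.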