RE: Creating certificates
Read my comments please.

-----Original Message-----
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Patrick Patterson
Sent: Wednesday, June 19, 2013 7:50 PM
To: openssl-users@openssl.org
Subject: Re: Creating certificates

Hi Rodney,

First of all, this isn't a CA certificate - the Basic Constraints CA:FALSE quite plainly points to this. This is a wildcard certificate for use by authorised representatives of securesites.com to be able to use for their own servers.

[[Rod's comment]] Precisely, I want to use this CA for blahblah.securesites.com (LDAP server).

Therefore, you will never be able to create any further certificates; you'll just be able to use this certificate and keypair to enable secure communications between your clients and your servers.

[[Rod's comment]] Keypair? Do you mean I can use this CA and the key file it was accompanied with to configure LDAP/TLS/SSL so that my LDAP server will be an authentication provider for services such as shell and FTP?

You MAY need to obtain the GeoTrust CA Certificate to assist people to resolve the trust to your Server.

[[Rod's comment]] Ah, ok, I'm starting to understand this process. Correct me if I am wrong: my admin basically sent me a cert/key pair, and if LDAP requires the CA certificate, I'll need to get that from GeoTrust...

From your previous message, I think that your instance of OpenLDAP is configured to use the Mozilla LibNSS Security Library, and not OpenSSL - the reference to certdb / pkcs#11 sounds a lot like a LibNSS error to me. Therefore, questions regarding the configuration of your server may be more appropriately directed at the OpenLDAP mailing list, and any Certificate issues at the Mozilla LibNSS mailing list.

[[Rod's comment]] Thanks!

Best Regards,

Patrick.

This email message is intended for the use of the person to whom it has been sent, and may contain information that is confidential or legally protected. If you are not the intended recipient or have received this message in error, you are not authorized to copy, distribute, or otherwise use this message or its attachments. Please notify the sender immediately by return e-mail and permanently delete this message and any attachments. Verio Inc. makes no warranty that this email is error or virus free. Thank you.
Creating certificates
Hi,

There was an email earlier yesterday about LDAP/SSL/TLS but I'm going to revise my question. Please disregard the email because instead of creating certificates, I'm going to use certs provided by my linux admin to configure SSL/TLS with LDAP.

My sysadmin gave me 3 wildcard openssl files, with extensions .cert, .csr, and .key. This wildcard.xxx.cert is supposed to be a CA; below are the important contents:

    [root@fl1-lsh99apa007 ~]# openssl x509 -in wildcard.securesites.com.cert -noout -text
    Certificate:
        Data:
            Version: 3 (0x2)
            Serial Number: 69277 (0x10e9d)
        Signature Algorithm: sha1WithRSAEncryption
            Issuer: C=US, O=GeoTrust, Inc., CN=GeoTrust SSL CA
            Validity
                Not Before: Dec 1 05:59:42 2011 GMT
                Not After : Dec 2 01:04:06 2016 GMT
            Subject: serialNumber=NwnaG0OQxm/2fIiyWh6NThC40ROOk/KH, C=US, ST=Colorado, L=Englewood, O=MYNAMESERVER, LLC, OU=Secure Services Division, CN=*.securesites.com
            Subject Public Key Info:
                Public Key Algorithm: rsaEncryption
                    Public-Key: (2048 bit)
            X509v3 extensions:
                X509v3 Authority Key Identifier:
                    keyid:42:79:54:1B:61:CD:55:2B:3E:63:D5:3C:48:57:F5:9F:FB:45:CE:4A
                X509v3 Key Usage: critical
                    Digital Signature, Key Encipherment, Data Encipherment
                X509v3 Extended Key Usage:
                    TLS Web Server Authentication, TLS Web Client Authentication
                X509v3 Subject Alternative Name:
                    DNS:*.securesites.com, DNS:securesites.com
                X509v3 CRL Distribution Points:
                    Full Name:
                      URI:http://gtssl-crl.geotrust.com/crls/gtssl.crl
                X509v3 Subject Key Identifier:
                    D9:88:62:C6:90:FE:5D:78:9B:AE:5A:78:AF:DF:30:49:7E:54:D3:83
                X509v3 Basic Constraints: critical
                    CA:FALSE
                Authority Information Access:
                    CA Issuers - URI:http://gtssl-aia.geotrust.com/gtssl.crt

How do I create signed certificates with the CA above and those wildcard files so that it will be used with LDAP?

Please excuse my ignorance with openssl. I've been working with this for a few days and there are so many ways to configure LDAP/SSL searching google, but they haven't worked for me, probably because I lack experience with SSL. Thanks in advance.

Rod
Re: Creating certificates
Hi Rodney,

First of all, this isn't a CA certificate - the Basic Constraints CA:FALSE quite plainly points to this. This is a wildcard certificate for use by authorised representatives of securesites.com to be able to use for their own servers. Therefore, you will never be able to create any further certificates; you'll just be able to use this certificate and keypair to enable secure communications between your clients and your servers.

You MAY need to obtain the GeoTrust CA Certificate to assist people to resolve the trust to your Server.

From your previous message, I think that your instance of OpenLDAP is configured to use the Mozilla LibNSS Security Library, and not OpenSSL - the reference to certdb / pkcs#11 sounds a lot like a LibNSS error to me. Therefore, questions regarding the configuration of your server may be more appropriately directed at the OpenLDAP mailing list, and any Certificate issues at the Mozilla LibNSS mailing list.

Best Regards,

Patrick.

---
Patrick Patterson
Chief PKI Architect
Carillon Information Security Inc.
http://www.carillon.ca

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
Re: Creating certificates
Hello,

So I have played around a little bit more yesterday, but with the same result. Attached is the openssl.cnf I am using. The problem is the same: I do not know how to override the subject information from the config file (specified in the req_distinguished_name section) from the command line.

And this is what I execute from the cmd line:

    openssl genrsa -des3 -out ..\demo_store\private\private_key_client.pem -passout pass:pass 1024

    openssl req -config .\openssl.cnf -subj /C=DE/L=Munchen/ST=Bayern/O=Org/OU=Dev/CN=Test Certificate -new -days 365 -key ..\demo_store\private\private_key_client.pem -outform PEM -out ..\demo_store\request\req_server.csr -passin pass:pass

    openssl x509 -inform PEM -req -in ..\demo_store\request\req_server.csr -outform DER -out ..\demo_store\certs\cert_server.der -CAform DER -CA ..\demo_store\certs\ca_cert.der -CAkeyform PEM -CAkey ..\demo_store\private\ca_private_key.pem -CAcreateserial

Regards,
Gerald
Re: Creating certificates
Why don't you use the ca command?
Re: Creating certificates
On Tue, Aug 18, 2009, Gerald Iakobinyi-Pich wrote:

> Hello,
> So I have played around a little bit more yesterday, but with the same result. Attached is the openssl.cnf I am using. The problem is the same: I do not know how to override the subject information from the config file (specified in the req_distinguished_name section) from the command line.

Well, that configuration file has the values hard coded in it. You should either use a standard openssl.cnf, which means you'll get prompted to enter the value, or use the environment substitution method; see the manual pages for more details.

The CA.pl script is much easier to use instead of random cookbooks.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
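A worked version of what this thread and Rod's "Creating certificates" thread above both circle around, added here as an example; it is not code posted by Steve, Gerald, Serge, Rod or Patrick. It writes a small openssl.cnf whose DN is taken from the environment with prompt = no (the substitution method Steve points to), issues a self-signed CA from it, then creates a leaf CSR with -subj given on the command line. The -subj value Gerald posted contains a space (CN=Test Certificate), so left unquoted it is split into two arguments by any shell; the example quotes its -subj and reads the subject back out of the CSR before signing, which is the check Serge asked about. After signing it runs the three checks Rod's situation calls for: whether a file is a CA at all (Basic Constraints), whether the private key belongs to the certificate, and whether the chain verifies for the intended hostname. Every name in it (Example Test CA, *.example.test, ldap.example.test) is made up for the demo. It needs the openssl binary; -verify_hostname needs OpenSSL 1.0.2 or newer. One caveat worth knowing: $ENV:: variables are resolved every time the config is loaded, including when x509 -req reads it through -extfile, so they must stay exported for the whole run.

```shell
#!/bin/sh
# Added example for the openssl-users "Creating certificates" threads; not code
# posted by anyone in them. Names (Example Test CA, *.example.test,
# ldap.example.test) are invented for the demo.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
CONF="$WORK/openssl.cnf"
CA_CRT="$WORK/ca.crt";     CA_KEY="$WORK/ca.key"
LEAF_CRT="$WORK/leaf.crt"; LEAF_KEY="$WORK/leaf.key"; LEAF_CSR="$WORK/leaf.csr"

# $ENV:: values are resolved whenever this config is loaded (req and x509 -req
# alike), so they must be exported before any openssl call that reads it.
export CERT_O="Example Test CA" CERT_CN="Example Test Issuing CA"

# Minimal config: 'prompt = no' takes [dn] verbatim, no interactive questions.
cat > "$CONF" <<'EOF'
[ req ]
distinguished_name = dn
prompt             = no
x509_extensions    = v3_ca

[ dn ]
O  = $ENV::CERT_O
CN = $ENV::CERT_CN

[ v3_ca ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash

[ v3_leaf ]
basicConstraints       = critical, CA:FALSE
keyUsage               = critical, digitalSignature, keyEncipherment
extendedKeyUsage       = serverAuth, clientAuth
subjectAltName         = DNS:*.example.test, DNS:example.test
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid
EOF

# 1. Self-signed CA. Its DN is whatever [dn] resolves to from the environment.
openssl req -config "$CONF" -x509 -newkey rsa:2048 -nodes -days 2 \
    -keyout "$CA_KEY" -out "$CA_CRT" 2>/dev/null

# 2. Leaf key and CSR. -subj overrides [dn]. The value is quoted so that a
#    space in it (as in "CN=Test Certificate") cannot split it into two
#    arguments, which would make req reject the leftover word and write no CSR.
openssl req -config "$CONF" -new -newkey rsa:2048 -nodes \
    -subj "/C=DE/ST=Bayern/L=Munchen/O=Org/OU=Dev/CN=*.example.test" \
    -keyout "$LEAF_KEY" -out "$LEAF_CSR" 2>/dev/null

# 3. Sign. The leaf gets the [v3_leaf] extensions (CA:FALSE, SAN); ca.srl is
#    created next to the CA cert by -CAcreateserial.
openssl x509 -req -in "$LEAF_CSR" -CA "$CA_CRT" -CAkey "$CA_KEY" -CAcreateserial \
    -days 2 -extfile "$CONF" -extensions v3_leaf -out "$LEAF_CRT" 2>/dev/null

# --- checks ----------------------------------------------------------------

# Subject as actually stored in a CSR ("req") or certificate ("x509").
subject_of() { openssl "$1" -noout -subject -in "$2"; }

# "yes" if Basic Constraints says CA:TRUE, otherwise "no".
is_ca() {
    if openssl x509 -noout -text -in "$1" | grep -q 'CA:TRUE'; then echo yes; else echo no; fi
}

# "yes" if the private key's public half is the one in the certificate.
key_matches_cert() {  # $1 = cert, $2 = key
    if [ "$(openssl x509 -noout -pubkey -in "$1")" = "$(openssl pkey -in "$2" -pubout)" ]
    then echo yes; else echo no; fi
}

# "yes" if the leaf chains to the CA and its SAN covers the hostname.
chain_ok_for_host() {  # $1 = CA cert, $2 = leaf cert, $3 = hostname
    if openssl verify -CAfile "$1" -verify_hostname "$3" "$2" >/dev/null 2>&1
    then echo yes; else echo no; fi
}

echo "CSR  $(subject_of req "$LEAF_CSR")"
echo "cert $(subject_of x509 "$LEAF_CRT")"
echo "ca.crt is a CA:   $(is_ca "$CA_CRT")"
echo "leaf.crt is a CA: $(is_ca "$LEAF_CRT")"
echo "leaf key matches leaf cert: $(key_matches_cert "$LEAF_CRT" "$LEAF_KEY")"
echo "chain ok for ldap.example.test: $(chain_ok_for_host "$CA_CRT" "$LEAF_CRT" ldap.example.test)"
echo "chain ok for ldap.other.test:   $(chain_ok_for_host "$CA_CRT" "$LEAF_CRT" ldap.other.test)"
```

Run against a real hand-over like Rod's, the same three functions apply unchanged to the files the sysadmin supplied: is_ca on the .cert answers whether it can issue anything (here it cannot), key_matches_cert on .cert and .key confirms the pair belongs together, and chain_ok_for_host with the issuer's certificate as -CAfile shows whether a client that trusts that issuer will accept the server name. The ca.srl file created by -CAcreateserial is the same mechanism Gerald's x509 -req command relies on.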
Re: Creating certificates
Hello,

Yes, you are right. I can do it using the 'ca' command. Thanks for the hint.

Gerald

On Tue, Aug 18, 2009 at 11:48 AM, Serge Fonville wrote:
> Why don't you use the ca command?
Creating certificates
Hello,

I am trying to create a certificate, on win, and I am having some troubles with OpenSSL.

First I generate a key. That's ok. Then I create a request:

    openssl req -config .\openssl.cnf -subj /C=DE/L=Munchen/ST=Bayern/O=Org/OU=Dev/CN=Test Certificate -new -days 365 -key ..\demo_store\private\private_key_client.pem -outform PEM -out ..\demo_store\request\req_server.csr -passin pass:pass

Then I want to sign this:

    openssl x509 -inform PEM -req -in ..\demo_store\request\req_server.csr -outform DER -out ..\demo_store\certs\cert_server.der -CAform DER -CA ..\demo_store\certs\ca_cert.der -CAkeyform PEM -CAkey ..\demo_store\private\ca_private_key.pem -CAcreateserial

And the message printed out is:

    Loading 'screen' into random state - done
    Signature ok
    subject=/C=RO
    Getting CA Private Key

Now, what disturbs me is that it seems that the subject I have provided with -subj in the first openssl req command has been ignored. Why is that happening? What am I doing wrong?

Thanks,
Gerald
Re: Creating certificates
Hi,

I assume you have done a lot of googling and have read the docs extensively.

First, what is your end goal? Since creating a certificate and having it signed by your own CA is not that difficult. What resources have you consulted? What have you already tried? Have you looked at the resulting certificate to verify its contents?

Regards,

Serge Fonville
Re: Creating certificates
Hi,

So my end goal is to have a CA, which I can use to sign certificates. I have set up a CA; that was not that hard. But now I want to create certificates signed by my CA, and I want to provide the subject from the command line. I don't want it to be read from the openssl.cnf. That is because I have to create more certificates, and I do not want to modify the openssl.cnf for each of them.

I have tried to create certificates, signed by my CA, where the subject information was provided in the openssl.cnf file. That I have succeeded at. Then I have tried to provide the subject information from the command line, and that I have failed at. And I have verified the contents of the certificate, and the subject was not what I have specified in the command line, but what was found in the config file. So it looks to me like this option:

    -subj /C=DE/L=Munchen/ST=Bayern/O=Org/OU=Dev/CN=Test Certificate

is ignored, and like openssl tries to read this info from the config file, and I do not understand why :(.

Regards,
Gerald
Re: Creating certificates
What does your openssl.cnf look like, since it is used in the req?
Creating certificates inline
Can someone point me to some documentation on how to create certificates during runtime in the code? I can use the openssl command from solaris at the terminal but how do I do it in the code? Thanx.

Dave

__
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager [EMAIL PROTECTED]
Re: Creating Certificates Via The SSL/Crypto Api's
Very straight forward and well documented? You gotta be kidding. Perhaps for a long time openssl developer, but not for your run of the mill C developer. I spent all last night going through the example provided, and yeah, beyond being painfully inhibiting for a developer in its complexity, it's also hideously ugly code.

What I'm talking about is functions like a2i_ASN1_INTEGER. When I check the crypto library documentation on openssl.org for usage or such, there is no man page available; actually, the entire asn1 section is blacked out.

You guys are making me think that I should just provide my client a wrapper around the openssl tool itself, considering how frustrating it is to use this portion of the library. I don't know, using this library is making me jaded towards it. You'd think an industry standard library such as this wouldn't be so letdownish in terms of support and documentation. I mean, this should be a 2 function ordeal. I shouldn't have to be investing so much time into such a largely trivial portion of the solution.

Regardless, I'm having to do it anyway, so I'm going to figure out wtf is going on and maybe post a wrapper somewhere so another balding twentysomething won't have to suffer the same as I am.

love;~jason
RE: Creating Certificates Via The SSL/Crypto Api's
> What I'm talking about is functions like a2i_ASN1_INTEGER. When I check the crypto library documentation on openssl.org for usage or such, there is no man page available; actually, the entire asn1 section is blacked out.

There's no reason you need to use that function. The load_serial/save_serial functions happen to work in a very weird way, but there's really no reason anyone needs to understand them. Just pick a serial number any way that you want to.

> You guys are making me think that I should just provide my client a wrapper around the openssl tool itself, considering how frustrating it is to use this portion of the library. I don't know, using this library is making me jaded towards it. You'd think an industry standard library such as this wouldn't be so letdownish in terms of support and documentation. I mean, this should be a 2 function ordeal. I shouldn't have to be investing so much time into such a largely trivial portion of the solution. Regardless, I'm having to do it anyway, so I'm going to figure out wtf is going on and maybe post a wrapper somewhere so another balding twentysomething won't have to suffer the same as I am.

Egad, no! You really have no business issuing a certificate if you don't understand the nitty-gritty details of what you are doing. Issuing a certificate is like signing a contract, and it is a serious mistake to invent ways not to have to read the fine print. You cannot sprinkle in a function call or two and wind up with secure software. You have to understand exactly what you are doing and exactly what your functions make the system do under the hood. The OpenSSL function calls are at precisely the right level of detail, hiding under the hood only the things you don't need to know and making sure you have to face the important issues.

(Your point about the documentation is reasonable though. There are definitely some important functions that are not very well documented.)

DS
Re: Creating Certificates Via The SSL/Crypto Api's
Hello Jason,

edf green wrote:
> Very straight forward and well documented? You gotta be kidding. Perhaps for a long time openssl developer, but not for your run of the mill C developer. I spent all last night going through the example provided, and yeah, beyond being painfully inhibiting for a developer in its complexity, it's also hideously ugly code.

The code is *not* intentionally complicated, but on the one side it is grown code (and a rework could be helpful) and on the other side issuing a certificate is *the* single point of failure in the X509 security model. Most of the important decisions are made at that point. So a deeper understanding of the X509 security model and the OpenSSL framework is a requirement for anybody who wants to work on this code. It is definitely not the right place to start working with the OpenSSL framework.

> What I'm talking about is functions like a2i_ASN1_INTEGER. When I check the crypto library documentation on openssl.org http://openssl.org for usage or such, there is no man page available; actually, the entire asn1 section is blacked out.

The OpenSSL documentation is still incomplete, and it started with the functions that a newbie needs to start working with OpenSSL. In some areas it is in the state "if you need a man page for this function, you should better keep away from it"... OpenSSL started as a big and complicated library with still needed functionality to add and NO documentation. So you had to find your way by wading through application code, headers and library code (naturally with help from the list).

> You guys are making me think that I should just provide my client a wrapper around the openssl tool itself, considering how frustrating it is to use this portion of the library.

I don't want to put you down, but if you don't know what is happening there it is indeed better to just use the OpenSSL tool itself than to give you a set of functions that you need...

> You'd think an industry standard library such as this wouldn't be so letdownish in terms of support and documentation.

The problem here is that the development time available for OpenSSL is finite. It is mostly driven by the guys in the core team with input from the community. Documentation is just one of the many things that needs to be written.

> I mean, this should be a 2 function ordeal. I shouldn't have to be investing so much time into such a largely trivial portion of the solution.

As I said: issuing a cert is *the* single point of failure in the X509 security model and there are so many decisions to make that it is _not_ a 2 function ordeal. To rephrase David: If you have the background knowledge that you need to issue a certificate, the source becomes straightforward.

Bye
Goetz

--
DMCA: The greed of the few outweighs the freedom of the many
Creating Certificates Via The SSL/Crypto Api's
Hello all,

Long time reader, first time poster. I have a problem currently with the generation of an SSL cert using the libssl/crypto apis. I can generate keys fine, but I cannot find any documentation on how to actually create a cert file via anything other than the openssl command line tool. If anyone has any example code, or maybe a tutorial on the subject I'd very much so appreciate it.

Thanks;~Jason
Re: Creating Certificates Via The SSL/Crypto Api's
Hello,

> Long time reader, first time poster. I have a problem currently with the generation of an SSL cert using the libssl/crypto apis. I can generate keys fine, but I cannot find any documentation on how to actually create a cert file via anything other than the openssl command line tool. If anyone has any example code, or maybe a tutorial on the subject I'd very much so appreciate it.

Look at apps/x509.c function x509_certify().

Best regards,
--
Marek Marcola [EMAIL PROTECTED]
Re: Creating Certificates Via The SSL/Crypto Api's
You're kidding, right? That has to be some of the most atrocious and confusing code I have ever seen. I don't suppose anyone has anything more practical as an example? Perhaps some documentation on the process or such.

On 9/20/06, Marek Marcola [EMAIL PROTECTED] wrote:
> Hello,
>
> > Long time reader, first time poster. I have a problem currently with the generation of an SSL cert using the libssl/crypto apis. I can generate keys fine, but I cannot find any documentation on how to actually create a cert file via anything other than the openssl command line tool. If anyone has any example code, or maybe a tutorial on the subject I'd very much so appreciate it.
>
> Look at apps/x509.c function x509_certify().
>
> Best regards,
> --
> Marek Marcola [EMAIL PROTECTED]
RE: Creating Certificates Via The SSL/Crypto Api's
Please don't top post.

> > Look at apps/x509.c function x509_certify().
>
> You're kidding, right? That has to be some of the most atrocious and confusing code I have ever seen. I don't suppose anyone has anything more practical as an example? Perhaps some documentation on the process or such.

I just took a look at that code, and it seems very straightforward and well documented. It very clearly: grabs the public key from the CA; initializes the X509 structure; creates a serial number for the certificate; verifies that the CA private key is correct; sets the issuer name, serial number, and validity times; sets the version and any extensions, and then signs the certificate. I honestly can't imagine what more you could want.

DS
Re: Creating certificates
I'm not sure what's wrong. I think that you might read the configuration file of openssl carefully. Can you show out your results in BASE64 format in order to let others test them for you?

2006/4/25, nduval (sent by Nabble.com) [EMAIL PROTECTED]:
> I have installed openssl and am hoping to use it to create a self signed CA and then client certificates to go along with it. I am using everything after a normal install. So far all I have done is a ca -newca, fill in the info. Then I do ca -newreq and then ca -sign. It seems I get what I need... I get the CA file, and the certificate file.
>
> To check them, I loaded the CA as a trusted root on my local machine, and then opened the certificate to see if it corresponded properly to the CA in the certification path, but I get the following message when I view it:
>
> The certificate is not valid because one of the certification authorities in the certification path does not appear to be allowed to issue certificates or this certificate cannot be used as an end-entity certificate.
>
> The CA does show up in the certification path, but with the yellow exclamation mark on it. Can anyone tell me how to correct this?
>
> Many thanks.
> Nathan
Creating certificates
I have installed openssl and am hoping to use it to create a self signed CA and then client certificates to go along with it. I am using everything after a normal install. So far all I have done is a ca -newca, fill in the info. Then I do ca -newreq and then ca -sign. It seems I get what I need... I get the CA file, and the certificate file.

To check them, I loaded the CA as a trusted root on my local machine, and then opened the certificate to see if it corresponded properly to the CA in the certification path, but I get the following message when I view it:

The certificate is not valid because one of the certification authorities in the certification path does not appear to be allowed to issue certificates or this certificate cannot be used as an end-entity certificate.

The CA does show up in the certification path, but with the yellow exclamation mark on it. Can anyone tell me how to correct this?

Many thanks.
Nathan
Re: Creating certificates with more than one eMail address
Michael Helm wrote:
> [...]
> What I wanted to try (might eventually) is going back to the client test we did some time ago. We found that the client always ignored the extra subjectaltname entries, and so I suspect that the subject components are the ones evaluated.

To my knowledge, tests made recently with all major email clients available gave completely different results. Multiple emailAddress entries were not supported while multiple email within subjectAltName usage was supported (not by M$ client).

--
C'you,
Massimiliano Pala

--o
Massimiliano Pala [OpenCA Project Manager] [EMAIL PROTECTED]
Tel.: +39 (0)59 270 094 http://www.openca.org
Fax: +39 178 270 2077 http://openca.sourceforge.net
Mobile: +39 (0)347 7222 365
University of Modena and Reggio Emilia Certification Authority Informations:
Authority Access Point http://pki.unimo.it
Authority's Certificate: http://pki.unimo.it/ca/issuers.html
Certificate Revocation List: http://pki.unimo.it/crl/cacrl.crl
--o
Re: Creating certificates with more than one eMail address
Lee Dilkie writes:
> you didn't look at the certificate fully. there is also
> RFC822 [EMAIL PROTECTED]
> RFC822 [EMAIL PROTECTED]
> RFC822 [EMAIL PROTECTED]
> in the Subject Alternative Name as rfc3280 requires.

That is very clever of them! I have been meaning to test your cert construction (try it on my own Thawte account) but too many other problems have kept me from it. Despite what you say elsewhere, tho, I think this is pushing back against the standard attribute:

  Conforming implementations generating new certificates
  Simultaneous inclusion of the EmailAddress attribute in the subject distinguished name to support legacy implementations is deprecated but permitted.

What I wanted to try (might eventually) is going back to the client test we did some time ago. We found that the client always ignored the extra subjectaltname entries, and so I suspect that the subject components are the ones evaluated. That construction is inconvenient for directory (and kind of nonsensical, in that many different entities for the same person are created) but it can be made to work, if publishing of certs is needed, and is better managed by non LDAP dbms.
RE: Creating certificates with more than one eMail address
> IMHO if you want to use multiple email addresses within the same certificate you should use multiple subjectAltName extensions. This ensures usability with available clients (i.e. Mozilla, Thunderbird, etc... ). I guess you are able to use the certificate because the same addresses are also reported in the subjectAltName extension. Multiple emailAddress, anyway, within the DN should be avoided as this format is against the standard and does not add any value over the subjAltName extension usage :-D
>
> --
> C'you,
> Massimiliano Pala

Well, putting multiple email addresses (or even one address) in both places maximizes compatibility with both new and older certificate parsers (email clients in this case). Putting them in the DN isn't against the standard. The standard has been modified, subject alt name has been added and there is a wish to move such information to the new extension. Until legacy applications are gone, it is wise to code this information in both locations. Wouldn't you agree? That's exactly what the CA I used has done.

-lee
RE: Creating certificates with more than one eMail address
You didn't look at the certificate fully. There is also

  RFC822 [EMAIL PROTECTED]
  RFC822 [EMAIL PROTECTED]
  RFC822 [EMAIL PROTECTED]

in the Subject Alternative Name, as rfc3280 requires. So I assume Thawte is covering all bases by putting the addresses in both places. And I hope we could do the same with an openssl generated certificate.

-lee

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Michael Helm
Sent: Tuesday, February 03, 2004 3:55 PM
To: [EMAIL PROTECTED]
Subject: Re: Creating certificates with more than one eMail address

Lee Dilkie writes:
> Mine works fine.

In a sense.

  E = [EMAIL PROTECTED], E = [EMAIL PROTECTED], E = [EMAIL PROTECTED], CN = Thawte Freemail Member

rfc 3280 http://www.ietf.org/rfc/rfc3280.txt p 23-24, section 4.1.2.6 Subject:

  In addition, legacy implementations exist where an RFC 822 name is embedded in the subject distinguished name as an EmailAddress attribute
  Conforming implementations generating new certificates with electronic mail addresses MUST use the rfc822Name in the subject alternative name field (section 4.2.1.7) to describe such identities. Simultaneous inclusion of the EmailAddress attribute in the subject distinguished name to support legacy implementations is deprecated but permitted.

So this is not an rfc 3280 conforming cert, not even for legacy support.

S/MIME v3 spec http://www.ietf.org/rfc/rfc2632.txt

  3. Using Distinguished Names for Internet Mail
  End-entity certificates MAY contain an Internet mail address as described in [RFC-822]. The address must be an addr-spec as defined in Section 6.1 of that specification. The email address SHOULD be in the subjectAltName extension, and SHOULD NOT be in the subject distinguished name.

Even the S/MIME v2 spec says that mail receiving agents (~clients) must recognize email addressES in both subject dn's and subject alt name fields.

So your cert may abruptly stop working or behave strangely in a client with fastidious rfc 3280 enforcement. One prominent vendor has been known to abruptly change its software to enforce aspects of rfc 3280.
Re: Creating certificates with more than one eMail address
Lee Dilkie wrote:
> Mine works fine. I have multiple E= fields in the subject attribute. I use the same certificate from several accounts. (This message is signed so you can take a look for yourself). Also, this isn't openssl generated but I see no reason why that would matter.

IMHO if you want to use multiple email addresses within the same certificate you should use multiple subjectAltName extensions. This ensures usability with available clients (i.e. Mozilla, Thunderbird, etc... ). I guess you are able to use the certificate because the same addresses are also reported in the subjectAltName extension. Multiple emailAddress, anyway, within the DN should be avoided as this format is against the standard and does not add any value over the subjAltName extension usage :-D

--
C'you,
Massimiliano Pala [OpenCA Project Manager]
http://www.openca.org
Creating certificates with more than one eMail address
Hello!

Is it possible to create certificates with more than one eMail address? I want to create a cert which can sign mails from different eMail addresses. Is that possible? And if it is, how can I do it?

Thank you for your help!
Stephan
Re: Creating certificates with more than one eMail address
In openssl.cnf, in the section regarding the DN definition:

0.emailAddress
1.emailAddress

--
Frédéric Giudicelli
http://www.newpki.org

Stephan Boldt wrote:
> Hello! Is it possible to create certificates with more than one eMail address? I want to create a cert which can sign mails from different eMail addresses. Is that possible? And if it is, how can I do it? Thank you for your help! Stephan
Re: Creating certificates with more than one eMail address
I had created one certificate but the 2nd email address was just UNUSABLE. I couldn't use that 2nd email address to sign, encrypt, etc. Tested with Mozilla and Outlook family email clients.

Frédéric Giudicelli wrote:
> In openssl.cnf, in the section regarding the DN definition:
> 0.emailAddress
> 1.emailAddress
Creating Certificates for Pocket PC
Hi,

I have successfully installed openssl 0.9.7b for Windows CE, and I need to create certificates for my openssl client that runs on a pocket pc 2002. When I run openssl from the command prompt (in Win 2000) it writes: "The image file openssl.exe is valid, but is for a machine type other than the current machine". Any advice?

Another problem is with the asn1.h file which includes time.h. Is it safe to set the path to c:\wcecompat\include?

Many thanks in advance
RE: Creating Certificates for Pocket PC
You are trying to run the openssl.exe built for the Pocket PC. It won't run on the desktop. You would probably be better off using a desktop build of openssl, creating the certificates with that, and transferring them to the PPC. If you really want to use the PPC version, get the desktop tool cerun.exe from my website (part of cetools.zip) and use it to invoke the openssl.exe that you have on your PPC.

I don't understand your last question. You need to set the WCECOMPAT environment variable to c:\wcecompat so that openssl can find time.h.

Regards,
Steven

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Kambourakis Georgios
Sent: Thursday, 2 October 2003 4:24 AM
To: [EMAIL PROTECTED]
Subject: Creating Certificates for Pocket PC

Hi,

I have successfully installed openssl 0.9.7b for Windows CE, and I need to create certificates for my openssl client that runs on a pocket pc 2002. When I run openssl from the command prompt (in Win 2000) it writes: "The image file openssl.exe is valid, but is for a machine type other than the current machine". Any advice?

Another problem is with the asn1.h file which includes time.h. Is it safe to set the path to c:\wcecompat\include?

Many thanks in advance
Re: Creating certificates with a WEB Browser
In message [EMAIL PROTECTED] on Mon, 11 Aug 2003 14:36:52 +0900, Shalkebaev,AntonMSCAG [EMAIL PROTECTED] said:

ShalkebaevA> Take a look at www.pyca.de another one is
ShalkebaevA> http://cultura.eii.us.es/~pablo/elyca/

Added to the collection of links in http://www.openssl.org/related/apps.html. It will be visible within the hour.

--
Richard Levitte \ Tunnlandsvägen 3 \ [EMAIL PROTECTED]
[EMAIL PROTECTED] \ S-168 36 BROMMA \ T: +46-8-26 52 47
\ SWEDEN \ or +46-708-26 53 44
Procurator Odiosus Ex Infernis -- [EMAIL PROTECTED]
Member of the OpenSSL development team: http://www.openssl.org/
Unsolicited commercial email is subject to an archival fee of $400. See http://www.stacken.kth.se/~levitte/mail/ for more info.
Creating certificates
OpenSSL Ver: 0.9.6b
OS: Solaris 8
CC: CC 5.2

I would like to be able to create certificates without using the openssl tool if possible. I don't like the idea of my program having to call an outside application to create certificates, and I was wondering if there was any documentation on this. OpenSSL.org's site is a little less than helpful for information. These certificates will be used with the ACE/TAO orb. Thanks for the help.

-
Andrew T. Finnell
Software Engineer
eSecurity Inc
(321) 394-2485
Problems creating certificates
Hi,

I can't seem to generate a valid certificate for my openSSL app. Whenever I try a certificate that is produced by me, using the openssl command line tool, or some other tool, I get the following error msgs from my app.:

12359:error:0906406D:PEM routines:DEF_CALLBACK:problems getting password:pem_lib.c:114:
12359:error:0906A068:PEM routines:PEM_do_header:bad password read:pem_lib.c:430:
12359:error:140B0009:SSL routines:SSL_CTX_use_PrivateKey_file:missing asn1 eos:ssl_rsa.c:707:

However when I use a demo certificate that comes with your distro 0.9.5a this app does work. The only problem is that clients keep whining that the server doesn't use a certificate that is validated for the used IP number. Could anybody shed some light on this darkness?

regards,
Peter Zijlstra
programmer @ freeler.nl

PS. I'm not on this mailing list, so would you all be so kind as to mail me any responses?

**= working certificate =
[PEM certificate and RSA private key blocks omitted]

**= generation attempt =
[PEM certificate and RSA private key blocks omitted]
Re: Creating Certificates and CA roots.
I'm still unsure about the CA cert? What does this do, how does it fit in? Is this the SAME as a signed certificate which the web server uses? (I don't think so) Which certificate is the one browsers need to install? (ie: the one we need to generate for them)

I'm fine with:
- generating a secret key file
- generating a CSR
- generating a signed CSR (which will be used by the web server)

but not so clear with the browser side when the server is configured to ask for a client certificate.

Thanks

BTW MATT: Your web link would be much appreciated to clear the concepts for neophytes.

At 04:03 PM 08/11/99 -0700, you wrote:
> Hi:
>
> Eventually, I'm going to create a website that explains the basics (since that's all I know so far) of making a root cert from the command line. Here's how I do it.
>
> 1) generate a 1024 bit private key, have the output go to privkey.pem, encrypted with triple DES
>
> openssl genrsa -des3 -out privkey.pem 1024
>
> you will be prompted for a passphrase for the 3des encryption
>
> 1.5) OPTIONAL - take a look at the key you just made
>
> openssl rsa -in privkey.pem -text
>
> passphrase again
>
> 2) Create a certificate request that includes your public key, and is signed with your private key. openssl.cnf will have to exist somewhere for this to function - if you don't know what that ought to look like, you'll have to wait for me to finish my website (start it, actually) - or search the sparse docs - the sample one that ships with OpenSSL is OK
>
> openssl req -new -key privkey.pem -out mycert-req.pem
>
> passphrase, yet again, plus lots of personal information
>
> I think you can combine steps 1 and 2 by using openssl req -newkey rsa:1024, but a) I'm not sure if it encrypts the key b) I've never done it that way, and I only want to suggest what I know
>
> 2.5) OPTIONAL - take a look at your cert request
>
> openssl req -in mycert-req.pem -text
>
> 3) Use the cert request and the private key to generate a self-signed cert
>
> openssl x509 -req -in mycert-req.pem -out mycert.pem -signkey privkey.pem -CAcreateserial
>
> This bears a little explanation:
>
> x509 : the subcommand of openssl that deals with x.509 certificate objects
> -req : tells openssl that the input file is a certificate request
> -in : the cert-request file
> -out : where to put the output (a certificate)
> -signkey : this tells openssl two things (at least, there may be more) a) which key to sign the cert with b) that this is the creation of the CA cert, so don't ask where the CA cert is - this is important, because an x.509 object needs issuer information normally contained in the CA cert, but this flag indicates that this info will have to come from the user
> -CAcreateserial : every cert needs a serial number, and this flag says "there ain't one; make it up"
>
> passphrase still again, plus personal info that will become issuer information for your root cert
>
> 4) Take a peek at your new cert
>
> openssl x509 -in mycert.pem -text
>
> That should do it. I'm pretty sure there are ways to combine some/all of these steps, but I haven't done it any other way. As I'm a novice with OpenSSL myself, corrections from those who know better will be welcome.
>
> Best of luck
> -Mike
>
> Matt Isleb wrote:
> > Hi,
> >
> > I am setting up an Aventail VPN server and it uses SSL for encryption. But to get SSL to work I need a signed certificate as well as the root cert. It seems that the openssl command is poorly documented. I found information on the apache-ssl web site on creating signed cert using ssleay. Here is what I have done so far:
> >
> > openssl req -new > new.cert.csr
> > openssl rsa -in privkey.pem -out new.cert.key
> > openssl x509 -in new.cert.csr -out new.cert.cert -req -signkey new.cert.key -days 365
> >
> > What I need now is the root cert. Like what verisign would give you to put in your browser when they sign a test cert. I imagine that it is some incarnation of 'openssl ca' but for the life of me I can't figure it out.
> >
> > Matt Isleb
> > UNIX Support Guy
> > onShore, Inc.
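Pulling the threads above together: the procedure Mike describes (root key, request, self-signed root), carried on to the step Matt's setup also needs (a server certificate issued by that root), with the subject supplied through -subj as in Gerald's thread and several e-mail addresses placed in subjectAltName as recommended in the eMail-address thread. This is an added example written for this page, not code from any of the posts; it assumes an openssl binary from the 1.0 series or later (for -config/-extensions) and uses only constructed placeholder names, paths and addresses.

```shell
#!/bin/sh
# Added example, not code from any of the posts above: a two-level test PKI
# built with the openssl command-line tool.  Every directory, file name,
# DNS name and e-mail address below is a constructed placeholder.
#   ca.pem      self-signed root carrying basicConstraints CA:TRUE
#   server.pem  leaf issued by that root; its subject comes from -subj on the
#               command line and it lists several e-mail addresses in the SAN
set -eu

make_test_pki() {
    dir=$1
    mkdir -p "$dir"

    # One config file serves both steps.  "prompt = no" keeps openssl req from
    # asking questions; a -subj given on the command line supersedes [dn].
    cat >"$dir/pki.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt             = no

[ dn ]
CN = placeholder

# Root extensions.  A relying party checks basicConstraints before it will
# accept a certificate as an issuer, so the root states CA:TRUE explicitly.
[ v3_ca ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash

# End-entity extensions.  The e-mail addresses are rfc822Name entries in
# subjectAltName, the place RFC 3280 section 4.2.1.7 assigns to them.
[ v3_leaf ]
basicConstraints       = critical, CA:FALSE
keyUsage               = critical, digitalSignature, keyEncipherment
extendedKeyUsage       = serverAuth, clientAuth, emailProtection
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid
subjectAltName         = DNS:ldap.example.test, email:alice@example.test, email:alice@mail.example.test
EOF

    # 1) Root key, then request and self-signature in one step (req -x509),
    #    with the [v3_ca] section applied to the resulting certificate.
    openssl genrsa -out "$dir/ca.key" 2048 2>/dev/null
    openssl req -x509 -new -sha256 -days 365 \
        -config "$dir/pki.cnf" -extensions v3_ca \
        -key "$dir/ca.key" -subj "/C=DE/O=Org/CN=Test Root CA" \
        -out "$dir/ca.pem"

    # 2) Server key and request.  The subject is passed with -subj and quoted
    #    so the shell does not split the space in a CN into a second argument.
    #    One emailAddress stays in the DN for legacy clients; the SAN above
    #    carries the complete list.
    openssl genrsa -out "$dir/server.key" 2048 2>/dev/null
    openssl req -new -sha256 -config "$dir/pki.cnf" \
        -key "$dir/server.key" \
        -subj "/C=DE/ST=Bayern/L=Munchen/O=Org/OU=Dev/CN=ldap.example.test/emailAddress=alice@example.test" \
        -out "$dir/server.csr"

    # 3) Sign the request with the root.  -CAcreateserial writes ca.srl on
    #    first use; without -extfile/-extensions the output would be a v1
    #    certificate with no extensions at all.
    openssl x509 -req -sha256 -days 365 -in "$dir/server.csr" \
        -CA "$dir/ca.pem" -CAkey "$dir/ca.key" -CAcreateserial \
        -extfile "$dir/pki.cnf" -extensions v3_leaf \
        -out "$dir/server.pem"

    # 4) Check the result as a relying party would: the leaf must chain to
    #    the root, and the -subj value and the SAN must really be in it.
    openssl verify -CAfile "$dir/ca.pem" "$dir/server.pem"
    openssl x509 -in "$dir/server.pem" -noout -subject | grep -q 'ldap.example.test'
    openssl x509 -in "$dir/server.pem" -noout -text | grep -q 'email:alice@mail.example.test'
}

# Stand-alone run: build the PKI in a scratch directory and show the leaf.
scratch=$(mktemp -d)
make_test_pki "$scratch"
openssl x509 -in "$scratch/server.pem" -noout -subject -issuer
```

The function exits non-zero at the first failing step, so a missing extension section or a mis-quoted -subj shows up as a failed run rather than as a certificate that silently carries the wrong name.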