Re: Signing .p10 certificate signing requests
* Dr. Stephen Henson wrote on Tue, Jan 05, 2010 at 20:26 +0100:
> Trying both types to see which (if any) worked would be one strategy to
> handle this automatically or seeing if the initial SEQUENCE header looked
> like it covered the whole file. There would be exceptions to both cases
> though.

Could a bad guy try to fool something here? Like having two different CSRs inside hoping some CA will make some mistake (authenticate first, sign second or so)?

oki,

Steffen

--
About Ingenico: Ingenico is a leading provider of payment solutions, with over 15 million terminals deployed in more than 125 countries. Its 2,850 employees worldwide support retailers, banks and service providers to optimize and secure their electronic payments solutions, develop their offer of services and increase their point of sales revenue. More information on http://www.ingenico.com/.

This message may contain confidential and/or privileged information. If you are not the addressee or authorized to receive this for the addressee, you must not use, copy, disclose or take any action based on this message or any information herein. If you have received this message in error, please advise the sender immediately by reply e-mail and delete this message. Thank you for your cooperation.

Please consider the environment before printing this e-mail
__
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org
Signing .p10 certificate signing requests
Hi,

I have a certificate signing request in the form name.p10 issued by Microsoft Outlook which I am trying to sign and issue a certificate for from my Linux server. I am having some problems finding the correct syntax to treat this type of file, as other requests I have signed have come with the .csr extension.

Any ideas?

Anton
Re: Signing .p10 certificate signing requests
It's not a matter of file name extension. The CA script which comes with openssl assumes certificate requests are PEM encoded; maybe the request Outlook produced is DER encoded. In that case all you have to do is

    openssl req -in <your .p10 file> -inform der -out <a new file name>

to convert the encoding to PEM.

Claudio Campetto

From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On behalf of Anton Xuereb
Sent: Tuesday, 5 January 2010 12:10
To: openssl-users@openssl.org
Subject: Signing .p10 certificate signing requests

Hi,

I have a certificate signing request in the form name.p10 issued by Microsoft Outlook which I am trying to sign and issue a certificate for from my Linux server. I am having some problems finding the correct syntax to treat this type of file, as other requests I have signed have come with the .csr extension.

Any ideas?

Anton
Re: Signing .p10 certificate signing requests
A .p10 file *is* the same as a .csr file; the Certificate Signing Request format is defined in PKCS#10.

The only question is whether the file content begins with an '=' character. If it does, use -inform PEM; if it doesn't, use -inform DER.

(Considering that it's entirely possible to differentiate a base64-der-encoded blob as opposed to a der-encoded blob, because there's no way that an '=' character can start a DER blob, there's really no reason that I can see to keep the PEM versus DER distinction on the commandline. This is a legacy behavior from SSLeay that I can't really see the need for.)

-Kyle H

On Tue, Jan 5, 2010 at 3:09 AM, Anton Xuereb mewt.rea...@gmail.com wrote:
> Hi,
>
> I have a certificate signing request in the form name.p10 issued by
> Microsoft Outlook which I am trying to sign and issue a certificate for
> from my Linux server. I am having some problems finding the correct
> syntax to treat this type of file, as other requests I have signed have
> come with the .csr extension.
>
> Any ideas?
>
> Anton
Re: Signing .p10 certificate signing requests
On Tue, Jan 05, 2010, Kyle Hamilton wrote:
> A .p10 file *is* the same as a .csr file; the Certificate Signing
> Request format is defined in PKCS#10.
>
> The only question is whether the file content begins with an '='
> character. If it does, use -inform PEM; if it doesn't, use -inform DER.
>
> (Considering that it's entirely possible to differentiate a
> base64-der-encoded blob as opposed to a der-encoded blob, because
> there's no way that an '=' character can start a DER blob, there's
> really no reason that I can see to keep the PEM versus DER distinction
> on the commandline. This is a legacy behavior from SSLeay that I can't
> really see the need for.)

An = as the first character is not definitive. PEM files can contain text before the PEM headers. A DER file (well all the types OpenSSL uses) by contrast will contain 0x30 as the first character (SEQUENCE tag) but that is also ASCII '0'.

Trying both types to see which (if any) worked would be one strategy to handle this automatically or seeing if the initial SEQUENCE header looked like it covered the whole file. There would be exceptions to both cases though.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
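
The SEQUENCE-header check described in the message above, as an added Python example that is not part of the thread and not OpenSSL code: it accepts a request only when exactly one object is present, which also addresses the question about two CSRs in one file. The function names and the sample bytes are constructed here; the sample is a minimal DER SEQUENCE used for its framing, not a real request.

```python
import base64
import re

# Matches "CERTIFICATE REQUEST" and the older "NEW CERTIFICATE REQUEST" label.
PEM_RE = re.compile(
    rb"-----BEGIN ((?:NEW )?CERTIFICATE REQUEST)-----(.*?)-----END \1-----", re.S)

def der_total_length(data):
    """Bytes claimed by a leading SEQUENCE (header + content), or None."""
    if len(data) < 2 or data[0] != 0x30:       # 0x30 = SEQUENCE, also ASCII '0'
        return None
    first = data[1]
    if first < 0x80:                           # short form: length in one octet
        return 2 + first
    n = first & 0x7F                           # long form: n length octets follow
    if n == 0 or n > 4 or len(data) < 2 + n:   # n == 0 is indefinite, not DER
        return None
    return 2 + n + int.from_bytes(data[2:2 + n], "big")

def classify_csr(data):
    """Return (encoding, der_bytes); raise ValueError unless exactly one object."""
    blocks = PEM_RE.findall(data)
    if len(blocks) > 1:
        raise ValueError("more than one PEM request block")
    if blocks:
        # Text before the BEGIN line is allowed; the body must be clean base64.
        body = b"".join(blocks[0][1].split())
        kind, der = "pem", base64.b64decode(body, validate=True)
    else:
        kind, der = "der", data
    if der_total_length(der) != len(der):
        raise ValueError("SEQUENCE header does not cover the whole input")
    return kind, der

# Constructed sample: SEQUENCE { INTEGER 0 }, framing only, not a real request.
SAMPLE_DER = bytes.fromhex("3003020100")
SAMPLE_PEM = (b"0 free text before the header\n"
              b"-----BEGIN CERTIFICATE REQUEST-----\n"
              + base64.b64encode(SAMPLE_DER) +
              b"\n-----END CERTIFICATE REQUEST-----\n")

if __name__ == "__main__":
    print(classify_csr(SAMPLE_DER)[0], classify_csr(SAMPLE_PEM)[0])
    for bad in (SAMPLE_DER * 2, SAMPLE_PEM * 2):
        try:
            classify_csr(bad)
        except ValueError as exc:
            print("rejected:", exc)
```

The check looks only at the outer framing; the bytes it returns still have to be parsed and the request's signature verified before anything is signed.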