Re: OBJ_create - a little problem.

2006-02-15 Thread Katie Lucas
On Mon, Feb 13, 2006 at 08:03:41PM +0100, Dr. Stephen Henson wrote:
> On Mon, Feb 13, 2006, [EMAIL PROTECTED] wrote:
>
> > Hi everybody!
> >
> > Here is the sample code:
> >
> >    int nid;
> >    nid = OBJ_create("1.2.3.4", "MyAlias", "My Test Alias Extension");
> >    X509V3_EXT_add_alias(nid, NID_netscape_comment);
> >    add_ext(x, nid, "Test Extension...");
> >
> > It works fine :) But I want to change the first
> > parameter in OBJ_create() and I fail there. As I think,
> > it has to be in some special format, but I can't find
> > any info about it.
>
> It is the standard dotted form of an OBJECT IDENTIFIER.
>
> Roughly speaking a sequence of two or more non-negative integers separated by
> dots.
>
> The first number can be 0, 1 or 2.
>
> The second 0 to 39 unless the first number is 2 in which case it can take any
> value.
>
> Subsequent numbers can take any value, though it is usual to keep them
> relatively small (say 32 bits maximum).
>
> The first few digits are often reserved for certain organizations and they
> can define the meaning of objects within their arc.
>
> You shouldn't therefore just make up a random set of digits especially if it
> is to appear in anything public.

2.25.x is unregulated and therefore you can drop anything down there
without having to apply.

The risk is that your ids will collide with someone else's so you must
be careful parsing extensions.


__
OpenSSL Project http://www.openssl.org
User Support Mailing List   openssl-users@openssl.org
Automated List Manager   [EMAIL PROTECTED]


OBJ_create - a little problem.

2006-02-13 Thread dsf
Hi everybody!

Here is the sample code:

   int nid;
   nid = OBJ_create("1.2.3.4", "MyAlias", "My Test Alias Extension");
   X509V3_EXT_add_alias(nid, NID_netscape_comment);
   add_ext(x, nid, "Test Extension...");

It works fine :) But I want to change the first
parameter in OBJ_create() and I fail there. As I think,
it has to be in some special format, but I can't find
any info about it.

Thanks a lot!



Re: OBJ_create - a little problem.

2006-02-13 Thread Dr. Stephen Henson
On Mon, Feb 13, 2006, [EMAIL PROTECTED] wrote:

> Hi everybody!
>
> Here is the sample code:
>
>    int nid;
>    nid = OBJ_create("1.2.3.4", "MyAlias", "My Test Alias Extension");
>    X509V3_EXT_add_alias(nid, NID_netscape_comment);
>    add_ext(x, nid, "Test Extension...");
>
> It works fine :) But I want to change the first
> parameter in OBJ_create() and I fail there. As I think,
> it has to be in some special format, but I can't find
> any info about it.

It is the standard dotted form of an OBJECT IDENTIFIER.

Roughly speaking a sequence of two or more non-negative integers separated by
dots.

The first number can be 0, 1 or 2.

The second 0 to 39 unless the first number is 2 in which case it can take any
value.

Subsequent numbers can take any value, though it is usual to keep them
relatively small (say 32 bits maximum).

The first few digits are often reserved for certain organizations and they can
define the meaning of objects within their arc.

You shouldn't therefore just make up a random set of digits especially if it
is to appear in anything public.

You can apply for your own arc. One place where you can do this is:

http://www.iana.org/cgi-bin/enterprise.pl

The OpenSSL group for example is: 1.3.6.1.4.1.16604

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
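
Added example, not part of the original thread and not OpenSSL code: a stand-alone C checker that applies the arc rules from the reply above (first arc 0 to 2, second arc 0 to 39 unless the first is 2) and produces the DER content octets of a dotted OID. The names oid_encode and put_subid are hypothetical, and the 32-bit cap per arc and the sample 2.25.1 are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdio.h>

/* Append one subidentifier in base 128; every octet but the last has bit 8 set. */
static int put_subid(unsigned long long v, unsigned char *out, size_t cap, size_t *len)
{
    unsigned char tmp[10];
    int n = 0;
    do { tmp[n++] = (unsigned char)(v & 0x7f); v >>= 7; } while (v);
    while (n--) {
        if (*len >= cap) return -1;
        out[(*len)++] = (unsigned char)(tmp[n] | (n ? 0x80 : 0));
    }
    return 0;
}

/* Validate a dotted OID and write its DER content octets (no tag/length) to out.
 * X.690 folds the first two arcs into one value, 40*first + second.
 * Returns the number of octets, or -1 if the string breaks one of the rules. */
int oid_encode(const char *s, unsigned char *out, size_t cap)
{
    unsigned long long first = 0, v;
    size_t len = 0;
    int idx = 0;
    for (;;) {
        if (*s < '0' || *s > '9') return -1;            /* empty arc, sign, junk */
        for (v = 0; *s >= '0' && *s <= '9'; s++) {
            v = v * 10 + (unsigned)(*s - '0');
            if (v > 0xffffffffULL) return -1;           /* assumed 32-bit cap */
        }
        if (idx == 0) {
            if (v > 2) return -1;                       /* first arc: 0, 1 or 2 */
            first = v;
        } else {
            if (idx == 1 && first < 2 && v > 39) return -1; /* second arc: 0..39 */
            if (put_subid(idx == 1 ? 40 * first + v : v, out, cap, &len)) return -1;
        }
        idx++;
        if (*s == '\0') break;
        if (*s++ != '.') return -1;
    }
    return idx >= 2 ? (int)len : -1;                    /* need at least two arcs */
}

int main(void)
{
    /* Constructed samples: the thread's OIDs, one 2.25 value, two invalid strings. */
    const char *in[] = { "1.2.3.4", "1.3.6.1.4.1.16604", "2.25.1", "1.40.1", "3.1" };
    unsigned char der[32];
    for (size_t i = 0; i < sizeof in / sizeof *in; i++)  /* -1 means rejected */
        printf("%-18s %d\n", in[i], oid_encode(in[i], der, sizeof der));
}
```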


little problem with certification

2003-04-03 Thread Florian Effenberger
Hi there,

I'm quite new to SSL, and I'm trying to create SSL certificates for internal
use only. So far, I installed the default Debian package and did the
following:


GENERATION OF ROOT CERTIFICATE

openssl req -new > ca.csr -keyout ca.pem
openssl rsa -in ca.pem -out ca.key
openssl x509 -in ca.csr -out ca.crt -req -signkey ca.key -days 3650


GENERATION OF CERTIFICATE SIGNING REQUEST

openssl req -new > mysite.csr -keyout mysite.pem
openssl rsa -in mysite.pem -out mysite.key


SIGNING THE CERTIFICATE

openssl x509 -in mysite.csr -out mysite.crt -req -CA ca.crt -CAkey ca.pem -CAcreateserial -days 365


It may not be the best way of doing it, but it works :) However, I would
like to use the -enddate directive, which only seems to work when using
openssl ca. For that, I'd have to set-up my openssl.cnf.

Is there any other possibility of manually setting the -enddate with the
above commands? I just want to test the certificates out, and the above
seems to work, so I don't like to change a lot...

Thanks a lot!
Florian



little problem

2003-01-08 Thread Batoussov Artem
Hello,

We are 2 students of a Technical Institute of Telecommunication and Computer
Networks in France.

We have to realize a draft which is a server of certificate X.509. It must
issue certificates to users who connect to the server. We have a problem
with the automatic creation of certificates. We recover information about
the user and we place it in default values for the file .cnf which is used
in the creation of certificates. But when we launch .bat file, the program
stops on fields where normally we must enter information. Do you know the
solution to resolve this problem? Our teacher told us that we can create a
file with 2 page breaks and place the file in the entrance of the command

(openssl req -config user-cert.cnf -key user.key -new -out user.csr)

but when you use -new, it's impossible! Do you know a solution?

We hope you've understood us? Also, can you tell us where we can find a good
documentation about this software and its options.

Thanks a lot for your attention!

Regards,

Artem and Fabrice



Re: little problem

2003-01-08 Thread Christian Pohl
Batoussov Artem wrote:

> Hello,
>
> We are 2 students of a Technical Institute of Telecommunication and Computer
> Networks in France.
>
> We have to realize a draft which is a server of certificate X.509. It must
> issue certificates to users who connect to the server. We have a problem
> with the automatic creation of certificates. We recover information about
> the user and we place it in default values for the file .cnf which is used
> in the creation of certificates. But when we launch .bat file, the program
> stops on fields where normally we must enter information. Do you know the
> solution to resolve this problem? Our teacher told us that we can create a
> file with 2 page breaks and place the file in the entrance of the command
>
> (openssl req -config user-cert.cnf -key user.key -new -out user.csr)
>
> but when you use -new, it's impossible! Do you know a solution?
>
> We hope you've understood us? Also, can you tell us where we can find a good
> documentation about this software and its options.
>
> Thanks a lot for your attention!
>
> Regards,
>
> Artem and Fabrice

Perhaps you should try the option '-batch' and/or config-file option 
'prompt = no'

see man req

Kind regards,

Chris

--
Christian Pohl
»|secaron

--
The From: and Reply-To: addresses are internal news2mail gateway addresses.
Reply to the list or to Christian Pohl [EMAIL PROTECTED]


Re: little problem

2003-01-08 Thread Charles B Cranston
Batoussov Artem wrote:

> We are 2 students of a Technical Institute of Telecommunication and Computer
> Networks in France.
>
> We have to realize a draft which is a server of certificate X.509. It must
> issue certificates to users who connect to the server. We have a problem
> with the automatic creation of certificates. We recover information about
> the user and we place it in default values for the file .cnf which is used
> in the creation of certificates. But when we launch .bat file, the program
> stops on fields where normally we must enter information. Do you know the
> solution to resolve this problem? Our teacher told us that we can create a
> file with 2 page breaks and place the file in the entrance of the command
>
> (openssl req -config user-cert.cnf -key user.key -new -out user.csr)
>
> but when you use -new, it's impossible! Do you know a solution?
>
> We hope you've understood us? Also, can you tell us where we can find a good
> documentation about this software and its options.

I hope I understand what you are asking for.  Under Unix I get variable
items into certificates by passing them as environment variables.
Here is an example configuration file:



# OpenSSL configuration file for signing Internet Server Certificates

[req] # openssl req params
prompt = no
distinguished_name = dn-param

[dn-param] # DN fields
C = US
ST = Maryland
O = University of Maryland
OU = College Park Campus
CN = $ENV::CERTHOST
1.DC = umd
2.DC = edu
emailAddress = $ENV::CERTMAIL



The prompt=no makes openssl not prompt for information (which I think is
one of the problems you are trying to solve?).  You didn't say anything
about what system you are using, but you did mention a .bat file, which
might be an indication of an Evil Microsoft operating system.

I'm leaving Saturday for a week on Guadalupe, so I might not get back
to this conversation for some time.  Bon chance mes amis!

-- 

Charles B. (Ben) Cranston
mailto:[EMAIL PROTECTED]
http://www.wam.umd.edu/~zben