Re: problem signing spkacs

2001-10-18 Thread Ravi Prakash B.V.

Hi,

Your process is correct. But the output certificate is in DER
format. That's why you are unable to see the BEGIN CERTIFICATE tags...

The MIME type is also correct.

How are you downloading it to the Netscape browser?

Ravi Prakash B.V.

On Thu, 18 Oct 2001, Christopher L. Everett wrote:

> Hello:
> 
> I'm trying to use the "openssl ca" command inside a mod_perl 
> handler (I borrowed Perl code from http://www.pseudonym.org/ssl/) 
> to sign netscape spkacs, and I'm running into a very funky 
> problem.  
> 
> The docs say that the signed cert will come out in PEM form.  
> As I understand it, PEM certs look like
> 
> -----BEGIN CERTIFICATE-----
> 
> -----END CERTIFICATE-----
> 
> and what I get coming out is something very different.  When
> I try to download it to a Netscape browser using a MIME type
> of 'application/x-x509-user-cert', Netscape won't load it.
> 
> My environment is 
> 
> Debian Potato dist with Linux kernel 2.4.9
> openssl 0.9.6b
> 
> The command I use is
> 
> /usr/local/bin/openssl ca -batch \
> -config /var/ssl/PhysempCA/request.cnf \
> -out /var/ssl/PhysempCA/newcerts/72ff92dd0ca7e7a8309435072ed478.pem \
> -spkac /var/ssl/PhysempCA/newcerts/72ff92dd0ca7e7a8309435072ed478.spkac
> 
> The output to STDOUT is :
> 
> Using configuration from /var/ssl/PhysempCA/request.cnf 
> Check that the SPKAC request matches the signature 
> Signature ok 
> The Subjects Distinguished Name is as follows 
> countryName :PRINTABLE:'US' 
> localityName :PRINTABLE:'Mexico' 
> organizationName :PRINTABLE:'Audrain Medical Center' 
> commonName :PRINTABLE:'Michele Trammell' 
> emailAddress :IA5STRING:'[EMAIL PROTECTED]' 
> Certificate is to be certified until Oct 17 18:47:20 2002 GMT (366 days) 
> 
> Write out database with 1 new entries 
> Data Base Updated 
> 
> Here is the SPKAC (inserted newlines for readability):
> 
> SPKAC=MIIBOjCBpDCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAwpvydCd+jgvlAkbVa
> TI+OAhaTLunUKN0ov5pvSm+TS0RxvbqhO2olCTp7dV9urim10EE2dUe/JuTo9tlUblgjVO5
> m2ZAA35fKYXyEQhFQdkAvErXS2GMF0PxHUUAXEMGHuureCjSw8xzR4RaytmEPS0HFslbIHM
> FC8fdBnNN/8kCAwEAARYAMA0GCSqGSIb3DQEBBAUAA4GBADIDIjM2gVP0Go/OhpnYA6XgNE
> HMkXX//YX01VrY+vu9oaBxohSSMfismi9nUoPZ00EYh4uQa08jf+tUCrAYvGmGED1e5Y4/F
> WQ3SsHzfMqxkaNilln2xEKYlFWrB984/u/fkLpCqjanqxokINbgUAcpDzIlDgdhs35Z2/RM
> X47D 
> C=US
> SP=Missouri
> L=Mexico
> O=Audrain Medical Center
> CN=Michele Trammell
> [EMAIL PROTECTED]
> 
> And here is my config file:
> 
> [ ca ] 
> 
> default_ca = PhysempCA # The default ca section 
> 
> [ PhysempCA ] 
> 
> dir = /var/ssl/PhysempCA
> certs   = /var/ssl/PhysempCA/certs 
> crl_dir = /var/ssl/PhysempCA/crl
> database= /var/ssl/PhysempCA/index.txt
> new_certs_dir   = /var/ssl/PhysempCA/newcerts
> certificate = /var/ssl/PhysempCA/cacert.pem
> serial  = /var/ssl/PhysempCA/serial
> crl = /var/ssl/PhysempCA/crl.pem
> private_key = /var/ssl/PhysempCA/private/cakey.pem.decoded
> RANDFILE= /var/ssl/PhysempCA/private/.rand  
> x509_extensions = usr_cert 
> default_days= 366
> default_md  = md5
> preserve= no
> policy  = policy_anything 
> 
> [ policy_anything ] 
> 
> countryName= optional 
> stateOrProvinceName= optional 
> localityName   = optional 
> organizationName   = optional 
> organizationalUnitName = optional 
> commonName = optional 
> emailAddress   = optional 
> 
> [ req ] 
> 
> default_bits   = 1024 
> default_keyfile= privkey.pem 
> distinguished_name = req_distinguished_name 
> attributes = req_attributes 
> prompt = no 
> string_mask= nombstr 
> req_extensions = v3_req 
> 
> [ req_distinguished_name ] 
> 
> countryName_default = US 
> stateOrProvinceName_default = Missouri 
> localityName_default= Mexico 
> organizationName_default= Audrain Medical Center 
> commonName_default  = Michele Trammell 
> emailAddress_default= [EMAIL PROTECTED] 
> 
> [ req_attributes ] 
> 
> challengePassword = 
> unstructuredName  = Michele Trammell 
> 
> [ usr_cert ] 
> 
> basicConstraints = CA:FALSE 
> nsCertType = client, email 
> keyUsage = nonRepudiation, digitalSignature, keyEncipherment 
> nsComment = "OpenSSL Generated Certificate Issued by Physician's Employment CA" 
> subjectKeyIdentifier = hash 
> authorityKeyIdentifier = keyid,issuer:always 
> subjectAltName = email:copy 
> issuerAltName = issuer:copy 
> 
> [ v3_req ]
> 
> basicConstraints = CA:FALSE 
> keyUsage = nonRepudiation, digitalSignature, keyEncipherment
> 
> 
> If anyone needs to see the resulting cert, I'd be more than
> happy to email it as an attachment.
> 
> 
> 
>   --Christopher
> __
> OpenSSL Project http://www.openssl.org
> User Support Mailing List[EMAIL PROTECTED]
> Automated List Manager   [EMAIL PROTE
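
The reply's point, as an added example (not code from either poster): a certificate file without a BEGIN CERTIFICATE line may simply be DER, the binary ASN.1 encoding that PEM wraps in base64. The Python below tells the two apart and converts between them; the function names are hypothetical and SAMPLE_DER is a constructed placeholder with DER framing, not a real certificate.

```python
import ssl

PEM_HEADER = b"-----BEGIN CERTIFICATE-----"
PEM_FOOTER = b"-----END CERTIFICATE-----"

# Constructed placeholder: a DER SEQUENCE header (0x30, long-form length 0x0100)
# followed by 256 zero bytes. It has DER framing but is NOT a real certificate.
SAMPLE_DER = bytes([0x30, 0x82, 0x01, 0x00]) + bytes(256)


def detect_cert_encoding(data: bytes) -> str:
    """Classify raw certificate file bytes as 'PEM', 'DER' or 'unknown'."""
    if PEM_HEADER in data and PEM_FOOTER in data:
        return "PEM"
    # DER starts with the SEQUENCE tag 0x30 and a length that must cover
    # exactly the remainder of the file.
    if len(data) < 2 or data[0] != 0x30:
        return "unknown"
    if data[1] < 0x80:                      # short form: length in one byte
        header_len, body_len = 2, data[1]
    else:                                   # long form: next n bytes hold it
        n = data[1] & 0x7F
        if n == 0 or n > 4 or len(data) < 2 + n:
            return "unknown"
        header_len, body_len = 2 + n, int.from_bytes(data[2:2 + n], "big")
    return "DER" if header_len + body_len == len(data) else "unknown"


def to_pem(data: bytes) -> str:
    """Return the certificate as PEM text, whatever encoding it arrived in."""
    kind = detect_cert_encoding(data)
    if kind == "PEM":
        start = data.index(PEM_HEADER)      # skip any text dump before the armor
        end = data.index(PEM_FOOTER) + len(PEM_FOOTER)
        return data[start:end].decode("ascii") + "\n"
    if kind == "DER":
        return ssl.DER_cert_to_PEM_cert(data)
    raise ValueError("neither PEM nor DER certificate data")


def to_der(data: bytes) -> bytes:
    """Return the certificate as DER bytes (what is inside the PEM armor)."""
    if detect_cert_encoding(data) == "DER":
        return data
    return ssl.PEM_cert_to_DER_cert(to_pem(data))
```
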

problem signing spkacs

2001-10-17 Thread Christopher L. Everett

Hello:

I'm trying to use the "openssl ca" command inside a mod_perl 
handler (I borrowed Perl code from http://www.pseudonym.org/ssl/) 
to sign netscape spkacs, and I'm running into a very funky 
problem.  

The docs say that the signed cert will come out in PEM form.  
As I understand it, PEM certs look like

-----BEGIN CERTIFICATE-----

-----END CERTIFICATE-----

and what I get coming out is something very different.  When
I try to download it to a Netscape browser using a MIME type
of 'application/x-x509-user-cert', Netscape won't load it.

My environment is 

Debian Potato dist with Linux kernel 2.4.9
openssl 0.9.6b

The command I use is

/usr/local/bin/openssl ca -batch \
-config /var/ssl/PhysempCA/request.cnf \
-out /var/ssl/PhysempCA/newcerts/72ff92dd0ca7e7a8309435072ed478.pem \
-spkac /var/ssl/PhysempCA/newcerts/72ff92dd0ca7e7a8309435072ed478.spkac

The output to STDOUT is :

Using configuration from /var/ssl/PhysempCA/request.cnf 
Check that the SPKAC request matches the signature 
Signature ok 
The Subjects Distinguished Name is as follows 
countryName :PRINTABLE:'US' 
localityName :PRINTABLE:'Mexico' 
organizationName :PRINTABLE:'Audrain Medical Center' 
commonName :PRINTABLE:'Michele Trammell' 
emailAddress :IA5STRING:'[EMAIL PROTECTED]' 
Certificate is to be certified until Oct 17 18:47:20 2002 GMT (366 days) 

Write out database with 1 new entries 
Data Base Updated 

Here is the SPKAC (inserted newlines for readability):

SPKAC=MIIBOjCBpDCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAwpvydCd+jgvlAkbVa
TI+OAhaTLunUKN0ov5pvSm+TS0RxvbqhO2olCTp7dV9urim10EE2dUe/JuTo9tlUblgjVO5
m2ZAA35fKYXyEQhFQdkAvErXS2GMF0PxHUUAXEMGHuureCjSw8xzR4RaytmEPS0HFslbIHM
FC8fdBnNN/8kCAwEAARYAMA0GCSqGSIb3DQEBBAUAA4GBADIDIjM2gVP0Go/OhpnYA6XgNE
HMkXX//YX01VrY+vu9oaBxohSSMfismi9nUoPZ00EYh4uQa08jf+tUCrAYvGmGED1e5Y4/F
WQ3SsHzfMqxkaNilln2xEKYlFWrB984/u/fkLpCqjanqxokINbgUAcpDzIlDgdhs35Z2/RM
X47D 
C=US
SP=Missouri
L=Mexico
O=Audrain Medical Center
CN=Michele Trammell
[EMAIL PROTECTED]

And here is my config file:

[ ca ] 

default_ca = PhysempCA # The default ca section 

[ PhysempCA ] 

dir = /var/ssl/PhysempCA
certs   = /var/ssl/PhysempCA/certs 
crl_dir = /var/ssl/PhysempCA/crl
database= /var/ssl/PhysempCA/index.txt
new_certs_dir   = /var/ssl/PhysempCA/newcerts
certificate = /var/ssl/PhysempCA/cacert.pem
serial  = /var/ssl/PhysempCA/serial
crl = /var/ssl/PhysempCA/crl.pem
private_key = /var/ssl/PhysempCA/private/cakey.pem.decoded
RANDFILE= /var/ssl/PhysempCA/private/.rand  
x509_extensions = usr_cert 
default_days= 366
default_md  = md5
preserve= no
policy  = policy_anything 

[ policy_anything ] 

countryName= optional 
stateOrProvinceName= optional 
localityName   = optional 
organizationName   = optional 
organizationalUnitName = optional 
commonName = optional 
emailAddress   = optional 

[ req ] 

default_bits   = 1024 
default_keyfile= privkey.pem 
distinguished_name = req_distinguished_name 
attributes = req_attributes 
prompt = no 
string_mask= nombstr 
req_extensions = v3_req 

[ req_distinguished_name ] 

countryName_default = US 
stateOrProvinceName_default = Missouri 
localityName_default= Mexico 
organizationName_default= Audrain Medical Center 
commonName_default  = Michele Trammell 
emailAddress_default= [EMAIL PROTECTED] 

[ req_attributes ] 

challengePassword = 
unstructuredName  = Michele Trammell 

[ usr_cert ] 

basicConstraints = CA:FALSE 
nsCertType = client, email 
keyUsage = nonRepudiation, digitalSignature, keyEncipherment 
nsComment = "OpenSSL Generated Certificate Issued by Physician's Employment CA" 
subjectKeyIdentifier = hash 
authorityKeyIdentifier = keyid,issuer:always 
subjectAltName = email:copy 
issuerAltName = issuer:copy 

[ v3_req ]

basicConstraints = CA:FALSE 
keyUsage = nonRepudiation, digitalSignature, keyEncipherment


If anyone needs to see the resulting cert, I'd be more than
happy to email it as an attachment.



  --Christopher