Re: [openssl-users] Fwd: CONGRATULATION____REF#87670

2016-04-02 Thread Ben Humpert
Fun Fact: (For me) Gmail often marks completely legit emails from mailing lists as spam and you manually have to mark them as "no spam". The fun comes in when you notice that actual spam is not marked as such at all. Looks like strong encryption is much easier to develop than a decent spam

Re: [openssl-users] Properly manage CA-signed certificates that have expired

2016-04-01 Thread Ben Humpert
I see. Thank you very much Jakob and Jeffrey! -- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: [openssl-users] Properly manage CA-signed certificates that have expired

2016-03-31 Thread Ben Humpert
2016-03-31 18:09 GMT+02:00 Jakob Bohm : > On 31/03/2016 17:16, warron.french wrote: > 3. Then create new server certificates for the 2 servers again. > > Yep, and give the new ones a slightly different "full" > distinguished name (important for CRL and "ca" database). > My

Re: [openssl-users] How can I set up a bundle of commercial root CA certificates? (FAQ 16)

2015-12-14 Thread Ben Humpert
2015-12-13 22:57 GMT+01:00 Salz, Rich : > >> And we don't know on which client OP will have to use that pem file, thus >> give advise that works on all clients, not just OpenSSL or GnuTLS or >> whatever. > > It is quite reasonable to give openssl-specific answers on the

Re: [openssl-users] How can I set up a bundle of commercial root CA certificates? (FAQ 16)

2015-12-13 Thread Ben Humpert
2015-12-13 3:53 GMT+01:00 Viktor Dukhovni : > > In other words, you can concatenate all the trusted root CA > certs into the "cert.pem" file in that directory, but this > has a performance cost, as all the certificates are loaded > into memory and parse even though most

Re: [openssl-users] How can I set up a bundle of commercial root CA certificates? (FAQ 16)

2015-12-13 Thread Ben Humpert
2015-12-13 20:27 GMT+01:00 Viktor Dukhovni : > > This is both wrong and irrelevant. The OP should proceed as instructed. > OpenSSL's CAfile feature reads multiple certificates from a single file. Exactly that is the point. Only "linux based" tools will be able to read

Re: [openssl-users] How can I set up a bundle of commercial root CA certificates? (FAQ 16)

2015-12-12 Thread Ben Humpert
Hi, so if I understand you correctly, you want to create one file that contains more than one CA certificate and can be installed onto Windows, Mac, etc.? You only can do that if you create a p12 file and that must contain a leaf certificate and its private key. openssl pkcs12 -export -in

Re: [openssl-users] sign sub CA issue

2015-12-11 Thread Ben Humpert
Tell the person who created the CSR that the value of the stateOrProvinceName field has to be HK. If that is not possible because the subCA is in a different country you can change your openssl.cnf to allow different values in that field so instead of stateOrProvinceName = match you have to use at

Re: [openssl-users] How do I configure my Certification Authority to pay attention to Subject Alternate Names

2015-11-04 Thread Ben Humpert
That guide is a little bit old and not very accurate. I set up my PKI using the OpenSSL Cookbook recommended to me by Rich Salz. This free guide / documentation is here: https://www.feistyduck.com/books/openssl-cookbook/ (Click "Free: Read Now" below the cover image). I also used various other

Re: [openssl-users] How do I configure my Certification Authority to pay attention to Subject Alternate Names

2015-11-04 Thread Ben Humpert
://drive.google.com/file/d/0B8gf20AKtya0Y2tLOU1FaGFnUE0/view?usp=sharing 2015-11-04 16:06 GMT+01:00 Ben Humpert <b...@an3k.de>: > That guide is a little bit old and not very accurate. I set up my PKI > using the OpenSSL Cookbook recommended to me by Rich Salz. This free > guide / docume

Re: [openssl-users] Certificate serialnumber?

2015-07-05 Thread Ben Humpert
Take a look in your openssl.cnf and you should see the option serial with a path / file specified. The serial number is taken from that file. If the file doesn't exist or is empty when the very first certificate is created then 01 is used as a serial for it. Rich Salz recommended me this SSL

Re: [openssl-users] Bug 1.0.1f - selfsign ignores email_in_dn setting

2015-06-30 Thread Ben Humpert
2015-06-24 1:35 GMT+02:00 Jakob Bohm jb-open...@wisemo.com: On 19/06/2015 16:24, Ben Humpert wrote: When the CSR contains an email address and the email_in_dn setting in the config file is set to no, the email address is actually present in the issuer DN but not in the subject DN. This causes

Re: [openssl-users] How to verify a cert chain using Openssl command line?

2015-06-29 Thread Ben Humpert
Do you use nameConstraints or have specified an IP in subjectAltName? Because OpenSSL can't handle that correctly. 2015-06-29 22:51 GMT+02:00 David Li dlipub...@gmail.com: Hi, As a test, I have created a rootCA, a subCA (signed by the rootCA) and a client cert (signed by the subCA). Now I want

Re: [openssl-users] How to verify a cert chain using Openssl command line?

2015-06-29 Thread Ben Humpert
;DNS.0 = example.com client configuration file has subjectAltName: subjectAltName = DNS: www.cs.com So is this a mismatch? How come s_client/s_server test was okay? On Mon, Jun 29, 2015 at 2:12 PM, Ben Humpert b...@an3k.de wrote: Do you use nameConstraints or have specified IP

[openssl-users] Bug 1.0.1f - selfsign ignores email_in_dn setting

2015-06-19 Thread Ben Humpert
When the CSR contains an email address and the email_in_dn setting in the config file is set to no, the email address is actually present in the issuer DN but not in the subject DN. This causes errors when verifying certificate chains since the subject hash is used to identify a cert but the issuer

Re: [openssl-users] OpenSSL.cnf File path

2015-06-04 Thread Ben Humpert
As a workaround try running openssl with the -config command line option. 2015-06-04 22:17 GMT+02:00 Cathy Fauntleroy cathy.fauntle...@vdtg.com: Hello, I have OpenSSL 1.0.2a installed on my Windows 7 box. I am attempting to generate a CSR so new security certificates can be issued and am

[openssl-users] Bug in OpenSSL nameConstraints validation

2015-05-28 Thread Ben Humpert
Hi, Based on https://tools.ietf.org/pdf/draft-wilson-wpkops-browser-processing-02.pdf section 3.3.1.2. I ran my own tests. I wrote an email (https://mta.openssl.org/pipermail/openssl-users/2015-May/001387.html) with the results (attachments in

Re: [openssl-users] Android Wifi setup / CA certificate / always getting SSL fatal error

2015-05-27 Thread Ben Humpert
2015-05-27 8:17 GMT+02:00 Jakob Bohm jb-open...@wisemo.com: Maybe the Android user interface is really asking about something other than the issuing CA cert. What are you trying to achieve by selecting a CA cert in the client UI? The official Google documentation as well as other sources say

Re: [openssl-users] Android Wifi setup / CA certificate / always getting SSL fatal error

2015-05-27 Thread Ben Humpert
2015-05-27 14:02 GMT+02:00 Jakob Bohm jb-open...@wisemo.com: Just to clarify: The log messages in your original post, were those from Android or from the server? These are from the RADIUS server debug output.

[openssl-users] Android Wifi setup / CA certificate / always getting SSL fatal error

2015-05-26 Thread Ben Humpert
Hi everybody, I have my RADIUS server running and Windows as well as MacOS and iOS can successfully authenticate using EAP-PEAP, EAP-TTLS or EAP-TLS each with server certificate validation. However, Android 4.4.4 cannot and I can't figure out why. The complete Cert Chain: Root CA -

[openssl-users] Vulnerability logjam downgrades TLS connections to 512 Bit

2015-05-20 Thread Ben Humpert
Technical report: https://weakdh.org/imperfect-forward-secrecy.pdf Check your browser (currently all are affected) at https://weakdh.org/ Check your Server at https://weakdh.org/sysadmin.html Deploying Guide: https://weakdh.org/sysadmin.html

Re: [openssl-users] x509_config nameConstraints

2015-05-12 Thread Ben Humpert
Ok, after plenty of testing and some googling: the name constraints extension is ... improvable. I ran plenty of tests but it looks like the extension is not very well implemented in today's browsers. I have attached three txt files (DOS format) with the settings and results of each test run.

Re: [openssl-users] x509_config nameConstraints

2015-05-12 Thread Ben Humpert
I love that when it happens :) 2015-05-12 16:56 GMT+02:00 Ben Humpert b...@an3k.de: Ok, after plenty of testing and some googling: the name constraints extension is ... improvable. I ran plenty of tests but it looks like the extension is not very well implemented in today's browsers. I

[openssl-users] x509_config nameConstraints

2015-05-11 Thread Ben Humpert
Hi, I read the OpenSSL Cookbook by Ivan Ristic and saw how he configured nameConstraints so I adapted it for my setup. First I tried the following but that doesn't work. permitted;DNS.0=lan permitted;DNS.1=local permitted;IP.0=10.0.0.0/255.0.0.0 permitted;IP.1=172.16.0.0/255.240.0.0

Re: [openssl-users] minor documentation errors

2015-05-10 Thread Ben Humpert
2015-05-09 21:47 GMT+02:00 Salz, Rich rs...@akamai.com: After getting into building and especially configuring my own CA again I'm nearly at the end and I've noticed some errors in the documentation I want to report. I like the again :) Yeah, once upon a time I had done a comprehensive

[openssl-users] minor documentation errors

2015-05-09 Thread Ben Humpert
Hello list! After getting into building and especially configuring my own CA again I'm nearly at the end and I've noticed some errors in the documentation I want to report. 1) On https://www.openssl.org/docs/apps/ca.html for the -md option not all possible values (sha256, sha384, etc.) are list