A very important adjunct to step 4 is getting the
private key associated with the certificate into
the server. If step 1 is done ON THE SERVER
COMPUTER and it is not reinitialized in the meantime
etc etc then in step 4 the association between the
certificate and key should be recognized.
Should not be that bad, since all the gore happens at the
beginning of the connection, so when the data is actually
flowing it's just a standard symmetric encryption which is
usually one-to-one - however there is some overhead as the
session key is periodically recomputed.
You could do an
I should think generation of the renewed root certificate
would be the easy part, compared with migrating the new
certificate out to all your relying parties?
Stephan Tesch wrote:
Hi everyone,
$subject says it all :-)
I currently have a Root CA certificate, issued with openssl, that expires in a
and sign the new
certificate?
It would be helpful to have an example to work with.
Thanks again Charles, I'll figure this thing out
sooner or later. OH, I'll grab the new docs and see
what juicy morsels can be found!
--- Charles Cranston [EMAIL PROTECTED] wrote:
OK, the problem you will run
Zerg wrote:
Hi.
I have such a problem.
The client side needs to get a certificate from the server side.
But there is no possibility to generate a certificate request
on the client. So the server has to do it by itself.
Why? If client can create a key pair, which requires both a
good random number
The place to look for the answer to this is the various
ways strings can be encoded. IIRC there are several
variants like PrintableString and IA5 or something like
that, but the allowable characters vary from string type
to string type and it is possible that + is not in the
default one.
As an
OOPS, sorry, should have read the original posting more fully.
You already have the OpenSSL certificate and OpenCA cannot
seem to deal with it? I guess you could do the experiment
to find out if the + is the culprit. It may be that the
inclusion of the + triggered a different kind of string
type
OK, the problem you will run into is that the Certificate
Signing Request (CSR) is a DN and Public Key combination
that is signed by the private key. Since this is done by
your client, you will not have access to the private key.
The OpenSSL software, as written, uses this signing as
proof that
List the certificate: openssl x509 -noout -text -in certfilename
List the key: openssl rsa -noout -text -in keyfile
Make sure the fields in PublicKey (Modulus and Public Exponent)
match between the two.
Note that if the private key is encrypted you will need to give
the password for the
In an earlier version of the diagram I had one more level of
certificate between the bridge certificates and the end-user
certificates, but I was trying to make it simpler. If there is
one more certificate between (Bridge)QSign and (QSign)End User
it could be supplied by the Q offerer.
The cost
Hmm, it's been 10 years since I worked for the networking group
here, and we used to use the term multi-homed to describe
deviation from the old one machine, one IP address paradigm.
But I guess I don't really know which of the following four
situations multi-homed really refers to:
1. Having
Usually not. Do the two have the same DNS name?
Can the new server correctly decrypt the private
key (if it is pass-phrase encrypted)?
I guess to go much further we should know what kind
of server software is in use. If it is apache,
what does the log file say at startup?
You can ensure the
It's not hard at all to use openssl s_client to try to
make a connection and to see the certificate that is
being presented by the server. If you use the -showcerts
option it will even show the entire certificate chain being
presented by the server, instead of just the end-user cert.
I have good
Are there any interesting messages at startup time in
the apache log file?
Matthew Bradford wrote:
Hello
I am new to the list and have tried going through the archives a bit, but I
could not easily find the answer to my question... at any rate, here it is:
OpenSSL does not seem to properly
..\openssl genrsa -out mcg.key -des3 2048
..\openssl req -out mcg.csr -new -key mcg.key
..\openssl req -out mcg.crt -x509 -key mcg.key -in mcg.csr
..\openssl pkcs12 -export -in mcg.crt -inkey mcg.key \
-out mcg_openssl.p12 -name MCG_Gestión
But I need that the Signature Algorithm will be
[EMAIL PROTECTED] wrote:
Hi everyone!
I've got to write a plugin for Adobe Acrobat to make a digital signature
of a pdf receiving a PKCS#7 in input... I must admit I still haven't figured
out how that works. I mean... there should be two different certs, the former
with the private key, the latter with
I'd like to set the value of the SubjectAltName in openssl.cnf as a
variable, in order to create different certificates without changing the
SubjectAltName value in openssl.cnf at anytime. I'd like to set the
value during starting the openssl command from the shell. Is this possible?
If you
Well, make that hard choice: do you want to have your software fail
when an up-to-date CRL is not available, or do you want to make your
software susceptible to a denial-of-service attack on the CRL distro
process?
Same question if your OCSP request fails without prejudice. If you
go ahead and
Is /usr/local/apache/conf/ssl.crt/server.crt indeed the
correct filename for the file containing the certificate?
AFAICR the only weirdness I ever saw was that you cannot
use the command macro to restart the server in place, you
have to stop and then start -- I assumed it was because
once the
Why would you want to do this? OpenSSL comes installed in these
systems and other pieces may well require it. Have you thought
through what things might and would stop working if you were
actually able to accomplish this???
(Yeah. FUD. In overcoming my enemy I become him...)
Sasha Nash wrote:
I'm calling it using exec and a lot of weird Unix specific
pipeline stuff. I've posted just about all of my source
code to this list in the past year or so, so you could
probably get a lot of good stuff out of the archives.
Or I can send you some examples privately. Let me know.
Short example
It's not THAT hard to modify your $MANPATH variable to include the
nonstandard man page areas. This is some code I use in my .cshrc file
on Solaris:
=
# there is always a way
set path=( \
${HOME}/bin \
${HOME}/src/script \
/bin \
/usr/bin \
/usr/local/bin \
/usr/sbin \
/opt/SUNWspro/bin \