RE: Revoke problem

2001-07-12 Thread Ryan Hurst
Michael - Here is what I do to revoke a certificate: REM this copy is necessary because -revoke command does not do it; maybe this is a bug? openssl ca -revoke .\subca1\subca1ee.crt -config test.cnf -name sub_ca1 copy .\subca1\index.txt.new .\subca1\index.txt openssl ca -gencrl -name root_ca -

RE: Password Protected Certs

2001-08-31 Thread Ryan Hurst
Title: Password Protected Certs Try to decrypt it with the password. I am assuming you are talking about a PKCS12 blob, if that's the case see the PKCS12 test application for code examples on how to do this.   Ryan   -Original Message- From: Andrew Finnell [mailto:[EMAIL PROTEC

RE: Too Long !!!

2001-09-04 Thread Ryan Hurst
My guess is it's just sitting there reading your /dev/urandom (aka sounds like a blocking/non-blocking issue), even on a 386 it should not take more than a minute or so to generate the key. Take a look at the FAQ for information on gathering entropy. Ryan -Original Message- From: [EMAIL P

RE: Errors with CRL.

2001-09-04 Thread Ryan Hurst
Title: Errors with CRL. What CA generated the CRL? Are you sure it is in PEM? Does it have the PEM armor (- BEGIN..., END)?   Ryan   -Original Message- From: Eldi Espinosa (InfoSpace Inc) [mailto:[EMAIL PROTECTED]] Sent: Tuesday, September 04, 2001 1:01 PM To: '[EMAIL

OpemSSL Hardware Random Number Generator (RNG) for Intel Chipsets .

2001-09-08 Thread Ryan Hurst
Did you know that many of the new Intel desktop and server chipsets have a built in Hardware Random Number generator? I did not until a while ago. If your computer uses the Intel® 815 chipset, Intel® 820 chipset, Intel® 840 chipset, Intel® 850 chipset, or Intel® 860 chipset you have an excel

RE: non passworded server cert?

2001-09-08 Thread Ryan Hurst
Use the OpenSSL command line tool to decrypt the key... Ryan -Original Message- From: Travis Farmer [mailto:[EMAIL PROTECTED]] Sent: Saturday, September 08, 2001 12:30 PM To: [EMAIL PROTECTED] Subject: non passworded server cert? I got a CA cert now and made a working server certificat

RE: non passworded server cert?

2001-09-08 Thread Ryan Hurst
decrypted key (seems to cause errors) or use the current cert and the decrypted key? ~Travis >From: Ryan Hurst <[EMAIL PROTECTED]> >Reply-To: [EMAIL PROTECTED] >To: "'[EMAIL PROTECTED]'" <[EMAIL PROTECTED]> >Subject: RE: non passworded server cert?

FW: non passworded server cert?

2001-09-08 Thread Ryan Hurst
it it asks for a passphrase. You can recreate a key without -des3 option so it stays unencrypted. But make sure the file is not world readable. -Mehmet On Sep 8, 12:34pm, Ryan Hurst wrote: > Subject: RE: non passworded server cert? > Use the OpenSSL command line tool to decrypt the key... &g

RE: OpemSSL Hardware Random Number Generator (RNG) for Intel Chip sets.

2001-09-08 Thread Ryan Hurst
linux/*bsd interface to the Intel rng device. Rya -Original Message- From: Rich Salz [mailto:[EMAIL PROTECTED]] Sent: Saturday, September 08, 2001 1:38 PM To: Ryan Hurst Cc: Openssl-Dev ([EMAIL PROTECTED]); Openssl-Users ([EMAIL PROTECTED]) Subject: Re: OpemSSL Hardware Random Number G

RE: OpemSSL Hardware Random Number Generator (RNG) for Intel Chip sets.

2001-09-08 Thread Ryan Hurst
, 2001 7:36 PM To: Ryan Hurst Cc: Openssl-Dev ([EMAIL PROTECTED]); Openssl-Users ([EMAIL PROTECTED]) Subject: Re: OpemSSL Hardware Random Number Generator (RNG) for Intel Chip sets. > I am not sure I understand what you are saying You called the intel h/w rng "excellent." I beli

RE: OpemSSL Hardware Random Number Generator (RNG) for Intel Chip sets.

2001-09-08 Thread Ryan Hurst
in detail and of the afore mentioned items. Ryan -Original Message----- From: Ryan Hurst [mailto:[EMAIL PROTECTED]] Sent: Saturday, September 08, 2001 7:42 PM To: 'Rich Salz' Cc: Openssl-Dev ([EMAIL PROTECTED]); Openssl-Users ([EMAIL PROTECTED]) Subject: RE: OpemSSL Hardware Random N

RE: Please help me!

2001-09-26 Thread Ryan Hurst
Valery -- This field in a certificate points to where the issuer will make its certificate revocation list available. If you are using OpenSSL or OpenCA (based off of OpenSSL) to issue your certificates you will want to probably put up a web server or LDAP capable directory where you can

RE: Please help me!

2001-09-27 Thread Ryan Hurst
ate has been revoked? Yours sincerely, Valery E-mail: [EMAIL PROTECTED] - Original Message ----- From: "Ryan Hurst" <[EMAIL PROTECTED]> To: <[EMAIL PROTECTED]> Sent: Wednesday, September 26, 2001 10:15 PM Subject: RE: Please help me! > Valery -- > > Thi

RE: Random number generation

2001-09-27 Thread Ryan Hurst
If you are looking for a software based solution the OpenSSL PRNG library is good. There are many interesting software solutions for gathering seed for the PRNG as well, egd.pl will use a plethora of system information (on unix) to provide seed. However hardware based entropy solutions are a bett

RE: CRL format problem

2001-10-01 Thread Ryan Hurst
Try converting it to DER, openssl crl -in .\main.crl -out .\main.crl -inform pem -outform der The url is not reachable so I could not look to see what other problems there might be.. Ryan -Original Message- From: Valery [mailto:[EMAIL PROTECTED]] Sent: Monday, October 01, 2001 1:05 A

RE: Hi

2001-10-19 Thread Ryan Hurst
Manoj -     The current 9.7 branch has the OCSP code in it. It has both a client and server however its server is just a proof of concept; it can not handle multiple concurrent requests, etc.   Ryan   -Original Message- From: Manoj Kumar [mailto:[EMAIL PROTECTED]] Sen

RE: Anyone using A Chrysalis Luna CA3 box?

2001-11-02 Thread Ryan Hurst
I briefly tried using the Eracom patch that was submitted with a LunaCA but was unsuccessful. I did not spend any time diagnosing but the framework was good enough to make it work it would just take some time which I did not have. Ryan -Original Message- From: Steven A. Bade [mailto:[EM

RE: installing root CA certificates under windows NT and 2000

2001-11-13 Thread Ryan Hurst
Do not get rid of this program or Windows will stop operating. This program simply executes an entry point in a DLL and passes in strings for the arguments. It is used by many Windows applications. It is being executed because the mime type associated with .cer/.crt is associated with IE.

RE: Importing self-signed certs into Outlook

2001-11-14 Thread Ryan Hurst
Tony, Outlook has a "multi-dimensional" certificate store. There are user stores and machine stores. Within each store there are various compartments my, intermediate, root, publishers, etc. You may have problems if the certificate was imported into the incorrect certificate store. Try using the

RE: Importing self-signed certs into Outlook

2001-11-14 Thread Ryan Hurst
Additionally since it is a self signed certificate place it in both the "My" store and the "Root" store. Ryan -Original Message----- From: Ryan Hurst [mailto:[EMAIL PROTECTED]] Sent: Wednesday, November 14, 2001 4:33 PM To: '[EMAIL PROTECTED]' Subject: RE: Im

RE: questions about CRL check

2001-11-21 Thread Ryan Hurst
Wooce -- Outlook's support of revocation checking is done through CryptoAPI, see http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/WinXPPro/support/tshtcrl.asp to better understand how chaining and status determination is done. As for its OCSP

RE: Pass Phrase

2001-10-13 Thread Ryan Hurst
Incorrect, one concerned with the security of their keys and the confidentiality of the data that is encrypted with it should protect their keys; even going to the extent of protecting said keys using an HSM may be necessary to meet their liability risk management needs. As to the technical quest

EKU handling question

2012-01-26 Thread Ryan Hurst
Hello - It has been some time since I visited these forums, I have searched for my answer in the forums but did not find an answer; I have not yet looked at the source to confirm behavior it is my hope that someone can easily answer a question relating to how an application based on OpenSSL would

RE: Pass phrase based public/private key generation

2012-02-15 Thread Ryan Hurst
Anthony, I am not a cryptographer, nor do I play one on TV; however I have read papers that talk about models of doing this, I filed these works under the category of "neat" because of the applicability limitations and noted security risks; with that said I never looked into it in great detail

Re: How to separate ECC Public Key from keypairs and convert it to EVP_PKEY?

2013-01-30 Thread Ryan Hurst
FYI ECC was added to Windows VISTA, Ryan Hurst Sent from my phone, please forgive the brevity. On Jan 30, 2013, at 5:51 AM, "Dr. Stephen Henson" wrote: > On Wed, Jan 30, 2013, cellecial wrote: > >> Hi, >> >> I write some code to generate an ECC ce

RE: Timestamp for Microsoft Authenticode?

2013-03-19 Thread Ryan Hurst
Also this might be useful for implementers: http://msdn.microsoft.com/en-us/library/windows/desktop/bb931395(v=vs.85).aspx -Original Message- From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Jakob Bohm Sent: Tuesday, March 19, 2013 12:07 PM To:

RE: Is it me or is ocsp.comodoca.com doing something wrong?

2013-06-12 Thread Ryan Hurst
They are doing a CA signed OCSP response, this is legitimate. We will do this in the not so distant future as well for many of our responses also. You basically need to look at the responderID and see if it's the same entity that signed the certificate you are checking if so use that key material

Re: Is it me or is ocsp.comodoca.com doing something wrong?

2013-06-13 Thread Ryan Hurst
CA delegated. Ryan Hurst Chief Technology Officer GMO Globalsign twitter: @rmhrisk email: ryan.hu...@globalsign.com phone: 206-650-7926 Sent from my phone, please forgive the brevity. On Jun 13, 2013, at 3:42 AM, Igor Sverkos wrote: > Hi, > > Ryan Hurst wrote: >> They are do

RE: Why CA-signed OCSP responders are a bad idea [WAS:Is it me or is ocsp.comodoca.com doing something wrong?]

2013-06-14 Thread Ryan Hurst
ohm Sent: Friday, June 14, 2013 3:10 PM To: openssl-users@openssl.org Subject: Re: Why CA-signed OCSP responders are a bad idea [WAS:Is it me or is ocsp.comodoca.com doing something wrong?] On 6/13/2013 1:50 AM, Ryan Hurst wrote: > They are doing a CA signed OCSP response, this is legitimate. >

RE: Why CA-signed OCSP responders are a bad idea [WAS:Is it me or is ocsp.comodoca.com doing something wrong?]

2013-06-14 Thread Ryan Hurst
PM To: openssl-users@openssl.org Subject: Re: Why CA-signed OCSP responders are a bad idea [WAS:Is it me or is ocsp.comodoca.com doing something wrong?] On 6/15/2013 1:15 AM, Ryan Hurst wrote: Thanks for your reply, just one tidbit that surprised me: > > CAs are required to produce respo

Re: Why CA-signed OCSP responders are a bad idea [WAS:Is it me or is ocsp.comodoca.com doing something wrong?]

2013-06-14 Thread Ryan Hurst
I forgot to respond to the 1 minute reference, we revoke right away and most CAs do that is just different than pre producing all revoked responses when one cert is revoked. Ryan Hurst Chief Technology Officer GMO Globalsign twitter: @rmhrisk Sent from my phone, please forgive the brevity

Re: Why CA-signed OCSP responders are a bad idea [WAS:Is it me or is ocsp.comodoca.com doing something wrong?]

2013-06-14 Thread Ryan Hurst
Btw let me know if I can ever be of help. Ryan Hurst Chief Technology Officer GMO Globalsign twitter: @rmhrisk email: ryan.hu...@globalsign.com phone: 206-650-7926 Sent from my phone, please forgive the brevity. On Jun 14, 2013, at 3:09 PM, Jakob Bohm wrote: > On 6/13/2013 1:50 AM, R

Re: Best practices guidance for using OpenSSL to make cetificate authorities

2013-10-11 Thread Ryan Hurst
This might be useful http://unmitigatedrisk.com/?p=194 Ryan Hurst Sent from my phone, please forgive the brevity. > On Oct 12, 2013, at 12:53 AM, Ted Byers wrote: > > I found a Linux FAQ dealing with this subject, but it is very dated > (11.5 years old) and I do not know how much

Re: cmd line and subjectAltName

2013-12-03 Thread Ryan Hurst
Can't be done, though most CAs don't use this information from the request. Can do something like this: rem 8. CN, O, OU1, OU2, E, city and all SAN types /w SHA1 & 2048 echo [ req ]>test8.cnf echo default_bits = 2048>>test8.cnf echo prompt = no>>test8.cnf echo encrypt_key = no>>test8.cnf echo defau

Re: cmd line and subjectAltName

2013-12-03 Thread Ryan Hurst
Well I provided a windows example of the same approach but it's not purely from the command line. Ryan Hurst Sent from my phone, please forgive the brevity. > On Dec 3, 2013, at 5:20 PM, Viktor Dukhovni > wrote: > >> On Tue, Dec 03, 2013 at 12:29:09PM -0800, Ryan Hurst w

Re: cmd line and subjectAltName

2013-12-03 Thread Ryan Hurst
You could use a different config file and reference it on the command line. Reqexts is used to reference a section in a config file. Ryan Hurst Sent from my phone, please forgive the brevity. > On Dec 3, 2013, at 5:19 PM, Anders Larsson wrote: > > Hmm somehow the e-mail got cut a

Re: comment on donations

2014-04-11 Thread Ryan Hurst
Steve, Does the Foundation have a Bitcoin address? Ryan On Fri, Apr 11, 2014 at 8:09 AM, Steve Marquess < marqu...@opensslfoundation.com> wrote: > In a typical year the OpenSSL project receives about US$2000 in donations. > > This week we have received roughly 200 donations totaling nearly > U