on section v3_subca
4583112192:error:22075075:X509 V3 routines:v2i_GENERAL_NAME_ex:unsupported
option:crypto/x509v3/v3_alt.c:548:name=crlDistributionPoints
4583112192:error:22098080:X509 V3 routines:X509V3_EXT_nconf:error in
extension:crypto/x509v3/v3_conf.c:47:name=crlDistributionPoints, value=@c
t found a way to disable this check.
>>
>> Our root CA does not have a 'crlDistributionPoints' setting, is it
>> possible to add this without having to re-issue the CA?
>
>
> crlDistribution point goes in End Entity certificates - (Server or
> User certificat
t CA does not have a 'crlDistributionPoints' setting, is it
> possible to add this without having to re-issue the CA?
crlDistribution point goes in End Entity certificates - (Server or User
certificates), so you don't have to touch anything in the Root CA, you just
have to include
I've discovered that Microsoft Exchange 2007, presumably also 2010,
expects to have/check a CRL when setting up TLS for an SMTP connection.
So far, I have not found a way to disable this check.
Our root CA does not have a 'crlDistributionPoints' setting, is it
possible to a
Hello Björn;
On January 28, 2010 05:40:57 am Björn Lantz wrote:
> Dear listreaders,
>
> I have a question about whose/which CRL the crlDistributionPoints in a
> certificate should point out. I have spent a few days looking for a
> recommendation or common practice, but without succe
Dear listreaders,
I have a question about whose/which CRL the crlDistributionPoints in a
certificate should point out. I have spent a few days looking for a
recommendation or common practice, but without success.
The alternatives for a certificate are of course to point out its own
crl, the
It is quite a bad idea to use assert here. You are analyzing a
certificate.
External data which are passed to you by some other party, and you at
this moment cannot be sure that this party is trusted, because you've
not completed validation procedure yet.
I agree completely. This is a code snip
y is trusted, because you've
not completed validation procedure yet.
If somebody would send you a certificate without crlDistributionPoints
extension (perfectly valid by all other means), your program would
crash.
This should be runtime error, which
On Oct 25, 2009, at 5:59 PM, Dr. Stephen Henson wrote:
It is rather simpler than that. You can get the decoded structure
for any
certificate extension using X509_get_ext_d2i(). You get additional
checks that
way such as seeing if the extension occurs more than once.
True enough, this redu
On Sun, Oct 25, 2009, Carl Harris wrote:
> On Oct 25, 2009, at 2:57 PM, Carl Harris wrote:
>
>> I'm looking for an example of decoding the crlDistributionPoints
>> extension; e.g. obtaining the specified URI (assuming that the value
>> specifies a URI, that is).
On Oct 25, 2009, at 2:57 PM, Carl Harris wrote:
I'm looking for an example of decoding the crlDistributionPoints
extension; e.g. obtaining the specified URI (assuming that the value
specifies a URI, that is). This seems like it should be easy. By
digging around in the archives of
I'm looking for an example of decoding the crlDistributionPoints
extension; e.g. obtaining the specified URI (assuming that the value
specifies a URI, that is). This seems like it should be easy. By
digging around in the archives of this list, I've been able to figure
out I c
Hi,
I want to implement HTTP download of CRLs from cert's
CrlDistributionPoints in my application (if any) and
include them in the verify process.
What was best practice or best design to do this
with OpenSSL? Are there certain callbacks I should use?
Or even a sample I missed in the source
ust didn’t know what to do with it. ;)
When you generate a certificate request you need the following in the
openssl.cnf:
req_extensions = v3_req
[ v3_req ]
crlDistributionPoints = URI:http://192.168.0.2/my.crl
And when you issue the certificate from this request you’ll need in your
openssl.
; won’t try to set up a commercial CA or web-server using it. Only for
>> testing purposes isolated from the rest of the world.
For testing uses you can still generate the openssl.cnf containing the
crlDistributionPoints extension you need before issuing a cert...
>> By the way, another
> greetings domi
>
>
--
View this message in context:
http://www.nabble.com/crlDistributionPoints-in-a-certificate-request-tf3148251.html#a8780236
Sent from the OpenSSL - User mailing list archive at Nabble.com.
__
OpenSSL P
> stores the CRL as usual. But in addition the CA also sends a copy of the CRL
> to www.server.net, which stores the CRL wherever it wants. (Pushing or
> pulling the CRL is not important to me.)
The crlDistributionPoints extension (roundabout) says:
"I (the CA) declare that certifica
outsourced) part of the CA.
So the CA needs this list anyway and can incorporate it into all
certificates.
Letting the client set the crlDistributionPoints may lead to something
like:
To check if the security of www.server.net is compromised,
go to www.server.net and download the CRL.
But if the
rs that are
specially hardened for this usage.
These servers are a (potentially outsourced) part of the CA.
So the CA needs this list anyway and can incorporate it into all
certificates.
Letting the client set the crlDistributionPoints may lead to something
like:
To check if the security of www.server
>> O'Reilly). I can create certificate requests and issue certificate from
>> them. Now I want to do the following:
>>
>> The certificate request should include the crlDistributionPoints. (I'm
>> able
>> to enter the DP under certificate_extensions) Tha
rtificate from
> them. Now I want to do the following:
>
> The certificate request should include the crlDistributionPoints. (I'm able
> to enter the DP under certificate_extensions) That's no problem so far.
> But now should the CA create the certificate without knowing the CRL
est should include the crlDistributionPoints. (I'm able
to enter the DP under certificate_extensions) That's no problem so far.
But now should the CA create the certificate without knowing the CRL DP in
the forefront. The CA should take CRL DP entered by the user and put it into
the certificate.
Dr. Stephen Henson wrote:
> On Sun, Oct 29, 2006, Karsten Ohme wrote:
>
>
>>Hello,
>>
>>The example from:
>>
>>http://www.openssl.org/docs/apps/x509v3_config.html
>>
>
>
> Those docs are for 0.9.9-dev check the docs with your distribution.
OK, works better. Almost.
But I want to add an base D
On Sun, Oct 29, 2006, Karsten Ohme wrote:
> Hello,
>
> The example from:
>
> http://www.openssl.org/docs/apps/x509v3_config.html
>
Those docs are for 0.9.9-dev check the docs with your distribution.
Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core
Hello,
The example from:
http://www.openssl.org/docs/apps/x509v3_config.html
crlDistributionPoints=crldp1_section
[crldp1_section]
fullname=URI:http://myhost.com/myca.crl
CRLissuer=dirName:issuer_sect
reasons=keyCompromise, CACompromise
[issuer_sect]
C=UK
O=Organisation
CN=Some Name
--On Friday, January 16, 2004 10:06 PM +0100 "Dr. Stephen Henson"
<[EMAIL PROTECTED]> wrote:
What does:
opensssl x509 -in some_cert.pem -text
(where some_cert.pem is one you created) say?
bash: opensssl: command not found
:-)
Josh
--
Joshua Juran
Metamage Software Creations - Mac Software an
On Fri, Jan 16, 2004, Charles Harmon wrote:
> Hello all,
>
> I am desperately trying to get crlDistributionPoints stamped to my
> (server/client) certificates. For some reason it does not get added to
> any certificate I generate. I have read through the openssl.txt file
> a
It is set to
/usr/local/ssl/openssl.cnf
I even tried to use the -extensions usr_cert to specify the section to
pull the crlDistributionPoints parameter.
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Bommareddy, Satish
(Satish)
Sent: Friday, January
PROTECTED]
Subject: new CA & crlDistributionPoints
Hello all,
I am desperately trying to get crlDistributionPoints stamped to my
(server/client) certificates. For some reason it does not get added to
any certificate I generate. I have read through the openssl.txt file
and it just says to add
Hello all,
I am desperately trying to get crlDistributionPoints stamped to my
(server/client) certificates. For some reason it does not get added to
any certificate I generate. I have read through the openssl.txt file
and it just says to add the following to the x509_extensions section
Plenk wrote:
I've got a hint:
crlDistributionPoints= @testsection
[ testsection ]
URI.1="ldap://x500.test.de/CN=CA Test, OU=Test, O=Test-PKI,
C=DE?certificateRevocationList"
URI.2="http://crl.test.de/cert/linuxtestca_crl.crl";
thanks to Peter for the hint.
Odd, works OK her
On Thu, Nov 27, 2003, Martin Plenk wrote:
> I've got a hint:
>
> crlDistributionPoints= @testsection
> [ testsection ]
> URI.1="ldap://x500.test.de/CN=CA Test, OU=Test, O=Test-PKI,
> C=DE?certificateRevocationList"
> URI.2="http://crl.test.de/cert/linux
I've got a hint:
crlDistributionPoints= @testsection
[ testsection ]
URI.1="ldap://x500.test.de/CN=CA Test, OU=Test, O=Test-PKI,
C=DE?certificateRevocationList"
URI.2="http://crl.test.de/cert/linuxtestca_crl.crl";
thanks to Peter for the hint.
Martin
Martin Pl
On Thu, Nov 27, 2003, Martin Plenk wrote:
> Hello,
>
> In my crlDistributionPoints I need an LDAP-entry like
> ldap://x500.test.de/CN=CA Test, OU=Test, O=Test-PKI,
> C=DE?certificateRevocationList
>
> In Single-Line-Format openssl interprets the comma as Separators.
>
Hello,
In my crlDistributionPoints I need an LDAP-entry like
ldap://x500.test.de/CN=CA Test, OU=Test, O=Test-PKI,
C=DE?certificateRevocationList
In Single-Line-Format openssl interprets the comma as Separators.
It should be possible to get the commas with the multi line format.
I searched for
and it's apparently been rewritten to handle
> dirNames.
>
Yes that will work in 0.9.8-dev (this isn't supported in 0.9.7X). It can be
simplified to:
crlDistributionPoints=dirName:dir_name
[dir_name]
C=FI
O=SSH Communications Security Corp
CN=SSH Test CA 2 No Liabilities
Ste
t I used the patch from Oliver King a few
> years back in openssl dev mailing list. Please search the patch in the
> archive.
I guess this patch also adds support for dirName type attributes?
Regardless, support for it appears to be in the snapshot I'm using.
When I reported that Kiyosh
Hi,
> crlDistributionPoints = DirName:/C=FI/O=SSH Communications Security Corp/CN=SSH Test
> CA 2 No Liabilities
How about
crlDistributionPoints = @crl_dist
[ crl_dist ]
DirName = /C=FI/O=SSH Communications Security Corp/CN=SSH Test CA 2 No Liabilities
-Kiyoshi
Kiyoshi Wa
t Sentinel
to fetch CRLs automatically. To make a long story short, at
http://pki.ssh.com:8080/enroll-ca-list.html ssh.com provides some test
CAs whose certificates include crlDistributionPoints extensions of type
DirName, and I infer that I must do something similar to get Sentinel to
fetc
On Fri, Aug 16, 2002, Karl-Michael Werzowa wrote:
> Hello,
>
> You have to use "/" instead of the "," inside the LDAP-URI, because
> the "," delimits the URIs. The "?" does not do any harm, you can use
> it without change.
>
> (Besides, some time ago I read in a comment that openssl would not
IL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of Jung-Ho Cha
Sent: Friday, 16 August 2002 10:52
To: [EMAIL PROTECTED]
Subject: How do I input ldap urls of the crlDistributionPoints URI value
in openssl.cnf ?
Hello,
I use OpenSSL 0.97 library.
I read the openssl.txt file and trying to
Hello,
I use OpenSSL 0.97 library.
I read the openssl.txt file and trying to use crlDistributionPoints
extension option.
But I met some problem to use crl repository point in ldap url format.
The below shows the error messages.
Error Loading extension section usr_cert
1704:error
"Hellan,Kim KHE" wrote:
>
> Thank you,
>
> You got me on the right track.
> One small question, though
> When reading text data from a ASN1_IA5STRING, is it then correct just to
> cast the "data" variable to a char pointer, like in this case:
> mystring = (char*) pGenName->d.ia5->data;
>
on to return the text?
Thanks,
Kim
-Original Message-
From: Dr S N Henson [mailto:[EMAIL PROTECTED]]
Sent: 13 February 2002 14:36
To: [EMAIL PROTECTED]
Subject: Re: crlDistributionPointshow to get values?
"Hellan,Kim KHE" wrote:
>
> Hi
>
> I have a c
"Hellan,Kim KHE" wrote:
>
> Hi
>
> I have a certificate with a crlDistributionPoint extension. Using OpenSSL
> terms, the extension consists of two DIST_POINT*.one of the type
> GEN_DIRNAME and the other of the type GEN_URI.
> In my code I have "parsed" these DIST_POINT* and what I end up wi
Hi
I have a certificate with a crlDistributionPoint extension. Using OpenSSL
terms, the extension consists of two DIST_POINT*.one of the type
GEN_DIRNAME and the other of the type GEN_URI.
In my code I have "parsed" these DIST_POINT* and what I end up with is a
GENERAL_NAME* for each distribu
Hi,
Is there any method of creating such crlDistributionPoints?
X509v3 extensions:
X509v3 CRL Distribution Points:
DirName:/C=JP/O=TEST/OU=CA TEST/CN=CRL
Thanks,
Tom
__
OpenSSL Project
That worked like a charm. Thanks very much
Mark Roach
-Original Message-
From: Dr S N Henson [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, March 14, 2001 5:10 PM
To: [EMAIL PROTECTED]
Subject: Re: LDAP address in crlDistributionPoints has commas in it
"Roach, Mark R." wro
"Roach, Mark R." wrote:
>
> I can't sign any certificates if I have an LDAP address that includes commas
> (between dn components) under crlDistributionPoints... It works fine for
> http addresses and ldap addresses that don't have commas, but I'm stuck.
I can't sign any certificates if I have an LDAP address that includes commas
(between dn components) under crlDistributionPoints... It works fine for
http addresses and ldap addresses that don't have commas, but I'm stuck...
Are there escape codes I need to use '\' didn
ssl wrote:
>
> Don't know whether it helps :
> comment out the line :
> crl_extensions = crl_ext
> and the [crl_ext] section.
>
all ok, I forgot to upgrade my openssl tree
Thanks...
--
Dott. Sergio Rabellino
Technical Staff
Department of Computer Science
University of Torino (Ital
Don't know whether it helps :
comment out the line :
crl_extensions = crl_ext
and the [crl_ext] section.
On Fri, 2 Jul 1999, Sergio Rabellino wrote:
> ssl wrote:
> >
> > Sure it can, like my openssl.cnf :
> >
> > crlDistributionPoints=URI:http://sgiinda.csc.cuh
ssl wrote:
>
> Sure it can, like my openssl.cnf :
>
> crlDistributionPoints=URI:http://sgiinda.csc.cuhk.edu.hk/1.crl
>
> need not be https because the crl is signed by CA.
> And pretty good checked by IE and outlook express, if you
> click the check box "Check for
53 matches