Hi Team,
My question was on openssl version 1.1.1d.
On Wed, Feb 23, 2022 at 10:25 PM Brahmaji K wrote:
> Hi Team,
>
> I have cert chain file as shown below:
> - BEGIN the CERTIFICATE -
> :
> :
> - the END the CERTIFICATE -
> - BEGIN the CERTIFICATE -
Hi Team,
I have cert chain file as shown below:
- BEGIN the CERTIFICATE -
:
:
- the END the CERTIFICATE -
- BEGIN the CERTIFICATE -
:
:
- the END the CERTIFICATE -
- BEGIN the CERTIFICATE -
:
:
- the END the CERTIFICATE -
Is it possible to convert
On 1/9/18 19:32, Viktor Dukhovni wrote:
This Key Usage is more appropriate. When the "Key Usage" is present in
a CA certificate, it *MUST* include "Certificate Sign".
That was indeed the problem. Thank you!! It seems strange to me that
OpenSSL will allow creation of a CA cert (CA:TRUE) that m
> On Jan 9, 2018, at 8:29 PM, Norm Green wrote:
>
> openssl x509 -in secondIntermedCa.pem -noout -text
> Signature Algorithm: sha256WithRSAEncryption
> Issuer: 1.3.6.1.4.1.47749.1.1 = userCA, CN = EmeaCA
> Subject: 1.3.6.1.4.1.47749.1.1 = userCA, CN = KapitalCA
> X509
> On Jan 9, 2018, at 8:29 PM, Norm Green wrote:
>
> >Or correctly fails to verify?
> Perhaps. Hopefully you'll be able to tell me.
When you post machine-readable certificates, not just "-text" output.
--
Viktor.
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/
>Or correctly fails to verify?
Perhaps. Hopefully you'll be able to tell me.
Here's the version info and a dump of the certs.
Thanks for your help.
Norm
openssl version -a
OpenSSL 1.1.0g 2 Nov 2017
built on: reproducible build, date unspecified
platform: linux-x86_64
compiler: /usr/bin/gcc -D
> On Jan 9, 2018, at 7:28 PM, Norm Green wrote:
>
> It still doesn't verify correctly.
Or correctly fails to verify?
> To simplify, I tried it with 1 intermediate CA. Here's the chain:
>
> rootCa.pem - self-signed root cert. CN = rootCA
> firstIntermedCa.pem - intermediate CA cert signed by
It still doesn't verify correctly.
To simplify, I tried it with 1 intermediate CA. Here's the chain:
rootCa.pem - self-signed root cert. CN = rootCA
firstIntermedCa.pem - intermediate CA cert signed by rootCa.pem. CN = EmeaCA
secondIntermedCa.pem - intermediate CA cert signed by
firstIntermedCa
> On Jan 9, 2018, at 6:43 PM, Norm Green wrote:
>
> What is the correct order of intermediate CA certs in the untrusted chain
> file?
The untrusted CA list is a heap, the order is irrelevant.
--
Viktor.
Well that is not *at all* obvious from the documentation, but ok.
What is the correct order of intermediate CA certs in the untrusted
chain file?
On 1/9/2018 3:36 PM, Viktor Dukhovni wrote:
The correct way to verify a chain is to put the root CA in a CAfile,
intermediate CAs in an "untruste
> On Jan 9, 2018, at 6:04 PM, J Decker wrote:
>
> The certs are built into a stack... they are pushed... so element 0 is the
> last thing in the list.
> The chain starts with 0, and then can search the rest.
This is either false or irrelevant depending on what you intended
(too terse to know
> On Jan 9, 2018, at 5:55 PM, Norm Green wrote:
>
> Same result. The only way it seems to work is if the leaf cert appears at the
> end of the file.
You're badly mistaken. *ONLY* the first certificate in the file is verified.
When you put the leaf cert at the end, you're *ONLY* verifying the
The certs are built into a stack... they are pushed... so element 0 is the
last thing in the list.
The chain starts with 0, and then can search the rest.
On Tue, Jan 9, 2018 at 2:55 PM, Norm Green wrote:
> On 1/9/2018 6:03 AM, Benjamin Kaduk wrote:
>
>> Did you try something like (with a 1.1.0
On 1/9/2018 6:03 AM, Benjamin Kaduk wrote:
Did you try something like (with a 1.1.0 installation):
openssl verify -CAfile RootCA.pem -untrusted chain.pem chain.pem
with the leaf certificate as the first one in chain.pem?
Same result. The only way it seems to work is if the leaf cert appears
On 01/08/2018 06:33 PM, Norm Green wrote:
> This question is regarding OpenSSL 1.1.
>
> Let's say I have this trust hierarchy:
>
> RootCA
> CA1
> CA2
> CA3
> userCert
>
>
> So userCert is signed by CA3, CA3 is signed by CA2, and so on up to
> RootCA, which is a self-signed root cert.
>
> If I combi
This question is regarding OpenSSL 1.1.
Let's say I have this trust hierarchy:
RootCA
CA1
CA2
CA3
userCert
So userCert is signed by CA3, CA3 is signed by CA2, and so on up to
RootCA, which is a self-signed root cert.
If I combine CA1,CA2,CA3 and userCert into single PEM file, chain.pem,
th
Hi there,
I have a question about certificate chain checking when the chain
includes a root certificate.
The server I want to connect to with openssl s_client (Version 0.9.8zc)
sends this certificate chain:
0 s:Server's cert
i:Intermediate cert
1 s:Intermediate cert
i:Root 1 cert
2 s:Root
Ben,
I think you are right. My verify test is okay now if I match the
subjectAltName to the nameConstraints defined by the subCA.
Thanks.
David
On Mon, Jun 29, 2015 at 6:23 PM, Ben Humpert wrote:
> Yes, because nameConstraints are inherited.
>
> I don't know exactly where the bug lies but I st
Yes, because nameConstraints are inherited.
I don't know exactly where the bug lies but I strongly advise NOT to
use nameConstraints because while there is a standard nobody has
implemented full or correctly working support for it. I ran various
tests some weeks ago and the result was horrible. Se
The subCA has nameConstraints in the subCA configuration file:
[name_constraints]
permitted;DNS.0 = example.com
client configuration file has subjectAltName:
subjectAltName = DNS: www.cs.com
So is this a mismatch? How come s_client/s_server test was okay?
On Mon, Jun 29, 2015 at 2:12 PM, B
Do you use nameConstraints or have specified IP in subjectAltName?
Because OpenSSL can't handle that correctly.
2015-06-29 22:51 GMT+02:00 David Li :
> Hi,
>
> As a test, I have created a rootCA, a subCA (signed by the rootCA) and
> a client cert (signed by the subCA). Now I want to use verify,
>
Hi,
As a test, I have created a rootCA, a subCA (signed by the rootCA) and
a client cert (signed by the subCA). Now I want to use verify,
s_client and s_server to test them together.
However I searched and tried a number of times but am still unsure about
the correct syntax format in the verify command.
build out its own chain if necessary and possible.
From: owner-openssl-us...@openssl.org
[mailto:owner-openssl-us...@openssl.org] On Behalf Of Fahim
Sent: Tuesday, January 07, 2014 14:15
To: openssl-users@openssl.org
Subject: RE: OpenSSL doesn't pass full cert chain
Hello Dave,
I wo
Hello Dave,
I would like to simplify the issue as following.
1. Both client and server perform the SSL handshake using a cert chain.
2. In our case the server responds correctly with the entire chain of certs
(the server is some proprietary system)
3. The client is also expected to send the
ssert the peer should
trust these CAs when verifying you, then you ought to trust them also.
From: owner-openssl-us...@openssl.org
[mailto:owner-openssl-us...@openssl.org] On Behalf Of Fahim
Sent: Saturday, January 04, 2014 12:36
To: openssl-users@openssl.org
Subject: OpenSSL doesn
Hello,
We are looking for a potential tweak or customization of openSSL for an
existing project, and I was wondering if I could get your input.
Summary: we want to alter or configure openSSL so that it will pass the
entire cert chain for authentication instead of just the first certificate
Hello,
We are looking for a potential tweak or customization of openSSL for an
existing project, and I was wondering if I could get your input.
Summary: we want to alter or configure openSSL so that it will pass the
entire cert chain for authentication instead of just the first certificate
On 15.03.2012 14:52, Rob Stradling wrote:
> On 15/03/12 13:11, Florian Pritz wrote:
>> Hi,
>>
>> When using lynx to access https://portfolio.iguw.tuwien.ac.at I got an
>> ssl cert validation error. Since it worked fine in firefox/chromium I
>> tried to use openssl directly and got the following, bu
On 15/03/12 13:11, Florian Pritz wrote:
Hi,
When using lynx to access https://portfolio.iguw.tuwien.ac.at I got an
ssl cert validation error. Since it worked fine in firefox/chromium I
tried to use openssl directly and got the following, but I fail to
understand what it means although I see that
Hi,
When using lynx to access https://portfolio.iguw.tuwien.ac.at I got an
ssl cert validation error. Since it worked fine in firefox/chromium I
tried to use openssl directly and got the following, but I fail to
understand what it means although I see that the chain looks strange
(0->1 i:TERENA is
Pritz"
To:
Sent: Thursday, March 15, 2012 3:11 PM
Subject: Verification error, weird cert chain for portfolio.iguw.tuwien.ac.at
When using lynx to access https://portfolio.iguw.tuwien.ac.at I got an
ssl cert validation error. Since it worked fine in firefox/chromium I
tried to use openssl di
Hi,
When using lynx to access https://portfolio.iguw.tuwien.ac.at I got an
ssl cert validation error. Since it worked fine in firefox/chromium I
tried to use openssl directly and got the following, but I fail to
understand what it means although I see that the chain looks strange
(0->1 i:TERENA is
On Tue, Feb 14, 2012, Timothy Kay wrote:
> We have been baffled for a long time that curl cannot access websites that
> work just fine in the browser (unless we use --insecure, of course). The
> curl documentation points you to http://curl.haxx.se/docs/sslcerts.html,
> which explains that your ser
On 2/14/2012 6:46 PM, Timothy Kay wrote:
> We have been baffled for a long time that curl cannot
> access websites that work just fine in the browser
> (unless we use --insecure, of course). The curl
> documentation points you to
> http://curl.haxx.se/docs/sslcerts.html, which explains
> that you
On Tue, Feb 14, 2012, Timothy Kay wrote:
> Erik,
>
> Thanks for the pointer. It's very helpful.
>
> HOWEVER, I can give you dozens of different sites that do it wrong, yet
> they all work in the browsers. Clearly that particular part of the spec is
> no longer relevant, and openssl should be upd
On Tue, Feb 14, 2012 at 3:22 PM, Timothy Kay wrote:
>
> Thanks for the pointer. It's very helpful.
>
> HOWEVER, I can give you dozens of different sites that do it wrong, yet they
> all work in the browsers. Clearly that particular part of the spec is no
> longer relevant, and openssl should be up
t workaround was to repackage the .PFX.
>
> Erik
>
> Erik Tkal
> Juniper OAC/UAC/Pulse Development
>
> From: owner-openssl-us...@openssl.org [mailto:
> owner-openssl-us
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org]
On Behalf Of Timothy Kay
Sent: Tuesday, February 14, 2012 12:46 PM
To: openssl-users@openssl.org
Subject: cert chain out of order breaks openssl
We have been baffled for a long time that curl cannot access websites that work
> From: owner-openssl-us...@openssl.org On Behalf Of David Coulson
> Sent: Wednesday, 30 March, 2011 10:24
> On 3/30/11 8:33 AM, Crypto Sal wrote:
> > David:
> >
> > Firefox caches that information, so that it can use them
> later if you
> > view a similar certificate hierarchy.
> >
> > If you v
On 3/30/11 8:33 AM, Crypto Sal wrote:
David:
Firefox caches that information, so that it can use them later if you
view a similar certificate hierarchy.
If you view the Firefox Certificate Manager you should see "Software
Security Device" vs. that of "Built in Object" next to each of the
On 03/29/2011 01:16 PM, David Coulson wrote:
On 3/29/11 12:58 PM, Bruce Stephens wrote:
Add the -showcerts option to the s_client commands and you'll see the
first server returns a chain of certificates where the second offers
only the end server certificate.
Okay, I see that - Makes sense. When
David Coulson writes:
> On 3/29/11 12:58 PM, Bruce Stephens wrote:
>> Add the -showcerts option to the s_client commands and you'll see the
>> first server returns a chain of certificates where the second offers
>> only the end server certificate.
> Okay, I see that - Makes sense. When I hit the
On 3/29/11 12:58 PM, Bruce Stephens wrote:
Add the -showcerts option to the s_client commands and you'll see the
first server returns a chain of certificates where the second offers
only the end server certificate.
Okay, I see that - Makes sense. When I hit the hostname w/ Firefox I'm
able to se
David Coulson writes:
[...]
> OpenSSL has other ideas. First one validates fine, second one does
> not. I can't for the life of me figure out what the difference is.
>
> Any ideas?
Add the -showcerts option to the s_client commands and you'll see the
first server returns a chain of certificates
Probably missing something simple, but I'm having a tough time
validating the CA chain for a certificate. There is a second
certificate, seemingly signed by the same CA which does validate.
I'm not sure how useful this tool is, but it seems to indicate both
certs were signed by the same CA.
On 12/20/2010 10:49 AM, travis+ml-open...@subspacefield.org wrote:
So a friend ran into this lately;
libnss, at least on Linux, checks that the signing cert (chain) is valid
at the time of signature - as opposed to present time. (It may check
present time as well - not sure on that)
This is
On Mon, Dec 20, 2010 at 10:49:57AM -0800, travis+ml-open...@subspacefield.org wrote:
> libnss, at least on Linux, checks that the signing cert (chain) is valid
> at the time of signature - as opposed to present time. (It may check
> present time as well - not sure on that)
>
>
So a friend ran into this lately;
libnss, at least on Linux, checks that the signing cert (chain) is valid
at the time of signature - as opposed to present time. (It may check
present time as well - not sure on that)
This makes for problems if you renew the cert, since the new cert will
have a
else leak, but fails
return iRet;
}
...
I've been looking into the sources to find a place where the
cert chain checking is done in terms of the certs' span of life.
Down the chain each cert should become valid while the issuer's
cert is valid.
I thought the right place would be somewhere
the temporary items correctly.
Do you have any hints? Is the above approach reasonable?
==
I've been looking into the sources to find a place where the
cert chain checking is done in terms of the certs' span of life.
Down the chain each cert should become valid while the issuer's
cert is
Hi there,
I've been looking into the sources to find a place where the
cert chain checking is done in terms of the certs' span of life.
Down the chain each cert should become valid while the issuer's
cert is valid.
I thought the right place would be somewhere within x509_vfy.c,
perha
sing how to release the temporary items correctly.
Do you have any hints? Is the above approach reasonable?
==
I've been looking into the sources to find a place where the
cert chain checking is done in terms of the certs' span of life.
Down the chain each cert should become valid while t
Hi,
I have the following certs
1) End user cert
subject: enduser whatever
issuer : Intermediate CA whatever
2) Intermediate CA cert
subject: Intermediate CA whatever
issuer : Actual CA whatever
3) Actual CA cert (self signed)
subject : Actual CA whatever
issuer : Actual CA whate
Hi,
I have the following certs
1) End user cert
subject: enduser whatever
issuer : Intermediate CA whatever
2) Intermediate CA cert
subject: Intermediate CA whatever
issuer : Actual CA whatever
3) Actual CA cert (self signed)
subject : Actual CA whatever
issuer : Actual CA whatever
I
Thanks Goetz, much appreciated!
Regards,
Usman.
> Date: Sat, 5 May 2007 13:59:04 +0200
> From: [EMAIL PROTECTED]
> CC: [EMAIL PROTECTED]
> Subject: Re: How to Limit the Cert chain to some specified number...
> To: [EMAIL PROTECTED]
>
> Hello Usman,
>
> --On May 05, 2007
Hello Usman,
--On May 05, 2007 14:11:08 +0500 Usman Riaz <[EMAIL PROTECTED]> wrote:
I want to issue my customers certificate signed by my certificate
(a self-signed certificate). I want to limit the issued certificate to
not to act as a CA.
I would like to specify the cert chain
len
also uses openssl in the
background). I would like to specify the cert chain length in generating my Root
CA (little bit easier for me :), don't know if it is possible) rather than when
creating the customer certs.
Any help/comments are highly appreciated.
Regards,
Hello,
> I have a question about this following method
>
> int X509_STORE_CTX_init(X509_STORE_CTX *ctx, X509_STORE *store,
>X509 *x509, STACK_OF(X509) *chain);
>
> if I understand this correctly the argument 'x509' is the cert that you want
> to be verified & the 'chain' is
from files containing pem certs ?
-kb
From: Marek Marcola <[EMAIL PROTECTED]>
Reply-To: openssl-users@openssl.org
To: openssl-users@openssl.org
Subject: Re: Validating Cert Chain
Date: Sat, 26 Aug 2006 01:22:19 +0200
Hello,
> Hi,
> How do I validate a certificate chain. Is there a
You can also consider using function
int ssl_verify_cert_chain(SSL *s,STACK_OF(X509) *sk), if a stack of certs is
available.
Rick
From: Marek Marcola <[EMAIL PROTECTED]>
Reply-To: openssl-users@openssl.org
To: openssl-users@openssl.org
Subject: Re: Validating Cert Chain
Date: Sat,
Hello,
> Hi,
> How do I validate a certificate chain. Is there an EVP API for it?
> thanks
If we are talking about verifying X509 cert against CA certs this
may be done for example like:
-
FILE *fp;
X509_STORE * CAcerts;
X509 * cert;
X509_STORE_CTX ca_ctx;
char *strer
Hi,
How do I validate a certificate chain. Is there an EVP API for it?
thanks
Kunal
From: Marek Marcola <[EMAIL PROTECTED]>
Reply-To: openssl-users@openssl.org
To: openssl-users@openssl.org
Subject: Re: OpenSSL Generating Extra Packets
Date: Fri, 25 Aug 2006 23:51:45 +0200
Hello,
> I am workin
Originally I was using the SSL_get_peer_cert_chain() func, which I thought
was giving me the cert chain built up
to verify the peer cert from the certs that i added to the
SSL_CTX->cert_store , but then I discovered that
it really is the cert chain given by the client during the TLS
handshake. T
Erwann,
Thanks for all the detailed comments!!
Jim
__
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager
Hello,
Today is the day before the Nones of March, 2005; ohaya wrote:
> This is the self-signed root CA cert. It is now V3, and has the AKI and
> SKI.
Good.
>It still has "Digital Signature", as I wasn't sure about what to
> do with that on the root CA cert:
It's useless, as you'll really use the Root certifi
Erwann and Steve,
Thanks for all the comments. Here're a new set of certs where I think
that I've taken care of the points raised by both of you. I'd
appreciate your review.
This is the self-signed root CA cert. It is now V3, and has the AKI and
SKI. It still has "Digital Signature", as I wa
On Sat, Mar 05, 2005, Erwann ABALEA wrote:
> Bonsoir,
>
>
> > X509v3 Authority Key Identifier:
> >
> > keyid:FF:78:E3:03:37:8D:EA:0F:1D:ED:B0:C7:D2:48:49:C6:90:D1:D5:B0
>
> Problem. The issuer of this certificate doesn't have any
> subjectKeyIdentifier extension, so
Good evening,
Today is the third day before the Nones of March, 2005; ohaya wrote:
> This is the SUB ROOT CA's Cert:
>
> Certificate:
[...]
> Validity
> Not Before: Mar 2 06:08:03 2005 GMT
> Not After : Feb 27 09:22:27 2008 GMT
A little less than 3 years for the duration is a bit short. Not
> > Per earlier messages from Steve Henson, the SUB ROOT CA (CN=ATEST5) has
> > "Basic Constraints" with "CA=TRUE", and "Digital Signature, Certificate
> > Sign, CRL Sign".
> >
>
> I can't recall saying the CA certificate needed "digital signature". It
> doesn't but if you sign with user certific
> The standards don't actually say much about the root CA at present. However it
> should really have those extensions. It is also a V1 and not a V3 certificate.
> This might be because you are following one of the old or inaccurate guides or
> even the odd book that gives incorrect instructions.
On Sat, Mar 05, 2005, ohaya wrote:
> Hi,
>
>
> Per earlier messages from Steve Henson, the SUB ROOT CA (CN=ATEST5) has
> "Basic Constraints" with "CA=TRUE", and "Digital Signature, Certificate
> Sign, CRL Sign".
>
I can't recall saying the CA certificate needed "digital signature". It
doesn't
It seems like this is working, i.e., I can issue client and server
certificates from the subroot CA, and they seem to work all right and I
can verify the cert chain from the end certificate back to the root CA
certificate.
But, I was looking at the CA certs that I ended up with, using "openssl
his
either in 3280 or the OpenSSL dox but cannot now remember.
Lucenius Jan wrote:
On Tue, 16 Nov 2004, David Schwartz wrote:
X509_verify_cert will construct the cert chain up to the ROOT CA and then
validates the chain and finally verifies the self-certificate. What I
understand is that this funct
On Tue, 16 Nov 2004, David Schwartz wrote:
>
> > X509_verify_cert will construct the cert chain up to the ROOT CA and then
> > validates the chain and finally verifies the self-certificate. What I
> > understand is that this function expects the ROOT CA to be
> > sel
> X509_verify_cert will construct the cert chain up to the ROOT CA and then
> validates the chain and finally verifies the self-certificate. What I
> understand is that this function expects the ROOT CA to be
> self-signed and
> it MUST be present in the trusted list.
Rig
Hi all,
I have a doubt regarding X509_verify_cert.
What I understand from the documentation of "verify" is that we need to
pass all the trusted certs and all the un-trusted certs.
X509_verify_cert will construct the cert chain up to the ROOT CA and then
validates the chain and fina
Hi all,
I have a doubt regarding X509_verify_cert.
What I understand from the documentation of "verify" is that we need to
pass all the trusted certs and all the un-trusted certs.
X509_verify_cert will construct the cert chain up to the ROOT CA and then
validates the chain and finally
On Thu, Oct 02, 2003 at 02:56:44PM -0700, Dann Daggett wrote:
> In openssl-0.9.7c/demos/sign/sign.c the comments state (as does the
> man page):
>
> /* Just load the crypto library error strings,
>* SSL_load_error_strings() loads the crypto AND the SSL ones */
> /* SSL_load_error_strings()
Hi All,
In openssl-0.9.7c/demos/sign/sign.c the comments state (as does the
man page):
/* Just load the crypto library error strings,
* SSL_load_error_strings() loads the crypto AND the SSL ones */
/* SSL_load_error_strings();*/
ERR_load_crypto_strings();
Yet if I try to load the ssl st
ign] -> [my own cert]
>
>
> After loading 2 parent certs with SSL_CTX_load_verify_locations(), the
> verify callback does not complain anymore. However, that's not enough for
> me. I also have to provide a mechanism to examine the whole cert chain, check
> for problems and sa
After loading 2 parent certs with SSL_CTX_load_verify_locations(), the
verify callback does not complain anymore. However, that's not enough for
me. I also have to provide a mechanism to examine the whole cert chain, check
for problems and save them onto disk for later use, j
Richard Levitte - VMS Whacker wrote:
> Well, with my scheme, the "entire chain" goes from the leaf to your
> point of trust, not further. Checking CRLs between those two points
> makes sense, doesn't it? Henrik Nordström outlined the reasons to do
> so in message
> <[EMAIL PROTECTED]>.
Yes, of
In message <[EMAIL PROTECTED]> on Thu, 18 Sep 2003 16:04:28 +0200, "Mats Nilsson"
<[EMAIL PROTECTED]> said:
mats.nilsson> Sorry. Imprecise wording. I meant that since I would
mats.nilsson> like to be able to terminate the certificate validation
mats.nilsson> at a particular point in the certifica
On Wed, Sep 17, 2003, Mats Nilsson wrote:
> Hi
>
> Using OpenSSL-0.9.7b.
>
> We are building an application where we want to have a flexible model
> for certificate trust. In essence, we want to be able to say:
>
> CA0 (self signed) is explicitly trusted
> CA1 (signed by CA0)
Hi
Using OpenSSL-0.9.7b.
We are building an application where we want to have a flexible model
for certificate trust. In essence, we want to be able to say:
CA0 (self signed) is explicitly trusted
CA1 (signed by CA0) is explicitly trusted
CA2 (signed by CA1) is neutral
On Tue, 16 Sep 2003, Dann Daggett wrote:
> I understand. Are there options on how the chain is presented?
> In particular, is it always presented as a single (combined)
> response to the client, or can/does the client make a second
> request for the next cert up the chain if it finds it does not
>
Thank you Henrik, it's getting clearer :)
But, just a couple more questions? :)
> If the certificate is issued by a second level CA and the
> client trusts the higher level CA who issued the
> certificate for the second level CA then you must present
> the CA chain or else the client will not be
On Tue, 16 Sep 2003, Dann Daggett wrote:
> Now, when an outsider connects to my secure server, my server
> should present that client with a certificate right? Which
> certificate does it present? The server's cert, or the CA's?
The server's.
> Or does it need to present both?
It does not hurt t
Hello All,
I wonder if someone would be so kind as to provide a bit
more detail regarding certificate chains and how it affects
the openssl setup?
For this discussion, let's assume I've created my own CA
self-signed cert, and then created a cert for each of my
virtual servers and signed each with
On Tue, Jul 16, 2002 at 03:06:53PM -0700, Patrick Powell wrote:
> > From: Lutz Jaenicke <[EMAIL PROTECTED]>
> > OpenSSL itself uses hashes for comparison. If the hashes are identical,
> > so are the certificates.
>
> Ummm... is there an example piece of code that does the hash generation
> and th
> From [EMAIL PROTECTED] Thu Jul 11 07:26:50 2002
> Date: Thu, 11 Jul 2002 16:20:58 +0200
> From: Lutz Jaenicke <[EMAIL PROTECTED]>
> To: [EMAIL PROTECTED], [EMAIL PROTECTED]
> Subject: Re: Getting the CERT chain
>
> On Thu, Jul 11, 2002 at 07:12:30AM -0700, Patrick P
ng the SSL connection process, if a user CERT has
>been presented, get the cert chain?
SSL_get_peer_cert_chain().
> Question 2:
>Now I just KNOW that I saw this, and everybody is going to laugh at this,
>but:
>
>If I have found a CERT using, say, peer = SSL_get_peer_
Question 1:
Is there a simple way using exported (i.e. - available
to general use via the openssl library and having definitions
in openssl.h) OpenSSL functions to do the following:
During the SSL connection process, if a user CERT has
been presented, get the cert chain?
Here is the code
oot ca in the html tree wherever you deem appropriate, and
request it from the browser.
Once you have installed it, and the cert chain is properly defined,
your browser should trust the server implicitly.
HTH
Lou
--
Louis LeBlanc [EMAIL PROTECTED]
Fully Funded Hobbyist, KeySlapper Extrordinaire :
Hi Louis,
I have a new question for you.
After making the certificate chain,
say, Root-CA --> Sub-CA --> User-Cert,
I want to publish this CAuthority chain in pkcs7 file.
Do you think it is the best format? If not, which format
do you prefer for that?
And Which openssl's command do I need to us
Thanks. it works. Jeff
Dr S N Henson wrote:
>
>Jeff Smith wrote:
> >
> > ... and using -verbose option, the step (3) verify would produce:
> >
> > % openssl verify -verbose -CAfile ca.crt -untrusted ca2.crt user.crt
> >
> > error 18 at 0 depth lookup:self signed certificate
> > error 7 at 0 depth
Jeff Smith wrote:
>
> ... and using -verbose option, the step (3) verify would produce:
>
> % openssl verify -verbose -CAfile ca.crt -untrusted ca2.crt user.crt
>
> error 18 at 0 depth lookup:self signed certificate
> error 7 at 0 depth lookup:certificate signature failure
> 21970:error:0407006
... and using -verbose option, the step (3) verify would produce:
% openssl verify -verbose -CAfile ca.crt -untrusted ca2.crt user.crt
error 18 at 0 depth lookup:self signed certificate
error 7 at 0 depth lookup:certificate signature failure
21970:error:0407006A:rsa routines:RSA_padding_check_P
I forgot to mention that I could successfully verify ca2.crt after step (2)
using
% openssl verify -CAfile ca.crt ca2.crt
clnt1.crt: OK
In addition to the question I had, I am wondering if there is any
workaround. What I need is a 2-level ca hierarchy.
Thanks - Jeff
Jeff Smith wrote:
>
>
Sorry about the last message it was user error on my part. Please
disregard the previous message, as it was incomplete. This is the
finished version...
I'm trying to get a handle on what needs to be done to get a commercial
product I just started administrating to provide ssl access to three
di