Proper way to "update" an expired CA certificate

2022-10-26 Thread Leroy Tennison via openssl-users
and continue to use unexpired certificate/key pairs signed by the expired CA certificate.  I did some research and found "openssl x509 -in ca.crt -days 3650 -out new-ca.crt -signkey ca.key" which seems to work but want to make sure there aren't any less-than-obvious issues i

Re: [openssl-users] Issue on Windows Server 2003 Resigning Expired CA certificate

2017-02-03 Thread Jeffrey Walton
On Fri, Feb 3, 2017 at 12:37 PM, Brandon Shiers wrote: > I have a client that has a CA certificate that has expired. > > They are running Windows Server 2003 and OpenSSL 0.9.8d and FreeRadius for > authentication. Their certificate expired yesterday afternoon and I've been

[openssl-users] Issue on Windows Server 2003 Resigning Expired CA certificate

2017-02-03 Thread Brandon Shiers
I have a client that has a CA certificate that has expired. They are running Windows Server 2003 and OpenSSL 0.9.8d and FreeRadius for authentication. Their certificate expired yesterday afternoon and I've been trying to get it resigned but I'm getting the following errors: E:\OpenS

Re: [openssl-users] Retrieving Root CA certificate using "openssl s_client -showcerts" command

2016-11-10 Thread Mofassir Ul Haque via openssl-users
Hi Salz, Thanks for your reply and clarification. Best Regards, Mofassir On Wednesday, 9 November 2016 1:48 AM, "Salz, Rich" wrote:

Re: [openssl-users] (SPAM) Retrieving Root CA certificate using "openssl s_client -showcerts" command

2016-11-08 Thread Viktor Dukhovni
> On Nov 8, 2016, at 4:26 AM, Erwann Abalea wrote: > > The root certificate is not expected to be sent by the server, as it already > needs to be known and trusted by the client. > However, you’re free to configure your server to send it, for debugging or > informational pu

Re: [openssl-users] (SPAM) Retrieving Root CA certificate using "openssl s_client -showcerts" command

2016-11-08 Thread Erwann Abalea
Haque <mofassir_ha...@yahoo.com> wrote: Hi All, The output of "openssl s_client -showcerts -connect ..." command does not include the Root certificate (which is expected behaviour). However, is it possible to configure the Server to return the Root CA certificate also? Than

Re: [openssl-users] Retrieving Root CA certificate using "openssl s_client -showcerts" command

2016-11-08 Thread Salz, Rich
Yes, just put the entire chain in the server’s PEM file. -- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: [openssl-users] A self-signed CA certificate in the CA files *sometimes* stops verification working

2016-09-06 Thread John Unsworth
will teach me not to make assumptions! Regards, John. -Original Message- From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf Of Viktor Dukhovni Sent: 06 September 2016 21:14 To: openssl-users@openssl.org Subject: Re: [openssl-users] A self-signed CA certificate in t

Re: [openssl-users] A self-signed CA certificate in the CA files *sometimes* stops verification working

2016-09-06 Thread Viktor Dukhovni
On Tue, Sep 06, 2016 at 10:52:32PM +0200, Jakob Bohm wrote: > Could this be related to the recent work to treat the list of > certificates as a SET of potentially relevant certificates > rather than as an ordered list of certificates that must form > the trust chain? No, just a violation of the P

Re: [openssl-users] A self-signed CA certificate in the CA files *sometimes* stops verification working

2016-09-06 Thread Jakob Bohm
[mailto:openssl-users-boun...@openssl.org] On Behalf Of Viktor Dukhovni Sent: 06 September 2016 18:47 To: openssl-users@openssl.org Subject: Re: [openssl-users] A self-signed CA certificate in the CA file *sometimes* stops verification working On Sep 6, 2016, at 11:53 AM, John Unsworth wrote: I

Re: [openssl-users] A self-signed CA certificate in the CA files *sometimes* stops verification working

2016-09-06 Thread Viktor Dukhovni
On Tue, Sep 06, 2016 at 06:10:42PM +, John Unsworth wrote: > This seems to me to be very easy to validate by just inserting a self-signed > certificate at the front of a CAfile that works. > > Attached are the 3 certificate files. > > _CAcerts.good is the first file with two certs the secon

Re: [openssl-users] A self-signed CA certificate in the CA files *sometimes* stops verification working

2016-09-06 Thread John Unsworth
(sec) Verify return code: 0 (ok) -Original Message- From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf Of Viktor Dukhovni Sent: 06 September 2016 18:47 To: openssl-users@openssl.org Subject: Re: [openssl-users] A self-signed CA certificate in the CA file *somet

Re: [openssl-users] A self-signed CA certificate in the CA file *sometimes* stops verification working

2016-09-06 Thread Viktor Dukhovni
the CA certificates are ordered the connect works OK. > 3 Add a self-signed CA certificate in the file before the one for server A. > The connect fails ‘Verify return code: 21 (unable to verify the first > certificate)’. > 4 Move the self-signed CA certificate after the one for server A

[openssl-users] A self-signed CA certificate in the CA file *sometimes* stops verification working

2016-09-06 Thread John Unsworth
OK. 3 Add a self-signed CA certificate in the file before the one for server A. The connect fails 'Verify return code: 21 (unable to verify the first certificate)'. 4 Move the self-signed CA certificate after the one for server A. The connect works OK. Why should the self-signed c

Re: [openssl-users] Android Wifi setup / CA certificate / always getting SSL fatal error

2015-05-27 Thread Ben Humpert
2015-05-27 14:02 GMT+02:00 Jakob Bohm : > Just to clarify: The log messages in your original post, > were those from Android or from the server? These are from the RADIUS server debug output.

Re: [openssl-users] Android Wifi setup / CA certificate / always getting SSL fatal error

2015-05-27 Thread Jakob Bohm
other sources say that it asks for the Root CA certificate and with that selected I get a different error message than with any other certificate so I guess it is the right cert. I want the users to validate the RADIUS server's certificate. Which OpenSSL version is the EAP_TLS code usi

Re: [openssl-users] Android Wifi setup / CA certificate / always getting SSL fatal error

2015-05-27 Thread Ben Humpert
ay that it asks for the Root CA certificate and with that selected I get a different error message than with any other certificate so I guess it is the right cert. I want the users to validate the RADIUS server's certificate. > Which OpenSSL version is the EAP_TLS code using to > verify

Re: [openssl-users] Android Wifi setup / CA certificate / always getting SSL fatal error

2015-05-26 Thread Jakob Bohm
ificate in its server.crt file. When I do not select any CA certificate in Android WiFi Setup but just a User certificate EAP-TLS connection works fine. If I use the same configuration but now select a CA certificate I get two different errors. Maybe the Android user interface is really asking about

Re: [openssl-users] Android Wifi setup / CA certificate / always getting SSL fatal error

2015-05-26 Thread Jeffrey Walton
t sends the CA cert first and thus RADIUS / OpenSSL errors > because it expected a client cert. Sadly I can't select the client > cert as a CA certificate or vice-versa. > > Any help is much appreciated! > Maybe related The mother of all process is Zygote. An Android Activity is ef

[openssl-users] Android Wifi setup / CA certificate / always getting SSL fatal error

2015-05-26 Thread Ben Humpert
ot CA - Intermediate CA1 - Intermediate CA2 - Intermediate CA3 - Signing CA - RADIUS Server Cert - Android Client Cert RADIUS server has the complete Certificate Chain in its CA.crt file and its own certificate in its server.crt file. When I do not selec

Re: How to create intermediate CA certificate with openssl

2014-11-27 Thread John Mok
Jerry, When you create the intermediate certificate, you need to add the following attribute: basicConstraints=CA:true Otherwise, the intermediate CA certificate cannot issue server certificates. Best regards, John Mok On Thu, Nov 27, 2014 at 3:43 PM, Jerry OELoo wrote: > Hi All: >

How to create intermediate CA certificate with openssl

2014-11-26 Thread Jerry OELoo
Hi All: Now I want to create a certificate chain by myself. It will look like this: Server Certificate -> Intermediate CA -> Root CA. Now I am using openssl command to create these certificate files. # Create CA openssl genrsa -out ca.key 4096 openssl req -new -x509 -nodes -sha1 -days 1825

Re: Do I have to regenerate my own CA certificate because of Heartbleed???

2014-04-11 Thread Kyle Hamilton
wrote: > Dear, I have a CA implemented in a Debian Wheezy server and the version of > Openssl (1.0.1) is affected by the Heartbleed vulnerability at time to > generate our own CA certificate and the requested certificates for all the > web servers from our company. > > >

RE: Do I have to regenerate my own CA certificate because of Heartbleed???

2014-04-11 Thread Salz, Rich
> do I have to regenerate my CA certificate created with the former openssl version because of the Heartbleed vulnerability ??? There should never be any reason for your web server to read the private key of the CA. So, no. -- Principal Security Engineer Akamai Technology Cambridge, MA

Do I have to regenerate my own CA certificate because of Heartbleed???

2014-04-11 Thread Jeronimo L. Cabral
Dear, I have a CA implemented in a Debian Wheezy server and the version of Openssl (1.0.1) is affected by the Heartbleed vulnerability at time to generate our own CA certificate and the requested certificates for all the web servers from our company. I've just upgrade the openssl version

Re: CA certificate bundle bogus certs

2013-11-26 Thread Christian Heimes
On 25.11.2013 17:14, Sassan Panahinejad wrote: > Hi, > > I am dealing with a CA certificate bundle, similar to this one: > https://github.com/twitter/secureheaders/blob/master/config/curl-ca-bundle.crt, > like the example, the one I am dealing with was automatically generated

Re: [openssl-users] CA certificate bundle bogus certs

2013-11-26 Thread Ralph Holz
Hi, > Thanks for your response. I'm sorry my question wasn't clearly defined > (it was "will this file work correctly? If so, why?"), but you seem to > have answered nonetheless, thank you. > > As a followup question, is there a way to include these certs in the way > originally intended by the

Re: [openssl-users] CA certificate bundle bogus certs

2013-11-25 Thread Sassan Panahinejad
Excellent, just what I was looking for and incidentally a source I can cite to my client. Many thanks! On 25 November 2013 17:24, Ralph Holz wrote: > Hi, > > > > Thanks for your response. I'm sorry my question wasn't clearly defined > > (it was "will this file work correctly? If so, why?"), but

Re: [openssl-users] CA certificate bundle bogus certs

2013-11-25 Thread Sassan Panahinejad
san On 25 November 2013 17:03, Erwann Abalea wrote: > Hello, > > On 25/11/2013 17:14, Sassan Panahinejad wrote: > > I am dealing with a CA certificate bundle, similar to this one: > https://github.com/twitter/secureheaders/blob/master/config/curl-ca-bundle.crt, > like t

Re: [openssl-users] CA certificate bundle bogus certs

2013-11-25 Thread Erwann Abalea
Hello, On 25/11/2013 17:14, Sassan Panahinejad wrote: I am dealing with a CA certificate bundle, similar to this one: https://github.com/twitter/secureheaders/blob/master/config/curl-ca-bundle.crt, like the example, the one I am dealing with was automatically generated from mozilla

Fwd: CA certificate bundle bogus certs

2013-11-25 Thread Sassan Panahinejad
Hi, I am dealing with a CA certificate bundle, similar to this one: https://github.com/twitter/secureheaders/blob/master/config/curl-ca-bundle.crt, like the example, the one I am dealing with was automatically generated from mozilla's certdata.txt. Consider the certificate labelled

CA certificate bundle bogus certs

2013-11-25 Thread Sassan Panahinejad
Hi, I am dealing with a CA certificate bundle, similar to this one: https://github.com/twitter/secureheaders/blob/master/config/curl-ca-bundle.crt, like the example, the one I am dealing with was automatically generated from mozilla's certdata.txt. Consider the certificate labelled

Re: Is it possible to grab CA certificate?

2013-06-18 Thread Viktor Dukhovni
On Tue, Jun 18, 2013 at 04:50:06PM -0400, Dave Thompson wrote: > > From: owner-openssl-us...@openssl.org On Behalf Of Carl Young > > Sent: Tuesday, 18 June, 2013 07:10 > > > Sorry for top-post - webmail :( > > > > In TLS, the server should not send the root certificate - it > > sends the chain

RE: Is it possible to grab CA certificate?

2013-06-18 Thread Dave Thompson
is shown is the server > certificate, the server is not providing the certificate > chain, only the server certificate. This way, you won't be > able to get the CA certificate from the SSL connection. Maybe > your network admins want to fix that too. > If it's for

Re: Is it possible to grab CA certificate?

2013-06-18 Thread Saurabh Pandya
2013 11:43 > > To: openssl-users@openssl.org > > Subject: Re: Is it possible to grab CA certificate? > > > > > > > > > > If the only certificate that is shown is the server certificate, the > server is not providing the certificate chain, only the server ce

RE: Is it possible to grab CA certificate?

2013-06-18 Thread Carl Young
ian Thiago Moecke [cont...@cristiantm.com.br] Sent: 18 June 2013 11:43 To: openssl-users@openssl.org Subject: Re: Is it possible to grab CA certificate? If the only certificate that is shown is the server certificate, the server is not providing the certificate chain, only the ser

Re: Is it possible to grab CA certificate?

2013-06-18 Thread Cristian Thiago Moecke
If the only certificate that is shown is the server certificate, the server is not providing the certificate chain, only the server certificate. This way, you won't be able to get the CA certificate from the SSL connection. Maybe your network admins want to fix that too. What is strange is that

Re: Is it possible to grab CA certificate?

2013-06-17 Thread A A
mport it into fx I get: "This is not a certificate authority certificate, so it can't be imported into the certificate authority list." So I think this is not CA certificate but a server certificate. And about recurring errors on the same site: I have a number of server exceptions in &q

RE: Is it possible to grab CA certificate?

2013-06-17 Thread Dave Thompson
at it > From: owner-openssl-us...@openssl.org On Behalf Of A A > Sent: Monday, 17 June, 2013 20:58 > Unfortunately fx doesn't let me to export CA certificate. I can only > view server side certificate and export it. Also, marking the It works for me (in 20.1, I'm a litt

Re: Is it possible to grab CA certificate?

2013-06-17 Thread A A
Sorry for top posting, damn gmail web interface did that. I don't have mutt installed on this machine and it hurts. __ OpenSSL Project http://www.openssl.org User Support Mailing List

Re: Is it possible to grab CA certificate?

2013-06-17 Thread A A
Unfortunately fx doesn't let me export the CA certificate. I can only view the server side certificate and export it. Also, marking the exception as permanent doesn't make fx remember this setting and I need to accept the certificate warning every time I go to a new SSL site. I tried to

Re: Is it possible to grab CA certificate?

2013-06-17 Thread Cristian Thiago Moecke
Ok, we have too many "maybe"s in a very open discussion that depends on so many variables... My intention is not to enter into a long discussion on security policies. I don't think the author of the first email is the network manager or the one that will deal with changing security policies, he only

RE: Is it possible to grab CA certificate?

2013-06-17 Thread Salz, Rich
> because from a workstation people may access external websites too. Like banks And perhaps they shouldn't. Have you seen the size of the built-in browser CA trust lists recently? And really, which is more likely: an in-house CA leads you astray, or you bring some external malware from the

Re: Is it possible to grab CA certificate?

2013-06-17 Thread Cristian Thiago Moecke
Well... trusting a CA means you trust it for any website you access from the workstation. Adding exceptions means you trust it only for those specific sites. I would not recommend adding an untrustworthy in-house CA, because from a workstation people may access external websites too. Like banks, fo

RE: Is it possible to grab CA certificate?

2013-06-17 Thread Salz, Rich
> By the way, I would NOT recommend adding an in-house probably unprotected CA as a trusted one. The exception is much better to deal with such cases. If it's a work machine, then absolutely trust the in-house CA, no matter how it is managed and protected. /r$ -- Principal Securi

Re: Is it possible to grab CA certificate?

2013-06-17 Thread Cristian Thiago Moecke
certificate/Details/Export. > > That would solve your problem, but if you want to do it the openssl way, > you could use openssl s_client -showcerts -connect HOSTNAME:443 and copy > the PEM encoded certificate to a file. > > > On Mon, Jun 17, 2013 at 12:49 PM, A A wrote: > >>

Re: Is it possible to grab CA certificate?

2013-06-17 Thread Cristian Thiago Moecke
rab a CA certificate with openssl? I don't mean a > remote server certificate but a local Certificate Authority > certificate that is used when connecting to a SSL web page. I need > because a special kind of certificate is used in a place where I work > that is signed by the comp

Is it possible to grab CA certificate?

2013-06-17 Thread A A
Is it possible to grab a CA certificate with openssl? I don't mean a remote server certificate but a local Certificate Authority certificate that is used when connecting to a SSL web page. I need because a special kind of certificate is used in a place where I work that is signed by the co

Error generating a self-signed CA certificate with openssl-1.0.1c

2012-07-25 Thread Tom Browder
I am using the following command inside a Perl program: $ /opt/openssl/bin/openssl req -passout stdin < /tmp/6I0ZLcltuD \ -config CA-default.org/ca-ssl.conf -out CA-default.org/certs/cacert.pem \ -outform PEM -newkey rsa -x509 -batch -verbose and get the following response, quote: Using con

Re: Distinguishing a CA certificate from an end entity certificate Reg.

2012-02-23 Thread Curt Sampson
On 2012-02-24 00:58 +0530 (Fri), Ashok C wrote: > We too have the use cases of those four certificates. Now what would be the > best programmatic way to find out for sure if a given certificate is a CA > certificate or not, be it a v3 or a v1. Well, in the end, given your conditions,

Re: Distinguishing a CA certificate from an end entity certificate Reg.

2012-02-23 Thread Ashok C
Thanks Jakob, We too have the use cases of those four certificates. Now what would be the best programmatic way to find out for sure if a given certificate is a CA certificate or not, be it a v3 or a v1. Regds, Ashok On Feb 24, 2012 12:51 AM, "Jakob Bohm" wrote: > On 2/23/2012 10

Re: Distinguishing a CA certificate from an end entity certificate Reg.

2012-02-23 Thread Jakob Bohm
On 2/23/2012 10:49 AM, Ashok C wrote: Hi, What would be the most efficient and easiest way to distinguish a CA certificate from an actual server/client(end entity) certificate? We were thinking of identifying the CA with the "CA:TRUE" constraint from the text display, but again

Re: Distinguishing a CA certificate from an end entity certificate Reg.

2012-02-23 Thread Peter Sylvester
On 02/23/2012 10:49 AM, Ashok C wrote: Hi, What would be the most efficient and easiest way to distinguish a CA certificate from an actual server/client(end entity) certificate? We were thinking of identifying the CA with the "CA:TRUE" constraint from the text display, but again

Distinguishing a CA certificate from an end entity certificate Reg.

2012-02-23 Thread Ashok C
Hi, What would be the most efficient and easiest way to distinguish a CA certificate from an actual server/client(end entity) certificate? We were thinking of identifying the CA with the "CA:TRUE" constraint from the text display, but again this check does not cover x509 v1 certific

Re: Year 2038 and CA certificate

2011-10-12 Thread Felix Brack (Mailinglist)
On 12.10.2011 22:38, Jakob Bohm wrote: On 10/10/2011 3:02 PM, Dr. Stephen Henson wrote: On Mon, Oct 10, 2011, Felix Brack (Mailinglist) wrote: On 10.10.2011 13:14, Dr. Stephen Henson wrote: If you use OpenSSL 1.0.0 or later you shouldn't see the 2038 issue on any platform because OpenSSL uses

Re: Year 2038 and CA certificate

2011-10-12 Thread Jakob Bohm
On 10/10/2011 3:02 PM, Dr. Stephen Henson wrote: On Mon, Oct 10, 2011, Felix Brack (Mailinglist) wrote: On 10.10.2011 13:14, Dr. Stephen Henson wrote: If you use OpenSSL 1.0.0 or later you shouldn't see the 2038 issue on any platform because OpenSSL uses its own internal date routines to bypas

Re: Year 2038 and CA certificate

2011-10-10 Thread Dr. Stephen Henson
On Mon, Oct 10, 2011, Felix Brack (Mailinglist) wrote: > On 10.10.2011 13:14, Dr. Stephen Henson wrote: > > > >If you use OpenSSL 1.0.0 or later you shouldn't see the 2038 issue on any > >platform because OpenSSL uses its own internal date routines to bypass the > >limitations of system routines.

Re: Year 2038 and CA certificate

2011-10-10 Thread Felix Brack (Mailinglist)
On 10.10.2011 13:14, Dr. Stephen Henson wrote: On Mon, Oct 10, 2011, Felix Brack (Mailinglist) wrote: Hello, My PKI is currently running on a 32 bit machine with OpenSSL version 0.9.8 suffering from the Y2038 bug. Another 64 bit machine does not show that bug. What I need for now is a CA

Re: Year 2038 and CA certificate

2011-10-10 Thread Dr. Stephen Henson
On Mon, Oct 10, 2011, Felix Brack (Mailinglist) wrote: > Hello, > > My PKI is currently running on a 32 bit machine with OpenSSL > version 0.9.8 suffering from the Y2038 bug. Another 64 bit machine > does not show that bug. > > What I need for now is a CA certificate for

Year 2038 and CA certificate

2011-10-10 Thread Felix Brack (Mailinglist)
Hello, My PKI is currently running on a 32 bit machine with OpenSSL version 0.9.8 suffering from the Y2038 bug. Another 64 bit machine does not show that bug. What I need for now is a CA certificate for signing which should have a validity that extends beyond 2038, say 2050. I can create

Re: How to embed a CA certificate in a program ?

2011-06-07 Thread Michel
Hi Albrecht, I'm still wondering though how I could have found that out myself. :-( Unfortunately reads: "Currently no detailed documentation on how to use the X509_STORE object is available." Is there some more documentation avail

Re: How to embed a CA certificate in a program ?

2011-06-06 Thread Albrecht Schlosser
Hi Michel, many thanks for this very quick reply ! On 06.06.2011 14:20, Michel (PAYBOX) wrote: Hi Albrecht, I might be wrong, but I think you should use instead SSL_CTX_get_cert_store() and then *X509_STORE_add_cert* to add the certificate to the list of trusted ones that will be used for ve

Re: How to embed a CA certificate in a program ?

2011-06-06 Thread Michel (PAYBOX)
works well, if I use certificate files. Now I'd like to embed the CA certificate in the client's code for easier installation. Hence I'm (naively?) looking for a replacement of this line of code: SSL_CTX_load_verify_locations(ctx, "ca.crt", NULL); where "ca.crt"

How to embed a CA certificate in a program ?

2011-06-06 Thread Albrecht Schlosser
Hi, I'm creating a client/server application with OpenSSL, using self-signed certificates. The client and server shall verify each other's certificate, and this works well, if I use certificate files. Now I'd like to embed the CA certificate in the client's code for easier

How to get intermediate CA certificate?

2011-05-11 Thread Akash Deo
Hi, I want to validate a CA signed certificate against its CRL. I have root certificate from CA. I have downloaded CRL for entity certificate (using URI in CRL Distribution Points field). Intermediate CA certificate is also required to verify entity certificate against CRL. Is there any way I

RE: How I can find URI for this ca certificate?

2011-05-02 Thread Eisenacher, Patrick
Hi Akash, -Original Message- > From: Akash Deo > Sent: Monday, May 02, 2011 7:19 AM > To: openssl-users > Subject: How I can find URI for this ca certificate? > > Hi, > I am trying to verify whether a ca signed certificate is revoked. > > Openssl verify option requi

How I can find URI for this ca certificate?

2011-05-01 Thread Akash Deo
Hi, I am trying to verify whether a ca signed certificate is revoked. Openssl verify option requires following parameters: - cert : A ca signed certificate to be verified. - cafile: FilePath to ca certificate used to sign the certificate (cert). *How I can find URI for this ca

RE: TLS trust of a chain of certificates up to a root CA. Certificate Sign extension not set

2009-10-29 Thread Eisenacher, Patrick
Hi Mourad, -Original Message- > From: On Behalf Of Mourad Cherfaoui > Sent: Wednesday, October 28, 2009 6:23 AM > To: openssl-users@openssl.org > Subject: TLS trust of a chain of certificates up to a root CA. Certificate > Sign extension not set > I have a chain of ce

Re: TLS trust of a chain of certificates up to a root CA. Certificate Sign extension not set

2009-10-28 Thread Dr. Stephen Henson
On Tue, Oct 27, 2009, Mourad Cherfaoui wrote: > > Hi, I have a chain of certificates C->B->A->RootCA. The TLS client only > presents C during the TLS handshake. RootCA has the Certificate Sign > extension set but not B and A. The TLS server fails the TLS handshake > because of the absence of

TLS trust of a chain of certificates up to a root CA. Certificate Sign extension not set

2009-10-28 Thread Mourad Cherfaoui
Hi, I have a chain of certificates C->B->A->RootCA. The TLS client only presents C during the TLS handshake. RootCA has the Certificate Sign extension set but not B and A. The TLS server fails the TLS handshake because of the absence of the Certificate Sign extension in B and A. My first

Re: add extension to an existing (signed) CA certificate

2009-09-20 Thread jehan procaccia
jehan procaccia wrote: Peter Sylvester wrote: well, if one takes the standard configuration of openssl, it sets the authoritykey_identifier both the hash and issuer serial, no exception for the root. comment says that pkix recommends that. yes , and the thread you refered me on this list

Re: TLS CA Certificate Loading in DER format

2009-09-14 Thread Peter Sylvester
I think the desired function is X509_STORE_add_cert SSL_CTX_use_certificate is to select you own certificate. Francois Dupressoir wrote: Hello Ram, You may be interested in the d2i_X509_fp() function [http://openssl.org/docs/crypto/d2i_X509.html#] in conjunction with SSL_CTX_use_certific

Re: TLS CA Certificate Loading in DER format

2009-09-14 Thread Francois Dupressoir
Hello Ram, You may be interested in the d2i_X509_fp() function [http://openssl.org/docs/crypto/d2i_X509.html#] in conjunction with SSL_CTX_use_certificate() [http://www.openssl.org/docs/ssl/SSL_CTX_use_certificate.html#]. Cheers, Francois ramaswamy.bm wrote: Hi, I am to use TLS for sec

TLS CA Certificate Loading in DER format

2009-09-14 Thread ramaswamy.bm
Hi, I am to use TLS for securing an application's data transfer. For development purposes I have been using a dummy set of certificates in PEM format. The currently used "SSL_CTX_load_verify_locations" API requires that the certificate be in PEM format. However, in real time sc

Re: TLS CA Certificate Loading in DER format

2009-09-13 Thread David Shambroom
d2i_X509_fp() Chaitra Shankar wrote: Hi, I am to use TLS for securing an application's data transfer. For development purposes I have been using a dummy set of certificates in PEM format. The currently used "SSL_CTX_load_verify_locations" API requires that the certificate be in

TLS CA Certificate Loading in DER format

2009-09-10 Thread Chaitra Shankar
Hi, I am to use TLS for securing an application's data transfer. For development purposes I have been using a dummy set of certificates in PEM format. The currently used "SSL_CTX_load_verify_locations" API requires that the certificate be in PEM format. However, in real time

Re: add extension to an existing (signed) CA certificate

2009-09-02 Thread jehan procaccia
rfcs. at least there is a length paragraph for roots to have an exception, and nowhere it is said you must have both link types. an AKI identifies the KEY, not the certificate btw I am not sure that the issuer/serial logic is correctly implementing this in all implementations. It doesn't mean

Re: add extension to an existing (signed) CA certificate

2009-09-01 Thread jehan procaccia
Ok, the advice sounds clear ;-) but how could I re-generate my root CA certs without breaking the chain, knowing that the sub-CA does reference root CA serial ? sub-Ca X509 extension Authority Key Identifier is : $ openssl x509 -in /etc/pki/tls/certs/itca.crt -text X509v3 Authority Key Identif

Re: add extension to an existing (signed) CA certificate

2009-09-01 Thread Peter Sylvester
an exception, and nowhere it is said you must have both link types. an AKI identifies the KEY, not the certificate btw I am not sure that the issuer/serial logic is correctly implementing this in all implementations. It doesn't mean that the verifying CA certificate must have this issuer/combin

Re: add extension to an existing (signed) CA certificate

2009-09-01 Thread Kyle Hamilton
Never, ever, ever, ever, ever under any circumstances issue the same serial number twice. You tried to issue the same serial to both roots -- badbadbadbadbadDONOT. -Kyle H On Tue, Sep 1, 2009 at 8:56 AM, jehan procaccia wrote: > jehan procaccia a écrit : >> >> I finally found it ! >> >> [proca..

Re: add extension to an existing (signed) CA certificate

2009-09-01 Thread jehan procaccia
jehan procaccia wrote: I finally found it ! [proca...@anaconda ~] $ openssl s_client -host svnext.it-sudparis.eu -port 443 -CAfile /etc/pki/tls/certs/new_it_root_ca10.crt -verify 3 verify depth is 3 CONNECTED(0003) depth=3 /CN=Institut TELECOM Root class1 Certificate Authority/O=Instit

Re: add extension to an existing (signed) CA certificate

2009-08-31 Thread jehan procaccia
Jehan PROCACCIA wrote: On 28/08/2009 02:57, Patrick Patterson wrote: Now I removed all my mozilla (firefox, seamonkey ) profiles on my test client that's what you mean by "replacing root CA certificate on your client " ? since I erased profiles (and hence stored

Re: add extension to an existing (signed) CA certificate

2009-08-28 Thread Jehan PROCACCIA
"Not After" Not After : Aug 23 09:37:00 2024 GMT I wonder if browsers do read root CA from SSLCACertificateFile or if they deduce it from SSLCertificateFile /etc/pki/tls/certs/svnext.pem !? in that case it means that I will have to re-sign all my servers :-( ? Did you r

Re: add extension to an existing (signed) CA certificate

2009-08-28 Thread Patrick Patterson
) > although it should read > [r...@svnext /etc/pki/tls/certs] > $ openssl x509 -in newitrootca.crt -text | grep "Not After" > Not After : Aug 23 09:37:00 2024 GMT > > I wonder if browsers do read root CA from SSLCACertificateFile or if they > deduce it

Re: add extension to an existing (signed) CA certificate

2009-08-27 Thread Jehan PROCACCIA
On 26/08/2009 22:16, Patrick Patterson wrote: Hi there: Ok, then in my case $PREFIX is it_root_ca.crt (PKI public cert) and $CAPREFIX it_root_ca.key (PKI private key) . but here's what I get : [pkiitr...@localhost ~/New_IT_ROOT_CA/pki/ca] $ openssl x509 -set_serial 01 -clrext -extfile

Re: add extension to an existing (signed) CA certificate

2009-08-27 Thread Patrick Patterson
Hi there: > > Ok, then in my case $PREFIX is it_root_ca.crt (PKI public cert) and > $CAPREFIX it_root_ca.key (PKI private key) . > but here's what I get : > > [pkiitr...@localhost ~/New_IT_ROOT_CA/pki/ca] > $ openssl x509 -set_serial 01 -clrext -extfile openssl.cnf -days 3650 > -CA it_root_ca.key

Re: add extension to an existing (signed) CA certificate

2009-08-26 Thread jehan procaccia
On 08/26/2009 04:24 PM, Peter Sylvester wrote: Jehan PROCACCIA wrote: On 26/08/2009 12:17, Peter Sylvester wrote: OK, then how do I re-issue my root CA certificate with my already existing ca.key ? If I could have a sample command line for openssl it would help me. Something like

Re: add extension to an existing (signed) CA certificate

2009-08-26 Thread Peter Sylvester
Jehan PROCACCIA wrote: On 26/08/2009 12:17, Peter Sylvester wrote: OK, then how do I re-issue my root CA certificate with my already existing ca.key ? If I could have a sample command line for openssl it would help me. Something like OPENSSL x509 -set_serial $SERIAL -clrext -extfile

Re: add extension to an existing (signed) CA certificate

2009-08-26 Thread Jehan PROCACCIA
On 26/08/2009 12:17, Peter Sylvester wrote: OK, then how do I re-issue my root CA certificate with my already existing ca.key ? If I could have a sample command line for openssl it would help me. Something like OPENSSL x509 -set_serial $SERIAL -clrext -extfile CA-EXTENSION.prm -days

Re: add extension to an existing (signed) CA certificate

2009-08-26 Thread Peter Sylvester
OK, then how do I re-issue my root CA certificate with my already existing ca.key ? If I could have a sample command line for openssl it would help me. Something like OPENSSL x509 -set_serial $SERIAL -clrext -extfile CA-EXTENSION.prm -days $DURATION -CA $CAPREFIX-ca.cacert -CAkey

Re: add extension to an existing (signed) CA certificate

2009-08-26 Thread Jehan PROCACCIA
On 25/08/2009 20:09, Patrick Patterson wrote: The only way to add this extension to your root cert is to re-issue your Root CA certificate (you can use the same private keys, so you wouldn't have to change or re-do any of the other certificates in your trust chain, as long as your Certif

Re: add extension to an existing (signed) CA certificate

2009-08-25 Thread Kyle Hamilton
If you want to get an OID branch, you can get one by applying for a "Private Enterprise Number" from the IANA, at http://pen.iana.org/pen/PenApplication.page . You will be assigned a number. This number will show up at http://www.iana.org/assignments/enterprise-numbers . This becomes your OID --

Re: add extension to an existing (signed) CA certificate

2009-08-25 Thread Peter Sylvester
Second, I doubt your organisation is authoritative for the OID arc 1.1.1.1.1 - from what documentation I can find, the 1.1 arc is used for examples, and shouldn't be used in production. You should have your organisation register with IANA to be issued its own correct OID arc (or, I think the

Re: add extension to an existing (signed) CA certificate

2009-08-25 Thread Patrick Patterson
.. V1 certificates don't have an extensions section, so this isn't a problem. > So I suspect and hope that I can change, alter, my running root CA > certificate !?, can you tell me how ? As I said above, you can't alter a signed structure - that's why you sign it

add extension to an existing (signed) CA certificate

2009-08-24 Thread jehan procaccia
can change, alter, my running root CA certificate !?, can you tell me how ? Thanks.

RE: CA certificate renewal

2009-07-06 Thread David Schwartz
Broken_Heart (Adeel) wrote: > Hi all, I had deployed the CA with 365 days, but the certificates > issued by it were valid for 500 days. I want to renew my CA > certificate, so that the same CA can be used in future instead of > deploying a new one, as many of the applications have trust

CA certificate renewal

2009-07-06 Thread Broken_Heart
Hi all, I had deployed the CA with 365 days, but the certificates issued by it were valid for 500 days. I want to renew my CA certificate, so that the same CA can be used in future instead of deploying a new one, as many of the applications have trusted that CA, so creating a new one after the CA get

signing CA certificate

2009-03-11 Thread Gab
I have a self-signed certificate authority, would like to grow my SSL web of trust, but don't know the procedure. A link would help a lot, and also (I came from PGP experience) what's the procedure for the two-way signing? Thanks!

Reading CA Certificate using memory instead of File to verify the peer..

2008-11-09 Thread Ajeet kumar.S
Hi All, I want to read CA certificate from certificate bundle to verify the peer. So I dumped the CA certificate bundle in memory instead of reading from file. BIO *in; STACK_OF(X509_INFO) *inf; in = BIO_new_mem_buf(file, -1); if(!in) { X509err

How to verify peer certificate using self signed root CA certificate.

2008-10-08 Thread Ajeet kumar.S
Dear All, I have a self-signed root certificate and I want to verify the peer certificate. Please tell me how to verify it. What API do I need to call? Thank you. Regards, --Ajeet Kumar Singh
