Sent: Saturday, March 5, 2016 8:44 AM
Subject: Re: [openssl-users] verify certificate chain (in memory)
Lei Sun wrote:
> Hi:
> In my project I need to verify certificate chain sent from server.
> The chain has root->intermediate -> server, 3 level chain. The
> server certifica
Lei Sun wrote:
> Hi:
> In my project I need to verify certificate chain sent from server.
> The chain has root->intermediate -> server, 3 level chain. The
> server certificate files can be verified by "openssl verify" command:
>
> openssl verify -CAfile root.c
Hi Bob,
Yan, Bob wrote:
Hi All,
I used the following methods to load CRL hashed-directory into a SSL_CTX object to verify the client certificate against the CRL. The code works fine and it's able to verify the client certificate against the loaded CRLs.
X509_STORE *x509Store
Hi All,
I used the following methods to load CRL hashed-directory into a SSL_CTX object
to verify the client certificate against the CRL. The code works fine and it's
able to verify the client certificate against the loaded CRLs.
X509_STORE *x509Store = SSL_CTX_get_cert_store
Hi Jan,
The problem is due to the mis-matched version between openssl library (used by
application) and openssl executable. Basically the CA/Intermediate CA
certificate hash is calculated different between two versions.
Thank you for your help!
Bob
-Original Message-
From: openssl
Yan, Bob wrote:
Thanks Jan,
When I am using the CApath, I do have the symbolic hash link (with ".0" at the end hash) linked to my ca-root.pem certificate file and ca-intermediate.pem certificate. Any other issues which could cause this issue?
what happens if you run
openssl veri
certificate. But when I
bound the root CA and intermediate CA into a single pem file and
reload it from my application, the handshake is successful. Could
anybody help me resolve this issue? Below is the sample of my
application code for loading the CA certificates
beginning could cause
> it?
>
> Cheers,
> Frank
>
> Nicholas Mainardi <mainardinicho...@gmail.com>
> Monday, February 01, 2016 8:57 PM
> I wrote this small program which takes as input X509 certificates,
> base64-encoded, parse them and build a certificate chain, wh
e them and build a certificate chain, which is
eventually verified by |x509_Verify_cert()|. The last certificate is
added to the trusted store if it's self-signed, in order to avoid
OpenSSL policy about self-signed certificates, as it's recommended in
this post
<https://zakird.com/2013/10/13/ce
I wrote this small program which takes as input X509 certificates,
base64-encoded, parse them and build a certificate chain, which is
eventually verified by x509_Verify_cert(). The last certificate is added to
the trusted store if it's self-signed, in order to avoid OpenSSL policy
about
Thanks Jan,
When I am using the CApath, I do have the symbolic hash link (with ".0" at the
end hash) linked to my ca-root.pem certificate file and ca-intermediate.pem
certificate. Any other issues which could cause this issue?
-Original Message-
From: openssl-users [mail
Dear Sir/Madam,
I have an application which acting as SSL server. When the application loads
the root and intermediate CA files from a CA path, the handshake between my
application and openssl client was failed at the point when my application was
authenticating the client's certificate
"(c) 2006 thawte, Inc. - For authorized use only", CN =
> thawte Primary Root CA
> verify error:num=20:unable to get local issuer certificate
> ...
Despite the CN string, the certificate presented by that server on
the wire is not a root certificate. See the attached chain.
Issu
: Thursday, December 03, 2015 7:00 AM
To: openssl-users@openssl.org
Subject: Re: [openssl-users] Verify callback to ignore certificate expiry
On Thu, Dec 03, 2015 at 06:01:36AM +, Nou Dadoun wrote:
> Another quick question, I'm setting up a server ssl handshake on a device on
> which the certi
, December 03, 2015 9:08 AM
To: openssl-users@openssl.org
Subject: Re: [openssl-users] Verify callback to ignore certificate expiry
On Thu, Dec 03, 2015 at 05:00:12PM +, Nounou Dadoun wrote:
> Calling
> X509_STORE_CTX_set_error(ctx, X509_V_OK); Is actually what I'm doing
On Thu, Dec 03, 2015 at 05:00:12PM +, Nounou Dadoun wrote:
> Calling
> X509_STORE_CTX_set_error(ctx, X509_V_OK);
> Is actually what I'm doing already but I was worried that it would then
> ignore any other errors (e.g. bad signature etc.);
No, because is error is reported separately,
On Thu, Dec 03, 2015 at 06:01:36AM +, Nounou Dadoun wrote:
> Another quick question, I'm setting up a server ssl handshake on a device on
> which the certificate verification will sometimes fail not because the
> certificate is bad but because the time is not set properly on t
Another quick question, I'm setting up a server ssl handshake on a device on
which the certificate verification will sometimes fail not because the
certificate is bad but because the time is not set properly on the device.
I'm doing an ssl verify callback that is almost identical to one
Thanks Matt !
On Tue, Nov 3, 2015 at 4:29 PM, Matt Caswell <m...@openssl.org> wrote:
>
>
> On 03/11/15 23:33, Jayadev Kumar wrote:
> > Hi,
> >
> > Can i create DH-RSA and DH-DSS certificate using openssl ?
>
> Yes.
>
> >
> > If yes, Wh
Hi,
Can i create DH-RSA and DH-DSS certificate using openssl ?
If yes, Which openssl version has the support for it ?
Can i use DH-RSA and DH-DSS certificate with 'openssl s_server' application
?
Right now i am using openssl-1.0.1m and it is not working for me.
Thanks,
Jayadev
On 03/11/15 23:33, Jayadev Kumar wrote:
> Hi,
>
> Can i create DH-RSA and DH-DSS certificate using openssl ?
Yes.
>
> If yes, Which openssl version has the support for it ?
1.0.2
>
> Can i use DH-RSA and DH-DSS certificate with 'openssl s_server'
> application ?
On 5.10.2015 17:11, Dr. Stephen Henson wrote:
On Mon, Oct 05, 2015, Walter H. wrote:
Hello,
attached is the certificate and its chain of https://revoked.grc.com/
doing this:
openssl ocsp -no_nonce -issuer chain.pem -cert cert.pem -text -url
http://ocsp2.globalsign.com/gsdomainvalg2
gives
Hello,
attached is the certificate and its chain of https://revoked.grc.com/
doing this:
openssl ocsp -no_nonce -issuer chain.pem -cert cert.pem -text -url
http://ocsp2.globalsign.com/gsdomainvalg2
gives the following:
OCSP Request Data:
Version: 1 (0x0)
Requestor List
On Mon, Oct 05, 2015, Walter H. wrote:
> Hello,
>
> attached is the certificate and its chain of https://revoked.grc.com/
>
> doing this:
>
> openssl ocsp -no_nonce -issuer chain.pem -cert cert.pem -text -url
> http://ocsp2.globalsign.com/gsdomainvalg2
>
>
I am trying to figure out what I have done wrong.
I have a certificate from PositiveSSL for my email server. I have the
root certificate and the intermediate certs installed in /etc/ssl/certs/.
However, I still cannot verify my certificate. I can't figure out what
I have done wrong. I've
On 10/04/2015 07:03 AM, Yan Seiner wrote:
I am trying to figure out what I have done wrong.
I have a certificate from PositiveSSL for my email server. I have the
root certificate and the intermediate certs installed in /etc/ssl/certs/.
However, I still cannot verify my certificate. I
On Sun, Oct 04, 2015 at 07:58:42AM -0400, Yan Seiner wrote:
> >I have a certificate from PositiveSSL for my email server. I have the
> >root certificate and the intermediate certs installed in /etc/ssl/certs/.
man c_rehash
> >However, I still cannot verify my cer
Hi,
how does OpenSSL scan/parse the certificate store?
Does it look for specific directory-/filenames (e.g. CA-identity =
.crt) or does it just parse ALL files in the certificate
store?
--
Best regards,
Renne
___
openssl-users mailing list
On 15/09/2015 08:28, Rene Bartsch wrote:
Hi,
how does OpenSSL scan/parse the certificate store?
Does it look for specific directory-/filenames (e.g. CA-identity =
.crt) or does it just parse ALL files in the certificate store?
See the documentation of the c_rehash program.
Basically
On Thu, Sep 03, 2015 at 04:35:00PM +, Salz, Rich wrote:
> > PEM_read_bio_X509() fails because of the missing newlines.
>
> The underlying base64 decoder is horrible. It accepts invalid 8bit chars,
> and silently enforces a line-length limit.
>
> Wanna rewrite it? :)
A large part of the
> PEM_read_bio_X509() fails because of the missing newlines.
The underlying base64 decoder is horrible. It accepts invalid 8bit chars, and
silently enforces a line-length limit.
Wanna rewrite it? :)
On Thu, Sep 03, 2015 at 12:28:48PM -0400, Ken Goldman wrote:
> My application receives an X509 certificate string in PEM format (separators
> and base64 encoded certificate) with no newlines.
>
> PEM_read_bio_X509() fails because of the missing newlines.
>
> I can write some
My application receives an X509 certificate string in PEM format
(separators and base64 encoded certificate) with no newlines.
PEM_read_bio_X509() fails because of the missing newlines.
I can write some preprocessing code to add newlines every 72 characters
when writing the BIO.
I also
The following commit changed the behavior of checking the extended key
usage bits in a server certificate when using X509_PURPOSE_SSL_SERVER:
http://marc.info/?l=openssl-cvs&m=132759007026375&w=2
This commit was put into 1.0.2 on April 6, 2012. Therefore, 1.0.1 and
1.0.2 behave differently
Hi All,
Does the *alternative chains certificate forgery* issue affect the
OpenSSL stacks earlier than 1.0.1n releases? Why I am asking this
question is affected code seems to be available in earlier versions as
well.
Thanks and Regards
Jayalakshmi
/21/2015 05:48 PM, Jayalakshmi bhat wrote:
Hi All,
Does the *alternative chains certificate forgery* issue affect the OpenSSL
stacks earlier than 1.0.1n releases? Why I am asking this question is affected
code seems to be available in earlier versions as well.
Thanks and Regards
From: openssl-users On Behalf Of Salz, Rich
Sent: Sunday, July 05, 2015 11:56
[in response to message about 'ca']
the question: where does the serial number for this certificate come
from?
is it random by default when nothing is said about it?
It will be random if (a) the serial file
for this certificate come from?
is it random by default when nothing is said about it?
Quoting the man page for req(1) -- although depending on the packaging
which I don't know for CentOS it may be a different section like 1s or 1ssl --
and also on the web https://www.openssl.org/docs/apps/req.html
signed certificate instead of a certificate
request.
This is typically used to generate a test certificate or a self signed root CA.
The extensions added to the certificate (if any) are specified in the
configuration file. Unless specified using the set_serial option,
a large random number
./squidCA.pem -out
./squidCA.pem
the question: where does the serial number for this certificate come from?
is it random by default when nothing is said about it?
would this be also an option when using openssl like this:
openssl ca -batch -config any.cnf -name any_ca -md sha256 -startdate
From: openssl-users On Behalf Of Ben Humpert
Sent: Sunday, July 05, 2015 07:58
Take a look in your openssl.cnf and you should see the option serial
with a path / file specified. The serial number is taken from that
file. If the file doesn't exists or is empty when the very first
certificate
Take a look in your openssl.cnf and you should see the option serial
with a path / file specified. The serial number is taken from that
file. If the file doesn't exists or is empty when the very first
certificate is created then 01 is used as a serial for it.
Rich Salz recommended me this SSL
the question: where does the serial number for this certificate come from?
is it random by default when nothing is said about it?
It will be random if (a) the serial file does not exist; and (b) you specify
the -create_serial flag. Otherwise it opens the file, reads the number
(defaulting
On Sun, Jul 05, 2015, Salz, Rich wrote:
the question: where does the serial number for this certificate come from?
is it random by default when nothing is said about it?
It will be random if (a) the serial file does not exist; and (b) you specify
the -create_serial flag. Otherwise
Unless I'm misreading the code an absent serial number file is an error.
I was looking at load_serial() in apps.c, with the |create| parameter.
/r$
such an e-mail and it could not be verified; Thunderbird
has shown an error; the certificate used for signing that e-mail
also used an sha256-hash, too;
at work I had a client capable of sending sha-256 hash signed e-mails,
but only a sha1 cert; and that mail could be verified without problems
On 26/06/2015 21:41, Walter H. wrote:
Hello,
has anybody got a reliable source or knowledge about which
mail clients - especially which Thunderbird release - should be
capable of verifying such mails correctly?
I believe GlobalSign has a knowledge base article
listing this as far as they
Hello,
has anybody got a reliable source or knowledge about which
mail clients - especially which Thunderbird release - should be capable
of verifying such mails correctly?
this
openssl smime -verify -CAfile trusted.crt -in mail.eml
successfully verifies such an e-Mail;
Thanks,
Walter
--
From: openssl-dev On Behalf Of Nayna Jain
Sent: Wednesday, June 10, 2015 20:31
If I have a pem file with private key in that, how do I check if that is
RSA/DSA ?
If it uses a legacy format, the BEGIN line specifies the algorithm
-----BEGIN RSA PRIVATE KEY-----
-----BEGIN DSA PRIVATE KEY-----
On Thu, Jun 11, 2015 at 06:01:26AM +0530, Nayna Jain wrote:
I have similar concern for private key.
If I have a pem file with private key in that, how do I check if that is
RSA/DSA ?
In almost all cases don't check. Just load and use the key as a
generic EVP_PKEY.
--
Viktor.
Hi,
I am using openssl 1.0.2 on windows. as on windows, openssl could not
use os's default root ca folder as on ubuntu (/etc/ssl/certs).
and I do not use X509_STORE_add_cert() to add any root ca certificate files.
But when I use X509_verify_cert() to verify certificate that I get
from some url
-...@openssl.org
Date: 06/10/2015 10:18 AM
Subject:Re: [openssl-users] Is there openssl API to verify certificate
content is DER or PEM format ?
Sent by:openssl-users openssl-users-boun...@openssl.org
On Wed, Jun 10, 2015 at 08:48:41AM +0530, Nayna Jain wrote:
I
API to verify certificate
content is DER or PEM format ?
Sent by:openssl-users openssl-users-boun...@openssl.org
[ Please DO NOT post user questions to openssl-dev, that's rude. ]
On Tue, Jun 09, 2015 at 09:51:52AM +0530, Nayna Jain wrote:
I need to verify if the certificate
On Wed, Jun 10, 2015 at 08:48:41AM +0530, Nayna Jain wrote:
I think I will try with PEM_read_xxx and d2i_, then probably do not have
to read through first character as 0x30.
That works, provided you rewind or re-open the file.
Are all d2i_xxx type of APIs for DER format.
Yes, they decode
Hi,
I need to verify if the certificate I have received is having its content in
PEM/DER format.
Is there any API which if given file pointer like (fp) will tell me whether
it has valid format of certificate and if yes then whether it is PEM/DER
format ?
If no API, then what is the other way
whether
it has valid format of certificate and if yes then whether it is PEM/DER
format ?
If no API, then what is the other way to verify this ?
If the first character of the file is 0x30 (ASN.1 sequence) it is
likely in DER form. With stdio you can peek at that character and
use ungetc() to put
that it
asks for the Root CA certificate and with that selected I get a
different error message than with any other certificate so I guess it
is the right cert.
I want the users to validate the RADIUS server's certificate.
Which OpenSSL version is the EAP_TLS code using to
verify
documentation as well as other sources say that it
asks for the Root CA certificate and with that selected I get a
different error message than with any other certificate so I guess it
is the right cert.
I want the users to validate the RADIUS server's certificate.
Which OpenSSL version
2015-05-27 14:02 GMT+02:00 Jakob Bohm jb-open...@wisemo.com:
Just to clarify: The log messages in your original post,
were those from Android or from the server?
These are from the RADIUS server debug output.
On 27/05/2015 01:21, Ben Humpert wrote:
Hi everybody,
I have my RADIUS server running and Windows as well as MacOS and iOS
can successfully authenticate using EAP-PEAP, EAP-TTLS or EAP-TLS each
with server certificate validation. However, Android 4.4.4 can not and
I can't figure out why
On 26/05/15 04:17, Jerry OELoo wrote:
Hi.
I found there is a website which has https support.
https://www.ib-channel.net/miegin/web/jsp/B02-01.jsp
and browser can show its certificate chain.
but when I use openssl to connect website, it returns fail.
openssl s_client -connect www.ib
After I set -tls1 -servername, I can get certificate chain information.
But in my code. I have used SSL_set_tlsext_host_name() to set host
name, but it can not get certificate chain.
On Tue, May 26, 2015 at 1:32 PM, Jeffrey Walton noloa...@gmail.com wrote:
On Mon, May 25, 2015 at 11:17 PM, Jerry
On Tue, May 26, 2015 at 4:09 AM, Matt Caswell m...@openssl.org wrote:
On 26/05/15 04:17, Jerry OELoo wrote:
Hi.
I found there is a website which has https support.
https://www.ib-channel.net/miegin/web/jsp/B02-01.jsp
and browser can show its certificate chain.
but when I use openssl
On Tue, May 26, 2015 at 7:21 PM, Ben Humpert b...@an3k.de wrote:
Hi everybody,
I have my RADIUS server running and Windows as well as MacOS and iOS
can successfully authenticate using EAP-PEAP, EAP-TTLS or EAP-TLS each
with server certificate validation. However, Android 4.4.4 can not and
I
Hi everybody,
I have my RADIUS server running and Windows as well as MacOS and iOS
can successfully authenticate using EAP-PEAP, EAP-TTLS or EAP-TLS each
with server certificate validation. However, Android 4.4.4 can not and
I can't figure out why.
The complete Cert Chain:
Root CA
Hi.
I found there is a website which has https support.
https://www.ib-channel.net/miegin/web/jsp/B02-01.jsp
and browser can show its certificate chain.
but when I use openssl to connect website, it returns fail.
openssl s_client -connect www.ib-channel.net:443
CONNECTED(0003)
write:errno=104
On 26 mai 2015, at 05:17, Jerry OELoo wrote:
Hi.
I found there is a website which has https support.
https://www.ib-channel.net/miegin/web/jsp/B02-01.jsp
and browser can show its certificate chain.
but when I use openssl to connect website, it returns fail.
Openssl works great here
On Mon, May 25, 2015 at 11:17 PM, Jerry OELoo oylje...@gmail.com wrote:
Hi.
I found there is a website which has https support.
https://www.ib-channel.net/miegin/web/jsp/B02-01.jsp
and browser can show its certificate chain.
but when I use openssl to connect website, it returns fail
of trust may or may not be the self-signed certificate.
But it's probably always fine to omit the self-signed certificate.
No, not always.
Any reason this would be problematic? It'd be a simple change to add
for the TLS 1.3 spec that would align things better with real-world usage.
None
Alexandre Arantes wrote:
one of them asked me why did I choose not to add the client hostname to the
Client Certificate, thus making it usable only by that specific client.
There are no standardized naming rules for client certs like the TLS server
hostname check implemented at the client
Bonjour,
NID_name correspond to the OID id-at-name. There's no equivalent field
in a certificate that maps to an OID.
The OID id-at-name designs the attribute supertype name, which
shouldn't be present in a certificate, but can nevertheless be present.
Anywhere.
--
Erwann ABALEA
Le 29/04
and, testing my proof-of-concept has shown that if
one of the pieces is missing from the equation (CA, Server, Client
certificates), the communication ceases.
But once I showed my work to people in my company, one of them asked me why did
I choose not to add the client hostname to the Client Certificate
But once I showed my work to people in my company, one of them asked me why
did I choose not to add the client hostname to the Client Certificate, thus
making it usable only by that specific client.
You put to put the client name or ipaddr in the subjectAltName extension field.
Then you'd
Hi,
Can some one let me know what is the equivalent field in a certificate that
maps to NID_Name?
Thank you,
Tom
___
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Hi Jakob,
Thanks for the feedback, what you say makes sense, so I'll try and
avoid the non-standard Microsoft thing.
Apologies for the top - posting, I get so used to pressing reply.
Kind regards,
Andy
Hi Jeff,
Thanks a lot for the detailed explanation. Since I have a requirement to
use the certificate public/private keys for encryption/decryption I believe
I should be able to use ECDHE based approach.
Regards
Jayalakshmi
On Sun, Apr 26, 2015 at 11:41 PM, Jeffrey Walton noloa...@gmail.com
Thanks Rich, Jakob.
So, can I use openssl as it is to query the values of the extension on an
existing certificate do you think? The usual issue seems that people want to
use openssl to form a request and insert the ms CA template name in there
otherwise it complains. I don't want to do
is also checked) to check all the
specific certificate properties (extensions, basic
settings, name forms etc.) against the requirements.
Tests such as:
Does it include the required set of key usages and
extended key usages?
Does it include any neither required nor optional
(and thus unwanted) key
Hi All,
First time post, be gentle :-)
I know this has come up before, but not recently, and there aren't any
answers that seem conclusive.
I have need to identify a Microsoft generated certificate's template
name, I believe as part of oid 1.3.6.1.4.1.311.21.7
Can anybody shed any light on how
I have need to identify a Microsoft generated certificate's template name, I
believe as part of oid 1.3.6.1.4.1.311.21.7
Where, in a cert OtherName field?
On 28/04/2015 02:59, Salz, Rich wrote:
I have need to identify a Microsoft generated certificate's template name, I
believe as part of oid 1.3.6.1.4.1.311.21.7
Where, in a cert OtherName field?
It is an extension. Microsoft certificate server (their
bundled CA software) puts the name
On Mon, Apr 27, 2015 at 12:54 AM, Jayalakshmi bhat
bhat.jayalaks...@gmail.com wrote:
Hello All,
I am working on a project where there is need to encrypt and decrypt certain
data using certificate public/private key pair. So far we were using RSA
based certificates. OpenSSL provides good
Hello All,
I am working on a project where there is need to encrypt and decrypt
certain data using certificate public/private key pair. So far we were
using RSA based certificates. OpenSSL provides good number of API's for RSA
based encryption/decryption operation.
Now we are planning to support
How do we use `openssl req` and a CONF file to add the information
(assuming we already have the certified timestamps)?
Ouch, that's gonna be nasty. Look at ASN1_generate_nconf.pod Most likely have
to use the SEQUENCE type, recursively. Ouch indeed.
A patch to let you specify the DER
On Mon, Apr 20, 2015 at 01:57:47PM +, Salz, Rich wrote:
How do we use `openssl req` and a CONF file to add the information
(assuming we already have the certified timestamps)?
Ouch, that's gonna be nasty. Look at ASN1_generate_nconf.pod Most likely
have to use the SEQUENCE type,
On Mon, Apr 20, 2015, Salz, Rich wrote:
A patch to let you specify the DER directly would be useful.
No patch required:
Looks like a doc bug then.
Err...
https://www.openssl.org/docs/apps/x509v3_config.html#ARBITRARY-EXTENSIONS
Steve.
--
Dr Stephen N. Henson. OpenSSL project core
On Mon, Apr 20, 2015, Salz, Rich wrote:
How do we use `openssl req` and a CONF file to add the information
(assuming we already have the certified timestamps)?
Ouch, that's gonna be nasty. Look at ASN1_generate_nconf.pod Most likely
have to use the SEQUENCE type, recursively. Ouch
A patch to let you specify the DER directly would be useful.
No patch required:
Looks like a doc bug then.
https://www.openssl.org/docs/apps/x509v3_config.html#ARBITRARY-
EXTENSIONS
Oops.
I only looked at asn1_generate. Should there be a cross-link?
Browsers are starting to enforce Certificate Transparency (CT).
Below is a sample of CT Precertificate SCTs, which is required for CT.
It includes a new certificate extension with an OID of
1.3.6.1.4.1.11129.2.4.2.
How do we use `openssl req` and a CONF file to add the information
(assuming we
Modulus:
00:9a:18:ca:4b:94:0d:00:2d:af:03:29:8a:f0:0f:
The leading zero is so that you don't confuse it with a sign bit.
On 04/04/2015 07:18, Jakob Bohm wrote:
On 04/04/2015 04:07, Mabry Tyson wrote:
I happened to notice what seems to be an output glitch in the textual
output of a certificate.
I received a copy of the QuoVadis Root CA 2 certificate as a file.
When I examined the certificate via
openssl
I happened to notice what seems to be an output glitch in the textual
output of a certificate.
I received a copy of the QuoVadis Root CA 2 certificate as a file. When
I examined the certificate via
openssl x509 -text -in /tmp/QV.cer (using OpenSSL 1.0.1 14 Mar
2012 as installed
On 04/04/2015 04:07, Mabry Tyson wrote:
I happened to notice what seems to be an output glitch in the textual
output of a certificate.
I received a copy of the QuoVadis Root CA 2 certificate as a file.
When I examined the certificate via
openssl x509 -text -in /tmp/QV.cer (using
parameterize a %db DSA key, KEY_LEN);
if (0 == DSA_generate_key(keypair))
LOG_OpenSSL(Cannot generate a %db DSA key, KEY_LEN);
if (unlikely(0 == EVP_PKEY_assign_DSA(pkey_m, keypair)))
LOG_OpenSSL(Cannot attach a DSA to an EVP_PKEY);
, then try to create a certificate
On Mon, Mar 30, 2015 at 03:05:04AM +, K V wrote:
EVP_PKEY_t *pkey_m;
...
DSA *keypair; // Also contains other stuff
...
if (0 == X509_set_pubkey(x509, keypair.pkey_m))
LOG_OpenSSL(Cannot set keypair);
That second argument can't be keypair.pkey_m? That
(Resending because I accidentally sent this
reply from the wrong address last week, and
yes, this is the correct mailing list).
No, don't dump the CA certificate. Dump one
of the *old* *issued* certificates.
There is nothing to diff against, you need to
see in what ways the *old**issued
Hi
Is this the right mailing list to ask this question ?
Can somebody suggest a better ML
Thanks
From: Alex Samad - Yieldbroker
Sent: Wednesday, 18 March 2015 2:21 PM
To: openssl-users@openssl.org
Subject: RE: [openssl-users] question about resigning a certificate
Hi
I have done
Subject: Re: [openssl-users] question about resigning a certificate
On 16/03/2015 02:46, Alex Samad - Yieldbroker wrote:
Hi
I had a sha1 signed CA and I issued other identity and CA certificates from
this CA.
With the deprecation of sha1 coming, I resigned my original CA (self signed
On 16/03/2015 02:46, Alex Samad - Yieldbroker wrote:
Hi
I had a sha1 signed CA and I issued other identity and CA certificates from
this CA.
With the deprecation of sha1 coming, I resigned my original CA (self signed) as
sha512, with the same creation and expiry dates. I believe the only