Re: ECC Certificate Signing Request

On Wed, May 28, 2014, Matt Caswell wrote: > On 28 May 2014 11:06, Sverre Moe wrote: > > I used the following openssl command for my ECC private key and CSR. > > openssl ecparam -name secp521r1 -genkey -param_enc explicit -out > > private-key.pem > > openssl req -new -key private-key.pem -nodes -s

Re: ECC Certificate Signing Request

ts secp521r1. > > > While we are on the subject on ECC. Could my ECC certificate work with > browsers that does only support RSA authentication, like TLS_ECDHE_RSA or > TLS_DHE_RSA? No. You will need an RSA certificate for this. Matt _

Re: ECC Certificate Signing Request

curve. In this case its secp521r1. While we are on the subject on ECC. Could my ECC certificate work with browsers that does only support RSA authentication, like TLS_ECDHE_RSA or TLS_DHE_RSA? 2014-05-28 10:45 GMT+02:00 Matt Caswell : > On 28 May 2014 08:47, Sverre Moe wrote: > > When

Re: ECC Certificate Signing Request

On 28 May 2014 08:47, Sverre Moe wrote: > When creating a ECC Certificate Signing Request I noticed the CSR from > OpenSSL was quite different from the one I generated with Java Keytool. > > Checking the CSRs with: openssl req -in ecc.csr -text -noout > > OpenSSL CSR has the fo

ECC Certificate Signing Request

When creating a ECC Certificate Signing Request I noticed the CSR from OpenSSL was quite different from the one I generated with Java Keytool. Checking the CSRs with: openssl req -in ecc.csr -text -noout OpenSSL CSR has the following attributes: Subject Public Key Info: Public Key Algorithm

RE: Verification of a certificate chain

newServerCert is no problem. After some time, users would move trust to > > newRoot and I can "disable" oldRoot. > > > > This doesn't seem possible, if I understand your answers correct. > > > > Is there another/better/default way of smoothly cha

Re: Verification of a certificate chain

The X.509-canonical way to do this is to have the old trust anchor sign a new certificate containing the new public key, using the same Issuer name and a different AuthorityKeyIdentifier. This is called "key rollover", but it retains the security level of the old key (meaning, if th

RE: Verification of a certificate chain

> This doesn't seem possible, if I understand your answers correct. > > Is there another/better/default way of smoothly changing a trust anchor? > I.e. by cross-signing the newRoot by itself and the oldRoot? Just add the new root-CA certificate to all relevant truststores.

Re: Verification of a certificate chain

Hi, thank you all for the clarification. As most users do not have OpenSSL 1.0.2, this doesn't seem to solve my problem. What I want to achieve is having a new rootCA, which replaces an oldRootCA, which I am using until now. So far the trust chain is: oldRoot -> oldServerCert. What I thought sh

Re: Verification of a certificate chain

On Tue, May 27, 2014, Viktor Dukhovni wrote: > On Tue, May 27, 2014 at 03:44:46PM +0200, Sven Reissmann wrote: > > > But, should't it also be possible to only verify the trust chain up to > > the subCA (i.e., if I fully trust this CA)? I would have expected that > > this will verify sucessfully:

Re: Verification of a certificate chain

ot;error 2 at 1 depth lookup:unable to get issuer > certificate" > > What do I miss? The chain construction code in X509_verify_cert() is currently limited to self-signed trust anchors. -- Viktor. __

Re: Verification of a certificate chain

Hello, On Tue, May 27, 2014 15:44, Sven Reissmann wrote: > Hi, > > I'm having a comprehension question on certificate verification. > > Having a trustchain like this: > > rootCA -> subCA -> subCA2 > > I can verify the subCA2 certificate using the command:

Verification of a certificate chain

Hi, I'm having a comprehension question on certificate verification. Having a trustchain like this: rootCA -> subCA -> subCA2 I can verify the subCA2 certificate using the command: openssl verify -CAfile rootCA.pem -untrusted subCA.pem subCA2.pem But, should't it also be

Re: Re?: How to make a secure tcp connection without using certificate

On Sun, May 25, 2014 at 02:22:34PM +0200, Hanno B?ck wrote: > > Typically, leaving SSLv3 enabled is just fine if both ends support > > something stronger they'll negotiate that. > > That's not always true. In a browser fallback (only relevant here if the OP is implementing an HTTP server) nothin

Re: Re?: How to make a secure tcp connection without using certificate

On Fri, 23 May 2014 16:32:15 + Viktor Dukhovni wrote: > On Fri, May 23, 2014 at 06:11:05PM +0200, nicolas@free.fr wrote: > > > use at the very least TLSv1 (and preferably TLSv1_2) protocol if > > you want to use SSLv23_server_method(), don't forget to disable > > SSLv2 and 3 protocols (a

Re: Verify that certificate does not change, in the verify_callback

I don't specifically know the behavior of the code, so I have no means of answering your question directly. That said, it would certainly work if you stored a copy of the certificate during your VerifyCallback(), and compared with the version you copied out yourself. You might wish to ba

Re : Re: Re?: How to make a secure tcp connection without using certificate

fline prior any communication Nico - Mail d'origine - De: Viktor Dukhovni À: openssl-users@openssl.org Envoyé: Fri, 23 May 2014 18:32:15 +0200 (CEST) Objet: Re: Re?: How to make a secure tcp connection without using certificate On Fri, May 23, 2014 at 06:11:05PM +0200, nicolas@f

Re: Re?: How to make a secure tcp connection without using certificate

On Fri, May 23, 2014 at 06:11:05PM +0200, nicolas@free.fr wrote: > use at the very least TLSv1 (and preferably TLSv1_2) protocol if you want > to use SSLv23_server_method(), don't forget to disable SSLv2 and 3 protocols > (and maybe TLSv1) with the command > > SSL_CTX_set_options(ctx, SSL_OP_

Re : How to make a secure tcp connection without using certificate

#x27;t garantee at all that no one is spying on your packets on the network, not even that you are talking to the good computer... To prevent the first you need to encrypt your data (and thus use a key at some point), and to prevent the second you need a certificate (which basically contains a pu

RE: How to make a secure tcp connection without using certificate

Technology Specialist, Micro Focus From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Subrata Dasgupta Sent: Friday, 23 May, 2014 08:17 To: openssl-users@openssl.org Subject: How to make a secure tcp connection without using certificate Hello Sir / Madam,

Re: How to make a secure tcp connection without using certificate

Am 23.05.2014 14:16, schrieb Subrata Dasgupta: Hello Sir / Madam, I am very much new to openssl programming. I want to make a TCP connection secure using openssl. I do not want to use any certificate or keys.. Is it possible to make a TCP connection secure without using certificate or keys

How to make a secure tcp connection without using certificate

Hello Sir / Madam, I am very much new to openssl programming. I want to make a TCP connection secure using openssl. I do not want to use any certificate or keys.. Is it possible to make a TCP connection secure without using certificate or keys?? I am using openssl-0.9.7a. To make a TCP

Re: Verify that certificate does not change, in the verify_callback

The same question in much more specific terms: int VerifyCallback(X509_STORE_CTX *store_ctx, void *arg) Is the certificate stored in store_ctx the *new* one that the peer sends in case of *renegotiation*? Is the certificate stored in the SSL struct (obtained via SSL_get_peer_certificate

Verify that certificate does not change, in the verify_callback

Hello list, I'm using SSL_CTX_set_cert_verify_callback(empty_callback) to bypass all certificate chain walking and validation. I extract and validate the RSA key *after* handshake and verify only that. However I believe this callback can be called arbitrary times after initial handshak

Re: How to check if certificate is a EV-SSL certificate?

There is no single OID for Extended Validation. The members of CA/Browser Forum (CABF) define their own, and then petition the browsers for EV acceptance. The browsers then add the root certificate to their internal EV tables, along with the OID they use for EV. Since OpenSSL does not include

Re: How to check if certificate is a EV-SSL certificate?

> I'm building an iOS application and trying to check if a certificate, that a https-connection uses, is a EV certificate. Why? Wikipedia notes "The primary way to identify an EV certificate is by referencing the Certificate Policies extension field. Each issuer uses a dif

RE: How to check if certificate is a EV-SSL certificate?

Ø X509_get_ext_d2i(certificateX509, NID_certificate_policies, NULL, NULL) Ø ​which returns some data depending of the NID provided. Since it is a void-pointer, I don't know, which data type it returns. According to x509v3/pcy_cache.c, it returns a pointer to CERTIFICATEPOLICIES. According to

How to check if certificate is a EV-SSL certificate?

Hi everyone, I'm building an iOS application and trying to check if a certificate, that a https-connection uses, is a EV certificate. Does the OpenSSL-libary have a method that gives me that information, if a given certificate is a EV certificate? I found the method X509_get_ex

Using same SSL certificate for Apache and socketio web server for same application

s are same for main URL and socketio's URL. If I use two different SSL certificates all goes fine. However if I try to use the same certificate , application is unable to connect to socket io server. I want to use the same certificate for both the URLs (same host , different ports ). Is

Re: how to configure common name(CN) field, while creating certificate

On Fri, May 2, 2014 at 7:05 AM, krinalishah wrote: > > ... > I have created two seperate certificates for my server and client (here > client is a web browser). > Now my question is, when I create .crt certificate signed by CA, via > openSSL, it asks me for Common Name. >

Re: whichever certificate loading first wins

On 02/05/14 15:38, foxtrot wrote: 3) Here is the new cert we are trying to introduce (sales.1d.qb.com) Certificate: Data: Version: 1 (0x0) X.509v1 rather than X.509v3. Could that be the problem? -- Rob Stradling Senior Research & Development Scientist COMODO - Creating T

how to configure common name(CN) field, while creating certificate

Hi, I have an HTTP server named thttpd, on ARM platform. I use stunnel to redirect http requests to https, with openSSL secure certification. I have created two seperate certificates for my server and client (he re client is a web browser). Now my question is, when I create .crt certificate

RE: OpenSSL / GnuTLS / Certificate Installation HowTo

> From: owner-openssl-us...@openssl.org [mailto:owner-openssl- > us...@openssl.org] On Behalf Of Frederic Nivor > Sent: Friday, 02 May, 2014 11:18 > To: openssl-users@openssl.org > Subject: OpenSSL / GnuTLS / Certificate Installation HowTo > > I would like to create a TCP c

RE: whichever certificate loading first wins

> From: owner-openssl-us...@openssl.org [mailto:owner-openssl- > us...@openssl.org] On Behalf Of foxtrot > Sent: Friday, 02 May, 2014 11:47 > > I open my browser on my client windows workstation. I open the URL to > webserver1 and the certificate on that server shows a green l

RE: whichever certificate loading first wins

t is an X.509v1 certificate - why isn't it v3? I admit I don't understand the problem description from the original note, but it doesn't seem to match what we have with these three certificates. -- Michael Wojcik Technology Specialist, Micro Focus This message has been s

Re: whichever certificate loading first wins

I open my browser on my client windows workstation. I open the URL to webserver1 and the certificate on that server shows a green lock, no warnings...allows me access. I open a 2nd browser tab with the URL of webserver2 and I get an SSL Error and cannot get there...not even a warning...just

Re: whichever certificate loading first wins

to be read fails. Thoughts? Ideas? What do you mean by "at the same time". Barring SNI, a single server can have at most one private key + leaf certificate per algorithm: * One RSA certificate * One ECDSA certificate * One DSS certificate Additional RSA leaf certificates can

OpenSSL / GnuTLS / Certificate Installation HowTo

certificate. So from now, I don't know how to install and configure everything in order to work properly: - from the SSL certificate installation (if I need to), - how to use GnuTLS in my client/server program with those certificates (if needed), - ... Can somebody explain the all thing p

RE: whichever certificate loading first wins

Nothing jumps out at me, sorry. Hopefully others will find something. -- Principal Security Engineer Akamai Technologies, Cambridge, MA IM: rs...@jabber.me; Twitter: RichSalz __ OpenSSL Project

Re: whichever certificate loading first wins

no. I posted the text versions of our CA and both certs. -- View this message in context: http://openssl.6102.n7.nabble.com/whichever-certificate-loading-first-wins-tp49869p49896.html Sent from the OpenSSL - User mailing list archive at Nabble.com

RE: whichever certificate loading first wins

: 9c:bc:bf Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Basic Constraints: CA:FALSE Netscape Comment: OpenSSL Generated Certificate X509v3 Subject Key Identifier: 24::B4

RE: whichever certificate loading first wins

> We have a webserver with an SSL self-signed certificate that uses our company > CA cert in its chain I can't parse that -- either it's self-signed (usually only done by root CA's), or it's using an internal company CA. Can you post "x509 -text" for both

Re: Revoking a suspended certificate

A further related question: Is there some way to remove a suspended certificate from a CRL without manually editing the index file? Using the "- crl_reason removeFromCRL" option on the ca command does not work. cheers Mat On Friday 02. May 2014 14:35:23 you wrote: > Hy! &

Revoking a suspended certificate

Hy! If I have suspended (crlReason=certificateHold) a certificate in the past an now want to really revoke it using "openssl ca", I get an error message "ERROR:Already revoked, serial number 01". Is there some way to make openssl automaticalls "upgrade" the s

Re: whichever certificate loading first wins

Did you give them the same serial number? Because that will break things. On Thu, May 1, 2014 at 2:37 PM, foxtrot wrote: > We have a webserver with an SSL self-signed certificate that uses our > company > CA cert in its chain to authenticate along with a user certificate on the

whichever certificate loading first wins

We have a webserver with an SSL self-signed certificate that uses our company CA cert in its chain to authenticate along with a user certificate on the client browser. The Client cert loads and shows issued to and the only other chain portion is our Self-Signed CA Cert. This has been working

Re: Increment certificate serial numbers randomly

t; Tuesday, 29 April, 2014 16:32 > To: openssl-users@openssl.org > Subject: Re: Increment certificate serial numbers randomly > > On 30/04/2014 6:05 AM, Walter H. wrote: > On 29.04.2014 21:38, d...@deadhat.com<mailto:d...@deadhat.com> wrote: > > > This all seems unecessaril

Re: Increment certificate serial numbers randomly

On 29.04.2014 22:32, Tim Hudson wrote: On 30/04/2014 6:05 AM, Walter H. wrote: On 29.04.2014 21:38, d...@deadhat.com wrote: This all seems unecessarily complex. Make the serial number a 256 bit or greater true random number. There will be no collisions. the serial

Re: Increment certificate serial numbers randomly

t; I want just come back to Jakob Bohm "I seem to (vaguely) recall that there was once an option or standard for using a certificate-contents-related hash as the serial number, but I can't seem to find it right now." if he has already found this - I'd use it for a totally dif

Re: Increment certificate serial numbers randomly

On Wed, Apr 30, 2014 at 6:59 AM, Michael Wojcik wrote: > All of these approaches have already been suggested in this thread. Is it > really necessary that we go through them again? > > What hasn't been suggested is giving each server, etc. its own sub-CA signed by the root. Then there won't be a

RE: Increment certificate serial numbers randomly

any of the other proposals. Michael Wojcik Technology Specialist, Micro Focus From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Tim Hudson Sent: Tuesday, 29 April, 2014 16:32 To: openssl-users@openssl.org Subject: Re: Increment certificate serial number

Re: Increment certificate serial numbers randomly

256 bit is quite too big .. > In X.509 terms the serial number is an ASN1 integer value so there is no real length limit. It is also pretty common to see the output of a HASH operation used as a serial number in a certificate. However in the context of everyone separately picking an RNG output

Re: Increment certificate serial numbers randomly

On 29.04.2014 21:38, d...@deadhat.com wrote: This all seems unecessarily complex. Make the serial number a 256 bit or greater true random number. There will be no collisions. the serial number has maximum length ..., 256 bit is quite too big .. smime.p7s Description: S/MIME Cryptographic Sig

Re: Increment certificate serial numbers randomly

> On 29.04.2014 20:15, Jakob Bohm wrote: >> I seem to (vaguely) recall that there was once an option or standard for >> using a certificate-contents-related hash as the serial number, but I >> can't seem to find it right now. > Hi, > could you please try to find thi

Re: Increment certificate serial numbers randomly

On 29.04.2014 20:15, Jakob Bohm wrote: I seem to (vaguely) recall that there was once an option or standard for using a certificate-contents-related hash as the serial number, but I can't seem to find it right now. Hi, could you please try to find this; I would be interested in such -

Re: Increment certificate serial numbers randomly

entally growing serial numbers (which is actually bad by itself) but from distinct ranges. I seem to (vaguely) recall that there was once an option or standard for using a certificate-contents-related hash as the serial number, but I can't seem to find it right now. As for the use of a widely s

RE: Increment certificate serial numbers randomly

> From: owner-openssl-us...@openssl.org [mailto:owner-openssl- > us...@openssl.org] On Behalf Of Salz, Rich > Sent: Monday, 28 April, 2014 09:37 > > If you are comfortable with the key existing (online?) in multiple places, > make the serial number be a UUID treated as a BIGNUM. Yes, that's a muc

RE: Increment certificate serial numbers randomly

If you are comfortable with the key existing (online?) in multiple places, make the serial number be a UUID treated as a BIGNUM. -- Principal Security Engineer Akamai Technologies, Cambridge, MA IM: rs...@jabber.me; Twitter: RichSalz

RE: Increment certificate serial numbers randomly

> From: owner-openssl-us...@openssl.org [mailto:owner-openssl- > us...@openssl.org] On Behalf Of Mat Arge > Sent: Monday, 28 April, 2014 04:54 > > I agree with Walter, that it is not exactly good practise to have a CA key > lying around on multiple servers. But anyway, if you need to do it you hav

Re: Increment certificate serial numbers randomly

On Apr 28, 2014, at 1:53 AM, Mat Arge wrote: > You'd still have incrementally growing serial numbers > (which is actually bad by itself) but from distinct ranges. ...or perhaps random within the range. smime.p7s Description: S/MIME cryptographic signature

Re: Increment certificate serial numbers randomly

I agree with Walter, that it is not exactly good practise to have a CA key lying around on multiple servers. But anyway, if you need to do it you have to create the random serial number externally by some script and write it into the serial file (as set in the openssl configuration file used) pr

Re: Increment certificate serial numbers randomly

g_mask = utf8only" \ "prompt = no" \ "distinguished_name = dn" \ "CN=$cn") } req key.pem csr.pem foo.example.com Variants of this can be used that avoid generating intermediate files, with the output of "req"

Re: Increment certificate serial numbers randomly

On 26.04.2014 05:52, csa321 wrote: We've generated our own CA for self-signing certificates. The issue is that we package up the openssl install for installation on multiple servers. Therefore, the root CA we create is part of the package as well. the private key of the root CA should only

Increment certificate serial numbers randomly

ad of incrementing by 1, which it now defaults to? That way we can have the same root CA installed on multiple machines and not run the chance of generating identical serial numbers for certificates. Thanks in advance -- View this message in context: http://openssl.6102.n7.nabble.com/Increment-certif

Re: [1.0.1f] Building a certificate request with RSA-OAEP as Public Key Algorithm

a HSM with PKCS #11). This key pair will be used to wrap/unwrap symmetric keys with RSAES-OAEP. RFC 4055 specifies some algorithm identifiers for use with CMS, RSAES-OAEP being one of them (§4). I'm making a certificate signing request for the public key, and of course I'd want its Public K

Re: [1.0.1f] Building a certificate request with RSA-OAEP as Public Key Algorithm

Hello all, Trying to build a Certificate Signing Request using external means for crypto operations (eg key pair generation, signing). I'm relying on demos/x509/mkreq.c and the code in crypto/x509/. What I want to do is: - use external engine to generate RSA key pair - build X509_REQ a

Re: Free StartSSL certificate not trusted

Thanks you are right. I got it to work now adding the ca_bundle to it. BR. Allan 2014-04-16 10:28 GMT+02:00 Eisenacher, Patrick : > > > > -Original Message- > > From Allan Nielsen > > > > I have installed an ubuntu server with dovecot and a free certific

RE: Free StartSSL certificate not trusted

> -Original Message- > From Allan Nielsen > > I have installed an ubuntu server with dovecot and a free certificate from > startssl, but I get: > verify error:num=20:unable to get local issuer certificate > and > verify error:num=21:unable to verify the first c

Aw: Re: Re: Converting a root certificate from md5 to sha1

um 22:28 Uhr Von: "Kyle Hamilton" An: openssl-users Betreff: Re: Re: Converting a root certificate from md5 to sha1 Stephan, It depends on how pedantic your clients are. If you aren't rekeying, it shouldn't matter, though. X.509 has a "Subject" and an "Iss

Free StartSSL certificate not trusted

Hi all, I have installed an ubuntu server with dovecot and a free certificate from startssl, but I get: verify error:num=20:unable to get local issuer certificate and verify error:num=21:unable to verify the first certificate Any idea why? Tanks in advance, Allan My dovecot conf

Free StartSSL certificate not trusted

Hi all, I have installed an ubuntu server with dovecot and a free certificate from startssl, but I get: verify error:num=20:unable to get local issuer certificate and verify error:num=21:unable to verify the first certificate Any idea why? Tanks in advance, Allan My dovecot conf

Free StartSSL certificate not trusted

Hi all, I have installed an ubuntu server with dovecot and a free certificate from startssl, but I get: verify error:num=20:unable to get local issuer certificate and verify error:num=21:unable to verify the first certificate Any idea why? Tanks in advance, Allan My dovecot conf

Re: Re: Converting a root certificate from md5 to sha1

Stephan, It depends on how pedantic your clients are. If you aren't rekeying, it shouldn't matter, though. X.509 has a "Subject" and an "Issuer". The Issuer of a certificate is the Subject of the certificate which private key was used to sign it. If the Issuer doe

Aw: Re: Converting a root certificate from md5 to sha1

>You need to generate a new certificate with the same data (except a >different serial number and a reference to sha1WithRSAEncryption), >containing the same public key, and signed with the same private key. > >I'd recommend sha256WithRSAEncryption, but that's possib

Re: Converting a root certificate from md5 to sha1

You need to generate a new certificate with the same data (except a different serial number and a reference to sha1WithRSAEncryption), containing the same public key, and signed with the same private key. I'd recommend sha256WithRSAEncryption, but that's possibly not an option for you.

Re: Converting a root certificate from md5 to sha1

I don't know the answer to your main question, but: On Tue, 15 Apr 2014 10:41:20 +0200 steff...@gmx.de wrote: > I need to change this do sha1 because I have clients that do not > accept md5 anymore. If you use SHA256 you won't have to do this again in a few years. (Microsoft announced to depreca

Converting a root certificate from md5 to sha1

Hello world, I am running my own little CA and the root certificate was created using md5: Signature Algorithm: md5WithRSAEncryption I need to change this do sha1 because I have clients that do not accept md5 anymore. Is there any way to convert the existing cert from md5 to sha1 ? I tried

Re: overview of server certificate mechanism with open ssl

Hi, A certificate is not secret information itself. It may be distributed over LAN or Internet as free. A certificate doesn't contain a private key. A certificate can not be stolen. Every certificate has a special field inside it - fingerprint. This field contain sha-1 or md5 digest value

overview of server certificate mechanism with open ssl

'm on linux and windows, in c++, using libneon. I have to discuss with a server using a self signed certificate (server and clients will be in a LAN, not over internet). I know how to check in my app whether the certificate is valid or not, as it is self-signed and as i didn't configurate nothi

Re: Do I have to regenerate my own CA certificate because of Heartbleed???

You do not have to regenerate the CA key or certificate. You do have to regenerate the web server keys and certificates. https://www.cloudflarechallenge.com/heartbleed has had multiple people independently obtain their private key. -Kyle H On Fri, Apr 11, 2014 at 12:59 PM, Jeronimo L. Cabral

RE: Do I have to regenerate my own CA certificate because of Heartbleed???

Ø do I have to regenerate my CA certificate created with the former openssl version because of the Hearthbleed vulnerability ??? There should never be any reason for your web server to read the private key of the CA. So, no. -- Principal Security Engineer Akamai Technology Cambridge, MA

Do I have to regenerate my own CA certificate because of Heartbleed???

Dear, I have a CA implemented in a Debian Wheezy server and the versión of Openssl (1.0.1) is affected by the Hearthbleed vulnerability at time to generate our own CA certificate and the requested certificates for all the web servers from our company. I've just upgrade the openssl version

Reading an "otherName" value from a "subjectAltName" certificate extension

It looks like OpenSSL always shows "unsupported" for a subjectAltName of "otherName". The string that was written (both via M2Crypto, and directly at the commandline via openssl.cnf): 1.2.3.4;UTF8:some other identifier Dumped (openssl x509 -in test.crt -noout -text): c3:

Re: applying usb token generated signature to certificate request (csr)

o) and I am trying to use > a third part pkcs11 library to sign a certificate signing request (csr). > > The private and public keys are generated and stored on a usb token, and > there is no way of accessing them as files or blobs, but only attributes. > > I have created

applying usb token generated signature to certificate request (csr)

Hi I am using OpenSSL 1.0.2 on Windows 7 (Visual Studio) and I am trying to use a third part pkcs11 library to sign a certificate signing request (csr). The private and public keys are generated and stored on a usb token, and there is no way of accessing them as files or blobs, but only

Client certificate verification

Hi, We are switching to our own CA for in house networking. To test I've used it to sign a server certificate and a client certificate. The subject and issuer output for all three certificates is... ...CA: $ openssl x509 -subject -issuer -noout -in gandalf_cacert.pem subject= /O=myCo

Re: How to add intermediate certificate chain in SSL_CTX using OpenSSL API

On Thu, Mar 13, 2014 at 12:07:09PM +0530, Harshal Talele wrote: > I have now added server cert, private key and intermediate certificates > in one file and reading them using SSL_CTX_use_certificate_chain_file() > API. > > But one thing I want to understand. My server certificate

Re: How to add intermediate certificate chain in SSL_CTX using OpenSSL API

Thanks Victor. I believe this was the problem. I have now added server cert, private key and intermediate certificates in one file and reading them using SSL_CTX_use_certificate_chain_file() API. But one thing I want to understand. My server certificate is self-signed. And intermediate

Re: How to add intermediate certificate chain in SSL_CTX using OpenSSL API

On Mon, Mar 10, 2014 at 01:38:46PM +0530, Harshal Talele wrote: > As a matter of fact with use of with use of > SSL_CTX_use_certificate_chain_file() API SSL handshake continues to fail You must put all the PEM certificates (leaf certificate and intermediate CAs) in the *same* file. Wi

Re: How to add intermediate certificate chain in SSL_CTX using OpenSSL API

As a matter of fact with use of with use of SSL_CTX_use_certificate_chain_file() API SSL handshake continues to fail with error " As you have mentioned Victor, I am using SSL_CTX_use_certificate_file() API to read cert.pem which contains server certificate & private key. Now I have ano

certificate policies

I try to use the c interface to add the certificate policies and I have try this: I tried using following syntax for the same : - add_ext(x509OutCertificate, NID_certificate_policies, "Policy: 2.16.840.1.113733.1.7.54 ,CPS:https://www.verisign.com/cps";); -

Re: Extend SSL Certificate

On 09.03.2014 14:39, Michael Post wrote: last year i created my keys, certs and so on with the following steps for an openvpn server: the only certificate that is still valid is your self signed ca certificate; # Serverside openssl req -new -x509 -newkey rsa:2048 -keyout

Extend SSL Certificate

-config ./openssl.conf And today my certificate is invalid, cause due an "error" the servercert.pem is only valid 365 days. It should be 3650 days. # Serverside created, but copied to every client With the following commands i created the client certificates and keys openss

Re: How to add intermediate certificate chain in SSL_CTX using OpenSSL API

On Sat, Mar 08, 2014 at 08:26:54PM +0530, Harshal Talele wrote: > In my case cert.pem file contains private key too. > I wan to understand if I have to be use intermediate certificates in SSL > handshake is there any specific way in which we have to populate SSL_CTX > structure? > > I have tried

Re: How to add intermediate certificate chain in SSL_CTX using OpenSSL API

() API. Is this the right way? On Fri, Mar 7, 2014 at 11:30 PM, B. Meeker wrote: > Harshal, > > Check parameter 2 on SSL_CTX_use_PrivateKey_file(). It should be a > pointer to the name of the file that contains the private key, not the > certificate file. > > As an e

Re: How to add intermediate certificate chain in SSL_CTX using OpenSSL API

Harshal, Check parameter 2 on SSL_CTX_use_PrivateKey_file(). It should be a pointer to the name of the file that contains the private key, not the certificate file. As an example on my (working) prototype server I use the following: // Define whatever ciphers you want. I used AES-128

How to add intermediate certificate chain in SSL_CTX using OpenSSL API

} ret = SSL_CTX_load_verify_locations(sslctx, "/tmp/ca.pem", NULL); if(ret != 1) { return false ; } I have certs.pem file with root server certificate ca.pem file with CA certificate and chain.pem file with intermediate certificates. I tried to add these inte

Re: Server ECDSA certificate requirements for 1.0.1f?

OPENSSL_EC_NAMED_CURVE); Would you happen to know if its a problem with the key, the certificate, or both? I ask because I have my own validation routines, and I can add additional checks so the issue can be spotted early in code and logged to the appropriate place. __

Re: Server ECDSA certificate requirements for 1.0.1f?

On Tue, Mar 4, 2014 at 3:26 PM, Dr. Stephen Henson wrote: > On Tue, Mar 04, 2014, Jeffrey Walton wrote: > >> On Tue, Mar 4, 2014 at 2:25 PM, Dr. Stephen Henson wrote: >> ... >> > It is stored in the private key when the key is generated. How did you >> > generate it? >> > >> int nid = ... >>

RE: Certificate chain verification in-memory using X509's?

> From: owner-openssl-us...@openssl.org [mailto:owner-openssl- > us...@openssl.org] On Behalf Of Jeffrey Walton > Sent: Sunday, 02 March, 2014 03:14 > > I'm trying to add some key and certificate validation code to help > diagnose potential issues. > > X509_verify al

<    5   6   7   8   9   10   11   12   13   14   >