On Thu, Nov 27, 2014 at 02:58:01PM +0800, Jerry OELoo wrote:
# Create CA
openssl genrsa -out ca.key 4096
openssl req -new -x509 -nodes -sha1 -days 1825 -key ca.key -out ca.crt
Don't forget umask 077 or use a strong passphrase (no nodes).
Otherwise, the key is generally world-readable. By far
On Tue, Nov 03, 2009, Adam Rosenstein wrote:
I definitely get better results with the latest snapshot. However I still
don't get my 0 depth lookup:certificate revoked but instead get a 0 depth
lookup:CRL path validation error
Looking at the differences between my application logic and
...@openssl.org [mailto:owner-openssl-
us...@openssl.org] On Behalf Of Dr. Stephen Henson
Sent: Saturday, October 31, 2009 6:54 AM
To: openssl-users@openssl.org
Subject: Re: your mail
On Fri, Oct 30, 2009, Adam Rosenstein wrote:
Ahh, that explains it. Thanks for looking
On Fri, Oct 30, 2009, Adam Rosenstein wrote:
Ahh, that explains it. Thanks for looking into it.
The documentation on iCRLs was a little cryptic to me. It said that no
lookup methods were used (?). Now you say the store is also not used. How
do I get the iCRL into the
...@openssl.org [mailto:owner-openssl-us...@openssl.org]
On Behalf Of Dr. Stephen Henson
Sent: Thursday, October 29, 2009 3:42 PM
To: openssl-users@openssl.org
Subject: Re: your mail
On Mon, Oct 26, 2009, Adam Rosenstein wrote:
You are correct, I made a paste error in the mail. The certs were correct
On Fri, Oct 30, 2009, Adam Rosenstein wrote:
Ahh, that explains it. Thanks for looking into it.
The documentation on iCRLs was a little cryptic to me. It said that no
lookup methods were used (?). Now you say the store is also not used. How
do I get the iCRL into the verification
Ahh, that explains it. Thanks for looking into it.
The documentation on iCRLs was a little cryptic to me. It said that no
lookup methods were used (?). Now you say the store is also not used. How
do I get the iCRL into the verification process? Also, does the current
1.0.0 icrl
On Mon, Oct 26, 2009, Adam Rosenstein wrote:
You are correct, I made a paste error in the mail. The certs were correct
at the time I tested however (my test script just regenerates things each
time and I pasted an old ee with a new root ca).
I just tried openssl-SNAP-20091026.tar.gz and
-----Original Message-----
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org]
On Behalf Of Dr. Stephen Henson
Sent: Friday, October 23, 2009 5:09 PM
To: openssl-users@openssl.org
Subject: Re: your mail
On Fri, Oct 23, 2009, Dr. Stephen Henson wrote:
On Wed, Oct 21
On Fri, Oct 23, 2009, Dr. Stephen Henson wrote:
On Wed, Oct 21, 2009, Adam Rosenstein wrote:
I'm using v1.0.0 Beta 3.
Hmm... there seems to be an SKID/AKID issue here:
There is also a bug in the verification code which means it was expecting to
find a CRL for the CRL signing
On Wed, Oct 21, 2009, Adam Rosenstein wrote:
I'm using v1.0.0 Beta 3.
Hmm... there seems to be an SKID/AKID issue here:
ROOT (CA0)
Version: 3 (0x2)
Serial Number: 1 (0x1)
Signature Algorithm: sha1WithRSAEncryption
Issuer: O=Red Condor, OU=PKI, CN=CA0
Validity
Not Before:
On Wed, Oct 21, 2009, Adam Rosenstein wrote:
Hi, I'm trying to use indirect CRLs in my application. I cannot figure out
how to get the CRL signer's cert to be verified though. I keep getting CRL
path validation error
I do something like this:
cs_ctx = X509_STORE_CTX_new();
I'm using v1.0.0 Beta 3.
My code is perl xs glue but it looks something like this:
purpose= X509_PURPOSE_MIN - 1;
cert_store = X509_STORE_new();
revokes= crl_stack;
X509_STORE_set_flags(cert_store, 0);
vpm= X509_VERIFY_PARAM_new();
* Liam Whalen wrote on Sun, Sep 30, 2007 at 23:07 -0400:
How do I make sure that the ODBC username and password file is
secure? Should I encrypt that file with a public key and hard
code the private key into the server?
You mean, you want to protect some local configuration file, because
you
On Sat, May 19, 2007, belguechi rima wrote:
Hello;
I have compiled the source code from the version OpenSSL 0.9.8e. Now I am
trying to use the libraries generated in the following program portion :
RSA *rsa=NULL;
RSA *ConstructedRSA = NULL;
unsigned char
On Mon, Dec 04, 2006 at 12:14:59PM +0100, Olivier Mascia wrote:
This will probably look like a dumb question, but anyway. Is there
any provision and way, in SSL and/or HTTP, to establish a SSL link
without trying to assert anything about the server identity?
TLS includes anonymous
On Wed, Dec 14, 2005, Vadim Godunko wrote:
Hello,
I am trying to use X509_ATTRIBUTE in X.509 attribute certificate, but I do
not understand its usage. So, I use X509_ATTRIBUTE_create function to create
attribute, but this works only for simple ASN.1 types (INTEGER, for
example). Creation of
Dr. Stephen Henson wrote:
The X509_ATTRIBUTE type uses an ASN1_TYPE structure to hold the attribute
data. A SEQUENCE (and other structured types) is contained in an embedded
ASN1_STRING structure whose contents are the complete encoding of the relevant
type.
So you pass V_ASN1_SEQUENCE
On Sat, Sep 04, 2004, Ganesh Godavari wrote:
hello group
I have generated client certificates using openssl. I installed
certificates in the Microsoft Internet Explorer. I configured the apache
webserver to authenticate the client. When I install openssl client
certificates, I can view
Hello!
AFAIK this list is about openssl. Openssl is a library for SSL operations,
and some utilities. What you are interested in, is more related
to mod_ssl, and apache in general.
cheers,
m.
p.s. there's a good book from wrox, on how to write apache modules.
On Mon, May 03, 2004 at
On Fri, Nov 14, 2003, [EMAIL PROTECTED] wrote:
Does somebody know if openssl manages the parallel multiple signature or the
cosign?
thanks
For what exactly? It can be done in S/MIME but the low level API is needed to
parallel signature generation. The S/MIME verify code should automatically
I don't sign files in openssl (I sign on a Windows machine with CAPICOM), I use it
only to verify on a Linux machine.
I searched for an openssl command that returns the number of signers.
If it doesn't exist, I will extract with smime a file of all certificates and
afterwards parse it to count the signers.
On Tue, Oct 07, 2003, [EMAIL PROTECTED] wrote:
Hello,
I'm a new openssl user. I am able to sign and verify files with openssl.
I have a problem: I don't know how to read information about the signer from a
signed file.
If you are using the smime utility to do the signing then the -signer option
could someone tell me how to extract the certification path from an ordinary
certificate (X509 certificate)
The certificate doesn't have a path, it just has the DN of its issuer.
You have to calculate the path yourself by getting the cert of
the issuer, following up the chain, and so on.
On Thu, Jan 02, 2003, Ed Harty wrote:
Hi,
I am generating a client cert for Apache using openssl with my own CA as
follows:
openssl genrsa -out client.key 1024
openssl req -new -key client.key -out client.csr
openssl x509 -req -days 365 -CA myCA.cert -CAkey myCA.key -CAcreateserial
-in
On Fri, May 17, 2002 at 10:27:17PM +0200, Geert Van Muylem wrote:
I want to create a p12 file which holds the secret key and the complete
certificate chain:
What is the Standard CA store?
I've tried the following:
openssl pkcs12 -chain -export -in gvm_cert.pem -inkey gvm_sk.pem -out
:)
==
Greg Stark
[EMAIL PROTECTED]
==
- Original Message -
From: Michael Sierchio [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Wednesday, December 05, 2001 7:59 PM
Subject: Re: your mail
Gregory Stark wrote:
A certificate can have multiple
Gregory Stark wrote:
Maybe you are confusing DN's with CN's. Phone home to find out
yes -- not used to this AZERTY keyboard.
__
OpenSSL Project http://www.openssl.org
User Support Mailing List
On Wed, Dec 05, 2001 at 02:47:39PM -0500, Jason Hendriks wrote:
I needed an SSL certificate for my POP3-SSL server (ipopd), so I created a
self-signed certificate using the CA.pl tool and openssl. It works fine, but my
question is since there are two domains for this machine's IP, how can I
Subject: Re: your mail
On Wed, Dec 05, 2001 at 02:47:39PM -0500, Jason Hendriks wrote:
I needed an SSL certificate for my POP3-SSL server (ipopd), so I created
a self-signed certificate using the CA.pl tool and openssl. It works fine,
but my question is since there are two domains
Same here, using self signed. I think IE 5 fer the Mac be broken.
Especially so knowing yers is signed with verisign. Thanks for the confo!
On Mon, 29 Oct 2001 [EMAIL PROTECTED] wrote:
I am very new to apache.
With that said.
I have set up a test key with Verisign and it works fine
On Thu, Jul 19, 2001 at 01:38:17PM -0400, Sundaram, Mani wrote:
I am in the process of porting OpenSSL to our platform that does not support
Unix sockets and does not have a /dev/urandom entropy device.
I am able to get the prngd daemon(to generate random numbers) to run on the
localhost at a
On Wed, Apr 25, 2001 at 06:05:47PM -, Judy Trent wrote:
I'm new to openSSL and I have a question. I'm trying to use openSSL with
visual basic. I want to create a small server/client program. I have been
successful in calling some functions from visual basic, however, I ran into
a
IMHO you should tell your 3rd party to use SSH and you need to do a little "educating"
in your organisation.
On Wed, Nov 08, 2000 at 02:56:05PM +, Ian Diddams wrote:
I've been tasked into investigating a link a 3rd party may be making to our
servers shortly over SSL.
I've downloaded
From:
"raffa aste" [EMAIL PROTECTED]
There has been more than a little spam running through this list. Is
there some way we can block the hosts?
I'm thinking a link to orbs may be in order - or perhaps contact the relay
admin and / or the ISP that these jerks connect to.
I realise this might
Hi,
On Tue, Jun 13, 2000 at 09:49:38PM -0700, Derek DeMoro wrote:
Does anybody know how to make openSSL read certificates and keys created
by IAIK?
I think they might implement different OIDs. OpenSSL cannot seem to recognize
my Iaik Private Key.
Are you using DSA keys? If so, I had
Try Thawte.
On Wed, 2 Feb 2000, Gregory Stark wrote:
Does anyone know of a commercial CA that will sign
with DSA a certificate containing a DH public key?
A similar question would be does there exist a commercial
CA that will sign PGP DSA/ElGamal public keys?
How about a CA that will sign
testing
I should not be able to post to the list from this address, as it's not
subscribed to the list.
I'm sure a million others have already told you, but it did work.
--
Joe Rhett Chief Technology Officer
[EMAIL PROTECTED]