bit-size necessary in the command: openssl req -newkey rsa:bits?
Hello,

I have got a question concerning the command openssl req -newkey rsa:bits ..., which I use for creating a self-signed certificate for my small private CA.

Some time ago I used the command like this with OpenSSL 0.9.7g (on Suse 10.0):

openssl req -x509 -newkey rsa -out cacert.pem -outform PEM

As you can see I did it without giving the bit-size because of the following section in my openssl.cnf:

[ req ]
default_bits = 2048

A few days ago I wanted to build up my CA on a different computer (Suse 10.2 with OpenSSL 0.9.8d). I did everything as I was used to. But this time I had to add the bit-size although I used the default_bits option again in my openssl.cnf:

openssl req -x509 -newkey rsa:2048 -out cacert.pem -outform PEM

As you can see there is no real problem as long as everything works as I want, but I would like to know why I have to add the bit-size with the new version of OpenSSL. Is it a feature/fault of the version? Can the same be observed with a newer version? (I know that I could test it on my own with a newer version but I don't want to because everything works quite fine right now.)

Of course I took a look into the news and the changelog on http://www.openssl.org/news/news.html but I wasn't able to find an answer for my question. So I hope that somebody in this forum can help me.

Best regards
domi
RE: engines on an embedded device
Chris,

On a related note to embedded openssl, but not pertaining to your question: I tried something similar in the past, and discovered there must be a provided source of randomness. I am not sure if your embedded device can provide this. If you do not have suitable hardware or /dev/random (or urandom?), you will probably have to provide a file with truly random data in it. Off the top of my head I do not recall where this goes, but I think details are in the man pages someplace. Just a friendly heads-up before you run the tests and see failures. ;)

Regards,
Sam

-----Original Message-----
From: [EMAIL PROTECTED] On Behalf Of Christopher Friedt
Sent: Sunday, May 20, 2007 4:00 AM
To: openssl-users@openssl.org
Subject: engines on an embedded device

Hello everyone,

This is my first post to the list here, so please bear with me.

I'm building OpenSSL for an embedded device that has no hardware crypto devices. As far as I understand, that means I don't need any of the 'engine' libraries, is that true? I'm assuming that the default 'openssl' engine is built directly into libssl.

Obviously, my goal is to install openssl with only the bare minimums for what I need so that it takes up as little space as possible. For my purposes, and how I've done this in the past, this involves only libssl and libcrypto as shared objects. I only need the actual openssl executable for a one-time operation, but I've included it on my filesystem anyway.

The relevant ./Configure options I use at the moment are:

shared no-static no-cast no-md2 no-mdc2 no-rc2 no-rc4 no-rc5 no-dso no-idea no-krb5 no-ripemd

I only need openssl for one thing actually - openvpn - but I'd rather have the shared objects on hand just in case I need to link anything else with it.

Is there a Configure option / Makefile environment variable that will entirely skip the creation of extraneous engine libraries?

Cheers,
Chris
Re: engines on an embedded device
Hi Samuel,

For what I'm doing at the moment, all of the random data is generated on our servers and only stored in a private / public key pair on the device. Thanks for the heads up though.

~/Chris

Samuel Reed wrote:
> Chris,
>
> On a related note to embedded openssl, but not pertaining to your question: I tried something similar in the past, and discovered there must be a provided source of randomness. I am not sure if your embedded device can provide this. If you do not have suitable hardware or /dev/random (or urandom?), you will probably have to provide a file with truly random data in it. Off the top of my head I do not recall where this goes, but I think details are in the man pages someplace. Just a friendly heads-up before you run the tests and see failures. ;)
>
> Regards,
> Sam
>
> -----Original Message-----
> From: [EMAIL PROTECTED] On Behalf Of Christopher Friedt
> Sent: Sunday, May 20, 2007 4:00 AM
> To: openssl-users@openssl.org
> Subject: engines on an embedded device
>
> Hello everyone,
>
> This is my first post to the list here, so please bear with me.
>
> I'm building OpenSSL for an embedded device that has no hardware crypto devices. As far as I understand, that means I don't need any of the 'engine' libraries, is that true? I'm assuming that the default 'openssl' engine is built directly into libssl.
>
> Obviously, my goal is to install openssl with only the bare minimums for what I need so that it takes up as little space as possible. For my purposes, and how I've done this in the past, this involves only libssl and libcrypto as shared objects. I only need the actual openssl executable for a one-time operation, but I've included it on my filesystem anyway.
>
> The relevant ./Configure options I use at the moment are:
>
> shared no-static no-cast no-md2 no-mdc2 no-rc2 no-rc4 no-rc5 no-dso no-idea no-krb5 no-ripemd
>
> I only need openssl for one thing actually - openvpn - but I'd rather have the shared objects on hand just in case I need to link anything else with it.
>
> Is there a Configure option / Makefile environment variable that will entirely skip the creation of extraneous engine libraries?
>
> Cheers,
> Chris
Using OpenSSL certs in Kmail
Hi All,

First message to the list!

I have created a PKCS12 certificate and imported it into Kmail. However, when I try to select it as the preferred key for my email account, it comes up with a red x across the key symbol. I take this to mean that it is unsuitable. When I check it with Kleopatra I see this under Dump:

keyType: 4096 bit RSA
subjKeyId: [?]
authKeyId: [?]
keyUsage: [error: No value]
extKeyUsage: [none]
policies: [none]
chainLength: [error: No value]
crlDP: [error]
authInfo: [error]
subjInfo: [error]

It also shows under Details:

Can be used for signing: No
Can be used for encryption: No
Can be used for certification: No
Can be used for authentication: No

gpgsm also spits out some errors:

validity: 2007-05-19 18:12:12 through 2010-05-18 18:12:12
key type: 4096 bit RSA
key usage: [error: No value]
chain length: [error: No value]

However, when I am examining the email.crt certificate I created with openssl x509, which I later fed into openssl pkcs12 to create the pkcs12 certificate, everything seems to be in order:

Certificate purposes:
SSL client : Yes
SSL client CA : No
SSL server : Yes
SSL server CA : No
Netscape SSL server : Yes
Netscape SSL server CA : No
S/MIME signing : Yes
S/MIME signing CA : No
S/MIME encryption : Yes
S/MIME encryption CA : No
CRL signing : Yes
CRL signing CA : No
Any Purpose : Yes
Any Purpose CA : Yes
OCSP helper : Yes
OCSP helper CA : No

Any ideas what I've done wrong?

--
Regards,
Mick
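Added example (not from any of the posts above) tying the first thread's default_bits question to Mick's missing keyUsage: a config whose default_bits is picked up by -newkey rsa given without a size, an extension section that gives the mail certificate explicit keyUsage and extendedKeyUsage, and checks of what actually landed in the certificate. It assumes a current openssl CLI (1.1.1 or 3.x, not the 0.9.x the posters used) and the names and e-mail address are constructed.

```shell
#!/bin/sh
# Added example, not from the list posts. Assumes the openssl CLI (1.1.1 or
# 3.x; the posters used 0.9.x, so behaviour there is not claimed).
set -e
WORK=$(mktemp -d)
CNF="$WORK/openssl.cnf"
# Minimal config: default_bits supplies the size when -newkey rsa is given
# without one; smime_ext is the extension section mail clients check.
cat > "$CNF" <<'EOF'
[ req ]
default_bits       = 3072
distinguished_name = req_dn
prompt             = no

[ req_dn ]
CN           = mick.example
emailAddress = mick@example.test

[ smime_ext ]
# Without these, gpgsm/Kleopatra show keyUsage "[error: No value]" and
# refuse the certificate for signing and encryption.
keyUsage             = critical, digitalSignature, keyEncipherment
extendedKeyUsage     = emailProtection
subjectAltName       = email:copy
subjectKeyIdentifier = hash
EOF

# Self-signed cert; note "rsa" with no bit-size on the command line.
make_cert() {
    openssl req -x509 -newkey rsa -nodes -days 365 -config "$CNF" \
        -extensions smime_ext -keyout "$WORK/email.key" \
        -out "$WORK/email.crt" >/dev/null 2>&1
}

# RSA modulus size actually embedded in the certificate, as a number.
cert_bits() {
    openssl x509 -in "$WORK/email.crt" -noout -text |
        sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# Succeeds only if both Key Usage and the S/MIME EKU are present.
has_smime_usage() {
    openssl x509 -in "$WORK/email.crt" -noout -text > "$WORK/cert.txt"
    grep -q 'X509v3 Key Usage' "$WORK/cert.txt" &&
        grep -q 'E-mail Protection' "$WORK/cert.txt"
}

make_cert
echo "key size: $(cert_bits) bit"
has_smime_usage && echo "keyUsage and emailProtection EKU present"
```

The resulting email.crt and email.key can then be bundled with openssl pkcs12 -export exactly as in the post; the extensions travel with the certificate into the PKCS12 file.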