Re: Need help with keytool
On Tue, Feb 24, 2009 at 03:11:29PM -0800, John Oliver wrote:
> On Tue, Feb 24, 2009 at 03:48:21PM -0500, Mark H. Wood wrote:
> > I don't think Sun keytool will do this step. You can export
> > certificates but not private keys -- at least, I've never found a way
> > to move private keys in or out using keytool. And there doesn't seem
> > to be an option to transform one type of store into another.
>
> Well... this might be another case of my simply not knowing the correct
> terminology, but if this goofy Java tool will happily save as, or
> create, or export to, or whatever it's actually doing, to a .jks... it
> doesn't seem to me that that would be something that should be
> impossible for the real tool.

I looked again. I was wrong: Sun did provide a way to import one store into another. (Terminology bit me too. import?) I think you could use this to transform the PKCS12 store into a JKS store:

    keytool -importkeystore \
        -srckeystore certificate.p12 \
        -srcstoretype pkcs12 \
        -destkeystore subscriber.jks \
        -deststoretype jks

[it asks for the destination keystore password. Enter password.]

I cobbled up a certificate and key using OpenSSL, and this seems to work.

> > The part we haven't been told is why you have to start with a PKCS#12
> > bag if you have to end up with a JKS bag. Any procedure that requires
> > generating a private key outside of Sun keytool is not going to work
> > if it has to produce a JKS bag using keytool. The
> > java.security.KeyStore class appears to be able to store
> > externally-provided keys, but keytool doesn't let you at that method.
>
> No idea. It's very likely that the answer is, "Because that's the way
> Joe did it when he figured out how to create the keystore, and it
> worked, and nobody has cared to revisit the process since."
>
> > If you could use -genseckey to let keytool generate the key, you could
> > start with a .jks and there'd be no problem.
>
> I'm actually starting with a private key and a certificate for the
> server, both in PEM format.
>
> The PKCS12 is created like:
>
>     openssl pkcs12 -export -chain -in cert.pem -CApath . -CAfile 14.pem -inkey key.pem -out certificate.p12
>
> 14.pem contains the PEM certificates for the CA that signed the cert for
> the host and the PEM for the Root CA that signed the intermediate CA.

Aha! The reason for this dance is that it is a way to sneak an externally-generated private key into keytool, by going behind its back. You can manipulate a PKCS12 bag using OpenSSL, but not a JKS.

--
Mark H. Wood, Lead System Programmer mw...@iupui.edu
Friends don't let friends publish revisable-form documents.
Re: Need help with keytool
On Tue, Feb 24, 2009 at 03:17:52PM -0800, John Oliver wrote:
> On Tue, Feb 24, 2009 at 03:48:21PM -0500, Mark H. Wood wrote:
> > On Tue, Feb 24, 2009 at 08:02:30AM -0800, John Oliver wrote:
> > > 10. Right click on the displayed keypair and Rename it to 'key'
> >
> > -changealias -alias OLDNAME -destalias key
>
> Question: When I did this with the GUI tool, the OLDNAME was something
> like a spastic orangutang had been given some crystal meth and then a
> few seconds on the keyboard. It didn't appear to have any relation to
> anything. Is there any way to read that value in, or say "Whatever it
> was called before, I don't care, call it 'key' now"?

    keytool -list -storetype pkcs12 -keystore certificate.p12

--
Mark H. Wood, Lead System Programmer mw...@iupui.edu
Friends don't let friends publish revisable-form documents.
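
The two replies above give the pieces of one procedure: convert the PKCS12 store with -importkeystore, read the generated alias from a listing, and rename it with -changealias. The script below is an added example, not part of the original thread, that chains them so the alias never has to be typed by hand. The function names and the sample listing are constructed, and it assumes the verbose (-v) listing format with "Alias name:" and "Entry type:" lines.

```shell
#!/bin/sh
# Added example; not from the thread. File names follow the thread, the
# function names and SAMPLE_LISTING are constructed for illustration.

# Constructed sample of `keytool -list -v` output (assumed format).
SAMPLE_LISTING='Keystore type: PKCS12
Your keystore contains 2 entries

Alias name: constructed-ca
Entry type: trustedCertEntry

Alias name: {3f9c1e-constructed-gibberish}
Creation date: Feb 24, 2009
Entry type: PrivateKeyEntry
Certificate chain length: 3'

# Print the alias of the first PrivateKeyEntry read from stdin;
# exit non-zero when the listing holds no private key.
first_key_alias() {
    awk '
        /^Alias name: /                { alias = substr($0, 13) }
        /^Entry type: PrivateKeyEntry/ { print alias; found = 1; exit }
        END                            { if (!found) exit 1 }
    '
}

# Import SRC (PKCS12) into DEST (JKS), then rename the key entry to "key".
# keytool prompts for the passwords, which keeps them out of the process
# list and shell history.
p12_to_jks() {
    src=$1 dest=$2
    keytool -importkeystore \
        -srckeystore "$src" -srcstoretype pkcs12 \
        -destkeystore "$dest" -deststoretype jks || return 1
    old=$(keytool -list -v -storetype jks -keystore "$dest" | first_key_alias) \
        || { echo "no private key entry in $dest" >&2; return 1; }
    [ "$old" = key ] && return 0
    keytool -changealias -keystore "$dest" -alias "$old" -destalias key
}

# Offline demonstration on the constructed listing:
printf '%s\n' "$SAMPLE_LISTING" | first_key_alias
# Real use: p12_to_jks certificate.p12 subscriber.jks
```

The resulting JKS file holds the server's private key, so it needs the same file permissions and handling as key.pem.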
License for Certificate?
Hello,

I am currently developing an interface to a 3rd party product that requires HTTPS support using an X.509 certificate. I have been given instructions on how to generate the certificate using openssl.

While in development mode (this is a commercial product), do I need to include some license file or text?

We would like to keep the openssl certificate for the development and testing environments. It would be up to OUR client to use an openssl license or another CA license.

So, I would like to know if I have to include a license file or text for using the openssl certificate in these two cases basically (development/testing and production).

Thanks,

Gisella Saavedra
Sr. Software Engineer
gsaave...@navis.com
1000 Broadway, Suite 150, Oakland, CA 94607 | T+1 510 267 5123 T Main+1 510 267 5000 F+1 510 267 5100 | http://www.navis.com
RE: License for Certificate?
> Hello, I am currently developing an interface to a 3rd party product
> that requires HTTPS support using an X.509 certificate. I have been
> given instructions on how to generate the certificate using openssl.
> While in development mode (this is a commercial product), do I need to
> include some license file or text?

Include in what?

> So, I would like to know if I have to include a license file or text
> for using the openssl certificate in these two cases basically
> (development/testing and production).

Again, include in what?

> Gisella Saavedra

I'm having a hard time understanding your question. All you tell us about what you're doing is that it "requires HTTPS support using an X.509 certificate". If it requires a certificate, then you need one to use it. That's what "requires" means.

My guess is that your question is about what certificate you should supply to the 3rd party product and where it should come from. There is no way to answer that question without knowing for what purpose the 3rd party product requires the certificate and what you're trying to do.

Is it for client validation? Is it for server validation? What *exactly* does it need to validate? (For example, when I connect to amazon.com with a secure browser, what I need to validate and what amazon.com needs to validate are completely different.)

If it uses it, for example, to securely identify the client, then you will need to set up a scheme in which the client has a certificate suitable for use for such secure identification.

Depending on exactly what your question really is, it may get into deep issues about your security framework and threat models. Or it may be as simple as "generate a self-signed certificate each time" or "go to a CA and get a certificate". It depends on what the certificate is doing in the security framework.

DS

__
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org
RE: License for Certificate?
thanks for the response.

I just need the certificate to securely identify that a request is coming from who I think it is coming.

My goal is that I can indistinctively use http or https while testing. I just want to set up my application server, Tomcat, so that requests can be received using https. I know that I have to upload the public certificate into the other party (to whom I am talking to). I do not expect to modify the application code because of https. Am I right?

Regarding just using the certificate in the fashion mentioned above, will I need to include some license in some file or product brochure?

The only case where I see mentioning the certificate authority would be in a System Diagnostics option, where we display the environment variables, so maybe we would want to display some info about who issued the certificate, when using one.

-----Original Message-----
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of David Schwartz
Sent: Wednesday, February 25, 2009 10:19 AM
To: openssl-users@openssl.org
Subject: RE: License for Certificate?

> Hello, I am currently developing an interface to a 3rd party product
> that requires HTTPS support using an X.509 certificate. I have been
> given instructions on how to generate the certificate using openssl.
> While in development mode (this is a commercial product), do I need to
> include some license file or text?

Include in what?

> So, I would like to know if I have to include a license file or text
> for using the openssl certificate in these two cases basically
> (development/testing and production).

Again, include in what?

> Gisella Saavedra

I'm having a hard time understanding your question. All you tell us about what you're doing is that it "requires HTTPS support using an X.509 certificate". If it requires a certificate, then you need one to use it. That's what "requires" means.

My guess is that your question is about what certificate you should supply to the 3rd party product and where it should come from. There is no way to answer that question without knowing for what purpose the 3rd party product requires the certificate and what you're trying to do.

Is it for client validation? Is it for server validation? What *exactly* does it need to validate? (For example, when I connect to amazon.com with a secure browser, what I need to validate and what amazon.com needs to validate are completely different.)

If it uses it, for example, to securely identify the client, then you will need to set up a scheme in which the client has a certificate suitable for use for such secure identification.

Depending on exactly what your question really is, it may get into deep issues about your security framework and threat models. Or it may be as simple as "generate a self-signed certificate each time" or "go to a CA and get a certificate". It depends on what the certificate is doing in the security framework.

DS
trying to compile libssh2 and get openssl error
I'm following instructions in this pdf:

curl.haxx.se/libcurl/c/Using-libcurl-with-SSH-support-in-Visual-Studio-2008.pdf

In compiling libssh2 per the instructions, I get this error in VSC++2008:

    Cannot open include file: 'openssl/opensslconf.h': No such file or directory

In fact I get that same error repeated 16 times. But, the file is sitting there in the very place it's searching for it. The include path is correct.

Has anyone been around this block?

--
View this message in context: http://www.nabble.com/trying-to-compile-libssh2-and-get-openssl-error-tp22197487p22197487.html
Sent from the OpenSSL - User mailing list archive at Nabble.com.
RE: License for Certificate?
> thanks for the response. I just need the certificate to securely
> identify that a request is coming from who I think it is coming.

Then you need some way to distribute a certificate to that endpoint and for the other end to know what certificate that endpoint has.

> My goal is that I can indistinctively use http or https while testing.
> I just want to set up my application server, Tomcat, so that requests
> can be received using https. I know that I have to upload the public
> certificate into the other party (to whom I am talking to). I do not
> expect to modify the application code because of https. Am I right?

If you don't modify the application code, then what will make sure that the request is coming from who you think it is coming from? Some code will need to perform that check.

> Regarding just using the certificate in the fashion mentioned above,
> will I need to include some license in some file or product brochure?

There's no way to answer that question without knowing how you plan your authentication to work.

> The only case where I see mentioning the certificate authority would be
> in a System Diagnostics option, where we display the environment
> variables, so maybe we would want to display some info about who issued
> the certificate, when using one.

When you say "securely identify that a request is coming from who I think it is coming", what *EXACTLY* do you mean? For example, you could mean:

1) I need to identify the actual human being who sent the request so I can hold them responsible for it.

or

2) I need to identify that the request is coming from the same entity that some other request came from, and I'll authenticate that request by user/password.

or

3) I need to know that the request is coming from someone authorized to send such requests, and the person who authorizes such requests will do so by issuing a certificate.

It all depends on exactly what you're trying to do, what your threat model is, and so on. You probably won't get useful advice on a mailing list unless you go into much more detail.

DS
Re: License for Certificate?
There is no requirement to include any license text in anything that simply uses the output of OpenSSL (including any certificate that is created by running OpenSSL).

If you include any OpenSSL code in your product, you must include the three statements in the LICENSE file in your documentation somewhere.

-Kyle H

On Wed, Feb 25, 2009 at 9:51 AM, Saavedra, Gisella gsaave...@navis.com wrote:
> Hello,
>
> I am currently developing an interface to a 3rd party product that
> requires HTTPS support using an X.509 certificate. I have been given
> instructions on how to generate the certificate using openssl.
>
> While in development mode (this is a commercial product), do I need to
> include some license file or text?
>
> We would like to keep the openssl certificate for the development and
> testing environments. It would be up to OUR client to use an openssl
> license or another CA license.
>
> So, I would like to know if I have to include a license file or text
> for using the openssl certificate in these two cases basically
> (development/testing and production).
>
> Thanks,
>
> Gisella Saavedra
> Sr. Software Engineer
> gsaave...@navis.com
> 1000 Broadway, Suite 150, Oakland, CA 94607 | T+1 510 267 5123 T Main+1 510 267 5000 F+1 510 267 5100 | http://www.navis.com