Re: extended validation certificates

2009-10-30 Thread EV SSL


Jakob Grießmann wrote:
 
 Hello,
 
 does anyone have a howto on how to generate a self-signed extended
 validation certificate, or on how to set-up my own CA for local use
 that gives out EVN certificates?
 
 I know how to do this for normal certificates, but was unable to find
 more details on extended validation certificates...
 
 

Just providing you the simple steps on how to generate self-signed SSL
certificates.

1. Make sure OpenSSL is installed and in your PATH.

2. Run the following command to create the server.key and server.crt files:

   $ openssl req -new -x509 -nodes -out server.crt -keyout server.key

   These can be used as follows in your httpd.conf file:

   SSLCertificateFile    /path/to/this/server.crt
   SSLCertificateKeyFile /path/to/this/server.key

3. It is important that you are aware that this server.key does not have any
   passphrase. To add a passphrase to the key, you should run the following
   commands, and enter and verify the passphrase as requested:

   $ openssl rsa -des3 -in server.key -out server.key.new
   $ mv server.key.new server.key

   Please back up the server.key file, and the passphrase you entered, in a
   secure location.

-
https://www.thesslstore.com/ SSL Certificates  
https://www.thesslstore.com/thawte.aspx Thawte SSL  
https://www.thesslstore.com/extended-validation-ssl-certificates.aspx EV SSL 
-- 
Sent from the OpenSSL - User mailing list archive at Nabble.com.
__
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org


Re: extended validation certificates

2008-08-30 Thread Jakob Grießmann
Hi Patrick,

 However, it should get you at least started.

thanks a lot, that helps me out!

Jakob


Re: extended validation certificates

2008-08-28 Thread Kyle Hamilton
From what I'm told, Mozilla Firefox must be built with a special
build-time option to allow an external text file to contain
admin-approved EV roots.  There is no specific OID for a policy
extension used to identify EV.  I honestly don't know how one would
make it; there was a related discussion on Mozilla's dev-tech-crypto
list a few days ago describing where to look in the source code for
information on how to do it.

It is likely that the documentation will also describe what extensions
must be included to mark an end-entity certificate as EV.  I don't
know the details.

I also don't know how to configure MSIE to do it, either.

-Kyle H

On Wed, Aug 27, 2008 at 4:52 AM, Jakob Grießmann
[EMAIL PROTECTED] wrote:
 Hi,

 basically, I want to play around with EVN for documentation and
 development purposes, and the only way of getting a cheap
 certificate is creating one on my own... so a pointer would be
 welcome.

 Thanks
 Jakob



Re: extended validation certificates

2008-08-28 Thread Jakob Grießmann
Hi,

 It is likely that the documentation will also describe what extensions
 must be included to mark an end-entity certificate as EV.  I don't
 know the details.

okay, I will dig deeper there. :-) Thanks!

Does anyone have an instruction on how to generate a certificate with
the needed OIDs? What parameters do I have to supply to OpenSSL?

Thanks,
Jakob


Re: extended validation certificates

2008-08-28 Thread Patrick Patterson
On August 28, 2008 01:54:50 pm Jakob Grießmann wrote:
 Hi,

  It is likely that the documentation will also describe what extensions
  must be included to mark an end-entity certificate as EV.  I don't
  know the details.

 okay, I will dig deeper there. :-) Thanks!

 Does anyone have an instruction on how to generate a certificate with
 the needed OIDs? What parameters do I have to supply to OpenSSL?

Take a look at the CA/Browser forum web site at:

http://www.cabforum.org/

If you read their specifications at:

http://www.cabforum.org/EV_Certificate_Guidelines_V11.pdf

The information is in there:

Essentially, you need to have the Subject DN formatted with:

O = the Organisation to whom the Certificate is being issued.
businessCategory (OID 2.5.4.15) = one of the values on page 10 of the above
PDF.
Locality (if required by the entity's incorporation level):
    subject:jurisdictionOfIncorporationLocalityName (OID 1.3.6.1.4.1.311.60.2.1.1)
    ASN.1 - X520LocalityName as specified in RFC 3280
State or province (if required by the entity's incorporation level):
    subject:jurisdictionOfIncorporationStateOrProvinceName (OID 1.3.6.1.4.1.311.60.2.1.2)
    ASN.1 - X520StateOrProvinceName as specified in RFC 3280
Country:
    subject:jurisdictionOfIncorporationCountryName (OID 1.3.6.1.4.1.311.60.2.1.3)
    ASN.1 - X520countryName as specified in RFC 3280
serialNumber = the Business Registration number of the Company asserted in the
O= value.
Number & street (optional): subject:streetAddress (OID 2.5.4.9)
City or town: subject:localityName (OID 2.5.4.7)
State or province (if any): subject:stateOrProvinceName (OID 2.5.4.8)
Country: subject:countryName (OID 2.5.4.6)
Postal code (optional): subject:postalCode (OID 2.5.4.17)
CN = the FQDN of the server or device that is being asserted.

And the rest of the stuff is in Appendix B of the above PDF.

For information on how to set up a CA and configure most of those parameters 
(aside from the DN), check out the whitepaper that my colleague published at:

http://www.carillon.ca/library/howtos.php

(The CertiPath OpenSSL howto - CertiPath's certificate profiles require many 
of the same settings as the CA/Browser forum)

Now - OpenSSL doesn't yet know about a lot of the Subject fields - so you may 
have issues encoding them correctly. 

You can use the [new_oids] section of the openssl.cnf file to define the OID 
to name mapping, and then use that in the [req] sections to generate the 
original DN, however that may cause some of the entries to be formatted in 
not quite a standards compliant way (i.e.: it may generate IA5Strings instead 
of UTF-8 or printableString values).

However, it should get you at least started.

Have fun.

-- 
Patrick Patterson
President and Chief PKI Architect,
Carillon Information Security Inc.
http://www.carillon.ca
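As an added, self-contained example (not code from the thread, from Carillon or from the CA/Browser Forum), the following script carries the DN profile above through a throwaway local CA, so the resulting certificate can be inspected. It also covers the plain self-signed `openssl req -x509` step from the first message in the thread. Assumptions: `openssl` 1.0.2 or later is on PATH; from that version OpenSSL has the three jurisdiction OIDs built in under the short names jurisdictionL, jurisdictionST and jurisdictionC, so they no longer need a [new_oids] mapping (a current build refuses to re-create an OID it already knows, so adding them there would make the config fail to load); `string_mask = utf8only` addresses the string-type concern, and `-nameopt show_type` lets you confirm which ASN.1 type each attribute was encoded with. "Example Corp", every file name and the policy OID 2.999.1 (under the ITU-T example arc) are made up. As the rest of the thread explains, no browser will render this as EV: the policy OID is not one a browser has bound to an audited root.

```shell
#!/bin/sh
# Added example, not from the thread: a throwaway local CA that issues one
# server certificate whose Subject DN follows the CA/Browser Forum EV field
# list quoted above. Assumes openssl >= 1.0.2 on PATH (the jurisdiction OIDs
# are built in from that version, so no [new_oids] mapping is needed).
# "Example Corp", every path, and the policy OID 2.999.1 are made up.
set -eu

# Config shared by the CA step, the CSR and the signing step.
write_ev_config() {
    cat > "$1" <<'EOF'
[ req ]
distinguished_name = ev_dn
prompt             = no
# Force UTF8String for DirectoryString attributes; C and serialNumber stay
# PrintableString because OpenSSL fixes their type regardless of the mask.
string_mask        = utf8only

# Subject DN in the EV layout. jurisdictionL is omitted because the
# (made-up) company is incorporated at state level, not city level.
[ ev_dn ]
C                = US
ST               = Delaware
L                = Wilmington
street           = 1 Example Way
postalCode       = 19801
O                = Example Corp
businessCategory = Private Organization
serialNumber     = 1234567
jurisdictionST   = Delaware
jurisdictionC    = US
CN               = www.example.com

[ ca_ext ]
basicConstraints       = critical, CA:TRUE
keyUsage               = critical, keyCertSign, cRLSign
subjectKeyIdentifier   = hash

[ ee_ext ]
basicConstraints       = critical, CA:FALSE
keyUsage               = critical, digitalSignature, keyEncipherment
extendedKeyUsage       = serverAuth
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid
subjectAltName         = DNS:www.example.com
# Hypothetical policy OID under the ITU-T example arc. A real EV OID is one
# the browser has tied to an audited root; this one never will be.
certificatePolicies    = 2.999.1
EOF
}

# Build the CA and issue the server certificate into directory $1.
make_ev_demo() {
    d="$1"
    write_ev_config "$d/ev.cnf"

    # Self-signed CA; -subj overrides the [ev_dn] section for this step.
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -config "$d/ev.cnf" -extensions ca_ext \
        -subj "/C=US/O=Example Corp/CN=Example Corp Demo CA" \
        -keyout "$d/ca.key" -out "$d/ca.crt"

    # CSR whose subject is taken from [ev_dn].
    openssl req -new -newkey rsa:2048 -nodes \
        -config "$d/ev.cnf" \
        -keyout "$d/server.key" -out "$d/server.csr"

    # Issue it with the [ee_ext] extensions attached.
    openssl x509 -req -in "$d/server.csr" \
        -CA "$d/ca.crt" -CAkey "$d/ca.key" -CAcreateserial -days 30 \
        -extfile "$d/ev.cnf" -extensions ee_ext \
        -out "$d/server.crt"
}

# Print the subject with each attribute's ASN.1 string type, e.g.
#   C = PRINTABLESTRING:US, ST = UTF8STRING:Delaware, ...
show_subject_types() {
    openssl x509 -in "$1" -noout -subject -nameopt oneline,show_type
}

# Exit 0 if the subject carries, in order, the businessCategory,
# serialNumber and jurisdiction attributes the EV profile calls for.
has_ev_subject_fields() {
    subj=$(openssl x509 -in "$1" -noout -subject -nameopt oneline)
    case "$subj" in
        *businessCategory*serialNumber*jurisdictionST*jurisdictionC*) return 0 ;;
    esac
    return 1
}

# Run it in a scratch directory, show what was produced, and check the chain.
workdir=$(mktemp -d)
make_ev_demo "$workdir"
show_subject_types "$workdir/server.crt"
openssl verify -CAfile "$workdir/ca.crt" "$workdir/server.crt"
```

The chain verifies against the private root and the DN carries every EV attribute, which is exactly as far as a do-it-yourself CA gets you: the missing piece is the browser-side binding between a policy OID and an audited root, which no config file can supply.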


Re: extended validation certificates

2008-08-27 Thread Jakob Grießmann
Hi,

basically, I want to play around with EVN for documentation and
development purposes, and the only way of getting a cheap
certificate is creating one on my own... so a pointer would be
welcome.

Thanks
Jakob


extended validation certificates

2008-08-25 Thread Jakob Grießmann
Hello,

does anyone have a howto on how to generate a self-signed extended
validation certificate, or on how to set-up my own CA for local use
that gives out EVN certificates?

I know how to do this for normal certificates, but was unable to find
more details on extended validation certificates...

Thanks
Jakob


Re: extended validation certificates

2008-08-25 Thread Patrick Patterson
Hello Jakob

On Monday 25 August 2008 08:51:42 Jakob Grießmann wrote:
 Hello,

 does anyone have a howto on how to generate a self-signed extended
 validation certificate, or on how to set-up my own CA for local use
 that gives out EVN certificates?

 I know how to do this for normal certificates, but was unable to find
 more details on extended validation certificates...

I take it what you are really shooting for is the fancy "make the location bar 
go green, and display the company name" in a browser. Unfortunately, from my 
understanding, that's not possible (and that's what makes EVSSL certs actually 
worth something). 

From my understanding, what tells the browser to give all of those visual 
clues to the user that EVSSL certs convey is as follows:

1: The Certificate is signed by an EVSSL provider, as certified by the 
CA/Browser forum. (The CA have to pass an audit showing they conform to the 
EVSSL Certificate policy, and submit the results to the browser writers)

2: The Certificate asserts one of the EV/SSL Certificate Policy OIDs from one 
of those CAs

3: The Certificate contains the correctly formatted DN as per the Certificate 
Policy promulgated by the CA/Browser forum.

So, you COULD produce a certificate that has the correctly formatted DN in it, 
but aside from that, you're pretty much stuck, I'm afraid, unless you were to 
completely replace one of the EVSSL Certificate providers root CA certificate 
and all of the intermediate chains in the browser, and those CA certs were 
all correctly formatted, and the server certificate was also correctly 
formatted. And even then I'm not sure that it would work, as I've got no idea 
if the browsers have some sort of checksum or hash that they compare the CA 
certificate to.

Even if you were to get all of the technical bits correct, and replace the 
appropriate bits in the browser, I imagine that some CA authority's legal 
department may want to have a word with you for corporate impersonation.

So, no, you can't do this with a self signed certificate, no matter what the 
toolkit :)

Have fun.

--
Patrick Patterson
Chief PKI Architect
Carillon Information Security Inc.
http://www.carillon.ca


Re: extended validation certificates

2008-08-25 Thread Mark H. Wood
Well, it sounds like there *is* another, more legally correct way:
set up your own CA (easy!) and do what it takes to get it certified by
the CA/Browser Forum (should be difficult).  Then you'd legally have the
privilege of coining the cert.s that you want.

I seriously doubt that issuance of self-signed cert.s would pass the
audit, but your CA doesn't have to work that way.

The question then is whether the ability to issue EV cert.s yourself
is worth the effort and expense of doing it properly.

-- 
Mark H. Wood, Lead System Programmer   [EMAIL PROTECTED]
Typically when a software vendor says that a product is intuitive he
means the exact opposite.





Re: extended validation certificates

2008-08-25 Thread Jakob Grießmann
Hi there,

thanks for the fast replies! When you want to make your own non-EV CA
recognized by the browser, it's easy, you just have to import your CA
as trusted root, then it works. Isn't there a similar way for EV CAs,
like producing your EV CA and simply adding it to the trusted root of
the browser? Is it much more complicated?

Thanks,
Jakob


Re: extended validation certificates

2008-08-25 Thread Patrick Patterson
On August 25, 2008 11:38:36 am Jakob Grießmann wrote:
 Hi there,

 thanks for the fast replies! When you want to make your own non-EV CA
 recognized by the browser, it's easy, you just have to import your CA
 as trusted root, then it works. Isn't there a similar way for EV CAs,
 like producing your EV CA and simply adding it to the trusted root of
 the browser? Is it much more complicated?

I believe that the list of OIDs and their associated CAs that 
are Certified for EVSSL are hardcoded into the browser somewhere (perhaps 
in the executable, but I really have no idea). I do know that you can't just 
add a Root CA cert in somewhere, you also have to add your CA into the list 
of trusted EVSSL providers, which is much more complicated.

This is one of the reasons that EV SSL certificates have value - it has been 
set up in such a way that it is very difficult (I don't like saying 
impossible, because someone always proves me wrong) for anyone to fake a 
properly issued EV SSL certificate.

As Mark said in a previous reply - the only sure way to be recognised by the 
browsers is to set up an EVSSL CA according to the CA/Browser forum's 
Certificate Policy, and then pass the required audits that Microsoft, Mozilla, 
KDE and Opera require.

Hope that helps.

-- 
Patrick Patterson
President and Chief PKI Architect,
Carillon Information Security Inc.
http://www.carillon.ca


RE: extended validation certificates

2008-08-25 Thread David Schwartz

 thanks for the fast replies! When you want to make your own non-EV CA
 recognized by the browser, it's easy, you just have to import your CA
 as trusted root, then it works. Isn't there a similar way for EV CAs,
 like producing your EV CA and simply adding it to the trusted root of
 the browser? Is it much more complicated?

 Thanks,
 Jakob

Your question is "how can I make an extended validation certificate without
extended validation?" The answer is -- you can't, because going through
extended validation is what makes an EV certificate an EV certificate.

Now, if your question is "how can I trick a browser into thinking a
certificate is an EV certificate when it isn't?", the answer would be that
you'd have to exploit some bug or defect in the browser. No such bugs or
defects are known, and if any were known, they would be fixed.

What is your actual problem?

DS

