RE: Can't recognize intermediate CA

2009-03-12 Thread Giang Nguyen
the cacert has pathlen:1 in its X509v3 Basic Constraints Subject: Can't recognize intermediate CA Date: Thu, 12 Mar 2009 15:00:47 -0700 From: rene.hol...@watchguard.com To: openssl-users@openssl.org I'm tearing my hair out trying to get an

RE: Can't recognize intermediate CA

2009-03-12 Thread Giang Nguyen
. so at this point, i don't have any ideas. -Original Message- From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Giang Nguyen Sent: Thursday, March 12, 2009 3:49 PM To: openssl-users@openssl.org Subject: RE: Can't recognize intermediate CA

RE: Can't recognize intermediate CA

2009-03-12 Thread Giang Nguyen
I used openssl with the intermediate CA to sign a separate cert, which had an AKID keyid but no issuer, and that chain recognizes fine. Could the problem be the fact that yahoo.pem has an AKID keyid AND issuer? (one or the other is sufficient, but I could find nothing that said that both

RE: Can't recognize intermediate CA

2009-03-12 Thread Giang Nguyen
Sincerely, Giang Nguyen Date: Fri, 13 Mar 2009 00:22:56 +0100 From: st...@openssl.org To: openssl-users@openssl.org Subject: Re: Can't recognize intermediate CA On Thu, Mar 12, 2009, Rene Hollan wrote: Yeah, I just noticed that. I've

RE: Verifying private certificate before SSL connection

2009-03-07 Thread Giang Nguyen
what do you mean private certificate? you mean the server wants to verify its own certificate before accepting connections? or the client wants to verify its own certificate before initiating connections? (i guess it doesn't matter either way, though.) assuming you have the CA certs and the

RE: get public Key from a certificate

2009-02-24 Thread Giang Nguyen
if you have a certificate in a X509 object, the x509.h header mentions the function: EVP_PKEY *X509_get_pubkey(X509 *x); From: binome_...@hotmail.com To: openssl-users@openssl.org Subject: get public Key from a certificate Date: Tue, 24 Feb 2009 10:29:42 + hello how can i get the

RE: IE could not connect to a chaine-cert's ssl server

2009-02-04 Thread Giang Nguyen
i think it's because your my-cacert.pem is not considered a CA: it has CA:FALSE arch [temp]$ openssl x509 -in my-cacert.pem -BEGIN CERTIFICATE- MIIC9jCCAl+gAwIBAgIBADANBgkqhkiG9w0BAQUFADB4MQswCQYDVQQGEwJDQTET MBEGA1UECBMKU29tZS1TdGF0ZTEhMB8GA1UEChMYSW50ZXJuZXQgV2lkZ2l0cyBQ

RE: Multiple CRL with same issuer

2009-01-29 Thread Giang Nguyen
I was under the impression that openssl allows loading multiple CRLs for the same issuer. But, this does not seem to be the case as is proved by using openssl verify. $ ls -l ./ca/ total 24 lrwxrwxrwx 1 pshah users 10 Jan 28 21:56 ba4bb3b6.0 - cacert.pem -

RE: Multiple CRL with same issuer

2009-01-29 Thread Giang Nguyen
standards-conformance OpenSSL cannot change this behavior. (Nor can it even offer an option to change it, since its job is to maintain security-system interoperability, not capriciously make it less secure.) -Kyle H 2009/1/29 Giang Nguyen : I was under the impression that openssl allows loading

RE: seeding PRNG

2009-01-28 Thread Giang Nguyen
you should try http://openssl.org/docs/crypto/RAND_add.html#

RE: Passing parameters to openssl for CSR

2009-01-27 Thread Giang Nguyen
the req man page mentions: -subj arg sets subject name for new request or supersedes the subject name when processing a request. The arg must be formatted as /type0=value0/type1=value1/type2=..., characters may be escaped by \ (backslash), no spaces are skipped.

Re: How to detect dead peers with DTLS?

2009-01-20 Thread Giang Nguyen
I think I will go for the hack that misuses re-negotiation as a kind of heartbeat, keep alive or echo request. I tried to avoid this hack at first because it is a computational burden. AFAIK re-negotiation means restarting from scratch which means that expensive public key operations have to

RE: How to detect dead peers with DTLS?

2009-01-20 Thread Giang Nguyen
I think Robin tested it, so yes it works... But you need the bugfixes he sent to the list... Robin: Am I right? actually i referred to session resumptions with abbreviated handshakes. i think the bugs/patches comment was in the context of renegotiations with full handshakes. Btw, does

RE: Extract public key from certificate

2009-01-08 Thread Giang Nguyen
if you have the X509 * object (in your code), then you can try X509_set_pubkey() (in x509.h) to obtain the EVP_PKEY * object, then you can use the various PEM_write_..._RSAPublicKey() (in pem.h).

RE: Extract public key from certificate

2009-01-08 Thread Giang Nguyen
then you can try X509_set_pubkey() (in x509.h) to obtain the EVP_PKEY * object of course i meant X509_get_pubkey().

RE: OpenSSL Security Advisory

2009-01-07 Thread Giang Nguyen
Does the release of 0.9.8j also include the FIPS module support? do you mean anything other than this? http://www.mail-archive.com/openssl-users@openssl.org/msg55535.html This is the first full release of OpenSSL that can link against the validated FIPS module version 1.2

RE: challengePassword attribute in CSR is a sequence?

2009-01-07 Thread Giang Nguyen
This actually addresses both the questions. In the distant past some applications encoded certificate requests incorrectly and/or required an incorrect encoding. That is there to tolerate and/or generate such stuff. thanks.

challengePassword attribute in CSR is a sequence?

2009-01-04 Thread Giang Nguyen
First, background (questions at the end): Version 2 of the pkcs 9 spec at http://www.rsa.com/rsalabs/node.asp?id=2131 (PDF: ftp://ftp.rsasecurity.com/pub/pkcs/pkcs-9-v2/pkcs-9.pdf) says in section 5.4.1: A challenge-password attribute must have a single attribute value. At first I expected

signature failure when certificate contains no serial number (ie, not one that equals zero)?

2008-01-07 Thread Giang Nguyen
i was messing around with (self-signed) certificate creation/signing and ran into this. the following two certificates are the same except for the serial number: with_serial has a serial number that is zero, and no_serial does not have any serial number. the with_serial certificate verifies ok,

RE: signature failure when certificate contains no serial number (ie, not one that equals zero)?

2008-01-07 Thread Giang Nguyen
sorry please ignore; this had been asked before: http://www.mail-archive.com/openssl-users@openssl.org/msg41502.html From: [EMAIL PROTECTED] To: openssl-users@openssl.org Subject: signature failure when certificate contains no serial number (ie, not one that equals zero)? Date: Sat, 29

Re: CA generation/certificate serial number

2008-01-07 Thread Giang Nguyen
nils Frédéric Donnat wrote: Hi, Sorry for the mistake (nothing to deal with openssl.cnf file). I was just looking for ca.txt file. Is it normal behavior of openssl to be able to view a certificate without serial number using (without any error mentioned): openssl x509 -in