Re: odd error for ECDSA key in REQ.

2020-08-07 Thread Frank Migge
-- Frank Migge http://fm4dd.com | pub...@frank4dd.com

Re: [openssl-users] Combining certificate and key in PEM format into a P12 file without knowing the key password?

2018-02-20 Thread Frank Migge
Hi Toby, >> the question remains: Is there a way to reuse an already-encrypted privkey? I'd say yes it *could* work, but not with OpenSSL API functions. You'd have to roll your own code for the PKCS12 creation. OpenSSL's PKCS12_create() function expects an unencrypted EVP_PKEY object. But,

Re: [openssl-users] TLS Error in FreeRadius - eap_tls: ERROR: Failed in __FUNCTION__ (SSL_read): error:1417C086:SSL routines:tls_process_client_certificate:certificate verify failed

2018-01-19 Thread Frank Migge
ck first. I am not fully sure, but believe that Extended Key Usage should *not* be there. Frank > Frank Migge <mailto:f...@frank4dd.com> > Saturday, January 20, 2018 11:29 AM > Hi Robert, > >>> error 26 : unsupported certificate purpose > > It seems the cert gets

Re: [openssl-users] TLS Error in FreeRadius - eap_tls: ERROR: Failed in __FUNCTION__ (SSL_read): error:1417C086:SSL routines:tls_process_client_certificate:certificate verify failed

2018-01-19 Thread Frank Migge
Hi Robert, >> error 26 : unsupported certificate purpose It seems the cert gets declined because of a problem with cert extensions. "keyUsage" or "extendedKeyUsage" are typical candidates. In your case, the leaf certificate "CAPF-91d43ef6" has two extensions: Object 00: X509v3 Key Usage

Re: [openssl-users] Doubt regarding O-SSL and setting the duration of certificates

2017-09-12 Thread Frank Migge
This is an interesting statement. >> should use the GeneralizedTime value 1231235959Z (10) in the notAfter field ... >> Solutions verifying a DevID are expected to accept this value indefinitely Isn't using that large a time value in certificates problematic? Not all systems can handle it

Re: [openssl-users] RSA Key generation time

2017-01-28 Thread Frank Migge
Hi Mithun, >> I have an embedded board P1010 RDB running openssl on VXWORKS 5.4 . >> I am generating RSA 2048 and 3072 bit key pairs. >> I am providing entropy to openssl by using RAND_seed from a HW RNG. >> My average generation time for RSA 2048 key pair is 2 Minutes and 3072 is 8 minutes.

Re: [openssl-users] Missing documentation

2016-11-08 Thread Frank Migge
Hi Joachim, >> It seems like the documentation for SSL_set_tlsext_host_name is gone. >> Does anyone know where I can find the documentation? I am interested in the return values right now. If I got it right: 1) ssl/tls1.h (line 334ff): # define SSL_set_tlsext_host_name(s,name) \ 334

Re: [openssl-users] Certificate Chain Verify Error

2016-02-01 Thread Frank Migge
Hi Nicholas, Not calling OpenSSL_add_all_algorithms(); at the beginning could cause it? Cheers, Frank Nicholas Mainardi Monday, February 01, 2016 8:57 PM I wrote this small program which takes as input X509 certificates, base64-encoded, parse them and

Re: [openssl-users] d2i_RSAPrivateKey not working on a private key

2015-10-13 Thread Frank Migge
Hi David, I didn't spot the error in your code. But since d2i_RSAPrivateKey() fails on the DER data, how about a workaround? If your remaining code works fine, you could extract the RSA key from the EVP_PKEY object (which you are getting with d2i_PrivateKey), e.g. RSA *rsakey; rsakey

Re: [openssl-users] d2i_RSAPrivateKey not working on a private key

2015-10-09 Thread Frank Migge
? d2i_RSAPrivateKey() is not reading PEM, just making sure... Best wishes, Frank Migge David Lobron <mailto:dlob...@akamai.com> Saturday, October 10, 2015 12:33 AM Hello openssl people, I am trying to read a private key of a certificate into memory using d2i_RSAPrivateKey. I'm able to read the certi

Re: multi-byte subject DN display

2013-09-12 Thread Frank Migge
Hi Bin, # openssl x509 -in test.pem -noout -text -nameopt oneline,show_type Subject: C = PRINTABLESTRING:US, ST = PRINTABLESTRING:California, O = T61STRING:\C3\A6\C2\B7\C2\84\C3\A5\C2\8D\C2\9A\C3\A7\C2\BD\C2\91\C3\A7\C2\BB\C2\9C, OU = PRINTABLESTRING:QA, CN =

Re: asn1 encoding routines error: x509_extension, from ssl3_get_server_cert

2013-08-07 Thread Frank Migge
Dear Mithun, I came across this thread by researching the same question: Does openssl support S/MIME Capabilities certificate extension? For the following shortened code: /* display the cert extension list here */ for (i=0; i < sk_X509_EXTENSION_num(ext_list); i++) {