On 08/17/2017 05:38 PM, Salz, Rich wrote:
declare -x organizationalUnitName=""
routines:ASN1_mbstring_ncopy:string too short:a_mbstr.c:151:minsize=1
You are setting an empty OU. You should not set it and see if that works
organizationalUnitName = "." puts a . in it. So I have to
On 08/17/2017 07:01 PM, Jakob Bohm wrote:
On 18/08/2017 00:09, Robert Moskowitz wrote:
On 08/17/2017 05:38 PM, Salz, Rich wrote:
declare -x organizationalUnitName=""
routines:ASN1_mbstring_ncopy:string too short:a_mbstr.c:151:minsize=1
You are setting an empty OU. You should not set
On 08/17/2017 06:38 PM, Jeffrey Walton wrote:
On Thu, Aug 17, 2017 at 6:30 PM, Robert Moskowitz wrote:
I guess I am making progress. I am not getting SAN into the root cert. My cnf has in it:
[ req ]
# Options for the `req` tool (`man req`).
default_bits=
On 18/08/2017 00:09, Robert Moskowitz wrote:
On 08/17/2017 05:38 PM, Salz, Rich wrote:
declare -x organizationalUnitName=""
routines:ASN1_mbstring_ncopy:string too short:a_mbstr.c:151:minsize=1
You are setting an empty OU. You should not set it and see if
that works
On 08/17/2017 04:17 PM, Robert Moskowitz wrote:
On 08/17/2017 04:09 PM, Salz, Rich wrote:
Use the -batch flag to avoid all prompting
I commented out the prompt line and tried again:
openssl req -config openssl-root.cnf -key private/ca.key.pem \
> -new -x509 -days 7300 -sha256
I guess I am making progress. I am not getting SAN into the root cert. My cnf has in it:
[ req ]
# Options for the `req` tool (`man req`).
default_bits= 2048
prompt = no
distinguished_name = req_distinguished_name
string_mask = utf8only
req_extensions =
> declare -x organizationalUnitName=""
> routines:ASN1_mbstring_ncopy:string too short:a_mbstr.c:151:minsize=1
You are setting an empty OU. You should not set it and see if that works
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
ARGH!!!
On 08/17/2017 05:38 PM, Salz, Rich wrote:
declare -x organizationalUnitName=""
routines:ASN1_mbstring_ncopy:string too short:a_mbstr.c:151:minsize=1
You are setting an empty OU. You should not set it and see if that works
So now I have to figure out how to handle an empty
On Thu, Aug 17, 2017 at 6:30 PM, Robert Moskowitz wrote:
> I guess I am making progress. I am not getting SAN into the root cert. My cnf has in it:
>
> [ req ]
> # Options for the `req` tool (`man req`).
> default_bits= 2048
> prompt = no
>
I just had to ask Dr. Google the right question:
openssl subjectaltname in a selfsigned certificate
After all, a root cert is a self-signed cert.
And I learned to put SAN in the [ v3_ca ] section, rather than the [ req ] section; then all it takes is what I already had:
openssl req -config
It IS working with -selfsign. So this step is done.
openssl ca -config openssl-root.cnf -extensions v3_ca -days 7300 -notext
-md sha256 \
-selfsign -in csr/ca.csr.pem -out certs/ca.cert.pem
openssl x509 -in certs/ca.cert.pem -text -noout
Certificate:
Data:
Version: 3 (0x2)
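The thread's two stumbling blocks (an exported-but-empty organizationalUnitName that trips ASN1_mbstring_ncopy, and a subjectAltName that never reaches the self-signed root because it sits in a req_extensions section instead of the x509_extensions section named from [ req ]) are both visible in the config before openssl is ever run. Below is an added example, not code from the thread or from OpenSSL, that parses an openssl.cnf with Python's configparser, resolves $ENV:: references against a supplied environment, and reports those mistakes for a CA profile. The two sample configs and the environment dictionary are constructed for the example; section and key names follow req(1), where req_extensions feeds only the CSR and x509_extensions feeds the certificate produced with -x509.

```python
import configparser
import re

# Constructed sample configs (not from the thread). The first mirrors the failing
# setup: SAN under a req_extensions section and an OU pulled from an empty variable.
BROKEN_CNF = """
[ req ]
default_bits = 2048
prompt = no
distinguished_name = req_distinguished_name
string_mask = utf8only
req_extensions = v3_req

[ req_distinguished_name ]
countryName = $ENV::countryName
organizationName = $ENV::organizationName
organizationalUnitName = $ENV::organizationalUnitName
commonName = $ENV::commonName

[ v3_req ]
subjectAltName = $ENV::subjectAltName
"""

# The shape the thread converged on: CA extensions and SAN under [ v3_ca ],
# reached through x509_extensions, and no attribute that can resolve to "".
FIXED_CNF = """
[ req ]
default_bits = 2048
prompt = no
distinguished_name = req_distinguished_name
string_mask = utf8only
x509_extensions = v3_ca

[ req_distinguished_name ]
countryName = $ENV::countryName
organizationName = $ENV::organizationName
commonName = $ENV::commonName

[ v3_ca ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, CA:true
keyUsage = critical, keyCertSign, cRLSign
subjectAltName = $ENV::subjectAltName
"""

# Constructed stand-in for what `declare -x` exported; note the empty OU.
BROKEN_ENV = {"countryName": "US", "organizationName": "Example CA",
              "organizationalUnitName": "", "commonName": "Example Root CA",
              "subjectAltName": "DNS:ca.example.com"}
FIXED_ENV = {k: v for k, v in BROKEN_ENV.items() if k != "organizationalUnitName"}

ENV_REF = re.compile(r"^\$ENV::(\w+)$")


def load_cnf(text):
    """Parse openssl.cnf text into {section: {key: value}}.

    configparser is close enough to OpenSSL's CONF syntax for a CA profile
    (no .include handling); section names like "[ req ]" are stripped of spaces."""
    cp = configparser.RawConfigParser(strict=False, delimiters=("=",),
                                      inline_comment_prefixes=("#",), allow_no_value=True)
    cp.optionxform = str  # OpenSSL keys are case-sensitive
    cp.read_string("[default]\n" + text)  # OpenSSL allows keys before the first section
    return {sec.strip(): {k.strip(): (v or "").strip() for k, v in cp.items(sec)}
            for sec in cp.sections()}


def resolve(value, env):
    """Expand the $ENV::NAME form OpenSSL substitutes; None means the variable is unset."""
    m = ENV_REF.match(value)
    return env.get(m.group(1)) if m else value


def lint_ca_profile(cfg, env):
    """Return findings for a self-signed CA profile; an empty list means clean."""
    findings = []
    req = cfg.get("req", {})

    dn_sec = req.get("distinguished_name", "")
    for attr, raw in cfg.get(dn_sec, {}).items():
        value = resolve(raw, env)
        if value is None:
            findings.append(f"[{dn_sec}] {attr} refers to an unset environment variable")
        elif value == "":
            findings.append(f"[{dn_sec}] {attr} is empty: OpenSSL rejects zero-length "
                            "attribute values (ASN1_mbstring_ncopy: string too short); "
                            "leave the attribute out rather than exporting an empty variable")

    x509_sec = req.get("x509_extensions", "")
    x509_ext = cfg.get(x509_sec, {})
    req_ext = cfg.get(req.get("req_extensions", ""), {})
    if "subjectAltName" in req_ext and "subjectAltName" not in x509_ext:
        findings.append("subjectAltName is only in the req_extensions section, which goes "
                        "into the CSR; 'req -x509' takes extensions from x509_extensions")
    if not x509_sec:
        findings.append("[req] lacks x509_extensions, so a section such as [ v3_ca ] is "
                        "never applied to the self-signed certificate")
    else:
        bc = x509_ext.get("basicConstraints", "").replace(" ", "").lower()
        if "ca:true" not in bc:
            findings.append(f"[{x509_sec}] basicConstraints must be CA:true for a CA cert")
        elif not bc.startswith("critical"):
            findings.append(f"[{x509_sec}] basicConstraints should be marked critical")
        if "keyCertSign" not in x509_ext.get("keyUsage", ""):
            findings.append(f"[{x509_sec}] keyUsage lacks keyCertSign")
    return findings


if __name__ == "__main__":
    for name, cnf, env in (("broken", BROKEN_CNF, BROKEN_ENV), ("fixed", FIXED_CNF, FIXED_ENV)):
        print(name, lint_ca_profile(load_cnf(cnf), env) or "clean")
```

Run it and the broken profile reports the empty OU, the misplaced SAN and the missing x509_extensions, while the fixed profile is clean; the same loader can be pointed at a real openssl-root.cnf together with `dict(os.environ)`.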
On 08/17/2017 12:56 AM, Jeffrey Walton wrote:
On Thu, Aug 17, 2017 at 12:28 AM, Robert Moskowitz wrote:
I have skimmed through a few RFCs following today's postings and a few web
sites. It would seem to me that I should:
Remove commonName and emailAddress completely
AFAIK it must.
Regards,
Uri
Sent from my iPhone
> On Aug 17, 2017, at 09:21, Robert Moskowitz wrote:
>
> Should digitalSignature be included in keyusage in CA certs?
>
>
> https://jamielinux.com/docs/openssl-certificate-authority/create-the-root-pair.html
>
> Includes
Hello,
> On 17 August 2017 at 15:20, Robert Moskowitz wrote:
>
> Should digitalSignature be included in keyusage in CA certs?
It depends on what you plan to do with the corresponding private key.
If you want this private key to sign messages other than certificates and
And RFC 5280, which is still the standard, says serial# must be <= 20 bytes.
Which means, you want to make sure the high bit is off, else the DER encoding
will make it 21 bytes.
So the new -rand_serial flag I am adding to the CA command will call
RAND_bytes to get 18 bytes.
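Rich's point above about the high bit, and Jakob's quoted guidance further down that serial numbers be exactly 20 bytes and cryptographically random, both come down to how DER encodes an INTEGER: a positive value whose top bit is set needs a leading 0x00 octet, so 20 random bytes with the high bit set become a 21-octet serial and exceed the RFC 5280 limit. The following is an added example, not code from OpenSSL or from the thread, that computes the DER content length, encodes the INTEGER, checks a candidate serial against the 20-octet ceiling, and draws a random serial that encodes to exactly the requested number of octets. The 64-bit entropy floor referenced in the code is the CA/Browser Forum Baseline Requirements minimum, stated here as context rather than taken from the thread.

```python
import os

MAX_SERIAL_OCTETS = 20  # RFC 5280 4.1.2.2: CAs MUST NOT use serialNumber values longer than 20 octets
MIN_RANDOM_BITS = 64    # CA/Browser Forum Baseline Requirements: at least 64 bits of CSPRNG output


def der_integer_content_length(n):
    """Octets in the DER INTEGER content for non-negative n.

    DER uses minimal two's complement, so a value whose top bit is set needs a
    leading 0x00 to stay positive and costs one extra octet."""
    if n < 0:
        raise ValueError("certificate serial numbers must be positive")
    if n == 0:
        return 1
    return (n.bit_length() + 8) // 8  # ceil((bit_length + 1) / 8)


def der_integer(n):
    """DER-encode a non-negative INTEGER (short-form length suffices below 128 octets)."""
    length = der_integer_content_length(n)
    return b"\x02" + bytes([length]) + n.to_bytes(length, "big")


def check_serial(n):
    """Return a list of problems with a candidate serial; empty means acceptable."""
    problems = []
    if n <= 0:
        return ["serial must be a positive integer"]
    octets = der_integer_content_length(n)
    if octets > MAX_SERIAL_OCTETS:
        problems.append(f"DER content is {octets} octets (> {MAX_SERIAL_OCTETS}); "
                        "clear the high bit of a 20-byte value or draw fewer bytes")
    return problems


def random_serial(nbytes=20):
    """Random serial whose DER content is exactly nbytes octets.

    The high bit of the first octet is cleared so no sign octet is needed, and a
    zero first octet is redrawn so the encoded length does not shrink. For
    nbytes=20 the result has 153..159 bits, the range Jakob quotes below."""
    if not 1 <= nbytes <= MAX_SERIAL_OCTETS:
        raise ValueError(f"nbytes must be in 1..{MAX_SERIAL_OCTETS}")
    if 8 * nbytes - 1 < MIN_RANDOM_BITS:
        raise ValueError("too few random bits for a serial number")
    while True:
        raw = bytearray(os.urandom(nbytes))
        raw[0] &= 0x7F  # keep the INTEGER positive without a 0x00 prefix
        if raw[0] != 0:
            return int.from_bytes(raw, "big")


if __name__ == "__main__":
    too_long = int.from_bytes(b"\x80" + b"\x00" * 19, "big")  # constructed bad serial
    print("20 bytes with high bit set:", check_serial(too_long))
    s = random_serial()
    print("random serial:", hex(s), "bits:", s.bit_length(), "DER:", der_integer(s).hex())
```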
On 8/17/17,
On Thu, Aug 17, 2017 at 12:56:20AM -0400, Jeffrey Walton wrote:
> > Remove commonName and emailAddress completely from the cnf file. They no
> > longer belong in any cert, root or intermediate CA certs, server or user
> > certs.
>
> CommonName is supplied for viewing by tools like certificate
I have been researching serial number in cert based on Jakob's comment:
"- Serial numbers are *exactly* 20 bytes (153 to 159 bits) both as
standalone
numbers and as DER-encoded numbers. Note that this is not the default in
the openssl ca program.
- Serial numbers contain cryptographically
>> When you see a name like "example.com" in the CN, it's usually a CA
>> including a domain name and not a hostname.
>
> That's nonsense.
If a certificate is issued under CA/B policies, and CN=example.com but
it _lacks_ SAN=example.com, then it's not a hostname and it should
not be matched.
I'm
https://cabforum.org/2016/07/08/ballot-164/
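Viktor's rule above, that a CN of example.com without a matching SAN entry is not a hostname binding and must not match, is what a verifier looks like when it consults only subjectAltName. The following is an added example, not code from the thread or from OpenSSL, with RFC 6125-style dNSName matching (a single "*" as the whole leftmost label, covering exactly one label) and iPAddress matching for IP literals; the certificate dictionaries are constructed stand-ins for parsed certificates, and the refusal of wildcards with fewer than three labels is this example's own conservative choice, not a rule stated on the page.

```python
import ipaddress


def _normalize(name):
    """Lower-case and drop a trailing dot; DNS names compare case-insensitively."""
    return name.rstrip(".").lower()


def dns_name_matches(pattern, hostname):
    """Match one SAN dNSName against a hostname.

    Exact match, or a wildcard where '*' is the entire leftmost label and stands
    for exactly one label. Partial wildcards (f*.example.com), multiple wildcards
    and wildcards with fewer than three labels (*.com) are rejected (assumption)."""
    pattern, hostname = _normalize(pattern), _normalize(hostname)
    if "*" not in pattern:
        return pattern == hostname
    labels = pattern.split(".")
    if labels[0] != "*" or "*" in pattern[2:] or len(labels) < 3:
        return False
    host_labels = hostname.split(".")
    return len(host_labels) == len(labels) and host_labels[1:] == labels[1:]


def hostname_matches_cert(cert, hostname):
    """Decide whether hostname is bound by the certificate's SAN.

    The subject CN is never consulted: a CN of example.com with no
    SAN=example.com is not treated as a hostname. IP literals match only
    iPAddress entries, never dNSName entries."""
    hostname = _normalize(hostname)
    try:
        ip = ipaddress.ip_address(hostname)
    except ValueError:
        ip = None
    if ip is not None:
        return any(ipaddress.ip_address(e) == ip for e in cert.get("san_ip", ()))
    return any(dns_name_matches(e, hostname) for e in cert.get("san_dns", ()))


# Constructed certificates (not real ones): the same CN, with and without SAN.
CN_ONLY = {"subject_cn": "example.com", "san_dns": [], "san_ip": []}
WITH_SAN = {"subject_cn": "example.com",
            "san_dns": ["example.com", "*.example.com"],
            "san_ip": ["192.0.2.10"]}

if __name__ == "__main__":
    for cert, name in ((CN_ONLY, "example.com"), (WITH_SAN, "example.com"),
                       (WITH_SAN, "www.example.com"), (WITH_SAN, "a.b.example.com"),
                       (WITH_SAN, "192.0.2.10")):
        print(f"{name:18} {'match' if hostname_matches_cert(cert, name) else 'no match'}")
```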
Should digitalSignature be included in keyusage in CA certs?
https://jamielinux.com/docs/openssl-certificate-authority/create-the-root-pair.html
Includes it.
On 08/17/2017 10:50 AM, Salz, Rich via openssl-users wrote:
And RFC 5280, which is still the standard, says serial# must be <= 20 bytes.
Which means, you want to make sure the high bit is off, else the DER encoding will
make it 21 bytes.
So the new -rand_serial flag I am adding to the CA
On 08/17/2017 10:49 AM, Karl Denninger wrote:
On 8/17/2017 09:40, Robert Moskowitz wrote:
I have been researching serial number in cert based on Jakob's comment:
"- Serial numbers are *exactly* 20 bytes (153 to 159 bits) both as
standalone
numbers and as DER-encoded numbers. Note that
Viktor,
thanks for the reply.
On 08/17/2017 11:15 AM, Viktor Dukhovni wrote:
On Thu, Aug 17, 2017 at 12:56:20AM -0400, Jeffrey Walton wrote:
Remove commonName and emailAddress completely from the cnf file. They no
longer belong in any cert, root or intermediate CA certs, server or user
> On 17 August 2017 at 17:36, Jeffrey Walton wrote:
>
> On Thu, Aug 17, 2017 at 11:34 AM, Erwann Abalea
> wrote:
>>
>>> On 17 August 2017 at 17:26, Jeffrey Walton wrote:
>>>
> When you see a name like "example.com" in
On Thu, Aug 17, 2017 at 11:34 AM, Erwann Abalea
wrote:
>
>> On 17 August 2017 at 17:26, Jeffrey Walton wrote:
>>
When you see a name like "example.com" in the CN, it's usually a CA
including a domain name and not a hostname.
>>>
>>> That's
Hello,
> On 17 August 2017 at 17:10, Robert Moskowitz wrote:
>
>
>
> On 08/17/2017 10:50 AM, Salz, Rich via openssl-users wrote:
>> And RFC 5280, which is still the standard, says serial# must be <= 20 bytes.
>> Which means, you want to make sure the high bit is off,
> On 17 August 2017 at 17:26, Jeffrey Walton wrote:
>
>>> When you see a name like "example.com" in the CN, it's usually a CA
>>> including a domain name and not a hostname.
>>
>> That's nonsense.
>
> If a certificate is issued under CA/B policies, and CN=example.com but
>
Erwann,
thank you for your response.
On 08/17/2017 11:29 AM, Erwann Abalea via openssl-users wrote:
Hello,
On 17 August 2017 at 17:10, Robert Moskowitz wrote:
On 08/17/2017 10:50 AM, Salz, Rich via openssl-users wrote:
And RFC 5280, which is still the standard,
Kind of...
Does not put SAN in CA cert:
openssl req -config openssl-root.cnf -key private/ca.key.pem \
-new -x509 -days 7300 -sha256 -extensions v3_ca -out
certs/ca.cert.pem
Does put SAN in CA cert:
openssl req -config openssl-root.cnf -key private/ca.key.pem \
-new -sha256
NO does not work. It worked because I had the old root CA cert there.
Without it it fails.
I tried adding -selfsign and that did something, but did not create a
trusted cert...
On 08/17/2017 08:44 PM, Robert Moskowitz wrote:
Kind of...
Does not put SAN in CA cert:
openssl req -config
Thank you for your response.
I am basically skipping 20 years of PKI development and trying to get to
current best practices...
On 08/17/2017 09:50 AM, Erwann Abalea via openssl-users wrote:
Hello,
On 17 August 2017 at 15:20, Robert Moskowitz wrote:
Should
On 8/17/2017 09:40, Robert Moskowitz wrote:
> I have been researching serial number in cert based on Jakob's comment:
>
> "- Serial numbers are *exactly* 20 bytes (153 to 159 bits) both as
> standalone
> numbers and as DER-encoded numbers. Note that this is not the
> default in
> the openssl
In the [ ca ] section I have:
prompt = no
If I leave the = out I get an error, so I am assuming I got the format
of this right.
Then I have
[ req ]
distinguished_name = req_distinguished_name
[ req_distinguished_name ]
countryName = $ENV::countryName
In the CA section, you have to specify which fields you need/want in the DN.
This is the “policy” identifier which points to a section that names the RDNs
you want/need.
On 08/17/2017 03:39 PM, Salz, Rich via openssl-users wrote:
In the CA section, you have to specify which fields you need/want in the DN.
This is the “policy” identifier which points to a section that names the RDNs
you want/need.
I have that:
[ ca ]
# `man ca`
default_ca = CA_default
[
Use the -batch flag to avoid all prompting
On 08/17/2017 04:09 PM, Salz, Rich wrote:
Use the -batch flag to avoid all prompting
I commented out the prompt line and tried again:
openssl req -config openssl-root.cnf -key private/ca.key.pem \
> -new -x509 -days 7300 -sha256 -batch -extensions v3_ca -out
certs/ca.cert.pem
Enter