Re: [openssl-users] Can't seem to get prompt no to work

2017-08-17 Thread Robert Moskowitz
On 08/17/2017 05:38 PM, Salz, Rich wrote: declare -x organizationalUnitName="" routines:ASN1_mbstring_ncopy:string too short:a_mbstr.c:151:minsize=1 You are setting an empty OU. You should not set it and see if that works organizationalUnitName = "." puts a . in it. So I have to

Re: [openssl-users] Can't seem to get prompt no to work

2017-08-17 Thread Robert Moskowitz
On 08/17/2017 07:01 PM, Jakob Bohm wrote: On 18/08/2017 00:09, Robert Moskowitz wrote: On 08/17/2017 05:38 PM, Salz, Rich wrote: declare -x organizationalUnitName="" routines:ASN1_mbstring_ncopy:string too short:a_mbstr.c:151:minsize=1 You are setting an empty OU. You should not set

Re: [openssl-users] Can't get the subjectAltName into the root cert

2017-08-17 Thread Robert Moskowitz
On 08/17/2017 06:38 PM, Jeffrey Walton wrote: On Thu, Aug 17, 2017 at 6:30 PM, Robert Moskowitz wrote: I guess I am making progress. I am not getting SAN into the root cert. my cnf has in it: [ req ] # Options for the `req` tool (`man req`). default_bits=

Re: [openssl-users] Can't seem to get prompt no to work

2017-08-17 Thread Jakob Bohm
On 18/08/2017 00:09, Robert Moskowitz wrote: On 08/17/2017 05:38 PM, Salz, Rich wrote: declare -x organizationalUnitName="" routines:ASN1_mbstring_ncopy:string too short:a_mbstr.c:151:minsize=1 You are setting an empty OU. You should not set it and see if that works

Re: [openssl-users] Can't seem to get prompt no to work

2017-08-17 Thread Robert Moskowitz
On 08/17/2017 04:17 PM, Robert Moskowitz wrote: On 08/17/2017 04:09 PM, Salz, Rich wrote: Use the -batch flag to avoid all prompting I commented out the prompt line and tried again: openssl req -config openssl-root.cnf -key private/ca.key.pem \ > -new -x509 -days 7300 -sha256

[openssl-users] Can't get the subjectAltName into the root cert

2017-08-17 Thread Robert Moskowitz
I guess I am making progress. I am not getting SAN into the root cert. my cnf has in it: [ req ] # Options for the `req` tool (`man req`). default_bits= 2048 prompt = no distinguished_name = req_distinguished_name string_mask = utf8only req_extensions =

Re: [openssl-users] Can't seem to get prompt no to work

2017-08-17 Thread Salz, Rich via openssl-users
> declare -x organizationalUnitName="" > routines:ASN1_mbstring_ncopy:string too short:a_mbstr.c:151:minsize=1 You are setting an empty OU. You should not set it and see if that works -- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: [openssl-users] Can't seem to get prompt no to work

2017-08-17 Thread Robert Moskowitz
ARGH!!! On 08/17/2017 05:38 PM, Salz, Rich wrote: declare -x organizationalUnitName="" routines:ASN1_mbstring_ncopy:string too short:a_mbstr.c:151:minsize=1 You are setting an empty OU. You should not set it and see if that works So now I have to figure out how to handle an empty

Re: [openssl-users] Can't get the subjectAltName into the root cert

2017-08-17 Thread Jeffrey Walton
On Thu, Aug 17, 2017 at 6:30 PM, Robert Moskowitz wrote: > I guess I am making progress. I am not getting SAN into the root cert. my > cnf has in it: > > [ req ] > # Options for the `req` tool (`man req`). > default_bits= 2048 > prompt = no >

[openssl-users] FINAL simpler solution - Re: Solved - Re: Can't get the subjectAltName into the root cert

2017-08-17 Thread Robert Moskowitz
I just had to ask Dr. Google the right question: openssl subjectaltname in a selfsigned certificate After all, a root cert is a selfsigned cert. And I learned to put SAN in the [ v3_ca ] section, rather than the [ req ] section then all it takes is what I already had: openssl req -config

Re: [openssl-users] Solved - Re: Can't get the subjectAltName into the root cert

2017-08-17 Thread Robert Moskowitz
It IS working with -selfsign. So this step is done. openssl ca -config openssl-root.cnf -extensions v3_ca -days 7300 -notext -md sha256 \ -selfsign -in csr/ca.csr.pem -out certs/ca.cert.pem openssl x509 -in certs/ca.cert.pem -text -noout Certificate: Data: Version: 3 (0x2)

Re: [openssl-users] Implementing deprecation of commonname and emailaddress

2017-08-17 Thread Robert Moskowitz
On 08/17/2017 12:56 AM, Jeffrey Walton wrote: On Thu, Aug 17, 2017 at 12:28 AM, Robert Moskowitz wrote: I have skimmed through a few RFCs following today's postings and a few web sites. It would seem to me that I should: Remove commonName and emailAddress completely

Re: [openssl-users] keyusage digitalSignature in CA certs

2017-08-17 Thread Blumenthal, Uri - 0553 - MITLL
AFAIK it must. Regards, Uri Sent from my iPhone > On Aug 17, 2017, at 09:21, Robert Moskowitz wrote: > > Should digitalSignature be included in keyusage in CA certs? > > > https://jamielinux.com/docs/openssl-certificate-authority/create-the-root-pair.html > > Includes

Re: [openssl-users] keyusage digitalSignature in CA certs

2017-08-17 Thread Erwann Abalea via openssl-users
Hello, > On 17 August 2017 at 15:20, Robert Moskowitz wrote: > > Should digitalSignature be included in keyusage in CA certs? It depends on what you plan to do with the corresponding private key. If you want this private key to sign messages other than certificates and

Re: [openssl-users] More on cert serialnumbers

2017-08-17 Thread Salz, Rich via openssl-users
And RFC 5280, which is still the standard, says serial# must be <= 20 bytes. Which means, you want to make sure the high bit is off, else the DER encoding will make it 21 bytes. So the new -rand_serial flag I am adding to the CA command will call RAND_bytes to get 18 bytes. On 8/17/17,
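Added example, not code from the thread or from OpenSSL, to make the 20-byte point above concrete: a pure-Python DER INTEGER encoder, a check that a serial still fits RFC 5280's 20-octet limit once encoded (a positive value with its top bit set gains a leading 0x00 sign octet, which is how 20 random bytes become 21), and a generator that clears the top bit so that cannot happen. Using os.urandom as the CSPRNG and the serial_from_openssl_hex helper for the output of `openssl x509 -noout -serial` are this example's own choices and are not described in the thread.

```python
"""
Added example, not code from the thread or from OpenSSL: what RFC 5280's
20-octet serial number limit means after DER encoding, and a generator
that stays inside it.

RFC 5280 s4.1.2.2: serialNumber is a positive INTEGER of at most 20 octets.
A DER INTEGER is two's complement, so a positive value whose top bit is set
needs a leading 0x00 octet; 20 random bytes with the high bit set therefore
encode as 21 octets and are non-conforming.
"""
import os


def der_integer_content(value):
    """Content octets of a DER INTEGER for a non-negative integer."""
    if value < 0:
        raise ValueError("certificate serial numbers must be positive")
    raw = value.to_bytes(max(1, (value.bit_length() + 7) // 8), "big")
    if raw[0] & 0x80:                  # sign bit set: prepend 0x00 so it reads positive
        raw = b"\x00" + raw
    return raw


def der_integer(value):
    """Full DER TLV: tag 0x02, definite length, content octets."""
    content = der_integer_content(value)
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:                              # long form: 0x8N followed by N length bytes
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return b"\x02" + length + content


def serial_is_rfc5280_compliant(value):
    """Positive, and no more than 20 content octets once DER-encoded.
    Zero is rejected: RFC 5280 requires a positive integer."""
    return value > 0 and len(der_integer_content(value)) <= 20


def random_serial(nbytes=20):
    """Random serial of at most `nbytes` octets with the top bit cleared, so no
    sign octet is added on encoding. os.urandom is this example's CSPRNG
    (an assumption; OpenSSL's own code uses RAND_bytes). With 20 bytes this
    leaves 159 random bits, well above the 64-bit minimum that CA/Browser
    Forum ballot 164 requires."""
    buf = bytearray(os.urandom(nbytes))
    buf[0] &= 0x7F
    value = int.from_bytes(buf, "big")
    if value == 0:                     # vanishingly unlikely, but must stay positive
        return random_serial(nbytes)
    return value


def serial_from_openssl_hex(text):
    """Parse the 'serial=HEX' line printed by `openssl x509 -noout -serial`,
    so an existing certificate can be run through the check above."""
    hexpart = text.strip().split("=", 1)[-1]
    return int(hexpart, 16)


if __name__ == "__main__":
    bad = int.from_bytes(b"\xff" * 20, "big")       # 20 random bytes, high bit set
    good = random_serial()
    print("all-0xff 20 bytes ->", len(der_integer_content(bad)), "DER octets")
    print("high-bit cleared  ->", len(der_integer_content(good)), "DER octets")
    print("compliant?", serial_is_rfc5280_compliant(bad), serial_is_rfc5280_compliant(good))
```

Running it shows the all-0xff value encoding to 21 octets and failing the check, while the generated serial encodes to at most 20. To audit an issued certificate, feed the `serial=` line from `openssl x509 -noout -serial` to serial_from_openssl_hex and pass the result to serial_is_rfc5280_compliant.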

Re: [openssl-users] Implementing deprecation of commonname and emailaddress

2017-08-17 Thread Viktor Dukhovni
On Thu, Aug 17, 2017 at 12:56:20AM -0400, Jeffrey Walton wrote: > > Remove commonName and emailAddress completely from the cnf file. They no > > longer belong in any cert, root or intermediate CA certs, server or user > > certs. > > CommonName is supplied for viewing by tools like certificate

[openssl-users] More on cert serialnumbers

2017-08-17 Thread Robert Moskowitz
I have been researching serial number in cert based on Jakob's comment: "- Serial numbers are *exactly* 20 bytes (153 to 159 bits) both as standalone numbers and as DER-encoded numbers. Note that this is not the default in the openssl ca program. - Serial numbers contain cryptographically

Re: [openssl-users] Implementing deprecation of commonname and emailaddress

2017-08-17 Thread Jeffrey Walton
>> When you see a name like "example.com" in the CN, it's usually a CA >> including a domain name and not a hostname. > > That's nonsense. If a certificate is issued under CA/B policies, and CN=example.com but it _lacks_ SAN=example.com, then it's not a hostname and it should not be matched. I'm

Re: [openssl-users] More on cert serialnumbers

2017-08-17 Thread Salz, Rich via openssl-users
https://cabforum.org/2016/07/08/ballot-164/

[openssl-users] keyusage digitalSignature in CA certs

2017-08-17 Thread Robert Moskowitz
Should digitalSignature be included in keyusage in CA certs? https://jamielinux.com/docs/openssl-certificate-authority/create-the-root-pair.html Includes it.

Re: [openssl-users] More on cert serialnumbers

2017-08-17 Thread Robert Moskowitz
On 08/17/2017 10:50 AM, Salz, Rich via openssl-users wrote: And RFC 5280, which is still the standard, says serial# must be <= 20 bytes. Which means, you want to make sure the high bit is off, else the DER encoding will make it 21 bytes. So the new -rand_serial flag I am adding to the CA

Re: [openssl-users] More on cert serialnumbers

2017-08-17 Thread Robert Moskowitz
On 08/17/2017 10:49 AM, Karl Denninger wrote: On 8/17/2017 09:40, Robert Moskowitz wrote: I have been researching serial number in cert based on Jakob's comment: "- Serial numbers are *exactly* 20 bytes (153 to 159 bits) both as standalone numbers and as DER-encoded numbers. Note that

Re: [openssl-users] Implementing deprecation of commonname and emailaddress

2017-08-17 Thread Robert Moskowitz
Viktor, thanks for the reply. On 08/17/2017 11:15 AM, Viktor Dukhovni wrote: On Thu, Aug 17, 2017 at 12:56:20AM -0400, Jeffrey Walton wrote: Remove commonName and emailAddress completely from the cnf file. They no longer belong in any cert, root or intermediate CA certs, server or user

Re: [openssl-users] Implementing deprecation of commonname and emailaddress

2017-08-17 Thread Erwann Abalea via openssl-users
> On 17 August 2017 at 17:36, Jeffrey Walton wrote: > > On Thu, Aug 17, 2017 at 11:34 AM, Erwann Abalea > wrote: >> >>> On 17 August 2017 at 17:26, Jeffrey Walton wrote: >>> > When you see a name like "example.com" in

Re: [openssl-users] Implementing deprecation of commonname and emailaddress

2017-08-17 Thread Jeffrey Walton
On Thu, Aug 17, 2017 at 11:34 AM, Erwann Abalea wrote: > >> On 17 August 2017 at 17:26, Jeffrey Walton wrote: >> When you see a name like "example.com" in the CN, it's usually a CA including a domain name and not a hostname. >>> >>> That's

Re: [openssl-users] More on cert serialnumbers

2017-08-17 Thread Erwann Abalea via openssl-users
Hello, > On 17 August 2017 at 17:10, Robert Moskowitz wrote: > > > > On 08/17/2017 10:50 AM, Salz, Rich via openssl-users wrote: >> And RFC 5280, which is still the standard, says serial# must be <= 20 bytes. >> Which means, you want to make sure the high bit is off,

Re: [openssl-users] Implementing deprecation of commonname and emailaddress

2017-08-17 Thread Erwann Abalea via openssl-users
> On 17 August 2017 at 17:26, Jeffrey Walton wrote: > >>> When you see a name like "example.com" in the CN, it's usually a CA >>> including a domain name and not a hostname. >> >> That's nonsense. > > If a certificate is issued under CA/B policies, and CN=example.com but >

Re: [openssl-users] More on cert serialnumbers

2017-08-17 Thread Robert Moskowitz
Erwann, thank you for your response. On 08/17/2017 11:29 AM, Erwann Abalea via openssl-users wrote: Hello, On 17 August 2017 at 17:10, Robert Moskowitz wrote: On 08/17/2017 10:50 AM, Salz, Rich via openssl-users wrote: And RFC 5280, which is still the standard,

[openssl-users] Solved - Re: Can't get the subjectAltName into the root cert

2017-08-17 Thread Robert Moskowitz
Kind of... Does not put SAN in CA cert: openssl req -config openssl-root.cnf -key private/ca.key.pem \ -new -x509 -days 7300 -sha256 -extensions v3_ca -out certs/ca.cert.pem Does put SAN in CA cert: openssl req -config openssl-root.cnf -key private/ca.key.pem \ -new -sha256

Re: [openssl-users] Solved - Re: Can't get the subjectAltName into the root cert

2017-08-17 Thread Robert Moskowitz
NO does not work. It worked because I had the old root CA cert there. Without it it fails. I tried adding -selfsign and that did something, but did not create a trusted cert... On 08/17/2017 08:44 PM, Robert Moskowitz wrote: Kind of... Does not put SAN in CA cert: openssl req -config

Re: [openssl-users] keyusage digitalSignature in CA certs

2017-08-17 Thread Robert Moskowitz
Thank you for your response. I am basically skipping 20 years of PKI development and trying to get to current best practices... On 08/17/2017 09:50 AM, Erwann Abalea via openssl-users wrote: Hello, On 17 August 2017 at 15:20, Robert Moskowitz wrote: Should

Re: [openssl-users] More on cert serialnumbers

2017-08-17 Thread Karl Denninger
On 8/17/2017 09:40, Robert Moskowitz wrote: > I have been researching serial number in cert based on Jakob's comment: > > "- Serial numbers are *exactly* 20 bytes (153 to 159 bits) both as > standalone > numbers and as DER-encoded numbers. Note that this is not the > default in > the openssl

[openssl-users] Can't seem to get prompt no to work

2017-08-17 Thread Robert Moskowitz
In the [ ca ] section I have: prompt = no If I leave the = out I get an error, so I am assuming I got the format of this right. Then I have [ req ] distinguished_name = req_distinguished_name [ req_distinguished_name ] countryName = $ENV::countryName

Re: [openssl-users] Can't seem to get prompt no to work

2017-08-17 Thread Salz, Rich via openssl-users
In the CA section, you have to specify which fields you need/want in the DN. This is the "policy" identifier which points to a section that names the RDNs you want/need.

Re: [openssl-users] Can't seem to get prompt no to work

2017-08-17 Thread Robert Moskowitz
On 08/17/2017 03:39 PM, Salz, Rich via openssl-users wrote: In the CA section, you have to specify which fields you need/want in the DN. This is the "policy" identifier which points to a section that names the RDNs you want/need. I have that: [ ca ] # `man ca` default_ca = CA_default [

Re: [openssl-users] Can't seem to get prompt no to work

2017-08-17 Thread Salz, Rich via openssl-users
Use the -batch flag to avoid all prompting

Re: [openssl-users] Can't seem to get prompt no to work

2017-08-17 Thread Robert Moskowitz
On 08/17/2017 04:09 PM, Salz, Rich wrote: Use the -batch flag to avoid all prompting I commented out the prompt line and tried again: openssl req -config openssl-root.cnf -key private/ca.key.pem \ > -new -x509 -days 7300 -sha256 -batch -extensions v3_ca -out certs/ca.cert.pem Enter
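Added example, not the poster's openssl-root.cnf or OpenSSL's own code, covering the two config problems that run through the "prompt no" and "subjectAltName" threads above: the empty organizationalUnitName that fails under prompt = no with "string too short ... minsize=1", and the subjectAltName that only reaches a self-signed root when it sits in [ v3_ca ] and the cert is issued with `openssl req -new -x509 -extensions v3_ca`. The SAMPLE_DN values and the ca.example.com name are constructed for the example; the keyUsage line follows the distinction made in the keyUsage thread (digitalSignature only if the CA key will sign more than certificates and CRLs). The issue_self_signed_root step shells out to openssl only when the binary is on PATH and is otherwise skipped.

```python
"""
Added example, not the poster's config or OpenSSL's own code: an openssl.cnf
for a self-signed root built the way the thread ends up, with prompt = no,
DN values taken from environment-style settings, and subjectAltName placed
in [ v3_ca ] rather than in a req_extensions section. Section and field
names follow the openssl.cnf layout quoted in the thread; the sample DN
values are constructed for this example.
"""
import os
import shutil
import subprocess
import tempfile

# Constructed stand-ins for the $ENV::countryName style variables in the thread.
SAMPLE_DN = {
    "countryName": "US",
    "stateOrProvinceName": "Example State",
    "localityName": "Example City",
    "organizationName": "Example Org",
    "organizationalUnitName": "",            # deliberately empty
    "commonName": "Example Root CA",
}


def build_dn_section(values):
    """Render [ req_distinguished_name ] for prompt = no.

    With prompt = no every key listed is copied into the subject as-is, and an
    empty value fails with 'ASN1_mbstring_ncopy:string too short ... minsize=1',
    the error hit in the thread. An empty or unset field is therefore left out
    of the section instead of being written as an empty string."""
    lines = ["[ req_distinguished_name ]"]
    for key, val in values.items():
        if val is None or str(val).strip() == "":
            continue
        lines.append("%s = %s" % (key, val))
    return "\n".join(lines) + "\n"


def build_root_config(dn, san, digital_signature=False):
    """Config for `openssl req -new -x509 -extensions v3_ca`.

    subjectAltName lives in [ v3_ca ]: with -x509, req takes extensions from
    the section named by -extensions (or x509_extensions), not from
    req_extensions, which only applies to CSRs. keyUsage carries keyCertSign
    and cRLSign; digitalSignature is added only when the CA key will sign
    things other than certificates and CRLs."""
    key_usage = "critical, keyCertSign, cRLSign"
    if digital_signature:
        key_usage += ", digitalSignature"
    return (
        "[ req ]\n"
        "default_bits        = 2048\n"
        "prompt              = no\n"
        "string_mask         = utf8only\n"
        "distinguished_name  = req_distinguished_name\n"
        "x509_extensions     = v3_ca\n"
        "\n"
        + build_dn_section(dn) +
        "\n"
        "[ v3_ca ]\n"
        "subjectKeyIdentifier   = hash\n"
        "authorityKeyIdentifier = keyid:always,issuer\n"
        "basicConstraints       = critical, CA:true\n"
        "keyUsage               = " + key_usage + "\n"
        "subjectAltName         = " + ", ".join(san) + "\n"
    )


def parse_sections(cfg):
    """Minimal reader for the [ section ] / key = value layout, enough to check
    which section an extension landed in."""
    sections, current = {}, None
    for raw in cfg.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            sections[current] = {}
        elif "=" in line and current is not None:
            k, v = line.split("=", 1)
            sections[current][k.strip()] = v.strip()
    return sections


def issue_self_signed_root(cfg, days=7300):
    """Run the thread's one-step command when an openssl binary is on PATH:
    openssl req -config cnf -key key -new -x509 -days N -sha256 -extensions v3_ca
    Returns the `openssl x509 -text` output, or None if openssl is missing or
    any step fails."""
    if shutil.which("openssl") is None:
        return None
    with tempfile.TemporaryDirectory() as d:
        cnf, key, crt = (os.path.join(d, n) for n in ("openssl-root.cnf", "ca.key.pem", "ca.cert.pem"))
        with open(cnf, "w") as f:
            f.write(cfg)
        steps = [
            ["openssl", "genpkey", "-algorithm", "RSA", "-pkeyopt", "rsa_keygen_bits:2048", "-out", key],
            ["openssl", "req", "-config", cnf, "-key", key, "-new", "-x509", "-days", str(days),
             "-sha256", "-extensions", "v3_ca", "-out", crt],
            ["openssl", "x509", "-in", crt, "-noout", "-text"],
        ]
        out = None
        for cmd in steps:
            r = subprocess.run(cmd, capture_output=True, text=True)
            if r.returncode != 0:
                return None
            out = r.stdout
        return out


if __name__ == "__main__":
    cfg = build_root_config(SAMPLE_DN, ["DNS:ca.example.com"])
    print(cfg)
    text = issue_self_signed_root(cfg)
    print("openssl not available" if text is None else text)
```

Running it prints the generated config and, when openssl is installed, the certificate text; the "X509v3 Subject Alternative Name" line there is the check that the SAN made it into the root, and the subject line shows the OU simply absent rather than empty.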