Bin Lu wrote:
If I use -nameopt utf8 option, the output of the subject is empty even for
ascii string subject DN. This does not seem to match what is said in the man
page. A bug?
Please try out with the attached certificate (removing the .txt ext).
Are the DN attributes with non-ASCII
Viktor Dukhovni wrote:
On Mon, Sep 23, 2013 at 10:54:04AM -0400, Salz, Rich wrote:
Another option is to use LDAP's STARTTLS support on port 389.
It seems the config to require it is a bit obscure;
http://www.openldap.org/lists/openldap-technical/201202/msg00414.html
might be useful.
You should better ask OpenLDAP questions on the openldap-technical mailing list:
http://www.openldap.org/lists/
Ciao, Michael.
Robbie Mingfu Zhang wrote:
Hi:
If I set the TLSVerifyClient demand on openldap server side, then I'll get
below error
(set TLSVerifyClient as never/allow/try,
Viktor Dukhovni wrote:
With SMTP, PKIX certificate verification is pointless without explicit
per-destination configuration:
http://vdukhovni.github.io/ietf/draft-ietf-dane-smtp-with-dane-05.html#rfc.section.1.2
This is why I am working to implement and standardize SMTP with DANE TLS.
Viktor Dukhovni wrote:
On Sat, Dec 28, 2013 at 05:56:41PM +0100, Michael Ströder wrote:
http://vdukhovni.github.io/ietf/draft-ietf-dane-smtp-with-dane-05.html#rfc.section.1.2
This is why I am working to implement and standardize SMTP with DANE TLS.
DANE itself does not help. It just shifts
Jakob Bohm wrote:
On 1/7/2014 12:17 AM, Biondo, Brandon A. wrote:
I am using ‘ca’ not ‘x509’. It too ignores/discards extensions. Turning
on copy_extensions solved the issue though, thanks. I have some
follow-up questions:
1.If including SANs in CSRs is non-standard, what is the accepted way
Graham Leggett wrote:
In a typical client certificate scenario, you might verify that a certificate
chain is complete, not expired, and trusted by a root certificate. If you
were to choose a way to authorize the certificate over and above the check
that the cert is valid, you might store
Mario Lombardo wrote:
Hi *,
this is just an idea. However it would increase the security of our crypto
system in case a trusted CA has been compromised.
The idea is to implement a DNS lookup of a host whenever a ssl connection is
going to be established. The lookup may search the TXT
Walter H. wrote:
subjectKeyIdentifier=hash
which parts of the certificate are included in generating this hash value?
http://tools.ietf.org/html/rfc5280#section-4.2.1.2
Ciao, Michael.
sandeep kiran p wrote:
Ours is an LDAP directory enabled application where we use SSL/TLS to
protect binds to the directory. Right now we are using OpenSSL 0.9.8g to
do this. Our application depends on external directory servers for
authentication which are not maintained by us. So it is only
HI!
Is there an API function in OpenSSL which extracts only the DER blob of
RecipientInfos from a CMS message (needed for encrypted S/MIME message). Or
has that to be done low-level with ASN.1 parser?
Ciao, Michael.
__
OpenSSL
HI!
Someone sent me an encrypted S/MIME message which I could not decrypt in
Mozilla's Seamonkey. Trying to determine the cause for that I wanted to look
at the RecipientInfos structure with OpenSSL 0.9.8k shipped with openSUSE
Linux 11.2 and also tried with OpenSSL 1.0.0 (self-compiled).
Dr. Stephen Henson wrote:
On Tue, Mar 30, 2010, Michael Ströder wrote:
Someone sent me an encrypted S/MIME message which I could not decrypt in
Mozilla's Seamonkey. Trying to determine the cause for that I wanted to look
at the RecipientInfos structure with OpenSSL 0.9.8k shipped with openSUSE
shake kvc wrote:
I want to be able to store CRLs in the openldap repository so that I can
retrieve them using a LDAP client.
Basically, the client would be given a LDAP URL as follows:
ldap://xxx.yyy.com/CN=Challenger(1),CN=xxx,CN=C
customer.
Ciao, Michael.
--
Michael Ströder Klauprechtstr. 11
Dipl.-Inform. D-76137 Karlsruhe, Germany
Tel.: +49 721 8304316
E-Mail: mich...@stroeder.com http://www.stroeder.com
Luisç Nevesã wrote:
I am trying to use mod_authz_ldap to query a X.509 certificate on a
ldap directory
This is rather a LDAP-related question e.g. for the openldap-technical mailing
list if you're using OpenLDAP server or the more general list l...@umich.edu.
in the directory, i have stored
Carla Coutinho wrote:
I'm trying to generate an OCSP request containing Issuer Name Hash and
Issuer Key Hash calculated with hashing algorithm SHA256.
I've already installed OpenSSL 1.0.0, which has the option '-sha256', but
that doesn't seem to be working (the Hash Algorithm is always SHA1).
Rainer Giedat wrote:
i have a hard time figuring out how i can print the cipher used to
encrypt a smime encrypted mail.
openssl smime -in test.eml -pk7out|openssl asn1parse
Or with OpenSSL 1.0 in case S/MIME MUA sent CMS instead of PKCS#7:
openssl cms -in test.eml -cmsout -outform pem|openssl
John Nagle wrote:
Normally, when a certificate is to be valid for more than one
domain name, one name is in the CN field, and the others are in
the subjectAltName extension.
But look at the cert for https://www.ipmirror.com/.
This might serve as an interesting example for the people
HI!
There is a difference when displaying the modulus with command-line tool.
Here's the relevant excerpt of the following command:
openssl x509 -noout -text -modulus -in cert.pem
[..]
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
HI!
It's confusing that OpenSSL seems to output distinguished names in different
string representations.
While one can use command-line argument -nameopt to influence the output of
openssl x509 -issuer -subject this does not affect DN output of X.509v3
extensions and there's no such argument for
man 1ssl verify says:
The third operation is to check the trust settings on the root CA. The root
CA should be trusted for the supplied purpose. For compatibility with previous
versions of SSLeay and OpenSSL a certificate with no trust settings is
considered to be valid for all purposes.
I
Michael Ströder wrote:
man 1ssl verify says:
The third operation is to check the trust settings on the root CA. The root
CA should be trusted for the supplied purpose. For compatibility with previous
versions of SSLeay and OpenSSL a certificate with no trust settings is
considered
HI!
I'm feeling dumb since this simple command fails and I cannot see why:
$ openssl verify -CAfile rootcacert.pem subcacert.pem
subcacert.pem: C = DE, O = SCA Deutsche Post Com GmbH, CN = Signtrust CERT
Root CA 1:PN
error 2 at 1 depth lookup:unable to get issuer certificate
I've attached the
Erik Tkal wrote:
Your rootcacert is not a root cert, as it was issued by C=US, ST=UT,
L=Salt Lake City, O=The USERTRUST Network, OU=http://www.usertrust.com,
CN=UTN-USERFirst-Client Authentication and Email. You need to append that
cert as well to your CAfile.
Shouldn't it be possible to
Bruce Stephens wrote:
Erik Tkal et...@juniper.net writes:
Maybe that's a bug in OpenSSL 0.9.8o? The docs for verify say It is
an error if the whole chain cannot be built up.
Maybe, but I think it's just as reasonable to regard it as a bug in the
docs.
I think it's useful for verify to
Bruce Stephens wrote:
Bruce Stephens bruce.steph...@isode.com writes:
Dr. Stephen Henson st...@openssl.org writes:
[...]
Is that unmodified OpenSSL 0.9.8o? If so that's peculiar I get the expected
error here.
No, it's Debian's 0.9.8o-2.
Ah, my fault. Obvious in retrospect: Debian's
Eric S. Eberhard wrote:
or ... keep it simple and at least consider using stunnel.
I use stunnel myself in some situations. It's a great tool.
But bear in mind that the application then has no access to authentication
information of the SSL layer.
Ciao, Michael.
Mailing List SVR wrote:
On 20/07/2011 17:06, Dr. Stephen Henson wrote:
On Wed, Jul 20, 2011, Mailing List SVR wrote:
On 20/07/2011 08:44, Mailing List SVR wrote:
Hi,
openssl seems unable to verify the attached sod.pem, other pem
file works fine there is something strange with the
Victor B. Wagner wrote:
RFC 2511 defines ASN.1 syntax for putting multiple certificate request
into one message:
[..]
Question is - how widespread is use of this syntax, is there any
real-world CA which understand CertReqMessages sequence.
There are several PKI implementations which support
Victor Duchovni wrote:
On Thu, Nov 23, 2006 at 06:46:23PM -0300, Martín Coco wrote:
My main goal is to design a PKI for our server infrastructure (ldaps,
https, mail, vpn, etc.) The problem is that, for example, when reading
the mentioned book, all the examples are based on people, but not on
Donny Dinh wrote:
* ./openssl s_client -connect www.google.com:443 -state*
[..]
*6709:error:140943FC:SSL routines:SSL3_READ_BYTES:sslv3 alert bad record
mac:s3_pkt.c:1057:SSL alert number 20*
*6709:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake
failure:s23_lib.c:188:*
If I force
HI!
I'm currently trying to parse the X.509v3 certificate extensions
with the help of an ASN.1 parser module for Python. I'm somewhat
stuck into detail problems since I'm a total ASN.1 newbie. Maybe I
have misunderstood some concepts.
If I'm parsing the extensions do I have to use a-priori
Dr S N Henson wrote:
making sure there's no summary info before BEGIN CERTIFICATE
and seeing if you can find what format keytool wants.
Uuumpf! Yes, my fault (turning red): I did not remove the text
before BEGIN CERTIFICATE line. Sorry.
Ciao, Michael.
Xiaohua Cheng wrote:
So, now keytool can recognize the certificate your OpenSSL generates?
Yes. keytool of JDK 1.3, X509v3 server cert with some extensions.
It always returns
"unrecognized format" when I was trying to import certificate generated
with OpenSSL into the keystore.
Try to
Deepak wrote:
I have a piece of Java (JSSE) code
BTW:
news:comp.lang.java.security is a more appropriate
forum for these kind of questions...
Ciao, Michael.
Ri Li wrote:
I have some question about the SSL, when my office
is using a Proxy server to go to the internet. Is the
SSL encryption only encrypt between the Proxy Server to
the Internet Web Server? or protect from user under
proxy server to Internet Web Server??
If you configured your web
Mahesh Anantharaman wrote:
openssl smime -verify -noverify -nointern -nochain -in message.txt
-certfile myfile.pem
Note that you normally MUST verify the validity of the sender's
certificate against a trusted root cert which you retrieved in a
secure way. Otherwise you have to make sure that
Dr S N Henson wrote:
The email is always checked against the senders certificate: it is
extracted from the signed email automatically so there is no need to
download it manually.
Note: With Outlook (Express) you can turn off adding the sender's
certificate to the S/MIME signature to reduce
Optik Marko wrote:
Please can you send me links from German-sites for openSSL?
English is too difficult for me.
You're lucky (Du hast Glück):
http://www.pca.dfn.de/dfnpca/certify/ssl/handbuch/
Ciao, Michael.
Peter Stamfest wrote:
Hello OpenSSL users,
[..]
* UDP based instead of TCP based (see below for reasons)
SSL sits on top of a connection-oriented protocol like e.g. TCP or
PPP. Some VPN products use SSL over PPP over UDP. Did you mean that?
But what's wrong with IPSec, S/WAN and
Alex Cosic wrote:
JSSE java client
[..]
untrusted certificate chain.
1. Slightly off-topic here. Better ask in
news:comp.lang.java.security
2. Read the docs of Sun's keytool. keytool -import -alias "My CA"
...
Ciao, Michael.
Peter Stamfest wrote:
On Fri, 5 Jan 2001, Michael Ströder wrote:
SSL sits on top of a connection-oriented protocol like e.g. TCP or
PPP. Some VPN products use SSL over PPP over UDP. Did you mean that?
What I have in mind is not SSL over UDP.
Of course since UDP is not a
Peter Stamfest wrote:
* IPSec is hard to configure
But please give us a reason why you believe that the configuration
of "your solution" would be easier. Yes, it's somewhat more
complicated than starting setup.exe and just click a "Next" button
if it's meant to be really secure.
The main
If we want to continue this thread I suggest to switch
to news:comp.dcom.vpn for not filling up openssl-users
with off-topic discussion.
Ciao, Michael.
Marco Cunha wrote:
we can't have our clients going around creating,
signing installing new certificates every once in a while so I was
thinking about doing the following :
Look into openssl.c and friends and figure out a way of making the server
generate a CA cert and server cert on the
mariano Jess wrote:
Somebody Knows if it's possible to send attach files with smime.
Yes, it's possible. Note the MIME in S/MIME.
Ciao, Michael.
Reiner Buehl wrote:
There is a (not recommended) possibility for this: If all of your hosts
belong to the same domain you could generate a so called "wildcard
certificate".
This is a certificate with a hostname like '*.mydomain.org'
AFAIK this does not work with M$ IE.
Ciao, Michael.
Maxime Dubois wrote:
So I need to keep request files as I keep cert files...
Maybe you can also try to generate a new request from an expired
cert.
openssl x509 -x509toreq
I think renewal is interesting because [...]
It's always a matter of your local policy.
Ciao, Michael.
Maxime Dubois wrote:
What I wanted to know is: How does a root CA say it does not trust anymore
a sub-CA it has signed before?
By revoking the certificate of the sub CA.
Revoking means putting it into the root CA's CRL.
Ciao, Michael.
Maxime Dubois wrote:
This solution was interesting but it seems that I need the private key of
the user certificate to sign the request
Yes, my fault. Use the old cert request.
You should store them for auditing reasons anyway.
Ciao, Michael.
[EMAIL PROTECTED] wrote:
I created a cert with the host name known as www.evilempire.com
and netscape was quite happy to accept it and never reported that
the URL I typed in does not match the name carried within the cert.
You're wrong. Even those old Netscape Navigator 4.0x certainly asks
Robert Hannemann wrote:
I've generated a Certificate with DER encoding and add it to an LDAP
Directory User Entry. When i search the LDAPentry with Netscape
Addressbook, the Attributes of the Result looks good, but the
Certificate is displayed as an binary string like :
[EMAIL PROTECTED] wrote:
Ng Pheng Siong wrote:
Hi,
I've gotten a few messages about M2Crypto not working on
Linux (Red Hat
7.1, SuSe 7.1) because undefined symbol: EVP_rc5_32_12_16_ofb.
I understand the packaged OpenSSL on those platforms are versions of
0.9.6.
I don't have
haikel wrote:
I need to develop an application that allows me to update, automatically,
netscape and IE with new certificates and private keys.
IMHO this is not possible in general since the user's certificate
and key database is hopefully protected with his/her passphrase.
If you want to
StarTux wrote:
[EMAIL PROTECTED] wrote:
We should be able to deal with this problem ourselves because it
affects us often enough.
Yes. :-(
Any suggestions how?
Who has admin rights to the list? Anyone with admin rights should be
able to nuke anyone off of the list quietly and
Steffen Dettmer wrote:
I'm setting up a CA using openssl and mod_ssl for Apache.
I'm writing some perl scripts for standard jobs, like:
- Certificate verifying with Netscape (nsRevocationUrl in v3 SSL ext)
- Certificate distributing (a cert list sorted by DN hierarchy)
where an user
HI!
I'm working on a CA framework which takes all parameters from
openssl.cnf. I want to write a (Python) script which does all of the CA
certificate stuff.
In order to generate a whole CA hierarchies (Root-CA signs other CA's)
there should be a parameter in the openssl.cnf which CA is signed by
HI!
I would like to announce a new beta release of pyca, a set of scripts
and CGI-BIN programs for setting up and running a certificate authority
using OpenSSL.
See
http://sites.inka.de/ms/python/pyca/
for further details. Unfortunately there's no real documentation
available up to now and
Phil Tracy wrote:
At 04:33 AM 4/27/99 , you wrote:
I would like to announce a new beta release of pyca, a set of scripts
and CGI-BIN programs for setting up and running a certificate authority
using OpenSSL.
Thanks for the contribution! It looks great so far. I'm just getting started
Raul Gutierrez wrote:
I am installing the pyCA package
and when i run from the browser the
ca-index.py script i get the following error:
Internal Server Error
When i saw the error log i saw the following:
[..]
Traceback (innermost last):
File
Erwann ABALEA wrote:
On Tue, 13 Jul 1999, Radovan Semancik wrote:
I have problem with OpenSSL generated certificates. MSIE 4 and MSIE 5
both say that this certificate has expired:
[..]
- the server/client certificate has a notAfterDate that falls AFTER the
CA's one... It's
CASTELAIN Didier wrote:
Is there a Certificate server in Freeware or for a trial period ?
Have a look at:
http://www.openssl.org/related/apps.html
Ciao, Michael.
ssl wrote:
On Mon, 30 Aug 1999, Michael Ströder wrote:
ssl wrote:
below the cert info, you'll see the "Check Certificate Status" button,
[..]
By this method, the cert must have "nsRevocationUrl" pointing
to a cgi to check it.
This on-line certif
HI!
I'm currently having a hard time integrating support for MS Internet
Explorer 4+ into my poor man's CA package pyCA.
I managed to generate a certificate request and get the issued
certificate installed into IE with some small VBScript code.
But I have several questions:
1. MS IE accepts
"Salz, Rich" wrote:
type of certificate to publish in an LDAP directory for support of
S/MIME,
etc. Are there any strong feelings about X.509 vs. PKCS12 (or others)
or
encoding types?
I thought everyone used the DER representation of the X.509 certificate
structure. (That is what
HI!
Please, can we stop the off-topic discussion here?
We have enough to read all day.
Ciao, Michael.
Gideon Serfontein wrote:
I am having a problem signing a Microsoft IE certificate ,
[..]
If anyone can help me , or has gotten the Xenroll.dll to work , please
let me know.
I can send you a gzipped tar-ball with a snapshot of pyCA
(http://sites.inka.de/ms/python/pyca/) which does include
Hi Mike,
yes, you are on the wrong mailing-list.
Mike Bartlett wrote:
I was under the impression that OpenSSL was an SSL mod
to Apache BASED ON SSLEAY and hence should have its own method or
similar method to getca. Any idea where getca is - should I install
something else?
No. OpenSSL
"Rubinstein, Dmitry" wrote:
will have any hits from 'mil' TLD.
[..]
I've got 1768 total hits for 3 months
[..]
Have many hits and good luck unveiling the NSA conspiracy!
[..]
BTW, the military guy must have found your site pretty dull, if there
were no more hits... ;-)
(Sigh!) I only
HI!
I read the mod_ssl-README about Server Gated Cryptography / Global
Server IDs. Well, that seems interesting to me. I created a server cert
for a Notes/Domino Server 4.61 with X.509v3 attributes msSGC and nsSGC
set. But the Domino Server seems not to accept the certificate. Does
somebody has
Eric Rescorla wrote:
Technically, they're both correct.
This posting is sent to the list several times.
Can someone stop this please?
Ciao, Michael.
"Pablo J. Royo" wrote:
I'm using this cert from Baltimore with openssl0.9.5a.
This question is for openssl-users not openssl-dev.
I don't know why they generate PEM certs with 76 chars in each line,
instead of 64 as everybody does.
Should be no problem. Depends on their base64 lib.
If
Graham Leggett wrote:
On 13 Apr 2014, at 12:25 PM, Hanno Böck ha...@hboeck.de wrote:
I wasn't really sure where to ask this, but I think this list is
appropriate.
While having read so much about heartbleed, one question stays
unanswered for me all the time:
What's the use of this
Graham Leggett wrote:
On 13 Apr 2014, at 2:04 PM, Michael Ströder mich...@stroeder.com wrote:
No, it does *not* answer the question.
The question was: Who is currently using it?
Just to clarify any possible confusion, whether or not a piece of software
actively uses the heartbeat makes
Alexandre Arantes wrote:
one of them asked me why did I choose not to add the client hostname to the
Client Certificate, thus making it usable only by that specific client.
There are no standardized naming rules for client certs like the TLS server
hostname check implemented at the client
Walter H. wrote:
> On Thu, October 29, 2015 11:07, Jakob Bohm wrote:
>> She (Eve) would know that the requesting party Alice
>> was talking to Bob at the very moment she sent Trent
>> the OCSP *request* for Bob's certificate.
>>
>> [...] equivalent of having (almost complete) real time
>> copies
Walter H. wrote:
> On 28.10.2015 16:44, Jakob Bohm wrote:
>> On 27/10/2015 21:21, Walter H. wrote:
>>> On 26.10.2015 21:42, rosect...@yahoo.com wrote:
Hi, I need some help on this call.
I am building an OCSP client following guide in openssl and compile the
code in Cygwin
Walter H. wrote:
> On 30.10.2015 21:42, Michael Ströder wrote:
>> Walter H. wrote:
>>> On Thu, October 29, 2015 11:07, Jakob Bohm wrote:
>>>> She (Eve) would know that the requesting party Alice
>>>> was talking to Bob at the very moment she sent Trent
>
Walter H. wrote:
> On 31.10.2015 13:01, Michael Ströder wrote:
>> Walter H. wrote:
>>> On 30.10.2015 21:42, Michael Ströder wrote:
>>>> Walter H. wrote:
>>>>> On Thu, October 29, 2015 11:07, Jakob Bohm wrote:
>>>>>> She (Eve) would
Tom Browder wrote:
> I plan to tidy my automation before the issue of new certs, but I wonder
> how critical it is to ensure unique certificate serial numbers given that
> the certs are only used for us. I'm not even sure I'll ever revoke any
> cert (they were issued to expire sometime in 2030).
Robert Moskowitz wrote:
> On 08/11/2017 02:47 PM, Dr. Stephen Henson wrote:
>> On Fri, Aug 11, 2017, Robert Moskowitz wrote:
>>
>>> I would want the 'openssl req' command to prompt for hwType and
>>> hsSerialNum. At least for now.
>>>
>> Note that you can't get the 'openssl req' command prompt
Robert Moskowitz wrote:
> I am getting a SAN in the csr e.g.:
>
> Attributes:
> Requested Extensions:
> X509v3 Subject Alternative Name:
> IP Address:192.168.2.1
> [..]
> But I am not getting SAN in the cert. Perhaps I need something for SAN in the
>
Sanjaya Joshi wrote:
> I use openldap_2.3.39 to initiate secure LDAP connection (starttls) to
> external LDAP
> server. The used openssl version is 1.0.2k.
I'm not sure whether OpenSSL 1.0.2k is even usable with this ancient OpenLDAP
version.
Especially it was set to historic status by the
Colony.three via openssl-users wrote:
> I've set mine to test this comprehensively. (Apache and NginX) With
> Apache Firefox -ignores- server-prescribed ciphers and chooses an EC.
> NginX does properly prevail with the algo. Was this an accident, Apache?
I'd suggest to read the Apache httpd
Michael Richardson wrote:
>
> Jakob Bohm wrote:
> >> I wanted to know when we use engine instance for encryption/decryption
> >> operation, can it be done selectively?
>
> > Please beware that many TPM chips were recently discovered to contain a
> > broken
Viktor Dukhovni wrote:
>> On Jan 19, 2018, at 10:09 PM, Frank Migge wrote:
>>
Object 04: X509v3 Extended Key Usage: TLS Web Server Authentication
>>
>> This is where I would check first.
>>
>> I am not fully sure, but believe that Extended Key Usage should *not* be
>>
On 12/6/18 11:56 PM, Jakob Bohm via openssl-users wrote:
> Different levels of certainty is the point.
Which never worked well in practice, no matter how hard people tried to
clearly define levels of certainty.
Ciao, Michael.
--
openssl-users mailing list
To unsubscribe:
On 12/7/18 11:44 PM, Michael Wojcik wrote:
> Homograph attacks combined with phishing would be much cheaper and
> easier. Get a DV certificate from Let's Encrypt for anazom.com or
> amazom.com, or any of the Unicode homograph possibilities
> Part of the point of EV certificates was supposed to be
On 12/6/18 10:03 AM, Jakob Bohm via openssl-users wrote:
> On 05/12/2018 17:59, Viktor Dukhovni wrote:
>> IIRC Apple's Safari is ending support for EV, and some say that EV
>> has failed, and are not sorry to see it go.
>
> This is very bad for security. So far the only real failures have
> been:
HI!
Does anybody know an engine implementation which delegates private key
operations to a running key agent listening on a Unix domain socket?
Similar like ssh-agent or gpg-agent but available for applications using
OpenSSL API.
Ciao, Michael.
On 6/18/20 9:12 AM, Williams, Gareth wrote:
> I can successfully add a multi-value RDN to the Subject of a
> certificate request using the + format in the config file:
> [..]
> However, if I add a SAN to the request:
> [..]
> the resulting request has them as separate RDNs (as if the + is not
>
On 3/10/22 14:06, edr dr wrote:
I would like to be able to automate the process of updating CRLs in
order to be able to keep the CRL validity time short.
Understandable.
At the same time, I do not want to store passwords used for
certificate creation in cleartext anywhere.
It's a pity that
On 9/18/22 06:09, Philip Prindeville wrote:
On Sep 15, 2022, at 4:27 PM, Michael Wojcik via openssl-users
wrote:
You still haven't explained your threat model, or what mitigation
the application can take if this requirement is violated, or why
you think this is a "best practice".
The threat
94 matches