Re: Understanding -x509 option

On 12/20/2012 03:44 AM, Dave Thompson wrote: From: owner-openssl-us...@openssl.org On Behalf Of Robert Moskowitz Sent: Wednesday, 19 December, 2012 22:24 ... I am trying better to understand ... creating a mailserver (postfix) cert. I am looking at a couple templets. The one at postfix.org

Re: Understanding -x509 option

Left out response to -nodes option... On 12/20/2012 03:44 AM, Dave Thompson wrote: From: owner-openssl-us...@openssl.org On Behalf Of Robert Moskowitz Sent: Wednesday, 19 December, 2012 22:24 ... I am trying better to understand ... creating a mailserver (postfix) cert. I am looking

Re: Understanding -x509 option

On 12/20/2012 06:52 PM, Dave Thompson wrote: From: owner-openssl-us...@openssl.org On Behalf Of Robert Moskowitz Sent: Thursday, 20 December, 2012 08:24 Left out response to -nodes option... On 12/20/2012 03:44 AM, Dave Thompson wrote: openssl req -new -nodes -keyout foo-key.pem -out foo

Displaying cert content

OK. I am swamped. What is the command to display the cert content? I see openssl asn1parse -in file.cert but although I can read ASN1 cruft, I would like a nicer output. thanks __ OpenSSL Project

Re: Displaying cert content

On 12/20/2012 08:49 PM, Patrick Patterson wrote: Hi Robert: On 2012-12-20, at 8:05 PM, Robert Moskowitz wrote: OK. I am swamped. What is the command to display the cert content? openssl x509 -in cert.pem -text -noout. Great just what I was looking

problem with self-signed crt in Apache

Hello, I am running on Centos 6.3 where it looks like Openssl is 1.0.0-25 I am creating my cert with: openssl req -new -outform PEM -out certs/test.htt-consult.com.crt -newkey rsa:2048 -nodes -keyout private/test.htt-consult.com.key -keyform PEM -days 3650 -x509 This prompts me for the

Solved - Re: problem with self-signed crt in Apache

is displayed. Firefox shows DN content how I would expect it. On 12/31/2012 05:01 PM, Robert Moskowitz wrote: Hello, I am running on Centos 6.3 where it looks like Openssl is 1.0.0-25 I am creating my cert with: openssl req -new -outform PEM -out certs/test.htt-consult.com.crt -newkey rsa:2048 -nodes

BasicConstraints - Re: problem with self-signed crt in Apache

: From: owner-openssl-us...@openssl.org On Behalf Of Robert Moskowitz Sent: Monday, 31 December, 2012 17:02 I am running on Centos 6.3 where it looks like Openssl is 1.0.0-25 I am creating my cert with: openssl req -new -outform PEM -out certs/test.htt-consult.com.crt -newkey rsa:2048 -nodes -keyout

Re: BasicConstraints - Re: problem with self-signed crt in Apache

On 01/02/2013 11:45 PM, Dave Thompson wrote: From: Robert Moskowitz [mailto:r...@htt-consult.com] Sent: Wednesday, 02 January, 2013 12:12 As I indicated, part of my problem is the default ssl.conf for apache points to localhost.crt (built at firstboot) and I changed my hostname which does

Displaying cert with ecdsa

I have a CA cert in pem format that uses ecdsa. I have tried to display the contents with: openssl x509 -in x509-ca.pem -text -nameopt multiline -noout I get errors: Subject Public Key Info: Public Key Algorithm: id-ecPublicKey Unable to load Public Key

Re: Displaying cert with ecdsa

On 08/14/2013 05:37 PM, Dave Thompson wrote: From: owner-openssl-us...@openssl.org On Behalf Of Robert Moskowitz Sent: Wednesday, 14 August, 2013 15:49 I have a CA cert in pem format that uses ecdsa. I have tried to display the contents with: openssl x509 -in x509-ca.pem -text -nameopt

[openssl-users] EDDSA certificates

Does any version of OpenSSL provide support for EDDSA, particularly creating and displaying the content of them? Right now my interest is seeing what is involved in creating them with EC25519 and evaluating their size and how they parse. Or meet me at the IETF and talk to me about them.

Re: [openssl-users] EDDSA certificates

On 03/16/2017 04:04 PM, Salz, Rich via openssl-users wrote: Does any version of OpenSSL provide support for EDDSA, particularly creating and displaying the content of them? Not yet. EDDSA for 25519 and 448 would be great to have in the next relese, tho. Let's talk about it at IETF. --

Re: [openssl-users] scripting creating a cert

Jan, On 03/09/2017 08:06 PM, Jan Danielsson wrote: On 03/10/17 00:49, Robert Moskowitz wrote: [---] Is there some 'simple' way to provide these answers? Like with env variables? I tend do create response files (one response per line) and then simply pipe to openssl: $ cat foo.params

[openssl-users] scripting creating a cert

I am creating self-signed certs with: openssl req -new -outform PEM -out certs/$your_host_tld.crt -newkey rsa:2048 -nodes -keyout private/$your_host_tld.key -keyform PEM -days 3650 -x509 -extensions v3_req Where, for example: your_host_tld=z9m9z.test.htt-consult.com Thing is that this then

Re: [openssl-users] scripting creating a cert

Hi, Rich. Fancy meeting you here. On 03/09/2017 07:33 PM, Salz, Rich via openssl-users wrote: Yes there are easier ways to do this. Set up a conf file and use it (via the -conf flag). You can use env vars, set default values, and so on. Look at the config manpages,

Re: [openssl-users] scripting creating a cert

Viktor, On 03/09/2017 08:17 PM, Viktor Dukhovni wrote: On Mar 9, 2017, at 6:49 PM, Robert Moskowitz <r...@htt-consult.com> wrote: I am creating self-signed certs with: openssl req -new -outform PEM -out certs/$your_host_tld.crt -newkey rsa:2048 -nodes -keyout private/$your_host_t

Re: [openssl-users] scripting creating a cert

On 03/09/2017 08:53 PM, Viktor Dukhovni wrote: On Mar 9, 2017, at 8:43 PM, Robert Moskowitz <r...@htt-consult.com> wrote: $ umask 077 # avoid world-readable private keys Perhaps (no perhaps about it) this is old information, but I picked up that I needed: chmod 640 for the privat

Re: [openssl-users] scripting creating a cert

Very nice. But this looks like it as part of the whole easyRSA effort, not something I can easily feed into the openssl command to create the cert. It would take a fair bit of digging to dig out what I need for now. Definitely something I will look into soon, as providing a simple PKI for a

Re: [openssl-users] scripting creating a cert

Viktor, On 03/09/2017 05:53 PM, Viktor Dukhovni wrote: On Mar 9, 2017, at 8:43 PM, Robert Moskowitz <r...@htt-consult.com> wrote: $ umask 077 # avoid world-readable private keys Perhaps (no perhaps about it) this is old information, but I picked up that I needed: chm

Re: [openssl-users] 802.1AR certificate generation and the config file

On 08/11/2017 02:39 PM, Dr. Stephen Henson wrote: On Fri, Aug 11, 2017, Robert Moskowitz wrote: Frustrated... On 08/11/2017 11:14 AM, Salz, Rich via openssl-users wrote: My challenge comes to subjectAltName and its subfield hardwareModuleName per RFC 4108. I guess I am not 'getting

Re: [openssl-users] 802.1AR certificate generation and the config file

Frustrated... On 08/11/2017 11:14 AM, Salz, Rich via openssl-users wrote: My challenge comes to subjectAltName and its subfield hardwareModuleName per RFC 4108. I guess I am not 'getting' the subjectAltName section of 'man x509v3_config'. Not all forms of SAN names are supported. If you

Re: [openssl-users] 802.1AR certificate generation and the config file

On 08/11/2017 02:47 PM, Dr. Stephen Henson wrote: On Fri, Aug 11, 2017, Robert Moskowitz wrote: I would want the 'openssl req' command to prompt for hwType and hsSerialNum. At least for now. Note that you can't get the 'openssl req' command prompt for this but you can generate

Re: [openssl-users] 802.1AR certificate generation and the config file

Why thank you, Viktor. Let's see if I can get this right from RFC4108 On 08/11/2017 12:47 PM, Viktor Dukhovni wrote: On Fri, Aug 11, 2017 at 03:29:25PM +, Salz, Rich via openssl-users wrote: In the certificate extensions section you do something like: subjectAltName =

Re: [openssl-users] 802.1AR certificate generation and the config file

Sigh. Well let's see want I can get done on this by the next IEEE802/IETF week pair. On 08/11/2017 11:56 AM, Salz, Rich wrote: What is the procedure to get it added. RFC 4108 has been around for a while, as has 802.1AR-2009. Simplest way is to (get someone to) write the code and make a

Re: [openssl-users] Displaying subjectAtlName othername content

On 08/14/2017 02:04 PM, Salz, Rich via openssl-users wrote: ➢ Is there anyway to display the basic ASN.1 structure here so I can see what was stored in the cert? openssl asn1parse Humpf. I looked at that a few times and did not see the obvious. Sigh. So some progress. using -i

[openssl-users] Displaying subjectAtlName othername content

I am now working on using the othername option. I see it go in, but I can't display it. All I get is: X509v3 Subject Alternative Name: othername: I seem to recall encountering some way to display this in a google search, but I have not found that search yet in my

Re: [openssl-users] Displaying subjectAtlName othername content

On 08/14/2017 03:28 PM, Jakob Bohm wrote: On 14/08/2017 20:55, Robert Moskowitz wrote: On 08/14/2017 02:04 PM, Salz, Rich via openssl-users wrote: ➢ Is there anyway to display the basic ASN.1 structure here so I can see what was stored in the cert? openssl asn1parse Humpf. I

[openssl-users] Password protect EC private key

I am following: https://jamielinux.com/docs/openssl-certificate-authority/create-the-root-pair.html But modifying it to produce ECDSA certs. So the first step is to make the private key. Jamie says: openssl genrsa -aes256 -out private/ca.key.pem 4096 The -aes256 option supposedly password

Re: [openssl-users] Password protect EC private key

On 08/10/2017 04:26 PM, Viktor Dukhovni wrote: On Thu, Aug 10, 2017 at 03:17:02PM -0400, Robert Moskowitz wrote: Are you sure you want secp256k1? By far the more common choice is prime256r1 (aka P-256 or secp256r1). Do you mean prime256v1? Yes, it is the primary name in OpenSSL

Re: [openssl-users] Password protect EC private key

Thank you, Viktor. On 08/10/2017 02:27 PM, Viktor Dukhovni wrote: On Thu, Aug 10, 2017 at 12:03:31PM -0400, Robert Moskowitz wrote: openssl ecparam -name secp256k1 -genkey -noout -out private/ca.key.pem But openssl ecparam does not have any option equivalent (that I can find) to -aes256

Re: [openssl-users] 802.1AR certificate generation and the config file

Thanks for the response, Rich. On 08/11/2017 11:14 AM, Salz, Rich via openssl-users wrote: My challenge comes to subjectAltName and its subfield hardwareModuleName per RFC 4108. I guess I am not 'getting' the subjectAltName section of 'man x509v3_config'. Not all forms of SAN names are

Re: [openssl-users] 802.1AR certificate generation and the config file

On 08/11/2017 11:29 AM, Salz, Rich wrote: Given these supported names, what goes into the config file to create a SAN without having to specify it on the command line? In the certificate extensions section you do something like: subjectAltName = dns:www.example.com, IP:127.0.0.1 and

[openssl-users] 802.1AR certificate generation and the config file

Now that I can build a generic PKI with EDDSA, the next step is to add creation of 802.1AR iDevID certificates. I am using the current draft, sec 8, 802.1ARce-d2-2, but for this purpose it is essentially the same (but clearer written) as sec 7, 802.1AR-2009. I start with making the following

Re: [openssl-users] 802.1AR certificate generation and the config file

] # Extensions for IEEE 802.1AR iDevID certificates (`man x509v3_config`). basicConstraints = CA:FALSE authorityKeyIdentifier = keyid,issuer:always keyUsage = critical, digitalSignature, keyEncipherment On 08/12/2017 10:28 AM, Michael Ströder wrote: Robert Moskowitz wrote: On 08/11/2017 02:47 PM

Re: [openssl-users] 802.1AR certificate generation and the config file

On 08/14/2017 07:16 AM, Michael Ströder wrote: Robert Moskowitz wrote: I am getting a SAN in the csr e.g.: Attributes: Requested Extensions: X509v3 Subject Alternative Name: IP Address:192.168.2.1 [..] But I am not getting SAN in the cert

[openssl-users] Implementing deprecation of commonname and emailaddress

I have skimmed through a few RFCs following today's postings and a few web sites. It would seem to me that I should: Remove commonName and emailAddress completely from the cnf file. They no longer belong in any cert, root or intermediate CA certs, server or user certs. For servers include

Re: [openssl-users] Personal CA: are cert serial numbers critical?

On 08/16/2017 05:01 PM, Salz, Rich via openssl-users wrote: There’s no such requirement. It MUST be at most 20 octets long. > >> - Serial numbers contain cryptographically strong random bits, currently at >> least 64 random bits, though it is best if the entire serial number

Re: [openssl-users] Password protect EC private key

On 08/10/2017 02:27 PM, Viktor Dukhovni wrote: On Thu, Aug 10, 2017 at 12:03:31PM -0400, Robert Moskowitz wrote: openssl ecparam -name secp256k1 -genkey -noout -out private/ca.key.pem But openssl ecparam does not have any option equivalent (that I can find) to -aes256 Yes, this command

Re: [openssl-users] EDDSA certificates

Rich, Meant to ask you about this at IETF. Given draft-ietf-curdle-pkix-05.txt sec 10, is there openssl code to produce these??? And, relatedly, what do you think about CBOR encoding rather than ASN.1? Kill ASN.1 in constrained devices and save on transmission costs? Thanks Bob On

Re: [openssl-users] EDDSA certificates

19 thanks. On 07/27/2017 10:45 AM, Benjamin Kaduk wrote: On 07/27/2017 09:18 AM, Robert Moskowitz wrote: Rich, Meant to ask you about this at IETF. Given draft-ietf-curdle-pkix-05.txt sec 10, is there openssl code to produce these??? There is code to validate them,

Re: [openssl-users] EDDSA certificates

Ah, thanks for the explanation Rich. On 08/08/2017 11:19 AM, Salz, Rich via openssl-users wrote: We don't add features to released versions, just bug-fixes. Ladar has posted a patch for 1.0.2 for those do-it-yourselfers who are so inclined. The 'master' branch, which will become 1.1.1 at

[openssl-users] Howto to create a PKI with Openssl command line

I want to build a PKI structure of a root CA, intermediate CA(s), and user and server certs. So I went looking for some guidance and found: https://jamielinux.com/docs/openssl-certificate-authority/create-the-root-pair.html Anything else out there? The certs will all be ECDSA, P256 SHA256.

Re: [openssl-users] Howto to create a PKI with Openssl command line

Thanks Rich, I will take a look at this also. Bob On 08/09/2017 09:49 AM, Salz, Rich via openssl-users wrote: https://www.openssl.org/~rsalz/pki.tgz but only a root and end-entity. Adding an intermediate should not be incredible difficult :) -- openssl-users mailing list To unsubscribe:

Re: [openssl-users] Cant seem to get prompt no to work

On 08/18/2017 01:16 PM, Dr. Stephen Henson wrote: On Thu, Aug 17, 2017, Robert Moskowitz wrote: In the [ ca ] section I have: prompt = no If I leave the = out I get an error, so I am assuming I got the format of this right. Then I have [ req ] distinguished_name

[openssl-users] Pilgrims progress

I have made it through the basics. Thanks for all the help. The fruits of my labor can be found at: http://www.htt-consult.com/pki under roll your own CA and 802.1AR There is a link there for my current 'lessons learned'. I will be adding more to this:

Re: [openssl-users] Cant seem to get prompt no to work

On 08/17/2017 05:38 PM, Salz, Rich wrote: declare -x organizationalUnitName="" routines:ASN1_mbstring_ncopy:string too short:a_mbstr.c:151:minsize=1 You are setting an empty OU. You should not set it and see if that works organizationalUnitName = "." puts a . in it. So I have to

Re: [openssl-users] Cant seem to get prompt no to work

On 08/17/2017 07:01 PM, Jakob Bohm wrote: On 18/08/2017 00:09, Robert Moskowitz wrote: On 08/17/2017 05:38 PM, Salz, Rich wrote: declare -x organizationalUnitName="" routines:ASN1_mbstring_ncopy:string too short:a_mbstr.c:151:minsize=1 You are setting an empty OU. You shou

Re: [openssl-users] Cant get the subjectALtName inot the root cert

On 08/17/2017 06:38 PM, Jeffrey Walton wrote: On Thu, Aug 17, 2017 at 6:30 PM, Robert Moskowitz <r...@htt-consult.com> wrote: I guess I am making progress. I am not getting SAN into the root cert. my cnf has in it: [ req ] # Options for the `req` tool (`man req`). defaul

Re: [openssl-users] Cant seem to get prompt no to work

On 08/17/2017 04:17 PM, Robert Moskowitz wrote: On 08/17/2017 04:09 PM, Salz, Rich wrote: Use the –batch flag to avoid all prompting I commented out the prompt line and tried again: openssl req -config openssl-root.cnf -key private/ca.key.pem \ > -new -x509 -days 7300 -sha

Re: [openssl-users] Cant seem to get prompt no to work

On 08/17/2017 04:17 PM, Robert Moskowitz wrote: On 08/17/2017 04:09 PM, Salz, Rich wrote: Use the –batch flag to avoid all prompting I commented out the prompt line and tried again: openssl req -config openssl-root.cnf -key private/ca.key.pem \ > -new -x509 -days 7300 -sha

[openssl-users] Cant get the subjectALtName inot the root cert

I guess I am making progress. I am not getting SAN into the root cert. my cnf has in it: [ req ] # Options for the `req` tool (`man req`). default_bits= 2048 prompt = no distinguished_name = req_distinguished_name string_mask = utf8only req_extensions =

Re: [openssl-users] Cant seem to get prompt no to work

ARGH!!! On 08/17/2017 05:38 PM, Salz, Rich wrote: declare -x organizationalUnitName="" routines:ASN1_mbstring_ncopy:string too short:a_mbstr.c:151:minsize=1 You are setting an empty OU. You should not set it and see if that works So now I have to figure out how to handle an empty

Re: [openssl-users] Personal CA: are cert serial numbers critical?

On 08/16/2017 01:12 PM, Viktor Dukhovni wrote: On Aug 16, 2017, at 12:52 PM, Robert Moskowitz <r...@htt-consult.com> wrote: Which is also a problem in openssl. You have to put the SAN into the cnf file. There are a number of hacks to do this from the command line. Yep. For an ap

Re: [openssl-users] Personal CA: are cert serial numbers critical?

On 08/16/2017 10:51 AM, Jakob Bohm wrote: On 16/08/2017 16:32, Tom Browder wrote: On Wed, Aug 16, 2017 at 08:36 Salz, Rich via openssl-users > wrote: ➢ So, in summary, do I need to ensure cert serial numbers are unique for

Re: [openssl-users] Personal CA: are cert serial numbers critical?

On 08/16/2017 11:58 AM, Erwann Abalea via openssl-users wrote: Bonjour, Le 16 août 2017 à 16:51, Jakob Bohm a écrit : On 16/08/2017 16:32, Tom Browder wrote: On Wed, Aug 16, 2017 at 08:36 Salz, Rich via openssl-users

Re: [openssl-users] Personal CA: are cert serial numbers critical?

On 08/16/2017 05:01 PM, Salz, Rich via openssl-users wrote: There’s no such requirement. It MUST be at most 20 octets long. > >> - Serial numbers contain cryptographically strong random bits, currently at >> least 64 random bits, though it is best if the entire serial number

[openssl-users] FINAL simpler solution - Re: Solved - Re: Cant get the subjectALtName inot the root cert

openssl-root.cnf -key private/ca.key.pem \ -new -x509 -days 7300 -sha256 -extensions v3_ca -out certs/ca.cert.pem On 08/17/2017 09:52 PM, Robert Moskowitz wrote: It IS working with -selfsign. So this step is done. openssl ca -config openssl-root.cnf -extensions v3_ca -days 7300 -notext

Re: [openssl-users] Solved - Re: Cant get the subjectALtName inot the root cert

:18: 5b:02:21:00:8b:f1:52:ea:dd:44:88:a6:ee:43:cd:29:52:e4: 27:57:ee:52:a2:47:86:6f:9e:11:9d:7d:72:a5:08:82:8f:14 On 08/17/2017 09:23 PM, Robert Moskowitz wrote: NO does not work. It worked because I had the old root CA cert there. Without it it fails. I tried adding

Re: [openssl-users] Cant seem to get prompt no to work

On 08/19/2017 04:00 AM, Peter Sylvester wrote: On 08/18/2017 07:16 PM, Dr. Stephen Henson wrote: On Thu, Aug 17, 2017, Robert Moskowitz wrote: In the [ ca ] section I have: prompt = no If I leave the = out I get an error, so I am assuming I got the format of this right. Then I have

Re: [openssl-users] Cant get openssl x509 to work as documented

On 08/22/2017 10:53 AM, Salz, Rich via openssl-users wrote: > SHA256 is not listed as a valid hash. Many more X.509 digest algorithms are supported in this context than (sadly) are listed in the manpage. Perhaps there should be a command that lists all supported x.509 hash

Re: [openssl-users] Clearing up some of my mistakes on serial number

On 08/20/2017 09:50 AM, Salz, Rich via openssl-users wrote: If you generate 19 bytes or RAND output, it will never exceed 20 bytes encoded. OpenSSL will be generating 159 bits of RAND output, so that it will never exceed 20 bytes encoded. The command-line RAND program is bytes, the C API is

Re: [openssl-users] Clearing up some of my mistakes on serial number

On 08/20/2017 09:32 AM, Viktor Dukhovni wrote: On Aug 20, 2017, at 8:35 AM, Robert Moskowitz <r...@htt-consult.com> wrote: It is 64 - 160 BITS Correct, with the word "cryptographically random" somewhere in there, for at least 64 of the bits. Which is 8 - 20 OCTETS Correct,

Re: [openssl-users] Cant get openssl x509 to work as documented

Want to continue this thread but with new information. I built a Fedora-arm 26 system (on a Cubieboard2) and it has openssl version 1.1.0f I built my DER root cert (and private key) no problem. I built my DER Intermediate cert private key and CSR no problem. For the following command: sn=8

Re: [openssl-users] Cant get openssl x509 to work as documented

into a complex bootstrap process that I don't totally agree with. And NETCONF is doing their flavor of it. Sigh. The IETF CORE wg is looking at this too. I have to munch on this problem a lot more. Bob On 08/22/2017 10:19 AM, Viktor Dukhovni wrote: On Aug 21, 2017, at 9:02 PM, Robert

Re: [openssl-users] Implementing deprecation of commonname and emailaddress

On 08/17/2017 12:56 AM, Jeffrey Walton wrote: On Thu, Aug 17, 2017 at 12:28 AM, Robert Moskowitz <r...@htt-consult.com> wrote: I have skimmed through a few RFCs following today's postings and a few web sites. It would seem to me that I should: Remove commonName and emailAddress comp

[openssl-users] More on cert serialnumbers

I have been researching serial number in cert based on Jakob's comment: "- Serial numbers are *exactly* 20 bytes (153 to 159 bits) both as standalone numbers and as DER-encoded numbers. Note that this is not the default in the openssl ca program. - Serial numbers contain cryptographically

[openssl-users] keyusage digitalSignature in CA certs

Should digitalSignature be included in keyusage in CA certs? https://jamielinux.com/docs/openssl-certificate-authority/create-the-root-pair.html Includes it.

Re: [openssl-users] More on cert serialnumbers

On 08/17/2017 10:50 AM, Salz, Rich via openssl-users wrote: And RFC 5280, which is still the standard, says serial# must be <= 20 bytes. Which means, you want to make sure the high bit is off, else the DER encoding will make it 21 bytes. So the new –rand_serial flag I am adding to the CA

Re: [openssl-users] More on cert serialnumbers

On 08/17/2017 10:49 AM, Karl Denninger wrote: On 8/17/2017 09:40, Robert Moskowitz wrote: I have been researching serial number in cert based on Jakob's comment: "- Serial numbers are *exactly* 20 bytes (153 to 159 bits) both as standalone numbers and as DER-encoded numbers.

Re: [openssl-users] Implementing deprecation of commonname and emailaddress

Viktor, thanks for the reply. On 08/17/2017 11:15 AM, Viktor Dukhovni wrote: On Thu, Aug 17, 2017 at 12:56:20AM -0400, Jeffrey Walton wrote: Remove commonName and emailAddress completely from the cnf file. They no longer belong in any cert, root or intermediate CA certs, server or user

Re: [openssl-users] More on cert serialnumbers

Erwann, thank you for your response. On 08/17/2017 11:29 AM, Erwann Abalea via openssl-users wrote: Bonjour, Le 17 août 2017 à 17:10, Robert Moskowitz <r...@htt-consult.com> a écrit : On 08/17/2017 10:50 AM, Salz, Rich via openssl-users wrote: And RFC 5280, which is still the st

Re: [openssl-users] Throwing in the towel on ENV for DN

On 08/18/2017 08:46 AM, Salz, Rich via openssl-users wrote: This has been a long email thread. Can you open a github issue and summarize the improvements you think we should make? Thanks. And thanks for your patience! When I get through the "lessons learned" step, I will ask you how to

Re: [openssl-users] Throwing in the towel on ENV for DN

On 08/18/2017 08:48 AM, Jeffrey Walton wrote: It is coming down that I would need a unique cnf for each cert type, rather than one per signing CA. Things just don't work well without prompting or very consistent DN content. So I am going to pull most of my. ENV. I am leaving it in for dir

[openssl-users] Solved - Re: Cant get the subjectALtName inot the root cert

sha256 in both? Could benefit from some refinement. Or getting the 1 step working. Good enough for now! Bob On 08/17/2017 06:38 PM, Jeffrey Walton wrote: On Thu, Aug 17, 2017 at 6:30 PM, Robert Moskowitz <r...@htt-consult.com> wrote: I guess I am making progress. I am not getti

Re: [openssl-users] Solved - Re: Cant get the subjectALtName inot the root cert

NO does not work. It worked because I had the old root CA cert there. Without it it fails. I tried adding -selfsign and that did something, but did not create a trusted cert... On 08/17/2017 08:44 PM, Robert Moskowitz wrote: Kind of... Does not put SAN in CA cert: openssl req -config

[openssl-users] Throwing in the towel on ENV for DN

Jakob had it right On 08/17/2017 07:01 PM, Jakob Bohm wrote: Given all these problems with the Distinguished Name prompting mechanism, just add the -subject option to the req command line (using appropriate environment variables in the shell script). Enjoy Jakob It is coming down that

Re: [openssl-users] keyusage digitalSignature in CA certs

Thank you for your response. I am basically skipping 20 years of PKI development and trying to get to current best practices... On 08/17/2017 09:50 AM, Erwann Abalea via openssl-users wrote: Bonjour, Le 17 août 2017 à 15:20, Robert Moskowitz <r...@htt-consult.com> a écrit :

[openssl-users] Cant seem to get prompt no to work

In the [ ca ] section I have: prompt = no If I leave the = out I get an error, so I am assuming I got the format of this right. Then I have [ req ] distinguished_name = req_distinguished_name [ req_distinguished_name ] countryName = $ENV::countryName

Re: [openssl-users] Doubt regarding O-SSL and setting the duration of certificates

On 09/13/2017 09:39 AM, Salz, Rich via openssl-users wrote: An X509v3 certificate has “notBefore” and “notAfter” fields. If either of those is not present, then it is not an X509v3 certificate. The time marked by those fields is the validity period. If you want “never expires” X509v3

Re: [openssl-users] reading DER format public keys

On 09/15/2017 11:57 AM, Michael Richardson wrote: The PEM_* routines, as documented at: https://www.openssl.org/docs/man1.0.2/crypto/PEM_read_bio_PUBKEY.html do not claim to read DER format input. (Actually they don't say anything about DER). Ruby's library uses: pkey =

Re: [openssl-users] Doubt regarding O-SSL and setting the duration of certificates

On 09/13/2017 09:31 AM, Michael Richardson wrote: Robert Moskowitz <r...@htt-consult.com> wrote: > The devices never test out the lifetime of their certs. That is up to Exactly... (Do you think about the MacGyver/StarTrek/A-Team/Leverage/MissionImpossible plot line that g

[openssl-users] Why is this OCSP response reporting a hash using SHA1?

I am using the test responder: openssl ocsp -port 2560 -text -rmd sha256\ -index index.txt \ -CA certs/ca-chain.cert.pem \ -rkey private/$ocspurl.key.pem \ -rsigner certs/$ocspurl.cert.pem \ -nrequest 1 What is the SHA1 hash report about? It

[openssl-users] New version of draft-moskowitz-ecdsa-pki

-ecdsa-pki-01.txt Date: Fri, 08 Sep 2017 12:26:36 -0700 From: internet-dra...@ietf.org To: Robert Moskowitz <r...@labs.htt-consult.com>, Liang Xia <frank.xiali...@huawei.com>, Henk Birkholz <henk.birkh...@sit.fraunhofer.de>, Liang Xia <frank.xiali...@huawei.com> A n

Re: [openssl-users] Another problem with openssl x509 -req -- default_enddate

Dukhovni wrote: On Tue, Aug 29, 2017 at 05:36:34PM -0400, Robert Moskowitz wrote: Another problem. It is almost like it is not reading the CA selction? Not "almost", but actually as expected, since "openssl x509 -req" is not the ca(1) application. openssl x509 -req -

Re: [openssl-users] Another problem with openssl x509 -req -- default_enddate

On 08/30/2017 10:33 AM, Viktor Dukhovni wrote: On Wed, Aug 30, 2017 at 06:03:03AM -0400, Robert Moskowitz wrote: I woke up a little clearer head, and realized, that a truly constrained device won't even bother with DER, but just store the raw keypair. FWIW, Apple's boot firmware stores

Re: [openssl-users] Another problem with openssl x509 -req -- default_enddate

Viktor, On 08/30/2017 12:59 AM, Viktor Dukhovni wrote: On Wed, Aug 30, 2017 at 12:17:09AM -0400, Robert Moskowitz wrote: So back to openssl ca and deal with no way to directly create a DER formatted cert. Definitely a deficiency. Not really a deficiency, as the certificates in question need

[openssl-users] Not updating index.txt

I started out making certs from csrs with: openssl ca -config $dir/openssl-intermediate.cnf -extensions usr_cert -days 375 -notext -md sha256 \ -in $dir/csr/$clientemail.csr.$format -out $dir/certs/$clientemail.cert.$format And that worked well enough, but I found some limitations

Re: [openssl-users] Why is this OCSP response reporting a hash using SHA1?

On 09/11/2017 12:23 PM, Salz, Rich via openssl-users wrote: Ah, put -sha256 in the CLIENT request. Seems kind of backward. Or at least the server should have some control over the hash used? Well, it is the client that is making the request, so therefore the client

Re: [openssl-users] Why is this OCSP response reporting a hash using SHA1?

On 09/08/2017 10:08 PM, Dr. Stephen Henson wrote: On Fri, Sep 08, 2017, Robert Moskowitz wrote: I am using the test responder: openssl ocsp -port 2560 -text -rmd sha256\ -index index.txt \ -CA certs/ca-chain.cert.pem \ -rkey private/$ocspurl.key.pem

Re: [openssl-users] Testing OCSP with openssl

On 09/05/2017 11:59 AM, Dr. Stephen Henson wrote: On Tue, Sep 05, 2017, Robert Moskowitz wrote: Jamie Nugyen's guide uses openssl to test OCSP with 'openssl ocsp': https://jamielinux.com/docs/openssl-certificate-authority/online-certificate-status-protocol.html What is unclear here

[openssl-users] Problems with server mode of openssl ocsp

Good progress. A few questions: on https://jamielinux.com/docs/openssl-certificate-authority/online-certificate-status-protocol.html The sample server test command is: openssl ocsp -port 127.0.0.1:2560 -text -sha256 \ -index intermediate/index.txt \ -CA

Re: [openssl-users] Problems with se...rver mode of openssl ocsp

On 09/07/2017 04:13 PM, Dr. Stephen Henson wrote: On Thu, Sep 07, 2017, Robert Moskowitz wrote: Good progress. A few questions: on https://jamielinux.com/docs/openssl-certificate-authority/online-certificate-status-protocol.html The sample server test command is: openssl ocsp -port

Re: [openssl-users] Env variables in config file to add a whole line

On 09/06/2017 01:31 PM, Salz, Rich via openssl-users wrote: … $crlDP $ocspIAI This is not supported. You can only put variables in *values* OK. But now I have to work out values. Bob -- openssl-users mailing list To unsubscribe:

Re: [openssl-users] Doubt regarding O-SSL and setting the duration of certificates

situations with scaled down CPUs, long device lifespans and support requirements, functional validation with future time settings would definitely be a good idea on the test plan. Frank Robert Moskowitz <mailto:r...@htt-consult.com> Wednesday, September 13, 2017 12:57 AM IEEE 802.1ARce (lat

Re: [openssl-users] Why is this OCSP response reporting a hash using SHA1?

On 09/12/2017 09:09 AM, Dr. Stephen Henson wrote: On Mon, Sep 11, 2017, Robert Moskowitz wrote: I would actually really like to have a SIMPLE OCSP responder. But so far have not found one. freeIPA has one buried within it, but that is too disruptive to install unless you buy into freeIPA

[openssl-users] Env variables in config file to add a whole line

I am trying to use an environment variable to add a whole line to the config file. This is to control adding (or not providing) CRL and/or OCSP support. export shows: declare -x crlDP="crlDistributionPoints = URI:http://www.htt-consult.com/pki/intermediate.crl.pem; declare -x

Re: [openssl-users] Env variables in config file to add a whole line

onfig file based on what the goal is... thanks Bob On 09/06/2017 12:23 PM, Robert Moskowitz wrote: I am trying to use an environment variable to add a whole line to the config file. This is to control adding (or not providing) CRL and/or OCSP support. export shows: declare -x

Re: [openssl-users] Why is this OCSP response reporting a hash using SHA1?

On 09/12/2017 09:38 AM, Robert Moskowitz wrote: On 09/12/2017 09:09 AM, Dr. Stephen Henson wrote: On Mon, Sep 11, 2017, Robert Moskowitz wrote: I would actually really like to have a SIMPLE OCSP responder. But so far have not found one. freeIPA has one buried within it, but that is too

Re: [openssl-users] Doubt regarding O-SSL and setting the duration of certificates

Depends on the question 'Infinite' duration is used in IEEE 802.1AR Device Identities. The concept is the vendor installs the certificate in read-only memory. It is expected to be good for the life of the device. On 09/11/2017 05:32 AM, Alejandro Pulido wrote: Dear team of OpenSSL,

  1   2   >