On 12/20/2012 03:44 AM, Dave Thompson wrote:
From: owner-openssl-us...@openssl.org On Behalf Of Robert Moskowitz
Sent: Wednesday, 19 December, 2012 22:24
... I am trying better to understand ...
creating a mailserver (postfix) cert.
I am looking at a couple of templates. The one at postfix.org
Left out response to -nodes option...
On 12/20/2012 03:44 AM, Dave Thompson wrote:
From: owner-openssl-us...@openssl.org On Behalf Of Robert Moskowitz
Sent: Wednesday, 19 December, 2012 22:24
... I am trying better to understand ...
creating a mailserver (postfix) cert.
I am looking
On 12/20/2012 06:52 PM, Dave Thompson wrote:
From: owner-openssl-us...@openssl.org On Behalf Of Robert Moskowitz
Sent: Thursday, 20 December, 2012 08:24
Left out response to -nodes option...
On 12/20/2012 03:44 AM, Dave Thompson wrote:
openssl req -new -nodes -keyout foo-key.pem -out
foo
OK. I am swamped. What is the command to display the cert content?
I see
openssl asn1parse -in file.cert
but although I can read ASN1 cruft, I would like a nicer output.
thanks
On 12/20/2012 08:49 PM, Patrick Patterson wrote:
Hi Robert:
On 2012-12-20, at 8:05 PM, Robert Moskowitz wrote:
OK. I am swamped. What is the command to display the cert content?
openssl x509 -in cert.pem -text -noout.
Great, just what I was looking
Hello,
I am running on CentOS 6.3, where it looks like OpenSSL is 1.0.0-25
I am creating my cert with:
openssl req -new -outform PEM -out certs/test.htt-consult.com.crt
-newkey rsa:2048 -nodes -keyout private/test.htt-consult.com.key
-keyform PEM -days 3650 -x509
This prompts me for the
is displayed. Firefox shows DN content as I would expect it.
On 12/31/2012 05:01 PM, Robert Moskowitz wrote:
Hello,
I am running on CentOS 6.3, where it looks like OpenSSL is 1.0.0-25
I am creating my cert with:
openssl req -new -outform PEM -out certs/test.htt-consult.com.crt
-newkey rsa:2048 -nodes
From: owner-openssl-us...@openssl.org On Behalf Of Robert Moskowitz
Sent: Monday, 31 December, 2012 17:02
I am running on CentOS 6.3, where it looks like OpenSSL is 1.0.0-25
I am creating my cert with:
openssl req -new -outform PEM -out certs/test.htt-consult.com.crt
-newkey rsa:2048 -nodes -keyout
On 01/02/2013 11:45 PM, Dave Thompson wrote:
From: Robert Moskowitz [mailto:r...@htt-consult.com]
Sent: Wednesday, 02 January, 2013 12:12
As I indicated, part of my problem is the default ssl.conf for apache
points to localhost.crt (built at firstboot) and I changed my hostname
which does
I have a CA cert in pem format that uses ecdsa. I have tried to display
the contents with:
openssl x509 -in x509-ca.pem -text -nameopt multiline -noout
I get errors:
Subject Public Key Info:
Public Key Algorithm: id-ecPublicKey
Unable to load Public Key
On 08/14/2013 05:37 PM, Dave Thompson wrote:
From: owner-openssl-us...@openssl.org On Behalf Of Robert Moskowitz
Sent: Wednesday, 14 August, 2013 15:49
I have a CA cert in pem format that uses ecdsa. I have tried
to display the contents with:
openssl x509 -in x509-ca.pem -text -nameopt
Does any version of OpenSSL provide support for EDDSA, particularly
creating and displaying the content of them?
Right now my interest is seeing what is involved in creating them with
EC25519 and evaluating their size and how they parse.
Or meet me at the IETF and talk to me about them.
On 03/16/2017 04:04 PM, Salz, Rich via openssl-users wrote:
Does any version of OpenSSL provide support for EDDSA, particularly creating
and displaying the content of them?
Not yet. EDDSA for 25519 and 448 would be great to have in the next release,
though.
Let's talk about it at IETF.
Jan,
On 03/09/2017 08:06 PM, Jan Danielsson wrote:
On 03/10/17 00:49, Robert Moskowitz wrote:
[---]
Is there some 'simple' way to provide these answers? Like with env
variables?
I tend to create response files (one response per line) and then
simply pipe to openssl:
$ cat foo.params
I am creating self-signed certs with:
openssl req -new -outform PEM -out certs/$your_host_tld.crt -newkey
rsa:2048 -nodes -keyout private/$your_host_tld.key -keyform PEM -days
3650 -x509 -extensions v3_req
Where, for example:
your_host_tld=z9m9z.test.htt-consult.com
Thing is that this then
Hi, Rich.
Fancy meeting you here.
On 03/09/2017 07:33 PM, Salz, Rich via openssl-users wrote:
Yes there are easier ways to do this. Set up a conf file and use it (via the
-conf flag). You can use env vars, set default values, and so on. Look at the
config manpages,
Viktor,
On 03/09/2017 08:17 PM, Viktor Dukhovni wrote:
On Mar 9, 2017, at 6:49 PM, Robert Moskowitz <r...@htt-consult.com> wrote:
I am creating self-signed certs with:
openssl req -new -outform PEM -out certs/$your_host_tld.crt -newkey rsa:2048
-nodes -keyout private/$your_host_t
On 03/09/2017 08:53 PM, Viktor Dukhovni wrote:
On Mar 9, 2017, at 8:43 PM, Robert Moskowitz <r...@htt-consult.com> wrote:
$ umask 077 # avoid world-readable private keys
Perhaps (no perhaps about it) this is old information, but I picked up that I
needed:
chmod 640 for the privat
Very nice. But this looks like it is part of the whole easyRSA effort,
not something I can easily feed into the openssl command to create the
cert. It would take a fair bit of digging to dig out what I need for now.
Definitely something I will look into soon, as providing a simple PKI
for a
Viktor,
On 03/09/2017 05:53 PM, Viktor Dukhovni wrote:
On Mar 9, 2017, at 8:43 PM, Robert Moskowitz <r...@htt-consult.com> wrote:
$ umask 077 # avoid world-readable private keys
Perhaps (no perhaps about it) this is old information, but I picked up that I
needed:
chm
On 08/11/2017 02:39 PM, Dr. Stephen Henson wrote:
On Fri, Aug 11, 2017, Robert Moskowitz wrote:
Frustrated...
On 08/11/2017 11:14 AM, Salz, Rich via openssl-users wrote:
My challenge comes to subjectAltName and its subfield
hardwareModuleName
per RFC 4108. I guess I am not 'getting
Frustrated...
On 08/11/2017 11:14 AM, Salz, Rich via openssl-users wrote:
My challenge comes to subjectAltName and its subfield
hardwareModuleName
per RFC 4108. I guess I am not 'getting' the subjectAltName section of
'man x509v3_config'.
Not all forms of SAN names are supported. If you
On 08/11/2017 02:47 PM, Dr. Stephen Henson wrote:
On Fri, Aug 11, 2017, Robert Moskowitz wrote:
I would want the 'openssl req' command to prompt for hwType and
hsSerialNum. At least for now.
Note that you can't get the 'openssl req' command to prompt for this but you can
generate
Why thank you, Viktor. Let's see if I can get this right from RFC4108
On 08/11/2017 12:47 PM, Viktor Dukhovni wrote:
On Fri, Aug 11, 2017 at 03:29:25PM +, Salz, Rich via openssl-users wrote:
In the certificate extensions section you do something like:
subjectAltName =
Sigh. Well, let's see what I can get done on this by the next
IEEE802/IETF week pair.
On 08/11/2017 11:56 AM, Salz, Rich wrote:
What is the procedure to get it added. RFC 4108 has been around for a while,
as has 802.1AR-2009.
Simplest way is to (get someone to) write the code and make a
On 08/14/2017 02:04 PM, Salz, Rich via openssl-users wrote:
➢ Is there any way to display the basic ASN.1 structure here so I can see
what was stored in the cert?
openssl asn1parse
Humpf. I looked at that a few times and did not see the obvious. Sigh.
So some progress. using -i
I am now working on using the othername option. I see it go in, but I
can't display it. All I get is:
X509v3 Subject Alternative Name:
othername:
I seem to recall encountering some way to display this in a google
search, but I have not found that search yet in my
On 08/14/2017 03:28 PM, Jakob Bohm wrote:
On 14/08/2017 20:55, Robert Moskowitz wrote:
On 08/14/2017 02:04 PM, Salz, Rich via openssl-users wrote:
➢ Is there any way to display the basic ASN.1 structure here so I can
see
what was stored in the cert?
openssl asn1parse
Humpf. I
I am following:
https://jamielinux.com/docs/openssl-certificate-authority/create-the-root-pair.html
But modifying it to produce ECDSA certs. So the first step is to make
the private key. Jamie says:
openssl genrsa -aes256 -out private/ca.key.pem 4096
The -aes256 option supposedly password
On 08/10/2017 04:26 PM, Viktor Dukhovni wrote:
On Thu, Aug 10, 2017 at 03:17:02PM -0400, Robert Moskowitz wrote:
Are you sure you want secp256k1? By far the more common choice is
prime256r1 (aka P-256 or secp256r1).
Do you mean prime256v1?
Yes, it is the primary name in OpenSSL
Thank you, Viktor.
On 08/10/2017 02:27 PM, Viktor Dukhovni wrote:
On Thu, Aug 10, 2017 at 12:03:31PM -0400, Robert Moskowitz wrote:
openssl ecparam -name secp256k1 -genkey -noout -out private/ca.key.pem
But openssl ecparam does not have any option equivalent (that I can find) to
-aes256
Thanks for the response, Rich.
On 08/11/2017 11:14 AM, Salz, Rich via openssl-users wrote:
My challenge comes to subjectAltName and its subfield
hardwareModuleName
per RFC 4108. I guess I am not 'getting' the subjectAltName section of
'man x509v3_config'.
Not all forms of SAN names are
On 08/11/2017 11:29 AM, Salz, Rich wrote:
Given these supported names, what goes into the config file to create a SAN
without having to specify it on the command line?
In the certificate extensions section you do something like:
subjectAltName = dns:www.example.com, IP:127.0.0.1
and
Now that I can build a generic PKI with EDDSA, the next step is to add
creation of 802.1AR iDevID certificates. I am using the current draft,
sec 8, 802.1ARce-d2-2, but for this purpose it is essentially the same
(but more clearly written) as sec 7, 802.1AR-2009.
I start with making the following
]
# Extensions for IEEE 802.1AR iDevID certificates (`man x509v3_config`).
basicConstraints = CA:FALSE
authorityKeyIdentifier = keyid,issuer:always
keyUsage = critical, digitalSignature, keyEncipherment
On 08/12/2017 10:28 AM, Michael Ströder wrote:
Robert Moskowitz wrote:
On 08/11/2017 02:47 PM
On 08/14/2017 07:16 AM, Michael Ströder wrote:
Robert Moskowitz wrote:
I am getting a SAN in the csr e.g.:
Attributes:
Requested Extensions:
X509v3 Subject Alternative Name:
IP Address:192.168.2.1
[..]
But I am not getting SAN in the cert
I have skimmed through a few RFCs following today's postings and a few
web sites. It would seem to me that I should:
Remove commonName and emailAddress completely from the cnf file. They no
longer belong in any cert, root or intermediate CA certs, server or user
certs.
For servers include
On 08/16/2017 05:01 PM, Salz, Rich via openssl-users wrote:
There’s no such requirement. It MUST be at most 20 octets long.
>
>> - Serial numbers contain cryptographically strong random bits,
currently at
>> least 64 random bits, though it is best if the entire serial number
On 08/10/2017 02:27 PM, Viktor Dukhovni wrote:
On Thu, Aug 10, 2017 at 12:03:31PM -0400, Robert Moskowitz wrote:
openssl ecparam -name secp256k1 -genkey -noout -out private/ca.key.pem
But openssl ecparam does not have any option equivalent (that I can find) to
-aes256
Yes, this command
Rich,
Meant to ask you about this at IETF.
Given draft-ietf-curdle-pkix-05.txt sec 10, is there openssl code to
produce these???
And, relatedly, what do you think about CBOR encoding rather than
ASN.1? Kill ASN.1 in constrained devices and save on transmission costs?
Thanks
Bob
On
19
thanks.
On 07/27/2017 10:45 AM, Benjamin Kaduk wrote:
On 07/27/2017 09:18 AM, Robert Moskowitz wrote:
Rich,
Meant to ask you about this at IETF.
Given draft-ietf-curdle-pkix-05.txt sec 10, is there openssl code to
produce these???
There is code to validate them,
Ah, thanks for the explanation Rich.
On 08/08/2017 11:19 AM, Salz, Rich via openssl-users wrote:
We don't add features to released versions, just bug-fixes. Ladar has posted a
patch for 1.0.2 for those do-it-yourselfers who are so inclined.
The 'master' branch, which will become 1.1.1 at
I want to build a PKI structure of a root CA, intermediate CA(s), and
user and server certs. So I went looking for some guidance and found:
https://jamielinux.com/docs/openssl-certificate-authority/create-the-root-pair.html
Anything else out there?
The certs will all be ECDSA, P256 SHA256.
Thanks Rich, I will take a look at this also.
Bob
On 08/09/2017 09:49 AM, Salz, Rich via openssl-users wrote:
https://www.openssl.org/~rsalz/pki.tgz but only a root and end-entity. Adding
an intermediate should not be incredibly difficult :)
On 08/18/2017 01:16 PM, Dr. Stephen Henson wrote:
On Thu, Aug 17, 2017, Robert Moskowitz wrote:
In the [ ca ] section I have:
prompt = no
If I leave the = out I get an error, so I am assuming I got the
format of this right.
Then I have
[ req ]
distinguished_name
I have made it through the basics. Thanks for all the help. The fruits
of my labor can be found at:
http://www.htt-consult.com/pki
under roll your own CA and 802.1AR
There is a link there for my current 'lessons learned'. I will be
adding more to this:
On 08/17/2017 05:38 PM, Salz, Rich wrote:
declare -x organizationalUnitName=""
routines:ASN1_mbstring_ncopy:string too short:a_mbstr.c:151:minsize=1
You are setting an empty OU. You should not set it and see if that works
organizationalUnitName = "." puts a . in it. So I have to
On 08/17/2017 07:01 PM, Jakob Bohm wrote:
On 18/08/2017 00:09, Robert Moskowitz wrote:
On 08/17/2017 05:38 PM, Salz, Rich wrote:
declare -x organizationalUnitName=""
routines:ASN1_mbstring_ncopy:string too short:a_mbstr.c:151:minsize=1
You are setting an empty OU. You shou
On 08/17/2017 06:38 PM, Jeffrey Walton wrote:
On Thu, Aug 17, 2017 at 6:30 PM, Robert Moskowitz <r...@htt-consult.com> wrote:
I guess I am making progress. I am not getting SAN into the root cert. My
cnf has in it:
[ req ]
# Options for the `req` tool (`man req`).
defaul
On 08/17/2017 04:17 PM, Robert Moskowitz wrote:
On 08/17/2017 04:09 PM, Salz, Rich wrote:
Use the -batch flag to avoid all prompting
I commented out the prompt line and tried again:
openssl req -config openssl-root.cnf -key private/ca.key.pem \
> -new -x509 -days 7300 -sha
On 08/17/2017 04:17 PM, Robert Moskowitz wrote:
On 08/17/2017 04:09 PM, Salz, Rich wrote:
Use the -batch flag to avoid all prompting
I commented out the prompt line and tried again:
openssl req -config openssl-root.cnf -key private/ca.key.pem \
> -new -x509 -days 7300 -sha
I guess I am making progress. I am not getting SAN into the root cert.
My cnf has in it:
[ req ]
# Options for the `req` tool (`man req`).
default_bits= 2048
prompt = no
distinguished_name = req_distinguished_name
string_mask = utf8only
req_extensions =
ARGH!!!
On 08/17/2017 05:38 PM, Salz, Rich wrote:
declare -x organizationalUnitName=""
routines:ASN1_mbstring_ncopy:string too short:a_mbstr.c:151:minsize=1
You are setting an empty OU. You should not set it and see if that works
So now I have to figure out how to handle an empty
On 08/16/2017 01:12 PM, Viktor Dukhovni wrote:
On Aug 16, 2017, at 12:52 PM, Robert Moskowitz <r...@htt-consult.com> wrote:
Which is also a problem in openssl. You have to put the SAN into the cnf file.
There are a number of hacks to do this from the command line.
Yep. For an ap
On 08/16/2017 10:51 AM, Jakob Bohm wrote:
On 16/08/2017 16:32, Tom Browder wrote:
On Wed, Aug 16, 2017 at 08:36 Salz, Rich via openssl-users
> wrote:
➢ So, in summary, do I need to ensure cert serial numbers are
unique for
On 08/16/2017 11:58 AM, Erwann Abalea via openssl-users wrote:
Bonjour,
Le 16 août 2017 à 16:51, Jakob Bohm a écrit :
On 16/08/2017 16:32, Tom Browder wrote:
On Wed, Aug 16, 2017 at 08:36 Salz, Rich via openssl-users
On 08/16/2017 05:01 PM, Salz, Rich via openssl-users wrote:
There’s no such requirement. It MUST be at most 20 octets long.
>
>> - Serial numbers contain cryptographically strong random bits,
currently at
>> least 64 random bits, though it is best if the entire serial number
openssl-root.cnf -key private/ca.key.pem \
-new -x509 -days 7300 -sha256 -extensions v3_ca -out
certs/ca.cert.pem
On 08/17/2017 09:52 PM, Robert Moskowitz wrote:
It IS working with -selfsign. So this step is done.
openssl ca -config openssl-root.cnf -extensions v3_ca -days 7300
-notext
On 08/17/2017 09:23 PM, Robert Moskowitz wrote:
NO does not work. It worked because I had the old root CA cert
there. Without it it fails.
I tried adding
On 08/19/2017 04:00 AM, Peter Sylvester wrote:
On 08/18/2017 07:16 PM, Dr. Stephen Henson wrote:
On Thu, Aug 17, 2017, Robert Moskowitz wrote:
In the [ ca ] section I have:
prompt = no
If I leave the = out I get an error, so I am assuming I got the
format of this right.
Then I have
On 08/22/2017 10:53 AM, Salz, Rich via openssl-users wrote:
> SHA256 is not listed as a valid hash.
Many more X.509 digest algorithms are supported in this context
than (sadly) are listed in the manpage. Perhaps there should
be a command that lists all supported x.509 hash
On 08/20/2017 09:50 AM, Salz, Rich via openssl-users wrote:
If you generate 19 bytes of RAND output, it will never exceed 20 bytes encoded.
OpenSSL will be generating 159 bits of RAND output, so that it will never
exceed 20 bytes encoded. The command-line RAND program is bytes, the C API is
On 08/20/2017 09:32 AM, Viktor Dukhovni wrote:
On Aug 20, 2017, at 8:35 AM, Robert Moskowitz <r...@htt-consult.com> wrote:
It is 64 - 160 BITS
Correct, with the word "cryptographically random" somewhere in
there, for at least 64 of the bits.
Which is 8 - 20 OCTETS
Correct,
Want to continue this thread but with new information. I built a
Fedora-arm 26 system (on a Cubieboard2) and it has openssl version 1.1.0f
I built my DER root cert (and private key) no problem.
I built my DER Intermediate cert private key and CSR no problem.
For the following command:
sn=8
into a complex
bootstrap process that I don't totally agree with. And NETCONF is doing
their flavor of it. Sigh.
The IETF CORE wg is looking at this too.
I have to munch on this problem a lot more.
Bob
On 08/22/2017 10:19 AM, Viktor Dukhovni wrote:
On Aug 21, 2017, at 9:02 PM, Robert
On 08/17/2017 12:56 AM, Jeffrey Walton wrote:
On Thu, Aug 17, 2017 at 12:28 AM, Robert Moskowitz <r...@htt-consult.com> wrote:
I have skimmed through a few RFCs following today's postings and a few web
sites. It would seem to me that I should:
Remove commonName and emailAddress comp
I have been researching serial number in cert based on Jakob's comment:
"- Serial numbers are *exactly* 20 bytes (153 to 159 bits) both as
standalone
numbers and as DER-encoded numbers. Note that this is not the default in
the openssl ca program.
- Serial numbers contain cryptographically
Should digitalSignature be included in keyusage in CA certs?
https://jamielinux.com/docs/openssl-certificate-authority/create-the-root-pair.html
Includes it.
On 08/17/2017 10:50 AM, Salz, Rich via openssl-users wrote:
And RFC 5280, which is still the standard, says serial# must be <= 20 bytes.
Which means, you want to make sure the high bit is off, else the DER encoding will
make it 21 bytes.
So the new -rand_serial flag I am adding to the CA
On 08/17/2017 10:49 AM, Karl Denninger wrote:
On 8/17/2017 09:40, Robert Moskowitz wrote:
I have been researching serial number in cert based on Jakob's comment:
"- Serial numbers are *exactly* 20 bytes (153 to 159 bits) both as
standalone
numbers and as DER-encoded numbers.
Viktor,
thanks for the reply.
On 08/17/2017 11:15 AM, Viktor Dukhovni wrote:
On Thu, Aug 17, 2017 at 12:56:20AM -0400, Jeffrey Walton wrote:
Remove commonName and emailAddress completely from the cnf file. They no
longer belong in any cert, root or intermediate CA certs, server or user
Erwann,
thank you for your response.
On 08/17/2017 11:29 AM, Erwann Abalea via openssl-users wrote:
Bonjour,
Le 17 août 2017 à 17:10, Robert Moskowitz <r...@htt-consult.com> a écrit :
On 08/17/2017 10:50 AM, Salz, Rich via openssl-users wrote:
And RFC 5280, which is still the st
On 08/18/2017 08:46 AM, Salz, Rich via openssl-users wrote:
This has been a long email thread. Can you open a github issue and summarize
the improvements you think we should make?
Thanks.
And thanks for your patience!
When I get through the "lessons learned" step, I will ask you how to
On 08/18/2017 08:48 AM, Jeffrey Walton wrote:
It is coming down that I would need a unique cnf for each cert type, rather
than one per signing CA. Things just don't work well without prompting or
very consistent DN content. So I am going to pull most of my ENV. I am
leaving it in for dir
sha256 in both?
Could benefit from some refinement. Or getting the 1 step working.
Good enough for now!
Bob
On 08/17/2017 06:38 PM, Jeffrey Walton wrote:
On Thu, Aug 17, 2017 at 6:30 PM, Robert Moskowitz <r...@htt-consult.com> wrote:
I guess I am making progress. I am not getti
NO does not work. It worked because I had the old root CA cert there.
Without it it fails.
I tried adding -selfsign and that did something, but did not create a
trusted cert...
On 08/17/2017 08:44 PM, Robert Moskowitz wrote:
Kind of...
Does not put SAN in CA cert:
openssl req -config
Jakob had it right
On 08/17/2017 07:01 PM, Jakob Bohm wrote:
Given all these problems with the Distinguished Name prompting
mechanism, just add the -subject option to the req command line
(using appropriate environment variables in the shell script).
Enjoy
Jakob
It is coming down that
Thank you for your response.
I am basically skipping 20 years of PKI development and trying to get to
current best practices...
On 08/17/2017 09:50 AM, Erwann Abalea via openssl-users wrote:
Bonjour,
Le 17 août 2017 à 15:20, Robert Moskowitz <r...@htt-consult.com> a écrit :
In the [ ca ] section I have:
prompt = no
If I leave the = out I get an error, so I am assuming I got the format
of this right.
Then I have
[ req ]
distinguished_name = req_distinguished_name
[ req_distinguished_name ]
countryName = $ENV::countryName
On 09/13/2017 09:39 AM, Salz, Rich via openssl-users wrote:
An X509v3 certificate has “notBefore” and “notAfter” fields. If either of
those is not present, then it is not an X509v3 certificate. The time marked by
those fields is the validity period.
If you want “never expires” X509v3
On 09/15/2017 11:57 AM, Michael Richardson wrote:
The PEM_* routines, as documented at:
https://www.openssl.org/docs/man1.0.2/crypto/PEM_read_bio_PUBKEY.html
do not claim to read DER format input. (Actually they don't say anything about
DER).
Ruby's library uses:
pkey =
On 09/13/2017 09:31 AM, Michael Richardson wrote:
Robert Moskowitz <r...@htt-consult.com> wrote:
> The devices never test out the lifetime of their certs. That is up to
Exactly...
(Do you think about the MacGyver/StarTrek/A-Team/Leverage/MissionImpossible
plot line that g
I am using the test responder:
openssl ocsp -port 2560 -text -rmd sha256\
-index index.txt \
-CA certs/ca-chain.cert.pem \
-rkey private/$ocspurl.key.pem \
-rsigner certs/$ocspurl.cert.pem \
-nrequest 1
What is the SHA1 hash report about? It
-ecdsa-pki-01.txt
Date: Fri, 08 Sep 2017 12:26:36 -0700
From: internet-dra...@ietf.org
To: Robert Moskowitz <r...@labs.htt-consult.com>, Liang Xia
<frank.xiali...@huawei.com>, Henk Birkholz
<henk.birkh...@sit.fraunhofer.de>, Liang Xia <frank.xiali...@huawei.com>
A n
Dukhovni wrote:
On Tue, Aug 29, 2017 at 05:36:34PM -0400, Robert Moskowitz wrote:
Another problem. It is almost like it is not reading the CA selection?
Not "almost", but actually as expected, since "openssl x509 -req"
is not the ca(1) application.
openssl x509 -req -
On 08/30/2017 10:33 AM, Viktor Dukhovni wrote:
On Wed, Aug 30, 2017 at 06:03:03AM -0400, Robert Moskowitz wrote:
I woke up a little clearer head, and realized, that a truly
constrained device won't even bother with DER, but just store the raw
keypair.
FWIW, Apple's boot firmware stores
Viktor,
On 08/30/2017 12:59 AM, Viktor Dukhovni wrote:
On Wed, Aug 30, 2017 at 12:17:09AM -0400, Robert Moskowitz wrote:
So back to openssl ca and deal with no way to directly create a DER
formatted cert.
Definitely a deficiency.
Not really a deficiency, as the certificates in question need
I started out making certs from csrs with:
openssl ca -config $dir/openssl-intermediate.cnf -extensions usr_cert
-days 375 -notext -md sha256 \
-in $dir/csr/$clientemail.csr.$format -out
$dir/certs/$clientemail.cert.$format
And that worked well enough, but I found some limitations
On 09/11/2017 12:23 PM, Salz, Rich via openssl-users wrote:
Ah, put -sha256 in the CLIENT request. Seems kind of backward. Or at
least the server should have some control over the hash used?
Well, it is the client that is making the request, so therefore the client
On 09/08/2017 10:08 PM, Dr. Stephen Henson wrote:
On Fri, Sep 08, 2017, Robert Moskowitz wrote:
I am using the test responder:
openssl ocsp -port 2560 -text -rmd sha256\
-index index.txt \
-CA certs/ca-chain.cert.pem \
-rkey private/$ocspurl.key.pem
On 09/05/2017 11:59 AM, Dr. Stephen Henson wrote:
On Tue, Sep 05, 2017, Robert Moskowitz wrote:
Jamie Nguyen's guide uses openssl to test OCSP with 'openssl ocsp':
https://jamielinux.com/docs/openssl-certificate-authority/online-certificate-status-protocol.html
What is unclear here
Good progress. A few questions:
on
https://jamielinux.com/docs/openssl-certificate-authority/online-certificate-status-protocol.html
The sample server test command is:
openssl ocsp -port 127.0.0.1:2560 -text -sha256 \
-index intermediate/index.txt \
-CA
On 09/07/2017 04:13 PM, Dr. Stephen Henson wrote:
On Thu, Sep 07, 2017, Robert Moskowitz wrote:
Good progress. A few questions:
on
https://jamielinux.com/docs/openssl-certificate-authority/online-certificate-status-protocol.html
The sample server test command is:
openssl ocsp -port
On 09/06/2017 01:31 PM, Salz, Rich via openssl-users wrote:
…
$crlDP
$ocspIAI
This is not supported. You can only put variables in *values*
OK. But now I have to work out values.
Bob
situations with scaled down CPUs, long device lifespans and support
requirements, functional validation with future time settings would
definitely be a good idea on the test plan.
Frank
Robert Moskowitz <mailto:r...@htt-consult.com>
Wednesday, September 13, 2017 12:57 AM
IEEE 802.1ARce (lat
On 09/12/2017 09:09 AM, Dr. Stephen Henson wrote:
On Mon, Sep 11, 2017, Robert Moskowitz wrote:
I would actually really like to have a SIMPLE OCSP responder. But
so far have not found one. freeIPA has one buried within it, but
that is too disruptive to install unless you buy into freeIPA
I am trying to use an environment variable to add a whole line to the
config file. This is to control adding (or not providing) CRL and/or
OCSP support.
export shows:
declare -x crlDP="crlDistributionPoints =
URI:http://www.htt-consult.com/pki/intermediate.crl.pem;
declare -x
onfig file based on what
the goal is...
thanks
Bob
On 09/06/2017 12:23 PM, Robert Moskowitz wrote:
I am trying to use an environment variable to add a whole line to the
config file. This is to control adding (or not providing) CRL and/or
OCSP support.
export shows:
declare -x
On 09/12/2017 09:38 AM, Robert Moskowitz wrote:
On 09/12/2017 09:09 AM, Dr. Stephen Henson wrote:
On Mon, Sep 11, 2017, Robert Moskowitz wrote:
I would actually really like to have a SIMPLE OCSP responder. But
so far have not found one. freeIPA has one buried within it, but
that is too
Depends on the question
'Infinite' duration is used in IEEE 802.1AR Device Identities. The
concept is the vendor installs the certificate in read-only memory. It
is expected to be good for the life of the device.
On 09/11/2017 05:32 AM, Alejandro Pulido wrote:
Dear team of OpenSSL,