Hi,

Getting the same error (on ts_rsp_sign.c:206) with the files I sent means that you are not using the right files: I have explicitly tested the OpenSSL function referenced in ts_rsp_sign.c and it works with no error. You have to check your configuration in order to point to the right key file.

In my tests, I only used OpenSSL code, no mod_tsa or Apache, because I was targeting the OpenSSL error you described. I used the latest version 1.0.0d but I think this has nothing to do with your problem since it is certainly caused by a configuration issue. Concerning the cnf file, I just modified the usr_cert section in the default one in order to add "extendedKeyUsage = critical,timeStamping" and set keyUsage to "nonRepudiation, digitalSignature".

Cheers,
--
Mounir IDRASSI
IDRIX
http://www.idrix.fr

On 2/23/2011 3:32 PM, Yessica De Ascencao wrote:
Hello!
Thanks for your help and monitoring.
Yes, I get the same error; it also throws the same when tested with the files you sent me.
I think there must be something I missed or did wrong in the installation.
Which version did you use for this package:
openssl
mod_tsa
Apache
mod_ssl
mysql
ts-patch_XXXX

Another thing: to generate the certificate for the TSA extension with Time Stamping, which .cnf did you use? The openssl.cnf or one you created yourself?

Very grateful!
Thanks

2011/2/22 Mounir IDRASSI <mounir.idra...@idrix.net>

    Hi,

    Are you sure you have the same error description (lib(47):func(131):reason(117):ts_rsp_sign.c:206:)? I have tested here with a certificate containing "Digital Signature, Non Repudiation" key usage and OpenSSL doesn't complain.
    I'm attaching the timestamp certificate (with its key and its CA certificate) that I used. Can you see if it is working for you?


    Cheers,
    --
    Mounir IDRASSI
    IDRIX
    http://www.idrix.fr

    On 2/22/2011 3:11 PM, Yessica De Ascencao wrote:

        Hi Mounir IDRASSI!
        I generated the certificate with ONLY Digital Signature, Non Repudiation but I still have the same problem.

        Thanks!

        Certificate:
           Data:
               Version: 3 (0x2)
               Serial Number:
                   d8:e6:a3:f6:22:c7:a4:0c
               Signature Algorithm: sha1WithRSAEncryption
               Issuer: C=ve, ST=distrito capital, O=suscerte, OU=acraiz, CN=ac/emailAddress=a...@suscerte.gob.ve

               Validity
                   Not Before: Feb 22 14:08:20 2011 GMT
                   Not After : Feb 22 14:08:20 2012 GMT
               Subject: C=ve, ST=distritocapital, L=caracas, O=tss, OU=suscerte, CN=tsscompany/emailAddress=t...@company.com

               Subject Public Key Info:
                   Public Key Algorithm: rsaEncryption
                   RSA Public Key: (2048 bit)
                       Modulus (2048 bit):
                       Exponent: 65537 (0x10001)
               X509v3 extensions:
                   X509v3 Basic Constraints:
                       CA:FALSE
                   X509v3 Key Usage:
                       Digital Signature, Non Repudiation
                   Netscape Comment:
                       OpenSSL Generated Certificate
                   X509v3 Subject Key Identifier:
                       FA:0C:6E:6E:88:58:51:F4:DF:F1:E3:CC:DD:9D:71:8C:CD:95:68:17
                   X509v3 Authority Key Identifier:
                       keyid:76:B9:CB:3B:5D:C8:B6:AB:02:74:86:D3:1C:C7:42:58:B1:AE:7E:76

                   X509v3 Subject Alternative Name:
                       email:t...@company.com

                   X509v3 Extended Key Usage: critical
                       Time Stamping
           Signature Algorithm: sha1WithRSAEncryption


        2011/2/22 Mounir IDRASSI <mounir.idra...@idrix.net>


           Hi,

           I don't agree: from the error description (lib(47):func(131):reason(117):ts_rsp_sign.c:206) it is clear that OpenSSL loaded the certificate but the X509_check_purpose(signer, X509_PURPOSE_TIMESTAMP_SIGN, 0) call in ts_rsp_sign failed.

           Actually, reading the certificate dump shows that the problem is coming from the certificate Key Usage: it MUST NOT contain Key Encipherment.
           So, to resolve your problem, set the Key Usage to ONLY Digital Signature, Non Repudiation.

           I hope this will help.
           Cheers,
           --
           Mounir IDRASSI
           IDRIX
           http://www.idrix.fr


           On 2/22/2011 2:40 PM, Patrick Patterson wrote:

               Hi Yessica:

               That error is fairly straightforward - it can't load the cert (meaning, it can't even load the file).

               Have you made sure that the permissions are correct? Are you absolutely sure that you have the right cert in the right location?

               Have fun.

               Patrick.

               On 2011-02-22, at 8:37 AM, Yessica De Ascencao wrote:

                   Hi!
                   This is the new certificate:

                   Certificate:
                       Data:
                           Version: 3 (0x2)
                           Serial Number:
                               d8:e6:a3:f6:22:c7:a4:0b
                           Signature Algorithm: sha1WithRSAEncryption
                            Issuer: C=ve, ST=distrito capital, O=suscerte, OU=acraiz, CN=ac/emailAddress=a...@suscerte.gob.ve

                           Validity
                               Not Before: Feb 21 20:15:08 2011 GMT
                               Not After : Feb 21 20:15:08 2012 GMT
                            Subject: C=ve, ST=distritocapital, L=caracas, O=tss, OU=suscerte, CN=tsscompany/emailAddress=t...@company.com

                           Subject Public Key Info:
                               Public Key Algorithm: rsaEncryption
                               RSA Public Key: (2048 bit)
                                   Modulus (2048 bit):
                                   Exponent: 65537 (0x10001)
                           X509v3 extensions:
                               X509v3 Basic Constraints:
                                   CA:FALSE
                               X509v3 Key Usage:
                                    Digital Signature, Non Repudiation, Key Encipherment
                               Netscape Comment:
                                   OpenSSL Generated Certificate
                               X509v3 Subject Key Identifier:
                                    FA:0C:6E:6E:88:58:51:F4:DF:F1:E3:CC:DD:9D:71:8C:CD:95:68:17
                               X509v3 Authority Key Identifier:
                                    keyid:76:B9:CB:3B:5D:C8:B6:AB:02:74:86:D3:1C:C7:42:58:B1:AE:7E:76

                               X509v3 Subject Alternative Name:
                                    email:t...@company.com

                               X509v3 Extended Key Usage: critical
                                   Time Stamping
                       Signature Algorithm: sha1WithRSAEncryption

                   And this is the error:
                   [Mon Feb 21 20:15:37 2011] [error] mod_tsa:could
        not load
                   X.509 certificate: /usr/local/ssl/misc/demoCA/tss.pem
                   [Mon Feb 21 20:15:37 2011] [error]
mod_tsa:17262:error:2F083075:lib(47):func(131):reason(117):ts_rsp_sign.c:206:
                   [Mon Feb 21 20:15:37 2011] [emerg] exiting, fatal error
                   during mod_tsa initialisation.

                   Thanks!!!

                   2011/2/21 Jaroslav Imrich <jaroslav.imr...@gmail.com>

                   Hello Yessica,

                   please post the new certificate and the exact error you're getting.

                   --
                   Kind Regards / S pozdravom

                   Jaroslav Imrich
                   http://www.jariq.sk



                   On Mon, Feb 21, 2011 at 4:41 PM, Yessica De Ascencao <yessima...@gmail.com> wrote:

                   hello!!!
                   Thanks for the response!

                   Yes, I needed the Time Stamping extension; however, when I load the sample certificate from the OpenTSA page, it continues to show me the same error. I created a certificate with the correct extension and it likewise gives me an error.

                   I really do not know what may be happening.

                   Thank you very much!



                   2011/2/18 Jaroslav Imrich <jaroslav.imr...@gmail.com>

                   Hello Yessica,


                   this line in your logs tells you where the error occurred:


                   [Thu Feb 17 19:23:09 2011] [error] mod_tsa:1510:error:2F083075:lib(47):func(131):reason(117):ts_rsp_sign.c:206:

                   When you look into the source code of the openssl ts module - http://cvs.openssl.org/fileview?f=openssl/crypto/ts/ts_rsp_sign.c&v=1.6.4.2 - you can see that line 206 contains the following code:

                        if (X509_check_purpose(signer, X509_PURPOSE_TIMESTAMP_SIGN, 0) != 1)
                                {
                                TSerr(TS_F_TS_RESP_CTX_SET_SIGNER_CERT,
                                      TS_R_INVALID_SIGNER_CERTIFICATE_PURPOSE);
                                return 0;
                                }

                   That means loading of the TSA certificate failed because of incorrect extensions.

                   The certificate you posted has the critical mark on "X509v3 Subject Alternative Name", which is completely wrong in this case. It is "Time Stamping" that has to be marked as critical.


                   --
                   Kind Regards / S pozdravom

                   Jaroslav Imrich
                   http://www.jariq.sk



                   --
                   Saludos!
                   Yessica De Ascencao
                   0426-7142582




               ---
               Patrick Patterson
               Chief PKI Architect
               Carillon Information Security Inc.
               http://www.carillon.ca





______________________________________________________________________
               OpenSSL Project http://www.openssl.org
               User Support Mailing List openssl-users@openssl.org
               Automated List Manager majord...@openssl.org














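The purpose check the thread keeps returning to (X509_check_purpose with X509_PURPOSE_TIMESTAMP_SIGN) comes down to three rules on the signer certificate: Key Usage, if present, may hold only Digital Signature and/or Non Repudiation; Extended Key Usage must be present and contain exactly Time Stamping; and that extension must be critical. The following is an added example (editor's own Python, not code from the thread or from OpenSSL) that applies those rules to `openssl x509 -text` output so the rejected and corrected dumps above can be compared; the excerpts it runs on are constructed.

```python
import re
# Signer rules that X509_PURPOSE_TIMESTAMP_SIGN enforces on an end-entity cert, as
# diagnosed in the thread (editor's reimplementation in Python, not OpenSSL's code).
ALLOWED_KU = {"Digital Signature", "Non Repudiation"}
REQUIRED_EKU = {"Time Stamping"}

def parse_extensions(text):
    """Map each 'X509v3 ...' extension in `openssl x509 -text` output to (critical, values)."""
    lines = text.splitlines()
    exts = {}
    for i, line in enumerate(lines):
        m = re.match(r"^(\s*)(X509v3 [A-Z][A-Za-z ]+?):(\s*critical)?\s*$", line)
        if not m:
            continue
        indent, name, critical = len(m.group(1)), m.group(2), bool(m.group(3))
        values = []
        for nxt in lines[i + 1:]:  # values are the more-indented lines that follow
            if not nxt.strip() or len(nxt) - len(nxt.lstrip()) <= indent:
                break
            values.extend(v.strip() for v in nxt.split(",") if v.strip())
        exts[name] = (critical, values)
    return exts

def check_timestamp_sign_purpose(text):
    """Return (accepted, reasons) the way the TSA purpose check decides them."""
    exts = parse_extensions(text)
    problems = []
    if "X509v3 Key Usage" in exts:  # optional, but if present only these two bits
        ku = set(exts["X509v3 Key Usage"][1])
        if (ku - ALLOWED_KU) or not (ku & ALLOWED_KU):
            problems.append(f"Key Usage must be only {sorted(ALLOWED_KU)}, found {sorted(ku)}")
    if "X509v3 Extended Key Usage" not in exts:
        problems.append("Extended Key Usage is required (Time Stamping)")
    else:
        critical, eku = exts["X509v3 Extended Key Usage"]
        if set(eku) != REQUIRED_EKU:
            problems.append(f"Extended Key Usage must be exactly Time Stamping, found {eku}")
        if not critical:
            problems.append("Extended Key Usage must be marked critical")
    return (not problems, problems)

# Constructed excerpt modelled on the rejected dump in the thread (not the real cert).
REJECTED = """\
            X509v3 Key Usage:
                Digital Signature, Non Repudiation, Key Encipherment
            X509v3 Extended Key Usage: critical
                Time Stamping
    Signature Algorithm: sha1WithRSAEncryption
"""
ACCEPTED = REJECTED.replace(", Key Encipherment", "")  # the fix the thread arrives at
```

Feeding it a dump whose Extended Key Usage lacks the `critical` marker reports that as the sole problem, which is the other rejection reason raised earlier in the thread.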
