Re: Generating a smime certificate
On Sun, May 27, 2007 at 12:13:38AM +0100, Mick wrote:
> On Saturday 26 May 2007 21:38, Victor Duchovni wrote:
> > On Sat, May 26, 2007 at 10:11:08PM +0200, Marek Marcola wrote:
> > > $ openssl x509 -in cert.pem -text -noout
> > > .
> > > .
> > > X509v3 extensions:
> > >     X509v3 Basic Constraints:
> > >         CA:FALSE
> > >     X509v3 Key Usage:
> > >         Digital Signature, Non Repudiation, Key Encipherment
> > > .
> >
> > Perhaps a mini-ca will help. See "ca.sh", "cert.sh" and "openssl.cnf"
> > used as follows:
> [snip]
>
> Thanks Victor,
>
> Can you see anything amiss with my attached openssl.cnf?

Sorry, for me openssl.cnf is a write-only interface... Perhaps someone
else can help you. I find the files easier to write than read.

-- 
    Viktor.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
Re: Newbie build question
Please ignore. My silly mistake. Got it to build.

Sumati Gupta <[EMAIL PROTECTED]> wrote:

Hi,

This is a newbie question: I downloaded the openssl source and built
libssl and libcrypto with the linux-debug-elf option. I removed the
efence library from the make file since I don't have it. Now when I
link the two libs with my app, I get a whole bunch of link errors like:

    /usr/lib/libssl.so: undefined reference to `BIO_puts@@OPENSSL_0.9.8'
    /usr/lib/libssl.so: undefined reference to `X509_VERIFY_PARAM_free@@OPENSSL_0.9.8'

What am I doing wrong? I'd appreciate any help.
Newbie build question
Hi,

This is a newbie question: I downloaded the openssl source and built
libssl and libcrypto with the linux-debug-elf option. I removed the
efence library from the make file since I don't have it. Now when I
link the two libs with my app, I get a whole bunch of link errors like:

    /usr/lib/libssl.so: undefined reference to `BIO_puts@@OPENSSL_0.9.8'
    /usr/lib/libssl.so: undefined reference to `X509_VERIFY_PARAM_free@@OPENSSL_0.9.8'

What am I doing wrong? I'd appreciate any help.
Generating a server certificate
Hello,

I'm attempting to load a server certificate into a server. I create the
certificate using the following:

Generate a CA

    1) openssl req -out ca.pem -new -x509

   - generates CA file "ca.pem" and CA key "privkey.pem"

Generate server certificate/key pair - no password required.

    2) openssl genrsa -out server.key 1024
    3) openssl req -key server.key -new -out server.req
    4) openssl x509 -req -in server.req -CA CA.pem -CAkey privkey.pem -CAserial file.srl -out server.pem

   - contents of "file.srl" is a two digit number, e.g. "00"

I have a question concerning the following call:

    /* PRIVKEY is the path of the PEM file holding the key to load */
    if (SSL_CTX_use_PrivateKey_file(ctx, PRIVKEY, SSL_FILETYPE_PEM) != 1) {
        ERR_print_errors_fp(stderr);
        printf("Error loading private key from file\n");
    }

I'm passing into the PRIVKEY argument server.key? When I try to pass
"privkey.pem" that was generated it wants to know the "Enter PEM pass
phrase" which I entered. It then fails to load the private key from the
file.

Could somebody be so good as to enlighten me on this?

Thanks,
Garyc
Re: Generating a smime certificate
On Saturday 26 May 2007 21:38, Victor Duchovni wrote:
> On Sat, May 26, 2007 at 10:11:08PM +0200, Marek Marcola wrote:
> > $ openssl x509 -in cert.pem -text -noout
> > .
> > .
> > X509v3 extensions:
> >     X509v3 Basic Constraints:
> >         CA:FALSE
> >     X509v3 Key Usage:
> >         Digital Signature, Non Repudiation, Key Encipherment
> > .
>
> Perhaps a mini-ca will help. See "ca.sh", "cert.sh" and "openssl.cnf"
> used as follows:
[snip]

Thanks Victor,

Can you see anything amiss with my attached openssl.cnf?
-- 
Regards,
Mick

Attachment: openssl.cnf

    #
    # OpenSSL example configuration file.
    # This is mostly being used for generation of certificate requests.
    #

    # This definition stops the following lines choking if HOME isn't
    # defined.
    HOME            = .
    RANDFILE        = $ENV::HOME/.rnd

    # Extra OBJECT IDENTIFIER info:
    #oid_file       = $ENV::HOME/.oid
    oid_section     = new_oids

    # To use this configuration file with the "-extfile" option of the
    # "openssl x509" utility, name here the section containing the
    # X.509v3 extensions to use:
    # extensions    =
    # (Alternatively, use a configuration file that has only
    # X.509v3 extensions in its main [= default] section.)

    [ new_oids ]

    # We can add new OIDs in here for use by 'ca' and 'req'.
    # Add a simple OID like this:
    # testoid1=1.2.3.4
    # Or use config file substitution like this:
    # testoid2=${testoid1}.5.6

    [ ca ]
    default_ca      = CA_default            # The default ca section

    [ CA_default ]

    #dir            = ./demoCA              # Where everything is kept
    dir             = .
    certs           = $dir/certs            # Where the issued certs are kept
    crl_dir         = $dir/crl              # Where the issued crl are kept
    database        = $dir/index.txt        # database index file.
    #unique_subject = no                    # Set to 'no' to allow creation of
                                            # several certificates with same subject.
    new_certs_dir   = $dir/newcerts         # default place for new certs.

    certificate     = $dir/cacert.pem       # The CA certificate
    serial          = $dir/serial           # The current serial number
    crlnumber       = $dir/crlnumber        # the current crl number
                                            # must be commented out to leave a V1 CRL
    crl             = $dir/crl.pem          # The current CRL
    private_key     = $dir/private/cakey.pem # The private key
    RANDFILE        = $dir/private/.rand    # private random number file

    x509_extensions = usr_cert              # The extensions to add to the cert

    # Comment out the following two lines for the "traditional"
    # (and highly broken) format.
    name_opt        = ca_default            # Subject Name options
    cert_opt        = ca_default            # Certificate field options

    # Extension copying option: use with caution.
    # copy_extensions = copy

    # Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
    # so this is commented out by default to leave a V1 CRL.
    # crlnumber must also be commented out to leave a V1 CRL.
    # crl_extensions = crl_ext

    default_days    = 365                   # how long to certify for
    default_crl_days= 30                    # how long before next CRL
    default_md      = sha1                  # which md to use.
    preserve        = no                    # keep passed DN ordering

    # A few different ways of specifying how similar the request should look
    # For type CA, the listed attributes must be the same, and the optional
    # and supplied fields are just that :-)
    policy          = policy_match

    # For the CA policy
    [ policy_match ]
    countryName             = match
    stateOrProvinceName     = match
    organizationName        = match
    organizationalUnitName  = optional
    commonName              = supplied
    emailAddress            = optional

    # For the 'anything' policy
    # At this point in time, you must list all acceptable 'object'
    # types.
    [ policy_anything ]
    countryName             = optional
    stateOrProvinceName     = optional
    localityName            = optional
    organizationName        = optional
    organizationalUnitName  = optional
    commonName              = supplied
    emailAddress            = optional

    [ req ]
    default_bits            = 2048
    default_keyfile         = privkey.pem
    distinguished_name      = req_distinguished_name
    attributes              = req_attributes
    x509_extensions         = v3_ca         # The extensions to add to the self signed cert

    # Passwords for private keys if not present they will be prompted for
    # input_password = secret
    # output_password = secret

    # This sets a mask for permitted string types. There are several options.
    # default: PrintableString, T61String, BMPString.
    # pkix    : PrintableString, BMPString.
    # utf8only: only UTF8Strings.
    # nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
    # MASK: a literal mask value.
    # WARNING: current versions of Netscape crash on BMPStrings or UTF8Strings
    # so use this option with caution!
    string_mask = nombstr

    # req_extensions = v3_req # The extensions to add to a certificate request

    [ req_distinguished_name ]
    countryName                     = Country Name (2 letter code)
    countryName_default             = AU
    countryName_min                 = 2
    countryName_max                 = 2

    stateOrProvinceName             = State or Province Name (full name)
    stateOrProvinceName_default     = Some-State

    localityName                    = Locality Name (eg, city)

    0.organizationName              = Organization N
Re: Generating a smime certificate
On Saturday 26 May 2007 21:11, Marek Marcola wrote:
>
> Check that you really have proper extensions in certificate:
>
> $ openssl x509 -in cert.pem -text -noout
> .
> .
> X509v3 extensions:
>     X509v3 Basic Constraints:
>         CA:FALSE
>     X509v3 Key Usage:
>         Digital Signature, Non Repudiation, Key Encipherment
> .
> .

OK, I don't have any X509v3 extensions! Would these be created by
default? I haven't really altered my default openssl.cnf to any extent
and definitely not commented out any parts of it.
-- 
Regards,
Mick
Re: Generating a smime certificate
On Sat, May 26, 2007 at 10:11:08PM +0200, Marek Marcola wrote:
> $ openssl x509 -in cert.pem -text -noout
> .
> .
> X509v3 extensions:
>     X509v3 Basic Constraints:
>         CA:FALSE
>     X509v3 Key Usage:
>         Digital Signature, Non Repudiation, Key Encipherment
> .

Perhaps a mini-ca will help. See "ca.sh", "cert.sh" and "openssl.cnf"
used as follows:

    $ ./ca.sh rsa 2048
    Generating RSA private key, 2048 bit long modulus
    .+++
    +++
    e is 65537 (0x10001)
    Using configuration from ca.cnf
    Check that the request matches the signature
    Signature ok
    The Subject's Distinguished Name is as follows
    countryName           :PRINTABLE:'US'
    stateOrProvinceName   :PRINTABLE:'New York'
    localityName          :PRINTABLE:'New York'
    organizationName      :PRINTABLE:'Example Corp'
    commonName            :PRINTABLE:'Insecure CA'
    emailAddress          :IA5STRING:'[EMAIL PROTECTED]'
    Certificate is to be certified until May 26 20:22:33 2017 GMT (3653 days)

    Write out database with 1 new entries
    Data Base Updated

    $ ./cert.sh rsa 1024
    Generating RSA private key, 1024 bit long modulus
    ..++
    ..++
    e is 65537 (0x10001)
    Using configuration from ca.cnf
    DEBUG[load_index]: unique_subject = "no"
    Check that the request matches the signature
    Signature ok
    The Subject's Distinguished Name is as follows
    countryName           :PRINTABLE:'US'
    stateOrProvinceName   :PRINTABLE:'New York'
    localityName          :PRINTABLE:'New York'
    organizationName      :PRINTABLE:'Example Corp'
    organizationalUnitName:PRINTABLE:'Marketing Department'
    commonName            :PRINTABLE:'mktg.example.com'
    emailAddress          :IA5STRING:'[EMAIL PROTECTED]'
    Certificate is to be certified until May 25 20:22:59 2008 GMT (365 days)

    Write out database with 1 new entries
    Data Base Updated

To tweak the subject names of the CA and issued cert, edit the names at
the top of openssl.cnf:

    [ cert_distinguished_name ]
    countryName             = US
    stateOrProvinceName     = New York
    localityName            = New York
    organizationName        = Example Corp
    organizationalUnitName  = Marketing Department
    commonName              = mktg.example.com
    emailAddress            = [EMAIL PROTECTED]

    [ ca_distinguished_name ]
    countryName             = US
    stateOrProvinceName     = New York
    localityName            = New York
    organizationName        = Example Corp
    commonName              = Insecure CA
    emailAddress            = [EMAIL PROTECTED]

the rest should not need tweaks. The cert in myCA/rsacert.pem looks like
this:

    ...
    X509v3 extensions:
        X509v3 Basic Constraints: critical
            CA:FALSE
        X509v3 Key Usage:
            Digital Signature, Key Encipherment
        X509v3 Extended Key Usage:
            TLS Web Server Authentication, TLS Web Client Authentication
        X509v3 Subject Key Identifier:
            B1:54:85:D9:40:45:30:E1:E2:2C:9B:D8:BC:A8:93:EE:61:B8:19:A5
        X509v3 Authority Key Identifier:
            keyid:36:95:DB:50:85:3A:2F:1E:A8:34:EB:ED:C2:C6:34:F9:4B:38:28:8E
            DirName:/C=US/ST=New York/L=New York/O=Example Corp/CN=Insecure CA/[EMAIL PROTECTED]
            serial:EE:05:5D:8D:9F:D7:56:72
    ...

-- 
    Viktor.

Attachments: ca.sh (Bourne shell script), cert.sh (Bourne shell script),
newkey.sh (Bourne shell script), openssl.cnf:

    [ cert_distinguished_name ]
    countryName             = US
    stateOrProvinceName     = New York
    localityName            = New York
    organizationName        = Example Corp
    organizationalUnitName  = Marketing Department
    commonName              = mktg.example.com
    emailAddress            = [EMAIL PROTECTED]

    [ ca_distinguished_name ]
    countryName             = US
    stateOrProvinceName     = New York
    localityName            = New York
    organizationName        = Example Corp
    commonName              = Insecure CA
    emailAddress            = [EMAIL PROTECTED]

    [ ca ]
    default_ca              = req           # The default ca section

    [ policy_match ]
    countryName             = match
    stateOrProvinceName     = match
    localityName            = match
    organizationName        = match
    organizationalUnitName  = optional
    commonName              = supplied
    emailAddress            = optional

    [ ca_cert ]
    basicConstraints        = critical,CA:true
    subjectKeyIdentifier    = hash                          # this first
    authorityKeyIdentifier  = keyid:always, issuer:always   # and now this

    [ usr_cert ]
    basicConstraints        = critical,CA:false
    keyUsage                = digitalSignature, keyEncipherment
    extendedKeyUsage        = serverAuth, clien
Re: Generating a smime certificate
Hello,

> On Saturday 26 May 2007 19:55, Marek Marcola wrote:
> > Hello,
> >
> > Some mail systems (eg Lotus Notes) require proper extensions in
> > certificates. Certificates without these extensions are not
> > treated as candidates for signing/encryption.
> > With default configuration OpenSSL certificates
> > are created without extensions for signing and encryption.
> > To change this remove comment from line:
> > keyUsage = nonRepudiation, digitalSignature, keyEncipherment
> > from proper section of openssl.cnf file and generate
> > new certificate and check if this works.
>
> Thanks Marek,
>
> I uncommented the line from the section [ usr_cert ] and also checked that
> the same line was uncommented under the section [ v3_req ]. However, I am
> getting the same error. :(
>
> This is so frustrating.
>
> Anything else I could check?

Check that you really have proper extensions in certificate:

    $ openssl x509 -in cert.pem -text -noout
    .
    .
    X509v3 extensions:
        X509v3 Basic Constraints:
            CA:FALSE
        X509v3 Key Usage:
            Digital Signature, Non Repudiation, Key Encipherment
    .
    .

Best regards,
-- 
Marek Marcola <[EMAIL PROTECTED]>
Re: Generating a smime certificate
On Saturday 26 May 2007 19:55, Marek Marcola wrote:
> Hello,
>
> Some mail systems (eg Lotus Notes) require proper extensions in
> certificates. Certificates without these extensions are not
> treated as candidates for signing/encryption.
> With default configuration OpenSSL certificates
> are created without extensions for signing and encryption.
> To change this remove comment from line:
> keyUsage = nonRepudiation, digitalSignature, keyEncipherment
> from proper section of openssl.cnf file and generate
> new certificate and check if this works.

Thanks Marek,

I uncommented the line from the section [ usr_cert ] and also checked
that the same line was uncommented under the section [ v3_req ].
However, I am getting the same error. :(

This is so frustrating.

Anything else I could check?
-- 
Regards,
Mick
Re: Generating a smime certificate
Hello,

Some mail systems (eg Lotus Notes) require proper extensions in
certificates. Certificates without these extensions are not treated as
candidates for signing/encryption. With default configuration OpenSSL
certificates are created without extensions for signing and encryption.
To change this remove comment from line:

    keyUsage = nonRepudiation, digitalSignature, keyEncipherment

from proper section of openssl.cnf file and generate new certificate
and check if this works.

Best regards,
-- 
Marek Marcola <[EMAIL PROTECTED]>
Generating a smime certificate
Hi All,

I have been trying for some time now to generate a smime certificate
that works in Kmail. Unfortunately, when I import it it shows some kind
of error with certain extensions:

    =====
    keyType: 4096 bit RSA
    subjKeyId: [?]
    authKeyId: [?]
    keyUsage: [error: No value]
    extKeyUsage: [none]
    policies: [none]
    chainLength: [error: No value]
    crlDP: [error]
    authInfo: [error]
    subjInfo: [error]
    =====

As a result of the above I cannot set it to be used with the respective
email account in Kmail (I suspect that this is because of the keyUsage
error).

gpgsm -k shows:

    key usage: [error: No value]
    chain length: [error: No value]

When I look at the certificate that I used to generate the pkcs12
bundle, I see this:

    =====
    No Trusted Uses.
    No Rejected Uses.
    Certificate purposes:
    SSL client : Yes
    SSL client CA : No
    SSL server : Yes
    SSL server CA : No
    Netscape SSL server : Yes
    Netscape SSL server CA : No
    S/MIME signing : Yes
    S/MIME signing CA : No
    S/MIME encryption : Yes
    S/MIME encryption CA : No
    CRL signing : Yes
    CRL signing CA : No
    Any Purpose : Yes
    Any Purpose CA : Yes
    OCSP helper : Yes
    OCSP helper CA : No
    =====

Are keyUsage and -purpose two different things? Firefox does not seem to
have a problem with this pkcs12 file and it recognises all the 'use'
flags.

I am at a loss as to why this happens. Can you please suggest ways for
troubleshooting it?
-- 
Regards,
Mick
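Two questions in this archive have the same root cause: Garyc's server-certificate recipe ("openssl x509 -req ... -CA ... -CAkey ...") and Mick's S/MIME certificate both come out with no X509v3 extensions, because "openssl x509 -req" only adds extensions when told to with -extfile/-extensions, and the keyUsage line in openssl.cnf only matters to "openssl ca" or "req -x509". The script below is an added example, not Viktor's ca.sh/cert.sh and not code from anyone in the thread. It builds a throwaway CA, issues an end-entity certificate with an explicit extension file (an S/MIME profile with emailProtection, or a TLS server profile with serverAuth/clientAuth, going beyond the single case each poster asked about), and automates Marek's "check that you really have proper extensions" step. It assumes an openssl binary on PATH; the directory, file names, subject names and profile names are all this example's own choices. The key that goes with the issued certificate is $WORK/NAME.key, which is the file SSL_CTX_use_PrivateKey_file() should be given, rather than the CA's key.

```shell
#!/bin/sh
# Added example: mini-CA that issues end-entity certs WITH extensions and
# verifies them.  Not the thread's ca.sh/cert.sh.  Assumes `openssl` on PATH.
set -eu

WORK="${MINICA_DIR:-./minica-demo}"   # scratch directory (our own choice)

# Write an extension file for `openssl x509 -req -extfile`.  Without
# -extfile, `x509 -req` copies NO extensions from the request, which is
# exactly why the resulting cert shows "keyUsage: [error: No value]".
write_extfile() {
    profile="$1"; out="$2"
    case "$profile" in
        smime)  eku="emailProtection" ;;
        server) eku="serverAuth,clientAuth" ;;
        *) echo "unknown profile: $profile" >&2; return 1 ;;
    esac
    cat > "$out" <<EOF
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = $eku
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
EOF
}

# Self-signed CA.  -nodes leaves the demo CA key unencrypted so nothing
# prompts; a real CA key should of course carry a passphrase.
make_ca() {
    mkdir -p "$WORK"
    openssl req -new -x509 -nodes -newkey rsa:2048 -days 3650 \
        -subj "/C=US/ST=New York/O=Example Corp/CN=Insecure CA" \
        -keyout "$WORK/cakey.pem" -out "$WORK/cacert.pem" 2>/dev/null
}

# Issue a cert for PROFILE (smime | server | none) called NAME with subject
# SUBJ.  "none" reproduces the thread's symptom: no -extfile, no extensions.
# The matching private key is $WORK/NAME.key (what SSL_CTX_use_PrivateKey_file
# wants), NOT the CA's cakey.pem.
issue_cert() {
    profile="$1"; name="$2"; subj="$3"
    openssl genrsa -out "$WORK/$name.key" 2048 2>/dev/null
    openssl req -new -key "$WORK/$name.key" -subj "$subj" \
        -out "$WORK/$name.csr" 2>/dev/null
    set -- -req -in "$WORK/$name.csr" -CA "$WORK/cacert.pem" \
        -CAkey "$WORK/cakey.pem" -CAcreateserial -days 365 \
        -out "$WORK/$name.pem"
    if [ "$profile" != none ]; then
        write_extfile "$profile" "$WORK/$name.ext"
        set -- "$@" -extfile "$WORK/$name.ext"
    fi
    openssl x509 "$@" 2>/dev/null
}

# Marek's check, automated: return 0 only if Basic Constraints (CA:FALSE),
# Key Usage with both usages S/MIME needs, and Extended Key Usage are all
# present in `openssl x509 -text`; otherwise name the first missing item.
check_extensions() {
    text=$(openssl x509 -in "$1" -noout -text)
    for needle in "X509v3 Basic Constraints" "CA:FALSE" \
                  "X509v3 Key Usage" "Digital Signature" "Key Encipherment" \
                  "X509v3 Extended Key Usage"; do
        if ! printf '%s\n' "$text" | grep -q "$needle"; then
            echo "MISSING: $needle" >&2
            return 1
        fi
    done
    # Print just the extension block for eyeballing.
    printf '%s\n' "$text" | sed -n '/X509v3 extensions/,/Signature Algorithm/p'
}

# Stand-alone run:  sh minica.sh demo
if [ "${1:-}" = demo ]; then
    make_ca
    issue_cert smime mick "/C=US/O=Example Corp/CN=Mick/emailAddress=mick@example.com"
    check_extensions "$WORK/mick.pem" && echo "S/MIME extensions present"
    issue_cert none bare "/C=US/O=Example Corp/CN=bare"
    check_extensions "$WORK/bare.pem" || echo "bare cert: as in the thread, nothing there"
fi
```

Running "sh minica.sh demo" prints the extension block of the S/MIME cert and then the "MISSING: X509v3 Basic Constraints" line for the certificate issued without -extfile, which is the state Mick's gpgsm output describes. If you prefer to drive "openssl ca" instead of "x509 -req", the same extension file can be named in openssl.cnf via x509_extensions, which is what the keyUsage line Marek pointed at is for.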
Re: AW: Database file structure
Thank you Bernhard/Ted (?), that is exactly what I was looking for.

For everyone who wants to know the time format: start reading Bernhard's
link from behind.

Best regards
Dominic

Bernhard Froehlich wrote:
>
> Have a look at
> http://www.mail-archive.com/openssl-users@openssl.org/msg45982.html
>
> Ted
> ;)
>
> --
> PGP Public Key Information
> Download complete Key from http://www.convey.de/ted/tedkey_convey.asc
> Key fingerprint = 31B0 E029 BCF9 6605 DAC1 B2E1 0CC8 70F4 7AFB 8D26