Re: Certificate expiry alarms Reg.

2013-02-25 Thread Ashok C
Thanks a lot Jeff, The book is really very useful. On Sun, Feb 24, 2013 at 12:36 AM, Jeffrey Walton wrote: > On Fri, Feb 15, 2013 at 9:25 AM, Ashok C wrote: > > On Thu, Feb 14, 2013 at 5:31 PM, Jeffrey Walton > wrote: > >> On Thu, Feb 14, 2013 at 5:58 AM, Ashok C wrote:

Re: Certificate expiry alarms Reg.

2013-02-15 Thread Ashok C
Thanks Jeff, My response inline. On Thu, Feb 14, 2013 at 5:31 PM, Jeffrey Walton wrote: > On Thu, Feb 14, 2013 at 5:58 AM, Ashok C wrote: > > Hi, > > > > As part of implementing certificate expiry related alarms for my SSL > > application, I would kindly

Re: How to over-ride SSL_CTX_use_PrivateKey_file() behavior with custom engine

2012-12-05 Thread Ashok C
Thanks Steve and Kent for the pointers. Makes things clear for now. On Thu, Dec 6, 2012 at 4:22 AM, Dr. Stephen Henson wrote: > On Wed, Dec 05, 2012, Ashok C wrote: > > > Hi, > > > > Our current SSL server loads plain-text private keys using the > > SSL_CTX_use_Pr

Re: certificate validation issues with openssl 1.0.0 and expired certificates in cafile

2012-09-24 Thread Ashok C
going to do that, it is still > recommended that the CA follows the scenario 2 procedures, except > when it is a test CA for verifying handling of this scenario in > X.509 implementations. > > > On 9/24/2012 8:01 PM, Ashok C wrote: > >> Only the private and public

Re: certificate validation issues with openssl 1.0.0 and expired certificates in cafile

2012-09-24 Thread Ashok C
ose abbreviations. > > For the benefit of other readers: > > I think Ashok was referring to AuthorityKeyIdentifier and > SubjectKeyIdentifier fields being absent from the root > CA certificates in his scenario. > > On 9/24/2012 6:26 PM, Ashok C wrote: > >> Hi, >> &g

Re: certificate validation issues with openssl 1.0.0 and expired certificates in cafile

2012-09-24 Thread Ashok C
Hi, One more observation was made here in another test case. *Configuration:* One old root CA certificate oldca.pem with subject name say, C=IN One new root CA certificate newca.pem with same subject name. One EE certificate, ee.pem issued by new root CA. *Test case 1:* Using CAFile option in ope

Re: certificate validation issues with openssl 1.0.0 and expired certificates in cafile

2012-09-19 Thread Ashok C
Gentle reminder .. Just want to know if this is a bug or intended behaviour. -- Ashok On Fri, Sep 14, 2012 at 3:12 PM, Ashok C wrote: > Hi Etkal, > > >>s_client app or the OpenSSL cert store functionality that changed this. > The problem is with the openSSL store itself, as

Re: certificate validation issues with openssl 1.0.0 and expired certificates in cafile

2012-09-14 Thread Ashok C
certificates in cafile > > Would it make sense to delete the expired certificate from the Windows > store? Duplicate expired/non-expired CA certificates sounds to me like a > problem waiting to happen. > > Charles > > From:

Re: certificate validation issues with openssl 1.0.0 and expired certificates in cafile

2012-09-13 Thread Ashok C
Sending again as the previous email did not appear in list. Is there some problem with the mailing list? -- Ashok On Wed, Sep 12, 2012 at 2:59 PM, Ashok C wrote: > Hi, > > I don't think this question was answered. Could you please reply? > > -- > Ashok > > >

Re: certificate validation issues with openssl 1.0.0 and expired certificates in cafile

2012-09-12 Thread Ashok C
Hi, I don't think this question was answered. Could you please reply? -- Ashok On Tue, Jul 31, 2012 at 11:13 PM, Klaus Darilion < klaus.mailingli...@pernau.at> wrote: > Hi! > > I wrote a small program which dumps all root certificates from Windows > certificate store into a file. Then I use ope

Re: How to find correct issuer certificate in multi-level hierarchy?

2012-08-02 Thread Ashok C
ew behavior the intended behavior? Is it possible to have the old behavior also in new openssl versions? Thanks Klaus" Is this behaviour intended in openssl-1.0.0 ? -- Ashok On Fri, Aug 3, 2012 at 3:28 AM, Dr. Stephen Henson wrote: > On Thu, Aug 02, 2012, Ashok C wrote: > > > Hi, &

How to find correct issuer certificate in multi-level hierarchy?

2012-08-02 Thread Ashok C
Hi, Is there a way in which I can determine the correct issuer certificate of an issued certificate (either intermediate CA or end entity) based on comparing immediate pair alone. Eg: My hierarchy is like this: Root Intermediate CA 1 Intermediate CA 2 End entity Is it possible to determine that I

Re: [openssl] Forming the correct chain for an end entity certificate Reg.

2012-07-29 Thread Ashok C
hear they are not. Would you have some opinion/understanding regarding this? -- Ashok On Mon, Jul 30, 2012 at 8:17 AM, Dave Thompson wrote: > >From: Ashok C [mailto:ash@gmail.com] > >Sent: Saturday, 28 July, 2012 01:21 > > >Thanks Dave. But main use case for me is the tru

Re: [openssl] Forming the correct chain for an end entity certificate Reg.

2012-07-27 Thread Ashok C
ch cert they issue, i.e. they never need > to disambiguate using AKI/SKI. And some don't even *have* AKI/SKI. > > Good luck. > > -- > *From:* Ashok C [mailto:ash@gmail.com] > *Sent:* Thursday, 26 July, 2012 02:08 > *To:* Dave Thompson >

Re: Forming the correct chain for an end entity certificate Reg.

2012-07-24 Thread Ashok C
, 2012 at 2:09 PM, Ashok C wrote: > Hi, > > I read from the RFC5280 that AKI is mandatory for all certificates > generated by a conforming CA. > "The keyIdentifier field of the authorityKeyIdentifier extension MUST >be included in all certificates generated by conforming

Re: Forming the correct chain for an end entity certificate Reg.

2012-07-23 Thread Ashok C
if > it is present in the certificate otherwise it only depends on the subject > name and issuer name match. > > Of course, at the end you need to verify the signature. But thats not the > part of the certificate chain formation. > > > On Mon, Jul 23, 2012 at 10:06 AM, As

Re: Forming the correct chain for an end entity certificate Reg.

2012-07-23 Thread Ashok C
ing files from openssl source code. > > 1. ssl_cert.c (around line number 626) > 2. x509_vfy.c (around line number 153) > 3. v3_purp.c (around line number 700). > > good luck! > > On Mon, Jul 23, 2012 at 8:41 AM, Ashok C wrote: > >> Hi, >> >> I have a

Unique naming convention that can be used for certificates Reg.

2012-05-17 Thread Ashok C
Hi, What would be the unique names with which I can store CA certificates in file system? I understand that issuer-id and serial number are the unique identifiers for a certificate. But using this name for a certificate file name makes it very long and also introduces some characters like "@,=" et

Re: expired ssl certificate

2012-04-11 Thread Ashok C
Hi, I had almost the same requirement and eventually achieved it by patching my openssl package's x509_verify code to do the check_cert_time() method optionally depending on some conditions. Ideally I feel openSSL should provide a validation flag like X509_V_FLAG_IGNORE_LIFETIME which would hel

Re: Is CRL verification automatic in openSSL?

2012-03-29 Thread Ashok C
solved for now. If you guys have any comments on this, please let me know. Otherwise you can ignore the previous email. Regds, Ashok On Wed, Mar 28, 2012 at 10:08 PM, Ashok C wrote: > Hi, > > I am implementing CRL feature for my application and was doing a proof of > concept u

Is CRL verification automatic in openSSL?

2012-03-28 Thread Ashok C
Hi, I am implementing CRL feature for my application and was doing a proof of concept using openSSL. Here is what I did: 1. I used openssl commands to generate a v3 root CA certificate and also the corresponding server certificate. 2. Now I revoked the server certificate using openssl co

Re: Distinguishing a CA certificate from an end entity certificate Reg.

2012-02-23 Thread Ashok C
Thanks Jakob, We too have the use cases of those four certificates. Now what would be the best programmatic way to find out for sure if a given certificate is a CA certificate or not, be it a v3 or a v1. Regds, Ashok On Feb 24, 2012 12:51 AM, "Jakob Bohm" wrote: > On 2/23/2012 10

Distinguishing a CA certificate from an end entity certificate Reg.

2012-02-23 Thread Ashok C
Hi, What would be the most efficient and easiest way to distinguish a CA certificate from an actual server/client (end entity) certificate? We were thinking of identifying the CA with the "CA:TRUE" constraint from the text display, but again this check does not cover x509 v1 certificates where this

Support for certificates other than the X509 standard Reg.

2012-01-31 Thread Ashok C
Hi, I understand that X509 is the preferred ITU-T standard for PKI. But what would be the other certificate standards which are available and those which a PKI solution needs to support? First question would be whether there are any certificates which do not belong to the X509 standard? Also, what

Optional validation of time in OpenSSL Reg.

2012-01-12 Thread Ashok C
Hi, I see that the openSSL certificate verify utility uses the X509_verify_cert() in x509_vfy.c for certificate validation. Based on the manual pages for verify, I understand that the order for verification is as follows: 1. Firstly a certificate chain is built up starting from the supplied

Re: Question on OpenSSL encryption

2012-01-09 Thread Ashok C
On 09.01.2012 13:10, Ashok C wrote: > > Hi, >> >> In addition to the online material, are there any good books which we >> can refer to understand openSSL better? Both conceptually as well as >> from the API/code perspective. >> We hear of the "Network Secu

Re: Question on OpenSSL encryption

2012-01-09 Thread Ashok C
Hi, In addition to the online material, are there any good books which we can refer to understand openSSL better? Both conceptually as well as from the API/code perspective. We hear of the "Network Security with OpenSSL by John Viega" as one good reference. But it was published in 2002. Any good n

Re: Supporting oldwithold, newwithnew CA certificates Reg.

2011-12-27 Thread Ashok C
, Ashok On Tue, Dec 27, 2011 at 4:50 PM, Ashok C wrote: > Thanks Dave. > But regarding this: > > >>Important note: make sure the old and new root certs have different > names. (Same for intermediate CAs, which your example doesn't have.) > OpenSSL looks-up using Issuer

Re: Supporting oldwithold, newwithnew CA certificates Reg.

2011-12-27 Thread Ashok C
9 AM, Dave Thompson wrote: > > From: owner-openssl-us...@openssl.org On Behalf Of Ashok C > > Sent: Thursday, 22 December, 2011 10:55 > > > Another doubt I have is about the SSL_CTX_set_client_ca_list > > and the SSL_get_client_ca_list. > > >

Re: Supporting oldwithold, newwithnew CA certificates Reg.

2011-12-22 Thread Ashok C
, Dec 21, 2011 at 8:46 AM, Dave Thompson wrote: > > From: owner-openssl-us...@openssl.org On Behalf Of Ashok C > > Sent: Tuesday, 20 December, 2011 04:16 > > > What will be the recommendation from the open source community for > > supporting the following

Supporting oldwithold, newwithnew CA certificates Reg.

2011-12-20 Thread Ashok C
Hi, What will be the recommendation from the open source community for supporting the following scenario in a openSSL based client/server application: *The certificates involved:* old CA certificate of the CA authority(root) new CA certificate of the CA authority(root) Server's end entity certifi

Re: Usage of CAPath/CAFile options in int SSL_CTX_load_verify_locations Reg.

2011-12-02 Thread Ashok C
ng v3 certificates, the error did not appear again and my client-server app is working well with the multi-level configuration. Thanks a lot for your patient help in this regard. Regds, Ashok On Sat, Dec 3, 2011 at 4:17 AM, Dave Thompson wrote: > > From: Ashok C [mailto:ash@gmail

Re: Usage of CAPath/CAFile options in int SSL_CTX_load_verify_locations Reg.

2011-12-01 Thread Ashok C
locations in client side? Meaning, do we need to build the chain from client side explicitly by ourselves? Regds, Ashok On Fri, Dec 2, 2011 at 5:33 AM, Dave Thompson wrote: > > From: owner-openssl-us...@openssl.org On Behalf Of Ashok C > > Sent: Wednesday, 30 November

Re: Usage of CAPath/CAFile options in int SSL_CTX_load_verify_locations Reg.

2011-11-29 Thread Ashok C
orked for me >>in all versions I've used. What version(s) are you running, >>is it vanilla build or any mods/patches, and built how? We are running openssl-0.9.8g and 1.0.0d in normal x86/x86_64 environment with few CVE patches. On Tue, Nov 29, 2011 at 9:51 AM, Dave Thompson wrot

RE: Usage of CAPath/CAFile options in int SSL_CTX_load_verify_locations Reg.

2011-11-27 Thread Ashok C
the client? P.S. My previous query also is unanswered. It would be great if I get some responses to that also ;) Regds, Ashok -- Forwarded message -- From: Ashok C Date: Wed, Nov 23, 2011 at 12:55 PM Subject: Usage of CAPath/CAFile options in int SSL_CTX_load_verify_locations Reg

Usage of CAPath/CAFile options in int SSL_CTX_load_verify_locations Reg.

2011-11-22 Thread Ashok C
Hi, We are implementing multi-layer support for our openssl-based PKI solution and had the following query: Currently our PKI solution supports only single layer CA support and we use SSL_CTX_load_verify_locations API with the CAFile option, meaning that the service loads the CA certificate from

Optional Verification of Signature and Date..

2010-07-03 Thread Ashok C
Hi, I am a newbie user of openssl, and am using openssl C apis to verify certificates. Is there any way by which I can ignore the date verification and the signature verification? Thanks in advance. Regds, Ashok

Optional Verification of Signature and Date..

2010-06-25 Thread Ashok C
Hi, Does the openssl X509_verify certificate validation API support an argument that supports skipping of signature and date validation? Or is there any other way that I can achieve this optional verification. Please help me out in this regard. Regds, Ashok.

API to extract Subject/Issuer Name from X509 certificate

2010-06-22 Thread Ashok C
Hi, I was trying to find the correct API for extracting the subject/issuer name from an x509 certificate using openssl library, but was unable to find the exact one. It would be great if someone guides me regarding this. Thanks in Advance! Regds, Ashok