How to add Postal code to a certificate request

2002-04-02 Thread Chandu

Hi,
I have a doubt regarding the addition of postal code or PIN code or ZIP code
to the certificate request.

How do I add a postal code to a certificate request?  I tried to search for an
NID for the postal code but couldn't find one.

What is the way to add the postal code to a certificate request?

Regards
Suram

__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]



Re: create cert non interactively

2002-04-02 Thread Aleix Conchillo

On Tue, 2002-04-02 at 11:50, Sarath Chandra M wrote:
 Hi,
 Is there way to create certificates using openssl in a noninteractive
 mode ? All the required
 values (common name, email, organization, ou etc) will be captured using
 a unix shell script
 and passed to openssl commands.
 Is it possible. Any help will be highly appreciated.
  

i do it this way. there is probably a better one:

openssl req -new -key prikey.pem -out req.csr < info_file

where info_file is a generated file (in this case with your shell
script) and looks like this:

--
ES
Your state
Your city
Your organization
Your organizational unit
Your name
--

if you don't want to fill any of the fields just leave a blank line.

hope this helps.


best regards,

-- 
Aleix Conchillo Flaqué
http://www.scytl.com

 ---
  PGP Key: http://www.scytl.com/pgp-keys/AleixConchillo.asc
 ---




Re: How to add Postal code to a certificate request

2002-04-02 Thread Joern Sierwald

At 15:25 02.04.2002 +0530, you wrote:
Hi,
I have a doubt regarding the addition of postal code or PIN code or ZIP code
to the certificate request.

How do I add a postal code to a certificate request?  I tried to search for an
NID for the postal code but couldn't find one.

What is the way to add the postal code to a certificate request?

Regards
Suram


Put it in an OID 2.5.4.17, postal code.

The postal code should also go into line 5 of the postal address, OID 2.5.4.16.

Line 1 object's RDN
Line 2 Street address or PO box
Line 3 no default value
Line 4 Physical Delivery Office Name, State or province name
Line 5 Postal Code
Line 6 Country Name (from the DN)

See Recommendation F.401

Use google to search for 2.5.4.17 postal code

Jörn




OpenSSL + Java

2002-04-02 Thread Zamangoer, Ferruh

Hi all,

I'm writing an application in Java which allows the user to make a search
in an LDAP server. My problem is that I want to use a secure network connection
to communicate between the application and the LDAP server. I have installed
openssl, but I have not found an easy manual which describes what I have to
edit in the openssl.conf.
Can anybody help me?

thanks in advance for any help  

Ferruh



Re: create cert non interactively

2002-04-02 Thread Chris Cleeland

On 2 Apr 2002, Aleix Conchillo wrote:

 On Tue, 2002-04-02 at 11:50, Sarath Chandra M wrote:
  Hi,
  Is there way to create certificates using openssl in a noninteractive
  mode ? All the required
  values (common name, email, organization, ou etc) will be captured using
  a unix shell script
  and passed to openssl commands.
  Is it possible. Any help will be highly appreciated.
 

 i do it this way. there is probably a better one:

 openssl req -new -key prikey.pem -out req.csr < info_file

 where info_file is a generated file (in this case with your shell
 script) and looks like this:

 --
 ES
 Your state
 Your city
 Your organization
 Your organizational unit
 Your name
 --

 if you don't want to fill any of the fields just leave a blank line.

You can also just modify the .conf file to not prompt, e.g., I have something
like this in a customized version of openssl.conf

[req]
...
prompt = no
...

[req_distinguished_name]
countryName = US
stateOrProvinceName = Missouri
localityName= STL
organizationName= FOO
organizationalUnitName  = BAR
commonName  = $ENV::cert_owner
emailAddress= $ENV::MAILADDR


This way I'm not prompted.  commonName and emailAddress take their values
from the environment variables cert_owner and MAILADDR, respectively.

If your CA private key has a passphrase, you can also use the -passin option
to provide the passphrase via a multitude of ways.

-cj

PS  BTW, I cobbled together this knowledge from docs/openssl.txt and the
various manpages (req, x509, etc.)

-- 
  Chris Cleeland, cleeland_c @ ociweb.com, http://www.milodesigns.com/~chris
 Principal Software Engineer, Object Computing, Inc., +1 314 579 0066
  Support Me Supporting Cancer Survivors in Ride for the Roses 2002
Donate at http://www.milodesigns.com/donate

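Putting the two replies together, here is an added example of my own (not Chris's or Aleix's script) that generates a CSR with no prompting through a `prompt = no` config, takes commonName and emailAddress from the environment the way Chris's config does, and also carries the postalCode attribute (OID 2.5.4.17) that Jörn points to in the other thread: current OpenSSL releases know that OID under the name postalCode, so it can be listed like any other DN field. The subject values, directory layout and the CERT_OWNER/MAILADDR variable names are assumptions. `openssl req` also accepts `-batch` (the same idea as `ca -batch`) and `-subj` for callers that would rather not write a config file at all.

```shell
#!/bin/sh
# Added example (not from the thread): non-interactive CSR generation with prompt = no,
# plus a postalCode (OID 2.5.4.17) attribute in the subject. All values are constructed.
set -eu

# Values the config pulls from the environment via $ENV::...; defaults so the script
# also runs stand-alone. The variable names are assumptions, not from the thread.
: "${CERT_OWNER:=Suram}"
: "${MAILADDR:=suram@example.test}"
export CERT_OWNER MAILADDR

# Writes the request config into directory $1 and prints its path.
write_req_config() {
  mkdir -p "$1"
  cat > "$1/req.cnf" <<'EOF'
[req]
distinguished_name = req_distinguished_name
prompt = no

[req_distinguished_name]
countryName            = IN
stateOrProvinceName    = Telangana
localityName           = Hyderabad
postalCode             = 500001
organizationName       = Example Org
organizationalUnitName = Ops
commonName             = $ENV::CERT_OWNER
emailAddress           = $ENV::MAILADDR
EOF
  printf '%s\n' "$1/req.cnf"
}

# Generates a key and a CSR in directory $1 without any prompt; prints the CSR path.
make_csr() {
  cnf=$(write_req_config "$1")
  openssl genrsa -out "$1/prikey.pem" 2048 2>/dev/null
  openssl req -new -batch -config "$cnf" -key "$1/prikey.pem" -out "$1/req.csr"
  printf '%s\n' "$1/req.csr"
}

# Prints the subject of CSR $1, so the postalCode entry can be checked.
csr_subject() {
  openssl req -noout -subject -in "$1"
}

# Checks the CSR's self-signature; returns openssl's exit status.
csr_verify() {
  openssl req -noout -verify -in "$1" >/dev/null 2>&1
}

work=$(mktemp -d)
csr=$(make_csr "$work")
csr_subject "$csr"
csr_verify "$csr" && echo "CSR self-signature OK"
```

Run it with CERT_OWNER and MAILADDR set, or accept the defaults; `csr_subject` prints the subject so the postalCode entry is visible, and `csr_verify` checks the request's signature with the key it was made with.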



Re: create cert non interactively

2002-04-02 Thread Aleix Conchillo

On Tue, 2002-04-02 at 17:34, Chris Cleeland wrote:
 
 You can also just modify the .conf file to not prompt, e.g., I have something
 like this in a customized version of openssl.conf
 
[snip]

this way is just better :-)

-- 
Aleix Conchillo Flaqué
http://www.scytl.com

 ---
  PGP Key: http://www.scytl.com/pgp-keys/AleixConchillo.asc
 ---




FW: create cert non interactively

2002-04-02 Thread Sarath Chandra M

Dear friends, thanks a lot for the help.
I am doing it this way.
A shell script to accept values for each attribute and put these in an
info.inf file.
Then do this:
openssl req -new -key prikey.pem -out req.csr < info.inf

thanx again.
sarath



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of Aleix Conchillo
Sent: Tuesday, April 02, 2002 2:05 PM
To: [EMAIL PROTECTED]
Subject: Re: create cert non interactively


On Tue, 2002-04-02 at 11:50, Sarath Chandra M wrote:
 Hi,
 Is there way to create certificates using openssl in a noninteractive 
 mode ? All the required values (common name, email, organization, ou 
 etc) will be captured using a unix shell script
 and passed to openssl commands.
 Is it possible. Any help will be highly appreciated.
  

i do it this way. there is probably a better one:

openssl req -new -key prikey.pem -out req.csr < info_file

where info_file is a generated file (in this case with your shell
script) and looks like this:

--
ES
Your state
Your city
Your organization
Your organizational unit
Your name
--

if you don't want to fill any of the fields just leave a blank line.

hope this helps.


best regards,

-- 
Aleix Conchillo Flaqué
http://www.scytl.com

 ---
  PGP Key: http://www.scytl.com/pgp-keys/AleixConchillo.asc
 ---




Re: create cert non interactively

2002-04-02 Thread dreamwvr

On Tue, Apr 02, 2002 at 01:50:51PM +0400, Sarath Chandra M wrote:
 Hi,
 Is there way to create certificates using openssl in a noninteractive
 mode ? All the required
 values (common name, email, organization, ou etc) will be captured using
 a unix shell script
 and passed to openssl commands.
 Is it possible. Any help will be highly appreciated.
   Yes this is standard fare.. You take input   filter 
redirect to another program.. wait for success and 
   then return.. Hope that helps.

Best Regards,
[EMAIL PROTECTED] 

-- 
/*  Security is a work in progress - dreamwvr */
# 
# Note: To begin Journey type man afterboot,man help,man hier[.]  
# 
// Who's Afraid of Schrodinger's Cat? /var/(.)?mail/me \?  ;-]




Re: SSL crashing due to ssl->s3 NULL pointer

2002-04-02 Thread Lutz Jaenicke

On Mon, Apr 01, 2002 at 01:30:31PM -0500, Brad Barfield wrote:
 OpenSSL version: 0.9.6c
 OS: Linux 2.4.7-10
 EGCS-2.91.66
 
 I am seeing a crash in my SSL client application where the ssl->s3
 member is NULL. from my limited understanding of the code, this
 should never happen at the point that I'm seeing it.  Below is the gdb
 output from two different crashes:
 
 ===
 crash #1:
 ===
 (gdb) where
 #0  0x08062e09 in ssl3_get_message (s=0x836d650, st1=4384, stn=4385,
 mt=2,
 max=300, ok=0xb358) at s3_both.c:344
 #1  0x0805aa53 in ssl3_get_server_hello (s=0x836d650) at s3_clnt.c:549
 #2  0x08059efb in ssl3_connect (s=0x836d650) at s3_clnt.c:200
 #3  0x08067bfb in SSL_connect (s=0x836d650) at ssl_lib.c:720
 #4  0x0804fd56 in ssl_write (i=46) at ssl.c:758
 #5  0x0804d126 in main_loop () at main.c:624
 #6  0x0804e647 in main (argc=11, argv=0xb9a4) at main.c:1273
 #7  0x40068507 in __libc_start_main (main=0x804dc08 main, argc=11,
 ubp_av=0xb9a4, init=0x804b3cc _init, fini=0x80e3700 _fini,
 rtld_fini=0x4000dc14 _dl_fini, stack_end=0xb99c)
 at ../sysdeps/generic/libc-start.c:129
 
 (gdb) p s->s3
 $1 = (struct ssl3_state_st *) 0x0

I had a look into the SSL code and I could not find a reason why
s->s3 should become NULL. It is initialized in SSL_new() and destroyed
in SSL_free(). The only additional idea I have would be that there
may be an overflow somewhere that is overwriting part of SSL *s, so
that s->s3 becomes invalid.
If this problem could be reproduced easily, I would recommend running
with efence enabled, but this is out of the question for a long running process,
as it manages to consume large amounts of system resources.
You may consider querying s->s3 for being non-NULL before calling
SSL_connect(). If it is NULL, the bug has appeared.

 ===
 crash #2:
 ===
 (gdb) where
 #0  0x08062e09 in ssl3_get_finished (s=0x836d650, a=4384, b=4385)
 at s3_both.c:220
 #1  0x0805aa53 in ssl3_connect (s=0x836d650) at s3_clnt.c:418
 #2  0x08059efb in ssl3_connect (s=0x836d650) at s3_clnt.c:114
 #3  0x08067bfb in SSL_pending (s=0x836d650) at ssl_lib.c:596
 #4  0x0804fd56 in ssl_read (i=46) at ssl.c:738
 #5  0x0804d126 in main_loop () at main.c:628
 #6  0x0804e647 in main (argc=11, argv=0xb9a4) at main.c:1278
 
 (gdb) p s->s3
 $1 = (struct ssl3_state_st *) 0x0

Here it is even more critical, as it means that s->s3 must have changed
between operations.

   handshake_func = 0x80599f0 <do_ssl_write+608>, server = 0, new_session
^ ??

From the backtrace it also seems that you are either using implicit
negotiation (by calling SSL_pending()), or that a renegotiation is
taking place. Maybe this can give additional hints for tracking the
problem down.

Best regards,
Lutz
-- 
Lutz Jaenicke [EMAIL PROTECTED]
http://www.aet.TU-Cottbus.DE/personen/jaenicke/
BTU Cottbus, Allgemeine Elektrotechnik
Universitaetsplatz 3-4, D-03044 Cottbus



RSA_NO_PADDING

2002-04-02 Thread Ryan Jarvis

Is it possible to use RSA_NO_PADDING when calling RSA_public_encrypt?

I get a -1 returned from the RSA_public_encrypt() function?

Thanks
Ryan



Re: create cert non interactively

2002-04-02 Thread Michael Bell

Sarath Chandra M wrote:

 Hi,

 Is there way to create certificates using openssl in a noninteractive 
 mode ? All the required

 values (common name, email, organization, ou etc) will be captured 
 using a unix shell script

 and passed to openssl commands.

 Is it possible. Any help will be highly appreciated.

openssl ca has an option -batch for exactly this reason.

Best Regards,

Michael
-- 
---
Michael Bell   Email (private): [EMAIL PROTECTED]
Rechenzentrum - Datacenter Email:  [EMAIL PROTECTED]
Humboldt-University of Berlin  Tel.: +49 (0)30-2093 2482
Unter den Linden 6 Fax:  +49 (0)30-2093 2959
10099 Berlin
Germany   http://www.openca.org





Help with Digital Signatures

2002-04-02 Thread Tom Reader

Hello,

I have some general questions concerning digital signatures.

Firstly, sorry if my questions are vague - I'm giving all the information I 
have myself - the reason that I'm having a problem may be partly because 
the request I have is itself too vague!

I'm trying to communicate with a 3rd-party piece of software, which 
sends/receives its documents digitally signed.  According to the developers 
of that software, it signs data using PKCS#7 and SHA-1.

In short, I am trying to both sign a data file using that combination of 
protocols, and in reverse, verify the signature of the incoming data.

We already use Open-SSL for the HTTPS connection, and I already have a 
public/private key pair, and access to the remote party's public key.

 From what I can see, Open-SSL supports both PKCS#7 and SHA-1.  Using SHA-1 
alone, I have been able to sign data, and verify my own signed data.

My questions are (again, sorry if they're a bit hazy):

- Is it possible to sign data using PKCS#7 - I thought PKCS#7 was more a 
general syntax than an algorithm.
- What steps do I go through to sign a file using PKCS#7 and SHA-1 (SHA-1 
on its own I am already clear on - it's PKCS#7 that is causing confusion!).
- Is there a good resource (like a tutorial) where I can find out how to do 
this using Open-SSL?
- My file could be any data on the UNIX filesystem - in other words, it is 
not in PKCS#7 syntax.  How do I encapsulate the file using PKCS#7, then 
digitally sign it?

Any information (whether it be general guidance, or step-by-step commands!) 
would be really appreciated.

Thanks in advance.

Tom Reader



Re: Can an OPenSSL cert, be used to run an https server on a Windows IIS 5 on Win2K platform?

2002-04-02 Thread cch



Yes, all you have to do is generate a certificate
request using the IIS management console, create your own CA using OpenSSL,
sign the key in the request using the CA's key, generating a certificate,
install the certificate into IIS through the management console, build up some test
pages and configure it to be SSL enabled, then you should have an up-and-running
IIS with SSL enabled. Not many things to do, though :)

Loren

  - Original Message - 
  From: 
  Martyn [EMAIL PROTECTED] 
  To: [EMAIL PROTECTED] 
  Sent: Tuesday, April 02, 2002 4:09 
AM
  Subject: Can an OPenSSL cert, be used to 
  run an https server on a Windows IIS 5 on Win2K platform?
  
  I would like to do some testing with HTTPS on the 
  above platform. Can the Openssl system be used with IIS 5 on win 
  2K?
  
  
  Thanks
  Martyn


create cert non interactively

2002-04-02 Thread Sarath Chandra M



Hi,
Is there way to create certificates using 
openssl in a noninteractive mode ? All the required
values (common name, email, organization, ou 
etc) will be captured using a unix shell script
and passed to openssl commands.
Is it possible. Any help will be highly 
appreciated.

regards
sarath





Limiting key size

2002-04-02 Thread Baber Amin

Did I miss the reply on this one.  Can anybody shed some light on this?

--- original mail follows ---

Hi folks, how can one limit and enforce the key size that can be
generated and used by openSSL and related utilities.  The enforcement
has to happen on multiple levels,

1.  At generation.
2.  Loading keys into the context.

I am presuming that the ciphers can be limited to a lower or higher
strength by using the cipher call in openSSL.

Thanks
Baber 
:)



Re: SSL crashing due to ssl->s3 NULL pointer

2002-04-02 Thread Brad Barfield

Lutz,

thanks for the input.  I did exactly as you suggested: made a simple macro
to check s->s3 for the NULL condition and log the event, and try to recover the
session gracefully.  It is possible that this is happening during a
renegotiation.  I also considered that *s could be getting stepped on by a
rogue ptr somewhere, but I think it is awfully strange that *s appears to be
perfectly valid except for the s3 member.  Thanks for the ideas.

--
brad





Re: SSL_CTX_use_PrivateKey_file()

2002-04-02 Thread Ales Privetivy

Try

/* set callback for passphrases on private key files */
SSL_CTX_set_default_passwd_cb( context, pem_passwd_cb);

before calling SSL_CTX_use_PrivateKey_file(), where pem_passwd_cb could
be for non-crypted private key files 

/* callback for private key files passphrase */
static int pem_passwd_cb(char *buf, int size, int rwflag, void *password)
{
    /* return 0 = no passphrase available; an unencrypted key file never
     * triggers this callback, so nothing is copied into buf */
    return 0;
}

Ales Privetivy

 Hi,
 
 can somebody help me out.
 
 when i use the  SSL_CTX_use_PrivateKey_file() function in my client and server 
program,
  both the server and client program ask on the command prompt to
 Enter PEM pass phrase:
 
 I dont want the user to enter the pass phrase , how to avoid this situation. Is 
there anyway ? 
 
 biswaksen
 
 



Fw: Check certificate

2002-04-02 Thread Oscar





  
  

  Hello. I have got two problems.
  I want to check the signature of a certificate in PEM format but
  using the function library.
  I want to create a C function that checks date and signature and I
  don't know how to do it.
   Some idea?
   Thanks,

  Oscar


Re: Unknown CA

2002-04-02 Thread Lutz Jaenicke

On Mon, Apr 01, 2002 at 08:21:28AM +0530, amit limaye wrote:
 CONNECTED(0003)
 SSL_connect:SSLv3 write client key exchange A
 SSL_connect:SSLv3 write certificate verify A
 SSL_connect:SSLv3 write change cipher spec A
 SSL_connect:SSLv3 write finished A
 SSL_connect:SSLv3 flush data
 SSL3 alert read:fatal:unknown CA
 SSL_connect:failed in SSLv3 read finished A
 15001:error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca:s3_pkt.
 c:985:SSL alert number 48
 15001:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:22
 6:

Here you are informed that the server is unhappy with the certificate
supplied. The server sent an alert.

 while on the server i get this 
 
 SSL_accept:before/accept initialization
 SSL_accept:SSLv3 read client hello A
 SSL_accept:SSLv3 write server hello A
 SSL_accept:SSLv3 write certificate A
 SSL_accept:SSLv3 write certificate request A
 SSL_accept:SSLv3 flush data

Here the server should point out what is going wrong. This logfile
is incomplete.

Best regards,
Lutz
-- 
Lutz Jaenicke [EMAIL PROTECTED]
http://www.aet.TU-Cottbus.DE/personen/jaenicke/
BTU Cottbus, Allgemeine Elektrotechnik
Universitaetsplatz 3-4, D-03044 Cottbus



Re: SSL_get_verify_result(ssl)

2002-04-02 Thread Lutz Jaenicke

On Fri, Mar 29, 2002 at 08:14:19PM +0530, biswaksen wrote:
 I have written a client/server code using openssl. 
 
 when i am verifying the server certificate on the client side and  also the client 
certificate on the server side the  verification fails.
 
 On the client side ,
 SSL_get_verify_result(ssl) returns code 18.
 which is :
  18 X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT: self signed
certificate

 
 i have the server certificate on the client side and i am  using this function in my 
client code. 
 
 if (SSL_CTX_load_verify_locations(ctx, CERTF, HOME) <= 0) {
     ERR_print_errors_fp(stderr);
     exit(3);
 }
 
 where CERTF is server certificate and HOME is the certificate path.
 
 i have used verify  command to check the server certificate which the server is 
sending to the client and the certificate the client is having on its side. this 
command gives OK.
 
 then i dont know where is the problem. Please tell me why it fails.

It should work in the way described. Please make sure that you are building
against a recent version of the OpenSSL library, as the option to supply
self signed certificates in the CAfile has only been added recently.
Please also check whether the certificate is correctly loaded from
CERTF. HOME is not needed when the certificate in question is already
contained in CERTF. Put only the cert in question into CERTF and set
the CApath argument to NULL for testing.

Best regards,
Lutz
-- 
Lutz Jaenicke [EMAIL PROTECTED]
http://www.aet.TU-Cottbus.DE/personen/jaenicke/
BTU Cottbus, Allgemeine Elektrotechnik
Universitaetsplatz 3-4, D-03044 Cottbus



Re: RSA_NO_PADDING

2002-04-02 Thread Gregory Stark

Ryan,

-1 doesn't tell us much, does it? Try printing out the error stack with
ERR_print_errors_fp(stdout)
(http://www.openssl.org/docs/crypto/ERR_print_errors.html#). Are you careful
to ensure that the integer pointed to by *from is < your modulus?


Thanks,
==
Greg Stark
[EMAIL PROTECTED]
==


- Original Message -
From: Ryan Jarvis [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, April 02, 2002 10:35 AM
Subject: RSA_NO_PADDING


 IS it possible to use RSA_NO_PADDING when calling RSA_public_encrypt?

 I get a -1 returned from the RSA_public_encrypt() function?

 Thanks
 Ryan


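The checks Greg hints at, shown with the command-line tool rather than the C API, as an added example that is not part of Greg's or Ryan's messages: `openssl pkeyutl` with `-pkeyopt rsa_padding_mode:none` performs the same raw RSA operation as RSA_public_encrypt() with RSA_NO_PADDING, so its exit status shows which inputs are rejected (those are the cases in which the C call returns -1 and the error stack explains why). The key pair and the three input files are constructed here. The last function shows why raw RSA is only a building block: without padding the same plaintext always yields the same ciphertext, which OAEP avoids.

```shell
#!/bin/sh
# Added example, not from the thread: the input rules RSA_public_encrypt() enforces for
# RSA_NO_PADDING, exercised through openssl pkeyutl. Key and inputs are constructed.
set -eu

# Makes a 2048-bit test key pair in directory $1 and prints the public key path.
make_test_keypair() {
  mkdir -p "$1"
  openssl genrsa -out "$1/priv.pem" 2048 2>/dev/null
  openssl rsa -in "$1/priv.pem" -pubout -out "$1/pub.pem" 2>/dev/null
  printf '%s\n' "$1/pub.pem"
}

# Raw RSA with public key $1: input $2 must be exactly RSA_size() bytes (256 here) and,
# read as a big-endian integer, smaller than the modulus; otherwise openssl fails, which
# is the case where the C call returns -1. Output goes to $3.
raw_encrypt() {
  openssl pkeyutl -encrypt -pubin -inkey "$1" -in "$2" -out "$3" \
    -pkeyopt rsa_padding_mode:none 2>/dev/null
}

# The same operation with OAEP padding, which is what application code should use.
oaep_encrypt() {
  openssl pkeyutl -encrypt -pubin -inkey "$1" -in "$2" -out "$3" \
    -pkeyopt rsa_padding_mode:oaep 2>/dev/null
}

# Writes three constructed inputs into directory $1:
#   ok.bin    256 bytes starting with zeros, so its value is below any 2048-bit modulus
#   short.bin 5 bytes, the wrong length for the no-padding mode
#   big.bin   256 bytes of 0xff, the right length but numerically >= the modulus
make_inputs() {
  { dd if=/dev/zero bs=240 count=1 2>/dev/null; printf '%s' 'hello, sixteen b'; } > "$1/ok.bin"
  printf 'hello' > "$1/short.bin"
  dd if=/dev/zero bs=256 count=1 2>/dev/null | tr '\0' '\377' > "$1/big.bin"
}

# Returns 0 when encrypting $3 twice with function $1 and key $2 gives identical bytes.
deterministic() {
  "$1" "$2" "$3" "$4/c1.bin" && "$1" "$2" "$3" "$4/c2.bin" && cmp -s "$4/c1.bin" "$4/c2.bin"
}

demo() {
  d=$(mktemp -d)
  pub=$(make_test_keypair "$d")
  make_inputs "$d"
  raw_encrypt "$pub" "$d/ok.bin" "$d/c.bin" && echo "raw: 256-byte input below the modulus: accepted"
  raw_encrypt "$pub" "$d/short.bin" "$d/c.bin" || echo "raw: 5-byte input: rejected (the C call returns -1)"
  raw_encrypt "$pub" "$d/big.bin" "$d/c.bin" || echo "raw: 256 x 0xff, value >= modulus: rejected"
  deterministic raw_encrypt "$pub" "$d/ok.bin" "$d" && echo "raw: same plaintext gives the same ciphertext every time"
  deterministic oaep_encrypt "$pub" "$d/short.bin" "$d" || echo "oaep: same plaintext gives a different ciphertext each time"
}
demo
```

The two rejections map onto the two checks inside the library: the length check (data too small or too large for the key size) and the comparison against the modulus (data too large for modulus); `ERR_print_errors_fp` names whichever one fired.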



AES - Rijndael

2002-04-02 Thread Christian Gabriel Charette

Hello anybody!
I'm starting to test OpenSSL and I'd like to know if it supports AES (Rijndael) encryption
and how to implement it.
Besides, I'd like to hear your opinions about stress tests and other benchmarks like this.
Thanks in advance, and sorry for my English!

Christian.





certificate creation example

2002-04-02 Thread Howard Chan



Hello OpenSSL experts,

I've been experimenting, or more like playing around, with OpenSSL on Linux.
This is what I'm trying to do with OpenSSL:

1. create a self-signed root CA certificate
2. create a private key and then a certificate request
3. use the root CA cert to sign the certificate request, thereby making a
   user certificate
4. finally, I want to verify the cert (i.e. verify -CApath ___ newcert.pem)

I'm no expert at this, but this is what I did (so far):

1. I used 'openssl req -x509 -newkey rsa:1024 -keyout key.pem -out req.pem'
   for Step 1 above.
2. I used 'openssl req -new -key privkey.pem -out cert.csr' for Step 2 above.

For Step 3 above, I tried using the 'ca' command but it always returned an
error (which is attached), saying that it could not find files in the ./demoCA
directory. So I created a /demoCA directory on my machine containing the CA
cert and its private key and the serial and index files. But still, when I
ran the 'ca' command the same error occurs.

I know there's a CA.pl program which I can utilize to do the cert
creation...but how do I use that? Do I need to compile it or anything before
I can use that program? I'm not sure.

So I don't know what to do for Step 3 (sign a cert request with the CA root
cert). I'm out of ideas.

Please enlighten me with some ideas, or correct my errors if you could.

Thanks a lot.

Best regards,

H. Chan

Using configuration from /usr/share/ssl/openssl.cnf
./demoCA/private/cakey.pem: No such file or directory
trying to load CA private key
7740:error:02001002:system library:fopen:No such file or 
directory:bss_file.c:245:fopen('./demoCA/private/cakey.pem','r')
7740:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:247:
error in ca




Re: certificate creation example

2002-04-02 Thread Aleksey Sanin



I hope this will help. All keys are saved w/o passphrase. Probably you 
do not want to do it in production.

Aleksey Sanin.
http://www.aleksey.com/xmlsec

---
A. Create new CA
  CA.pl -newca
  cp ./demoCA/cacert.pem .
  cp ./demoCA/private/cakey.pem .
  openssl x509 -text -in cacert.pem

B. Generate RSA key and second level CA
  openssl genrsa -out ca2key.pem
  openssl req -new -key ca2key.pem -out ca2req.pem
  openssl ca -cert cacert.pem -keyfile cakey.pem \
 -out ca2cert.pem -infiles ca2req.pem
  openssl verify -CAfile cacert.pem ca2cert.pem

C. Sign DSA key with second level CA
  openssl req -new -key dsakey.pem -out dsareq.pem
  openssl ca -cert ca2cert.pem -keyfile ca2key.pem \
 -out dsacert.pem -infiles dsareq.pem
  openssl verify -CAfile cacert.pem -untrusted ca2cert.pem dsacert.pem

D. Sign RSA key with second level CA
  openssl req -new -key rsakey.pem -out rsareq.pem
  openssl ca -cert ca2cert.pem -keyfile ca2key.pem \
 -out rsacert.pem -infiles rsareq.pem
  openssl verify -CAfile cacert.pem -untrusted ca2cert.pem rsacert.pem


Howard Chan wrote:
  
  
  Hello OpenSSL experts,
  
  I've been experimenting, or more like
playing  around, with Openssl on Linux. This is what I'm trying to do with
OpenSSL  :
  
create a self-signed root CAcertificate
create a private key and then a certificate
   request
use the root CA cert to sign the certificate
   request, thereby making a user certificate
finally, I want to verify the cert(ie.
verify-CApath ___ newcert.pem)
  
  I'm no expert at this, but this is what
I did (so  far):
  
I used 'openssl req -x509 -newkey rsa:1024
-keyoutkey.pem -out req.pem' for Step 1 above.
I used 'openssl req -new -key privkey.pem
-outcert.csr' for Step 2 above.
  
  For Step 3 above, I triedusing the 'ca'
 command but always returned an error (which is attached), saying that it
could  not find files in the ./demoCA directory. So I created a /demoCA
directory  on my machine containing the CA cert and it's private key and
the serial and  index files. But still, when I ran the 'ca' command the
same error  occurs.
  
  I know there's a CA.pl programwhich
I can  utilize to do the cert creation...but how do I use that? Do I need
to  compile it or anything before I can use that program? I'm not  sure.
  
  So I don't know what to do for Step 3
(sign a cert  request with the CA root cert). I'm out of ideas.
  
  Please enlighten me with some ideas, or
correct my  errors if you could.
  
  Thanks alot.
  
  Best regards,
  
  H. Chan
  Using configuration from /usr/share/ssl/openssl.cnf
  ./demoCA/private/cakey.pem: No such file or directory
  trying to load CA private key
  7740:error:02001002:system library:fopen:No such file or directory:bss_file.c:245:fopen('./demoCA/private/cakey.pem','r')
  7740:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:247:
  error in ca
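For Howard's steps 1 to 4 and Aleksey's A to D in one runnable script, here is an added example of mine (not the commands from either message). It signs the request with `openssl x509 -req -CA ... -CAkey ...`, which needs none of the demoCA/ directory, index or serial files that `openssl ca` insists on, and then runs the three `openssl verify` outcomes that come up elsewhere in this digest: a good chain; a self-signed certificate checked without a trust anchor (error 18, the code biswaksen reports, cleared by naming the certificate itself as the CAfile, as Lutz suggests); and a certificate checked against the wrong CA (error 20, the command-line counterpart of the "unknown CA" alert in amit limaye's s_client output). Directory names, subjects and extension choices are my assumptions; the root CA extensions are set in an explicit config so the result does not depend on the system openssl.cnf.

```shell
#!/bin/sh
# Added example, not the commands from Howard's or Aleksey's messages: root CA, CSR,
# signing with openssl x509 -req (no demoCA/ tree, index or serial file needed), then the
# verification outcomes discussed in this digest. All names and paths are constructed.
set -eu

# Creates a self-signed root CA named $2 in directory $1; prints the CA certificate path.
# The CA extensions are given in an explicit config so the result does not depend on the
# x509_extensions section of the system openssl.cnf.
make_root_ca() {
  mkdir -p "$1"
  cat > "$1/ca.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
x509_extensions = v3_ca

[dn]
O = Example
CN = $2

[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
  openssl genrsa -out "$1/cakey.pem" 2048 2>/dev/null
  openssl req -x509 -new -config "$1/ca.cnf" -key "$1/cakey.pem" -days 365 -out "$1/cacert.pem"
  printf '%s\n' "$1/cacert.pem"
}

# Creates an end-entity key and CSR for common name $2 in directory $1; prints the CSR path.
# The minimal config only satisfies req's requirement for a distinguished_name section;
# the subject itself comes from -subj.
make_request() {
  mkdir -p "$1"
  printf '[req]\ndistinguished_name = dn\n[dn]\n' > "$1/req.cnf"
  openssl genrsa -out "$1/key.pem" 2048 2>/dev/null
  openssl req -new -config "$1/req.cnf" -key "$1/key.pem" -subj "/O=Example/CN=$2" -out "$1/req.pem"
  printf '%s\n' "$1/req.pem"
}

# Signs CSR $2 with the CA in directory $1, adding end-entity extensions; prints the cert path.
sign_request() {
  printf 'basicConstraints = CA:FALSE\nkeyUsage = critical, digitalSignature, keyEncipherment\nextendedKeyUsage = serverAuth\n' > "$1/leaf.ext"
  openssl x509 -req -in "$2" -CA "$1/cacert.pem" -CAkey "$1/cakey.pem" -CAcreateserial \
    -days 90 -extfile "$1/leaf.ext" -out "$1/newcert.pem" 2>/dev/null
  printf '%s\n' "$1/newcert.pem"
}

# Verifies certificate $2 against trust anchor file $1, or with no anchor when $1 is empty.
# stdout and stderr are merged so the "error N at D depth" line is visible; returns openssl's status.
verify_cert() {
  if [ -n "$1" ]; then
    openssl verify -CAfile "$1" "$2" 2>&1
  else
    openssl verify "$2" 2>&1
  fi
}

demo() {
  w=$(mktemp -d)
  ca=$(make_root_ca "$w/ca" "Example Root CA")
  req=$(make_request "$w/ee" "server.example.test")
  cert=$(sign_request "$w/ca" "$req")
  echo "--- leaf against its own root CA"
  verify_cert "$ca" "$cert"
  echo "--- root with no trust anchor: error 18, DEPTH_ZERO_SELF_SIGNED_CERT"
  verify_cert "" "$ca" || true
  echo "--- root trusted explicitly via -CAfile"
  verify_cert "$ca" "$ca"
  other=$(make_root_ca "$w/other" "Some Other CA")
  echo "--- leaf against the wrong CA: error 20, unable to get local issuer certificate"
  verify_cert "$other" "$cert" || true
}
demo
```

The `x509 -req` route is the quick way to get Howard's step 3 done; `openssl ca` (and the CA.pl wrapper around it) keeps an index and serial file so that it can later issue CRLs and refuse duplicate subjects, which is why it wants the demoCA/ layout to exist first.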