Re: openssl newbie HELP!
Hi Liam,

Liam Escario wrote:
> Hi! Can anybody direct me to an Openssl tutorial/manual where I can find out step-by-step how to:
> 1) use openssl to create a CA
> 2) use the CA to create certificates

if you need only some certificates this is a good start:
http://www.code.online.pt/story/2004/5/7/191824/5423

If you need revocation, CRL management and so on for a lot of certificates or must provide a simple management console, look at www.openca.org - the current 0.9.2 version is RC currently but quite usable for production.

For more details send pm

Oliver

--
This message was digitally signed
oliwel's public key: http://www.oliwel.de/oliwel.crt
Base certificate: http://www.ldv.ei.tum.de/page72
Re: openssl newbie HELP!
Try this one: http://www.dswilson.com/spring2004/javasecurity/openssl-instructions.html

----- Original Message -----
From: Liam Escario [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Monday, August 02, 2004 7:32 AM
Subject: openssl newbie HELP!

> Hi! Can anybody direct me to an Openssl tutorial/manual where I can find out step-by-step how to:
> 1) use openssl to create a CA
> 2) use the CA to create certificates
>
> I'd really appreciate any help on this. Thanks!
>
> lee_the_flee
>
> There is no emotion, there is peace. There is no ignorance, there is knowledge. There is no passion, there is serenity. There is no chaos, there is harmony. There is no death, there is the Force!
Re: openssl newbie HELP!
It's been a while since I've looked at OpenCA. The manual was almost impossible to read and seemed to be quite a rough translation from German. Do you know if any work has been done on cleaning that up in the past 12 months or so?

On Aug 1, 2004, at 11:42 PM, Oliver Welter wrote:
> If you need revocation, crl management and so on for a lot of certificates or must provide a simple management console look at www.openca.org - the current 0.9.2 version is RC currently but quite usable for production.
>
> For more details send pm
>
> Oliver
Re: openssl newbie HELP!
Hi Joseph,

> It's been a while since I've looked at OpenCA. The manual was almost impossible to read and seemed to be quite a rough translation from German. Do you know if any work has been done on cleaning that up in the past 12 months or so?

Yes, a lot - I am a member of the dev team so I know what I am talking about :P

The docs are not complete and the English could be better but there is a very easy and well documented setup procedure and we (the openca list) are always giving assistance. So I think you will get a simple CA running in about half a day.

Oliver

--
This message was digitally signed
oliwel's public key: http://www.oliwel.de/oliwel.crt
Base certificate: http://www.ldv.ei.tum.de/page72
RE: openssl newbie HELP!
Thanks for all your help guys. Those links were great! I liked Areg's the best: very detailed and complete (and good for beginners). =)

Just a question or two to clarify:

1) I noticed the certificates created in the tutorial had a *.pem extension. The ones I'm used to dealing with had a *.cer one. What's the difference here?

2) And I'm pretty sure I get it, but just to clarify: If I were a Translator (and a CA) and I was helping two systems communicate with each other I would:
2.1) make a certificate for each system and then sign them with my (CA) certificate
2.2) give each system their certificate AND private key
2.3) give both systems my certificate
2.4) in the server of each of the systems, add my certificate into its SSL settings

Liam
AW: ErrorMessage on certificate generation
Well, that led me to some other error messages. But it seems to be the right way ;-)

Regards
Thomas

-----Original Message-----
From: Antoine Latter [mailto:[EMAIL PROTECTED]
Sent: Friday, 30 July 2004 16:06
To: [EMAIL PROTECTED]
Subject: Re: ErrorMessage on certificate generation

> I was receiving the:
>
>     wrong number of fields on line 1 (looking for field 6, got 1, '' left)
>
> error myself, yesterday. I fixed it by making sure that my blank index.txt was truly and properly blank - I had an empty line in the file, which messed everything up and caused openssl to segfault, which is probably the same as Speicherzugriffsfehler.
>
> Antoine
>
> On Fri, 30 Jul 2004 11:43:03 +0200, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
>> Hi all,
>>
>> I am currently developing a routine (UNIX shell script) for automatic certificate generation. The script contains the following command:
>>
>>     openssl ca -config $CADIR/TMF-TestCA.cnf -name $PURPOSE -in $i -out $CADIR/certOut/$REQ.pem
>>
>> where $PURPOSE names the section of the config file to be used. The command produces the following output:
>>
>>     Using configuration from /home/OpenSSL-CA/TMF-TestCA/TMF-TestCA.cnf
>>     wrong number of fields on line 1 (looking for field 6, got 1, '' left)
>>     TMF-TestCA/bin/ComputeRequests: line 15: 5411 Speicherzugriffsfehler openssl ca -config $CADIR/TMF-TestCA.cnf -name $PURPOSE -in $i -out $CADIR/certOut/$REQ.pem
>>
>> Speicherzugriffsfehler means memory access error. Can anybody tell me what's going wrong? Maybe there is anything wrong with my config file?
>>
>> Best regards
>> Thomas Beckmann
AW: ErrorMessage on certificate generation
Okay, this is for all having the same problem...

Obviously OpenSSL will only work using an empty index.txt. What you have to do is
- concatenate the content of index.txt with YOUR database file (e.g. database.txt). So database.txt will contain the information index.txt should originally keep.
- remove the old index.txt
- create a new (empty) index.txt with touch index.txt

It's just a quick and dirty work-around. But it works ;-)

Regards
Thomas
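An added example, not part of the original posts: a pre-flight check for the index.txt problem discussed in this thread, which reports a blank or malformed line before `openssl ca` reads the file. It assumes the usual six tab-separated fields of the OpenSSL `ca` text database; the function name and the sample records are constructed for illustration.

```python
import re

# One index.txt record, tab-separated: status flag, expiry time,
# revocation time (empty unless revoked), serial (hex),
# certificate file name (often "unknown"), subject DN.
FIELD_COUNT = 6
STATUS_FLAGS = {"V", "R", "E"}              # valid, revoked, expired
TIME_RE = re.compile(r"(\d{12}|\d{14})Z")   # UTCTime or GeneralizedTime
SERIAL_RE = re.compile(r"[0-9A-Fa-f]+")


def check_index(text):
    """Return a list of (line_number, problem) for the body of an index.txt."""
    problems = []
    lines = text.split("\n")
    if lines[-1] == "":      # a final newline ends the last record, it is not a record
        lines.pop()
    for number, line in enumerate(lines, start=1):
        fields = line.split("\t")
        if len(fields) != FIELD_COUNT:
            # An empty line splits into one empty field: the "got 1" case.
            problems.append(
                (number, f"expected {FIELD_COUNT} tab-separated fields, got {len(fields)}"))
            continue
        status, expiry, revoked, serial, _filename, subject = fields
        if status not in STATUS_FLAGS:
            problems.append((number, f"unknown status flag {status!r}"))
        if not TIME_RE.fullmatch(expiry):
            problems.append((number, f"bad expiry time {expiry!r}"))
        if status == "R" and not revoked:
            problems.append((number, "revoked entry without revocation time"))
        if not SERIAL_RE.fullmatch(serial):
            problems.append((number, f"bad serial {serial!r}"))
        if not subject:
            problems.append((number, "empty subject"))
    return problems


# Constructed sample records (not taken from any real CA).
SAMPLE_GOOD = (
    "V\t050802120000Z\t\t01\tunknown\t/C=DE/O=Example/CN=host1.example.test\n"
    "R\t050802120000Z\t040901093000Z\t02\tunknown\t/C=DE/O=Example/CN=host2.example.test\n"
)
SAMPLE_BLANK = "\n"          # an "empty" file that really holds one empty line

if __name__ == "__main__":
    for name, body in (("good", SAMPLE_GOOD), ("blank", SAMPLE_BLANK)):
        print(name, check_index(body))
```

A truly empty file passes; a file that contains only a newline is reported at line 1, which is the case described in the thread.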
Storing keys and certs on USB tokens using openssl(1)
Hi openssl users,

Is it possible to generate keys on USB tokens using openssl(1) and pkcs11 engine? I cannot find any documentation about it. Can anybody point me in the right direction, or know some links/howtos?

Thanks for your help
Ralf
Re: Storing keys and certs on USB tokens using openssl(1)
Keys at least: there's an openssl engine for opensc and one for pkcs11 libraries at www.opensc.org

Kevin
RSA key generation error
Hi,

I have the following code

    #include <stdio.h>
    #include <openssl/rsa.h>
    #include <openssl/evp.h>
    #include <openssl/pem.h>   /* PEM_write_RSAPrivateKey, PEM_read_RSAPrivateKey */
    #include <openssl/err.h>   /* ERR_* functions */

    int main()
    {
        OpenSSL_add_all_algorithms();
        ERR_load_crypto_strings();
        ERR_print_errors_fp(stderr);

        RSA *rsa;
        BIO *publickey;
        ERR_load_crypto_strings();

        /* Generate a 1024-bit RSA key with public exponent 65537. */
        rsa = RSA_generate_key(1024, 65537, NULL, NULL);

        char *passwd = "123456";

        /* Write the private key, encrypted with DES-CBC under passwd. */
        FILE *F1 = fopen("key.pem", "wb");
        PEM_write_RSAPrivateKey(F1, rsa, EVP_des_cbc(), NULL, 0, NULL, passwd);
        // PEM_write_bio_RSAPublicKey(publickey,rsa);
        fclose(F1);

        /* Read the key back with the same password. */
        FILE *F2 = fopen("key.pem", "rb");
        RSA *rsa_2;
        rsa_2 = PEM_read_RSAPrivateKey(F2, NULL, NULL, passwd);
        fclose(F2);

        /* Print the oldest queued error; ERR_get_error() returns 0 when
           the error queue is empty. */
        char str[256];
        ERR_error_string(ERR_get_error(), str);
        printf("%s\n", str);   /* never pass a data buffer as the format string */
        return 0;
    }

but I am getting the following error

    error::lib(0):func(0):reason(0)

Any suggestions,

Thanks
Joe
SSL connection via proxy server
Hi,

I am new to open ssl. Till now I have connected to a Web service from my server using OpenSSL library. (Currently, I am using BIO_write to send the request.)

Now I need to go via a proxy to reach the webservice. How do I achieve this? I could see a function BIO_set_proxies(), but really don't know how to use it.

Appreciate if anyone can help me or has any sample code.

Thanks,
Vasanth Dandapani
How to convert a buffer to an intern structure???
Hi guys!!!

I'm working in a Crypto-OpenSSL based Project generating and managing X509 cert's. I have a little problem because I'm using an Oracle DB like repository. The cert's are stored in PEM format in the DB (-BEGIN . END-), the connection between my app and the server is ODBC based, when I recover the cert from DB I store that in a buffer (char []) but I don't know how convert that buffer in an intern usable structure... (Maybe BIO or PEM)

Any hint???

Best Regards
Zainos
Re: What binary data format is used by openssl enc?
On Sun, Aug 01, 2004, Alicia da Conceicao wrote:

> Greetings:
>
> I was wondering what type of data format is used by openssl enc? Specifically, when I type:
>
>     openssl enc -des-ede3-cbc -e fileName fileName.3des
>
> The resulting binary output file from openssl enc, which is 3DES (triple-DES) encrypted with a password, is not DER encoded. In fact, the binary output file begins with the text Salted__, which I am guessing is for the 3DES CBC mode initialization vector.

No, it's a random salt for EVP_BytesToKey().

> This means that openssl enc does not appear to use any ASN.1 format, like PKCS-7 EncryptedData, that I can discern. So what is this mystery format? Is it proprietary to OpenSSL, or does it conform to some public standard (CCITT, IETF, or PKIX)?

It's not ASN1 because the OpenSSL ASN1 code isn't fully streaming and to do so would be a massive undertaking which has so far not attracted any interest.

> If the openssl enc format does conform to some public standard, then it should be specified in the man page so that other encryption libraries can conform to it.

The data following the salt is the raw encrypted data using standard block padding. This isn't conformant with any public standard.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
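An added example, not part of the original posts: a Python reader for the layout described in the reply above (the Salted__ marker, an 8-byte salt, then the padded ciphertext), together with the EVP_BytesToKey derivation that turns password and salt into key and IV. It assumes MD5 with an iteration count of 1, the `openssl enc` default at the time of this thread (later releases default to SHA-256), and the 24-byte key and 8-byte IV of -des-ede3-cbc; the function names and the sample blob are constructed.

```python
import hashlib

MAGIC = b"Salted__"   # 8-byte marker at the start of salted `openssl enc` output
SALT_LEN = 8          # the random salt that follows the marker


def split_enc(blob):
    """Split enc output into (salt, ciphertext); raise ValueError if no header."""
    header_len = len(MAGIC) + SALT_LEN
    if len(blob) < header_len or not blob.startswith(MAGIC):
        raise ValueError("missing Salted__ header")
    return blob[len(MAGIC):header_len], blob[header_len:]


def evp_bytes_to_key(password, salt, key_len, iv_len, digest="md5", count=1):
    """D_1 = H^count(password || salt); D_i = H^count(D_(i-1) || password || salt).

    Key and IV are cut, in that order, from D_1 || D_2 || ...
    """
    material, block = b"", b""
    while len(material) < key_len + iv_len:
        block = hashlib.new(digest, block + password + salt).digest()
        for _ in range(count - 1):           # extra rounds when count > 1
            block = hashlib.new(digest, block).digest()
        material += block
    return material[:key_len], material[key_len:key_len + iv_len]


def inspect_enc(blob, password, key_len=24, iv_len=8, block_size=8):
    """Describe a -des-ede3-cbc enc file: salt, derived key/IV, length sanity."""
    salt, ciphertext = split_enc(blob)
    key, iv = evp_bytes_to_key(password, salt, key_len, iv_len)
    return {
        "salt": salt.hex(),
        "key": key.hex(),
        "iv": iv.hex(),
        "ciphertext_len": len(ciphertext),
        # Block padding always adds 1..block_size bytes, so a well-formed
        # body is non-empty and a whole number of cipher blocks.
        "length_ok": len(ciphertext) > 0 and len(ciphertext) % block_size == 0,
    }


# Constructed sample: marker, a fixed salt, and 16 placeholder bytes standing
# in for the ciphertext (not real 3DES output).
SAMPLE = MAGIC + bytes.fromhex("0102030405060708") + bytes(16)

if __name__ == "__main__":
    print(inspect_enc(SAMPLE, b"constructed-password"))
```

Because the key depends only on the password and the salt stored in the clear, a single unsalted-hash round like this makes weak passwords cheap to test offline.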
Re: What binary data format is used by openssl enc?
Hi Steve:

> It's not ASN1 because the OpenSSL ASN1 code isn't fully streaming and to do so would be a massive undertaking which has so far not attracted any interest.
>
> The data following the salt is the raw encrypted data using standard block padding. This isn't conformant with any public standard.

Thank you for clearing things up for me regarding openssl enc encoding format. :-)

But now that you mentioned it, I would have to say that it would be more than a massive undertaking to use DER encoding for openssl enc streaming, it would be impossible, since DER encoding always puts an object's length before an object's contents. You would first need to dump the entire stream contents into a temporary location before you can obtain and DER encode the stream length, and to do so would not qualify as streaming since nothing comes out until everything is put in.

Alicia.
Re: What binary data format is used by openssl enc?
Technically this is true, as DER requires the determinate length encoding options and disallows the indeterminate length ones...

--
Charles B (Ben) Cranston
mailto: [EMAIL PROTECTED]
http://www.wam.umd.edu/~zben
Re: RSA key generation error
Sorry for the stupid question, I have figured it out.

Thanks
Joe
RE: How to convert a buffer to an intern structure???
Hi,

Use d2i interfaces. For any object...

    OBJTYPE *d2i_OBJNAME(OBJTYPE **obj, const unsigned char **pp, long length)

for example to get RSA key from buffer

    const unsigned char *p = buf;   /* d2i advances the pointer it is given */
    RSA *rsa;
    rsa = d2i_RSAPublicKey(NULL, &p, len);

Hope it helps..