AW: AW: CSR signing
Ah, now I know where the concatenation idea comes from ;-)

-----Original Message-----
From: Dr. Stephen Henson [mailto:[EMAIL PROTECTED]
Sent: Wednesday, 27 October 2004 17:43
To: [EMAIL PROTECTED]
Subject: Re: AW: CSR signing

On Wed, Oct 27, 2004, Ronan wrote:

> > I'd suggest you use the CA.pl script instead. That should make things much easier.
>
> I have a CSR (in PEM format (by default)) and a key.
> I want to sign the CSR with my domain's root CA.

Where is this root CA and key? If it has been created by OpenSSL you can concatenate the key and certificate into a PEM file and supply that name when you call CA.pl -newca.

If the root CA and key are from some other source and managed by (for example) some Windows CA you are best sending the CSR to that and getting it to sign the result.

> I want then to change it to pkcs12 format.

CA.pl -pkcs12 will do that.

> Finally I want to install it onto an Active Directory (Win 2000 Advanced) machine so I can SSL to the AD.

Now I can't help with AD..

> Using CA.pl and my current key and CSR: copy mycsr.csr to newreq.pem and run
>
>   # /home/local/ssl/misc/CA.pl -sign
>   Signed certificate is in newcert.pem
>
> It's not there, there is no newcert.pem. Is this what I'm after?

Did it come up with any other error message before that?

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                       [EMAIL PROTECTED]
Automated List Manager                          [EMAIL PROTECTED]
Re: signing certificates
To sign the certificate, you must provide the CA's cert and the CA's private key. This is the command that I usually use:

  openssl ca -config config.cnf -in new.cer -out user.pem -keyfile ca.pk -cert ca.pem

I hope it will help you.

Frederic.

Jagadeesha T wrote:
> Hi all,
>
> I have a CSR generated from a Sun ONE LDAP server. That request needs to be signed. I am using the openssl ca option to sign that request, like:
>
>   ../bin/openssl ca -out cert.pem -config ./openssl.cnf -verbose -infiles new.cer
>
> new.cer is a request generated by the LDAP server. It is giving "Error reading certificate request in new.cer". I am new to SSL and OpenSSL. Please can anybody help me with how I can make use of ca to sign the request generated by the LDAP server. The error number is:
>
>   26744:error:0906D066:PEM routines:PEM_read_bio:bad end line:pem_lib.c:768:
>
> Thanks and Regards,
> Jagadeesha T
Re: AW: CSR signing
Dr. Stephen Henson wrote:
> On Wed, Oct 27, 2004, Ronan wrote:
>
> > > I'd suggest you use the CA.pl script instead. That should make things much easier.
> >
> > I have a CSR (in PEM format (by default)) and a key.
> > I want to sign the CSR with my domain's root CA.
>
> Where is this root CA and key? If it has been created by OpenSSL you can concatenate the key and certificate into a PEM file and supply that name when you call CA.pl -newca.

OK, the root CA and key are stored on one machine (Solaris). The CSR and key for the server I want to install the certificate on are also on this local machine. So if I cat the root CA and the root key into a PEM file and then run CA.pl -newca, what does this give me???

> If the root CA and key are from some other source and managed by (for example) some Windows CA you are best sending the CSR to that and getting it to sign the result.
>
> > I want then to change it to pkcs12 format.
>
> CA.pl -pkcs12 will do that.

Yeah, I understand that bit.

> > Finally I want to install it onto an Active Directory (Win 2000 Advanced) machine so I can SSL to the AD.
>
> Now I can't help with AD..
>
> > Using CA.pl and my current key and CSR: copy mycsr.csr to newreq.pem and run
> >
> >   # /home/local/ssl/misc/CA.pl -sign
> >   Signed certificate is in newcert.pem
> >
> > It's not there, there is no newcert.pem. Is this what I'm after?
>
> Did it come up with any other error message before that?

Well, I'm using the openssl command line and it gives the following warning but still continues...

  /usr/local/ssl/bin/openssl pkcs12 -export -in ronanscert.pem -out rtest.p12
  unable to load 'random state'
  This means that the random number generator has not been seeded
  with much random data.
  Consider setting the RANDFILE environment variable to point at a file that
  'random' data can be kept in (the file will be overwritten).
  Enter Export Password:
  Verifying password - Enter Export Password:

Any more help / clarification??

> Steve.

--
Regards
Ronan McGlue
==
Analyst/Programmer
Information Services
Queens University Belfast
BT7 1NN
RE: openssl-0.9.7 MSVCR70 compatibility problem
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dr. Stephen Henson

> On Wed, Oct 27, 2004, Tnis wrote:
>
> > I'm trying to use OpenSSL ver 0.9.7 e/d version under Windows XP. I'm using MS VC++ .NET 2002 which links libeay32.dll to the MSVCR70* runtime. I'm using the /MD (multi-threaded DLL) switch. Anyone using openssl with .NET 2002 successfully? I cannot switch to other VC++ versions because of the Visibroker 6 library.
>
> Crashing during a BIO operation is the typical symptom of a runtime library mismatch. Are any external libraries you link to compatible with the /MD switch? Have you tried a simple program first to see if that compiles properly?

Yes, I have tested the required OpenSSL functions in a separate application and it works. I suspected a runtime library mismatch as well but couldn't find any. My application integrates the Visibroker 6 library orb_r_6.dll, which is dependent on MSVCR70.DLL (C runtime) and MSVCI70.DLL (iostream). My application is directly dependent on them as well, plus MSVCP70.DLL (STL). Of course different dependencies onto the same DLL refer to the same physical file. Any suggestions on checking for a runtime mismatch?

Tnis
more CSR
  openssl x509 -in ./demoCA/rtest.csr -CA ./demoCA/cacert.pem -CAkey ./demoCA/private/cakey.pem -CAserial ./demoCA/serial -out ./demoCA/rtest.pem
  unable to load 'random state'
  This means that the random number generator has not been seeded
  with much random data.
  Consider setting the RANDFILE environment variable to point at a file that
  'random' data can be kept in (the file will be overwritten).
  unable to load certificate
  1530:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:662:Expecting: TRUSTED CERTIFICATE

This is the error I'm currently getting.

I have generated rtest.key and rtest.csr. I have cat'd rtest.key into rtest.csr, then run the above... I did this because it complains about needing a key. If I don't have to do this please tell me why.

So it's looking for a trusted certificate; how do I do this...

--
Regards
Ronan McGlue
what is the difference between get and post with ssl?
Version: apache-1.3.28 mod_ssl-2.8.15 openssl-0.9.6h [engine]

I execute the test.html in Internet Explorer and it returns a correct index1.html page. But if I change the method from 'get' to 'post', it returns the message

  Method Not Allowed
  The requested method POST is not allowed for the URL /index1.html.

Why???

/*** test.html ***/
  <html>
  <head><title>Post Test</title></head>
  <body bgcolor="#FF">
  <form name="testform" method="get" action="https://10.70.107.123/index1.html">
  <input type="submit" value="submit">
  </form>
  </body>
  </html>
Re: what is the difference between get and post with ssl?
In message [EMAIL PROTECTED] on Thu, 28 Oct 2004 18:10:35 +0800, [EMAIL PROTECTED] said:

hzhijun> Version: apache-1.3.28 mod_ssl-2.8.15 openssl-0.9.6h[engine]
hzhijun>
hzhijun> i execute the test.html in internet explorer and it return a
hzhijun> correct index1.html page. But if i change the method from
hzhijun> 'get' to 'post', it return the message
hzhijun>
hzhijun> Method Not Allowed
hzhijun> The requested method POST is not allowed for the URL /index1.html.
hzhijun>
hzhijun> why???

First of all, this has absolutely *nothing* to do with SSL (let alone OpenSSL).

The POST method usually means you want to send data to a CGI script or something like that. A HTML page usually isn't a CGI script. However, I would think this is really a matter of Apache configuration that has nothing to do with SSL, so you should probably ask on the usual Apache lists to get an accurate answer.

Cheers,
Richard

-----
Please consider sponsoring my work on free software.
See http://www.free.lp.se/sponsoring.html for details.

--
Richard Levitte [EMAIL PROTECTED]
http://richard.levitte.org/

"When I became a man I put away childish things, including
 the fear of childishness and the desire to be very grown up."
                                -- C.S. Lewis
Re: more CSR
Ronan wrote:
>   openssl x509 -in ./demoCA/rtest.csr -CA ./demoCA/cacert.pem -CAkey ./demoCA/private/cakey.pem -CAserial ./demoCA/serial -out ./demoCA/rtest.pem
>   unable to load 'random state'
>   This means that the random number generator has not been seeded
>   with much random data.
>   Consider setting the RANDFILE environment variable to point at a file that
>   'random' data can be kept in (the file will be overwritten).
>   unable to load certificate
>   1530:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:662:Expecting: TRUSTED CERTIFICATE
>
> This is the error I'm currently getting.
>
> I have generated rtest.key and rtest.csr. I have cat'd rtest.key into rtest.csr, then run the above... I did this because it complains about needing a key. If I don't have to do this please tell me why.
>
> So it's looking for a trusted certificate; how do I do this...

This is bugging me. I think I've read every document on openssl.org and am still stumped... Someone is bound to have done this before...

Ronan
Re: AW: CSR signing
On Thu, Oct 28, 2004, Ronan wrote:

> Dr. Stephen Henson wrote:
> > On Wed, Oct 27, 2004, Ronan wrote:
> >
> > > > I'd suggest you use the CA.pl script instead. That should make things much easier.
> > >
> > > I have a CSR (in PEM format (by default)) and a key.
> > > I want to sign the CSR with my domain's root CA.
> >
> > Where is this root CA and key? If it has been created by OpenSSL you can concatenate the key and certificate into a PEM file and supply that name when you call CA.pl -newca.
>
> OK, the root CA and key are stored on one machine (Solaris). The CSR and key for the server I want to install the certificate on are also on this local machine. So if I cat the root CA and the root key into a PEM file and then run CA.pl -newca, what does this give me???

It sets up the CA structure to allow the 'ca' command to work and the CA.pl wrapper script.

If you now have the certificate request in a file called newreq.pem you should be able to do:

  CA.pl -sign

which should prompt you appropriately and sign the request, creating a new certificate.

Steve.
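The following is an added example and not code from the thread or from the OpenSSL distribution: it does by hand what CA.pl -newca / -sign / -pkcs12 wrap, using the plain openssl commands, and it shows why the x509 invocation earlier in this thread fails. The one switch that command is missing is -req: without it "openssl x509" expects a certificate on input, not a request, which is what the "no start line ... Expecting: TRUSTED CERTIFICATE" diagnostic means. The file names (cacert.pem, cakey.pem, rtest.key, rtest.csr, rtest.pem, rtest.p12) mirror the thread; the CA subject, the host name ldap.example.com and the PKCS#12 passphrase "changeit" are made up for the example. Nothing here touches the system openssl.cnf: the example writes its own small config so the CA and server extensions are explicit.

```shell
#!/bin/sh
# Added example, not from the thread: sign a CSR with a local root CA using
# "openssl x509 -req", verify the result, and export a PKCS#12 bundle.
# Assumptions: the CA subject, ldap.example.com and the passphrase are
# made up; file names mirror the thread.
set -e

# Self-contained config so nothing depends on the system openssl.cnf
# (which is where the [v3_ca] section used by "req -x509" normally lives).
write_cnf() {
    cat > "$1/ca.cnf" <<'EOF'
[ req ]
distinguished_name = req_dn
prompt = no

[ req_dn ]
CN = Example Test Root CA

[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash

[ v3_server ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:ldap.example.com
EOF
}

# Root CA key and self-signed certificate in one step (what CA.pl -newca
# prompts for, minus the index.txt/serial bookkeeping "openssl ca" needs).
make_root_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -config "$1/ca.cnf" -extensions v3_ca \
        -subj "/CN=Example Test Root CA" \
        -keyout "$1/cakey.pem" -out "$1/cacert.pem" 2>/dev/null
}

# Server key and CSR. The private key stays here; only the CSR goes to
# the CA, so there is no reason to cat the key into the request file.
make_csr() {
    openssl req -new -newkey rsa:2048 -nodes \
        -config "$1/ca.cnf" -subj "/CN=ldap.example.com" \
        -keyout "$1/rtest.key" -out "$1/rtest.csr" 2>/dev/null
}

# The thread's mistake: x509 without -req. Returns 0 when openssl rejects
# the CSR, which is the expected outcome.
csr_without_req_fails() {
    if openssl x509 -in "$1/rtest.csr" -noout 2>/dev/null; then
        return 1
    fi
    return 0
}

# Sign the CSR with the CA key. -CAcreateserial creates cacert.srl on
# first use; -extfile/-extensions put server extensions on the new cert.
sign_csr() {
    openssl x509 -req -days 365 -in "$1/rtest.csr" \
        -CA "$1/cacert.pem" -CAkey "$1/cakey.pem" -CAcreateserial \
        -extfile "$1/ca.cnf" -extensions v3_server \
        -out "$1/rtest.pem" 2>/dev/null
}

# Chain check the way a TLS client does it: the leaf must chain to the root.
verify_cert() {
    openssl verify -CAfile "$1/cacert.pem" "$1/rtest.pem" >/dev/null 2>&1
}

# PKCS#12 for import on Windows: key, issued cert and CA cert in one file,
# then read it back to confirm the MAC and passphrase.
export_p12() {
    openssl pkcs12 -export -in "$1/rtest.pem" -inkey "$1/rtest.key" \
        -certfile "$1/cacert.pem" -out "$1/rtest.p12" -passout pass:changeit \
    && openssl pkcs12 -in "$1/rtest.p12" -passin pass:changeit -noout 2>/dev/null
}

# Subject of the issued certificate, to confirm the CA honoured the CSR.
signed_subject() {
    openssl x509 -in "$1/rtest.pem" -noout -subject
}

run_demo() {
    d=$(mktemp -d)
    write_cnf "$d"; make_root_ca "$d"; make_csr "$d"
    csr_without_req_fails "$d"
    echo "x509 without -req rejected the CSR, as in the thread"
    sign_csr "$d"; verify_cert "$d"; export_p12 "$d"
    echo "issued: $(signed_subject "$d"); bundle: $d/rtest.p12"
}

if command -v openssl >/dev/null 2>&1; then run_demo; fi
```

Run it with no arguments; it creates a scratch directory, prints the subject of the issued certificate and the path of the .p12 bundle, and exits non-zero if any step fails. The "unable to load 'random state'" warning seen in this thread comes from 0.9.x builds that expect a seed file; pointing RANDFILE at a writable file silences it, and current OpenSSL releases seed from the OS and do not print it. Note that the file you hand to the CA is the CSR alone: the private key belongs in rtest.key and in the PKCS#12 bundle, never in the request.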
Solaris make install problems for 0.9.7e
I'm also experiencing the same problem on Solaris 2.6 through 9 as mentioned in thread "make install fails on solaris sparc 8 for 0.9.7e":
http://www.mail-archive.com/[EMAIL PROTECTED]/msg37703.html

This did not happen on 0.9.7d, which I built using the same command line.

During a make install it appears the Makefile does not make sense? From fips/sha1/Makefile:

install:
	@if test -n $(EXHEADER); then \
	for i in $(EXHEADER) ; \
	do \
	(cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i; \
	chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \
	done; \
	fi

If EXHEADER is null, will this not expand to:

	if test -n ; then \
	for i in ; \
	do (cp $i /usr/local/include/openssl/$i; \
	chmod 644 /usr/local/include/openssl/$i ); \
	done; \
	fi

"for i in ;" is not valid shell, hence the error is reported:

	.../openssl-0.9.7e/fips/sha1# make install
	sh: syntax error at line 2: `;' unexpected
	*** Error code 2
	make: Fatal error: Command failed for target `install'

I assume this is what is causing the problem. Has anyone managed to compile this 0.9.7e on a Solaris box? I have 2.6, 7, 8 and 9 and I'm using Sunfreeware's GCC package and Sun's make on all platforms.

Chris Pitchford [EMAIL PROTECTED]
Re: Solaris make install problems for 0.9.7e
I get this too. If you quote the $(EXHEADER) to be "$(EXHEADER)" in the install section of the files listed below it compiles and installs OK.

Files:
./fips/aes/Makefile
./fips/des/Makefile
./fips/dh/Makefile
./fips/dsa/Makefile
./fips/rsa/Makefile
./fips/sha1/Makefile

Looks as though it is time for openssl-0.9.7f!

RB

----- Original Message -----
From: Chris Pitchford [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Thursday, October 28, 2004 2:31 PM
Subject: Solaris make install problems for 0.9.7e

> I'm also experiencing the same problem on Solaris 2.6 through 9 as mentioned in thread "make install fails on solaris sparc 8 for 0.9.7e":
> http://www.mail-archive.com/[EMAIL PROTECTED]/msg37703.html
>
> This did not happen on 0.9.7d, which I built using the same command line.
>
> I assume this is what is causing the problem. Has anyone managed to compile this 0.9.7e on a Solaris box? I have 2.6, 7, 8 and 9 and I'm using Sunfreeware's GCC package and Sun's make on all platforms.
>
> Chris Pitchford [EMAIL PROTECTED]
Re: more CSR
Actually you might be confused a little. A CSR is nothing more than a public key bundled with an identity (name). If you already have a CSR you should not also need a public key. If you mean the key to be the private key to a signing CA and the CSR to be for an end-user certificate to be SIGNED by that CA, it would be a different story.

However, this appears to be the solution to your immediate problem:

  [zben-mac-ii:~] zben% man x509

  X509(1)                             OpenSSL

  NAME
         x509 - Certificate display and signing utility

  SYNOPSIS
         openssl x509 [-inform DER|PEM|NET] [-outform DER|PEM|NET]
         [-keyform DER|PEM] [-CAform DER|PEM] [-CAkeyform DER|PEM]
         [-in filename] [-out ...

  OPTIONS
  ...
  SIGNING OPTIONS
  ...
         -req
             by default a certificate is expected on input. With this
             option a certificate request is expected instead.

If you're giving it a CSR you should use the -req option, otherwise it will be expecting a certificate, which is sorta what the error diagnostic was trying to tell you:

  1530:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:662:Expecting: TRUSTED CERTIFICATE
                                                                                       ===================

Word to the wise: it would be a Good Idea to read all the man pages from cover to cover of the openssl keywords you're trying to use, plus the global one, plus the two on the configuration file format, plus the ASCII text files in the doc (docs?) directory of the source code distribution.

Ronan wrote:
> Ronan wrote:
> >   openssl x509 -in ./demoCA/rtest.csr -CA ./demoCA/cacert.pem -CAkey ./demoCA/private/cakey.pem -CAserial ./demoCA/serial -out ./demoCA/rtest.pem
> >   unable to load 'random state'
> >   This means that the random number generator has not been seeded
> >   with much random data.
> >   Consider setting the RANDFILE environment variable to point at a file that
> >   'random' data can be kept in (the file will be overwritten).
> >   unable to load certificate
> >   1530:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:662:Expecting: TRUSTED CERTIFICATE
> >
> > This is the error I'm currently getting.
> >
> > I have generated rtest.key and rtest.csr. I have cat'd rtest.key into rtest.csr, then run the above... I did this because it complains about needing a key. If I don't have to do this please tell me why.
> >
> > So it's looking for a trusted certificate; how do I do this...
>
> This is bugging me. I think I've read every document on openssl.org and am still stumped... Someone is bound to have done this before...
>
> Ronan

--
Charles B (Ben) Cranston
mailto:[EMAIL PROTECTED]
http://www.wam.umd.edu/~zben
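Both PEM errors on this page come from the same framing check in PEM_read_bio: "bad end line" (the Sun ONE request earlier in this page) means the block's END line does not match its BEGIN label or is missing, and "no start line ... Expecting: TRUSTED CERTIFICATE" (the x509 command above) means no block of the type the tool is looking for was found, because a CERTIFICATE REQUEST is not a CERTIFICATE. The script below is an added example, not code from the thread or from OpenSSL: it is a simplified model of that framing check, written so a file can be diagnosed before it is handed to "openssl ca" or "x509 -req", plus a check for the mistake of shipping a private key inside the request file. The sample files it builds are constructed; the base64 body is a placeholder, not a real key or request.

```shell
#!/bin/sh
# Added example, not from the thread: a PEM framing check modelled on the
# decisions behind "PEM_read_bio:no start line" and "...:bad end line".
# Sample files are constructed; the base64 body is a placeholder.
set -e

# pem_check FILE LABEL
#   LABEL is the block type the tool will look for: "CERTIFICATE REQUEST"
#   for "x509 -req" / "openssl ca", "CERTIFICATE" for "x509" without -req,
#   "RSA PRIVATE KEY" or "PRIVATE KEY" for -inkey. Like OpenSSL, blocks of
#   other types in front of the wanted one are skipped.
# Return: 0 ok, 1 no PEM header at all, 2 bad or missing END line,
#         3 only blocks of another type, 4 non-base64 junk in the body.
pem_check() {
    # CRs are stripped first: OpenSSL accepts CRLF, so DOS line endings are
    # not by themselves the cause of either error.
    tr -d '\r' < "$1" | awk -v want="$2" -v file="$1" '
        /^-----BEGIN .*-----$/ {
            label = substr($0, 12, length($0) - 16)   # between "-----BEGIN " and "-----"
            headers++
            if (label == want && !found) { found = 1; inblock = 1; next }
        }
        inblock && /^-----END / {
            if ($0 != ("-----END " want "-----")) {
                msg = file ": bad end line (expected \"-----END " want "-----\", got \"" $0 "\")"
                rc = 2; exit
            }
            inblock = 0; ok = 1; next
        }
        inblock && !/^[A-Za-z0-9+\/=]*$/ {
            msg = file ": non-base64 line inside the " want " block: " $0
            rc = 4; exit
        }
        END {
            if (rc) { print msg; exit rc }
            if (ok) { print file ": OK (" want ")"; exit 0 }
            if (found) { print file ": bad end line (no \"-----END " want "-----\" found)"; exit 2 }
            if (headers == 0) { print file ": no start line (no -----BEGIN header at all)"; exit 1 }
            print file ": no start line for " want " (file holds " headers " block(s) of another type; for a CSR use x509 -req)"
            exit 3
        }'
}

# Returns 0 when FILE carries a private key block. A file sent to a CA for
# signing must not: the CSR alone is all the signer needs.
pem_has_private_key() {
    tr -d '\r' < "$1" | grep -q '^-----BEGIN .*PRIVATE KEY-----$'
}

# Constructed samples in directory $1; the base64 body is a placeholder.
make_samples() {
    b64='MIIBzDCCATUCAQAwgYsxCzAJBgNVBAYTAkdCMRAwDgYDVQQIEwdCZWxmYXN0'
    printf '%s\n%s\n%s\n' '-----BEGIN CERTIFICATE REQUEST-----' "$b64" \
        '-----END CERTIFICATE REQUEST-----' > "$1/good.csr"
    # same request with DOS line endings, as a Windows-hosted server writes it
    printf '%s\r\n%s\r\n%s\r\n' '-----BEGIN CERTIFICATE REQUEST-----' "$b64" \
        '-----END CERTIFICATE REQUEST-----' > "$1/dos.csr"
    # END label that does not match the BEGIN label
    printf '%s\n%s\n%s\n' '-----BEGIN CERTIFICATE REQUEST-----' "$b64" \
        '-----END CERTIFICATE-----' > "$1/badend.csr"
    # cut off before the END line
    printf '%s\n%s\n' '-----BEGIN CERTIFICATE REQUEST-----' "$b64" > "$1/truncated.csr"
    # just the base64 body pasted out of a web form, no header lines
    printf '%s\n' "$b64" > "$1/bodyonly.cer"
    # private key cat'd in front of the CSR, as was done earlier in this thread
    { printf '%s\n%s\n%s\n' '-----BEGIN RSA PRIVATE KEY-----' "$b64" \
          '-----END RSA PRIVATE KEY-----'; cat "$1/good.csr"; } > "$1/keyandcsr.pem"
}

d=$(mktemp -d)
make_samples "$d"
for f in good.csr dos.csr badend.csr truncated.csr bodyonly.cer keyandcsr.pem; do
    pem_check "$d/$f" "CERTIFICATE REQUEST" || true
done
pem_check "$d/good.csr" "CERTIFICATE" || true    # what "x509" without -req looks for
pem_has_private_key "$d/keyandcsr.pem" && echo "$d/keyandcsr.pem: contains a private key; do not send this to a CA"
```

For a real file, call pem_check with the path and the label the command will ask for; the return code tells the two errors apart without running openssl. This model only covers the BEGIN/END framing and the base64 alphabet; OpenSSL also rejects blocks whose decoded body is not valid DER for the expected type, which only the tool itself can check.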
Re: what is the difference between get and post with ssl?
Richard Levitte - VMS Whacker wrote:
> In message [EMAIL PROTECTED] on Thu, 28 Oct 2004 18:10:35 +0800, [EMAIL PROTECTED] said:
>
> hzhijun> i execute the test.html in internet explorer and it return a
> hzhijun> correct index1.html page. But if i change the method from
> hzhijun> 'get' to 'post', it return the message
> hzhijun>
> hzhijun> Method Not Allowed
> hzhijun> The requested method POST is not allowed for the URL /index1.html.
> hzhijun>
> hzhijun> why???
>
> First of all, this has absolutely *nothing* to do with SSL (let alone OpenSSL).
>
> The POST method usually means you want to send data to a CGI script or something like that. A HTML page usually isn't a CGI script. However, I would think this is really a matter of Apache configuration that has nothing to do with SSL, so you should probably ask on the usual Apache lists to get an accurate answer.

Well, what is Apache supposed to do in this case? You have data arguments from the POST, but the URL is for a simple data file fetch. Ignore the arguments and just give you the data file?

BTW using a CGI script on GET is one way to do dynamic data. But I can't think of any useful semantic for POST on something that is not a CGI script or other input data handler, so I agree that giving a diagnostic is reasonable in this case.

--
Charles B (Ben) Cranston
Re: Solaris make install problems for 0.9.7e
Excellent! That worked. Thanks for your help.

On Thu, 28 Oct 2004 15:13:14 +0100, Robert Bannocks [EMAIL PROTECTED] wrote:
> I get this too. If you quote the $(EXHEADER) to be "$(EXHEADER)" in the install section of the files listed below it compiles and installs OK.
>
> Files:
> ./fips/aes/Makefile
> ./fips/des/Makefile
> ./fips/dh/Makefile
> ./fips/dsa/Makefile
> ./fips/rsa/Makefile
> ./fips/sha1/Makefile
>
> Looks as though it is time for openssl-0.9.7f!
>
> RB
Re: Debugging OpenSSL in DDD
Hi,

I've actually just been running openssl in ddd 2 days ago. Here's the basic configuration I use:

  ./Configure --openssldir=<where I want openssl> 386 linux-elf

To compile openssl with support for debugging:

  ./Configure --openssldir=<path/to/openssl/with/debugging> 386 linux-elf:gcc -g

Build, test, then install:

  make
  make tests
  make install

Then, if what you want to debug is actually an application that uses OpenSSL, you have to make sure that you link that application against the version of OpenSSL that you just compiled, i.e.

  gcc -g myapp.c -o myapp <path/to/openssl/with/debugging>/lib/libcrypto.a

Hope this helps.

Best,
Jacques Thomas

Frosty Frosty wrote:
> Hi
>
> If I remember correctly, you have to compile the OpenSSL source with the debug flag activated (check your compiler's manual; e.g. with gcc you have to add the option -g). Once you have the binaries, you can open them with DDD and follow the execution. Normally you don't have to use the Open Source menu entry, as DDD opens the source files as the execution flow moves from one to another.
>
> Frosty Frosty
>
> Gurpreet Grewal wrote:
> > I need to trace through OpenSSL code to see the flow of things when I use it for some processing. I am trying to use DDD for the same but haven't been able to do so. When I try to do Open Source from the File menu, it doesn't show me any files which I can open and set up my break points. Any ideas would be helpful..
> >
> > Thanks
> > Gurpreet
Re: Solaris make install problems for 0.9.7e
--On Thursday, October 28, 2004 15:13:14 +0100 Robert Bannocks [EMAIL PROTECTED] wrote:

> I get this too. If you quote the $(EXHEADER) to be "$(EXHEADER)" in the install section of the files listed below it compiles and installs OK.

This will break if EXHEADER is _not_ empty. The following snippet should work in all cases (assuming I got my backslash escaping right...):

install:
	@if test -n "$(EXHEADER)"; then \
	headerlist="$(EXHEADER)"; \
	for i in $$headerlist; do \
	(cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i; \
	chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \
	done; \
	fi
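The difference between the three install loops in this thread is when the header list gets split into words: make substitutes $(EXHEADER) into the recipe text before the shell ever parses it, so an empty list leaves the shell looking at "for i in ;" (which the Solaris /bin/sh of the day rejects), while quoting the substitution turns a two-header list into one word. Going through a shell variable moves the split to run time, where both cases behave. The script below is an added example, not from the thread or from the OpenSSL build: it emulates each recipe with a shell variable standing in for make's textual substitution and counts how many files each variant installs. The header names and directories are made up; the "test -n" guard from the Makefile is left out so the loops themselves are compared, which is why the quoted variant is also shown failing on an empty list (cp of an empty name), a case the real recipe's guard masks.

```shell
#!/bin/sh
# Added example, not from the thread: the three forms of the install loop
# side by side, with a shell variable standing in for make's textual
# $(EXHEADER) substitution. Header names and directories are made up.
set -e

# Emulate make: the list is pasted into the recipe text *before* the shell
# parses it. With an empty list the old Solaris /bin/sh saw "for i in ;"
# and stopped with a syntax error (modern shells accept it, so that half
# of the bug does not reproduce here); a multi-word list splits correctly.
install_as_shipped() {     # srcdir destdir "header list"
    sh -c "cd '$1' && for i in $3 ; do cp \"\$i\" '$2/'; done"
}

# Fix 1 from the thread, quoting $(EXHEADER): the whole list becomes ONE
# word, so cp is asked for a file literally named "a.h b.h" and fails as
# soon as there is more than one header.
install_quoted() {
    sh -c "cd '$1' && for i in \"$3\" ; do cp \"\$i\" '$2/'; done"
}

# Fix 2, going through a shell variable: the shell parses
# "for i in \$headerlist" (always valid) and expands it only when the loop
# runs, so an empty list is an empty loop and a multi-word list is split.
install_via_var() {
    sh -c "cd '$1' && headerlist=\"$3\"; for i in \$headerlist; do cp \"\$i\" '$2/'; done"
}

# Number of files that ended up in the destination directory.
installed_count() {
    ls "$1" | wc -l | tr -d ' '
}

# Fresh source and destination directories with the given headers present
# in the source; prints "srcdir destdir".
fresh_dirs() {
    base=$(mktemp -d)
    mkdir "$base/src" "$base/dst"
    for h in $1; do : > "$base/src/$h"; done
    echo "$base/src $base/dst"
}

demo() {
    for list in "" "fips_sha.h" "fips_sha.h fips_sha1.h"; do
        for variant in install_as_shipped install_quoted install_via_var; do
            set -- $(fresh_dirs "$list")
            if "$variant" "$1" "$2" "$list" 2>/dev/null; then status=ok; else status=FAILED; fi
            echo "$variant with list '$list': $status, $(installed_count "$2") file(s) installed"
        done
    done
}
demo
```

Running it prints one line per variant and list; the quoted variant installs nothing for the two-header list and reports a failure, while the variable form installs zero, one and two files for the three lists without error, which is the behaviour the corrected Makefile rule above relies on.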