Re: Self-signed certificates
On Sat, Aug 20, 2005 at 10:54:13PM +0200, [EMAIL PROTECTED] wrote:

> Good evening,
>
> Is there a difference between:
>
>   openssl req -x509 ...
>
> and:
>
>   openssl ca -selfsign ...
>
> ? I can use a certificate created the first way as a certificate in the CTL
> of MS IIS ver. 5.1, while the second one is rejected with the error message
> "Only self-signed certificates are added to the CTL".
>
> Maybe anyone has an idea...

You can check the certificate structure using the command:

  openssl asn1parse -in cert.pem ...

and compare it with the structure of the first one. I think you only forgot some command switch.

Best Regards,
Yves

__
OpenSSL Project                         http://www.openssl.org
User Support Mailing List               openssl-users@openssl.org
Automated List Manager                  [EMAIL PROTECTED]
Problem with OIDs during CA root certificate renewal
Hello,

I have a problem with OIDs during CA root certificate renewal. I am using openssl 0.9.6b. I've performed the following steps:

1) Converting the existing certificate to a CSR:

  openssl x509 -x509toreq -in old_cert.pem -signkey PrivKey.pem -out careq.csr

2) Signing the request with the existing private key:

  openssl x509 -req -days 333 -extfile openssl.cnf -extensions v3_ca -signkey PrivKey.pem -in careq.csr -out cacert.pem

I've tried two options in the openssl.cnf file. In either case I got an error when I executed the second command.

* First option:

  oid_section=new_oids

  [ new_oids ]
  AOID=a.b.c.d.e.f.g
  BOID=${AOID}.h
  COID=${BOID}.i.j.k

  [ policy01 ]
  policyIdentifier=COID

  [ v3_ca ]
  ...
  certificatePolicies=ia5org, @policy01
  ...

I got:

  Error Loading extension section v3_ca
  487:error:2208306E:X509 V3 routines:POLICY_SECTION:invalid object identifier:v3_cpols.c:159:section:policy01,name:policyIdentifier,value:COID
  487:error:2206B080:X509 V3 routines:X509V3_EXT_conf:error in extension:v3_conf.c:91:name=certificatePolicies,value=ia5org, @policy01

* Second option:

  [ policy01 ]
  policyIdentifier=a.b.c.d.e.f.g.h.i.j.k

  [ v3_ca ]
  ...
  certificatePolicies=ia5org, @policy01
  ...

I got:

  Error Loading extension section v3_ca
  491:error:0D06B089:asn1 encoding routines:ASN1_get_object:too long:asn1_lib.c:130:
  491:error:0D081065:asn1 encoding routines:d2i_ASN1_OBJECT:bad object header:a_object.c:217:
  491:error:2208306E:X509 V3 routines:POLICY_SECTION:invalid object identifier:v3_cpols.c:159:section:policy01,name:policyIdentifier,value:a.b.c.d.e.f.g.h.i.j.k
  491:error:2206B080:X509 V3 routines:X509V3_EXT_conf:error in extension:v3_conf.c:91:name=certificatePolicies,value=ia5org, @policy01

How can I address this issue?

Thank you in advance,
Arsen.

-- 
PGP Key: ID 0xBBE3DFD8 (expires: 2006-08-03)
Fingerprint: 1C3B 2C01 40DF ED87 23B1 BF6F 95C4 2E77 BBE3 DFD8
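A policyIdentifier in a certificatePolicies policy section takes an object identifier, either a name OpenSSL already knows or the dotted-numeric form; the letters in the arcs above read as placeholders for real numbers. As an added example, not from the post and not OpenSSL's own code, here is a small Python encoder/decoder for the DER OBJECT IDENTIFIER that the config parser ultimately has to produce (the d2i_ASN1_OBJECT / "bad object header" line above is a rejection at that DER level). It shows how the first two arcs are packed into one byte, how larger arcs are written in base-128, and which dotted strings cannot be encoded at all. The sample OIDs are id-qt-cps (1.3.6.1.5.5.7.2.1), anyPolicy (2.5.29.32.0) and the RSA Data Security arc 1.2.840.113549; the placeholder string from the post is used only to show the rejection.

```python
# Added example: DER encoding of an X.509 OBJECT IDENTIFIER (tag 0x06),
# the value a policyIdentifier has to become. Not code from the thread.

def _base128(n):
    """Encode one arc as big-endian base-128 digits, high bit set on all but the last."""
    out = [n & 0x7F]
    n >>= 7
    while n:
        out.append((n & 0x7F) | 0x80)
        n >>= 7
    return bytes(reversed(out))


def _der_length(n):
    """DER length octets: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def parse_oid_string(text):
    """Validate a dotted OID string and return its arcs as ints."""
    parts = text.split(".")
    if len(parts) < 2 or not all(p.isascii() and p.isdigit() for p in parts):
        raise ValueError(f"invalid object identifier: {text!r}")
    arcs = [int(p) for p in parts]
    # First arc is 0, 1 or 2; under 0 and 1 the second arc cannot exceed 39,
    # because the two are packed as 40 * first + second into one subidentifier.
    if arcs[0] > 2 or (arcs[0] < 2 and arcs[1] > 39):
        raise ValueError(f"invalid object identifier: {text!r}")
    return arcs


def encode_oid(text):
    """Dotted string -> complete DER TLV (tag, length, subidentifiers)."""
    arcs = parse_oid_string(text)
    body = _base128(arcs[0] * 40 + arcs[1])
    for arc in arcs[2:]:
        body += _base128(arc)
    return b"\x06" + _der_length(len(body)) + body


def decode_oid(der):
    """DER TLV -> dotted string, rejecting a bad tag, length or unterminated arc."""
    if len(der) < 3 or der[0] != 0x06:
        raise ValueError("not a DER OBJECT IDENTIFIER")
    if der[1] < 0x80:
        length, start = der[1], 2
    else:
        nbytes = der[1] & 0x7F
        length = int.from_bytes(der[2:2 + nbytes], "big")
        start = 2 + nbytes
    body = der[start:start + length]
    if length == 0 or len(body) != length or body[-1] & 0x80:
        raise ValueError("bad object header")
    arcs, value = [], 0
    for b in body:
        value = (value << 7) | (b & 0x7F)
        if b & 0x80:
            continue  # more base-128 digits of this arc follow
        if not arcs:
            # Unpack the combined first subidentifier.
            if value < 40:
                arcs += [0, value]
            elif value < 80:
                arcs += [1, value - 40]
            else:
                arcs += [2, value - 80]
        else:
            arcs.append(value)
        value = 0
    return ".".join(map(str, arcs))


if __name__ == "__main__":
    for oid in ("1.3.6.1.5.5.7.2.1", "2.5.29.32.0", "1.2.840.113549"):
        der = encode_oid(oid)
        print(f"{oid:22s} -> {der.hex()}  -> {decode_oid(der)}")
    for bad in ("a.b.c.d.e.f.g.h.i.j.k", "1.40.1", "3.1"):
        try:
            encode_oid(bad)
        except ValueError as err:
            print(err)
```

The asn1parse suggestion from the first message in this page applies here too: once a certificate does carry the extension, `openssl asn1parse` prints the OBJECT entries, and the hex it shows for each is exactly what encode_oid produces.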
[no subject]
Hi, All

I just recently started working with SSL. Unfortunately, the online documentation is not quite as complete as I expected. Maybe I am just not looking in the right place. If so, can someone point me to some tutorials that are good for newcomers?

I downloaded some sample code. One thing I am confused about is that the server can set up a BIO for communication with the following code:

  BIO* io = BIO_new(BIO_f_buffer());
  BIO* ssl_bio = BIO_new(BIO_f_ssl());
  BIO_set_ssl(ssl_bio, ssl, BIO_CLOSE);
  BIO_push(io, ssl_bio);

After that, io can be used in BIO_gets, which is nicer than SSL_read, which requires the exact number of bytes to be read. It works fine on the server side. However, the same code doesn't work on the client side. Can someone tell me what is going on here? I really don't want to use SSL_read because it needs exactly the number of bytes to be read (otherwise, it blocks if too few bytes arrive at the port).

Thank you
T Long
Automation question
Hi all...I'm new to the list and for the most part OpenSSL as well...so sorry if I use the wrong terminology. I've searched the list archives, as well as Google, and cannot figure this out. I'm trying to create a CA certificate, as well as certificates for users, using a script (called from a web browser). For the life of me, I cannot figure out how to send the "openssl req" and "openssl ca" commands the answers to the questions they need (O, OU, State, etc.) through a text file or stdin...I'm sure this is possible...I just can't find how! Any help would be greatly appreciated!

Thanks,
--Brian McCann
Re: Automation question
McCann, Brian wrote:
| I'm trying to create a CA certificate, as well as certificates for
| users, using a script (called from a web browser). For the life of me,
| I cannot figure out how to send the "openssl req" and "openssl ca"
| commands the answers to the questions they need (O, OU, State, etc.)
| through a text file or stdin...I'm sure this is possible...I just
| can't find how!

you could use the system(); command from php for one, on the other hand, you may want to try to run some background cgi

there's plenty of ways to call commands from a webpage...

Greetings
Oliver
Re: Automation question
Oliver Leitner wrote:
> McCann, Brian wrote:
> | I'm trying to create a CA certificate, as well as certificates for
> | users, using a script (called from a web browser). For the life of me,
> | I cannot figure out how to send the "openssl req" and "openssl ca"
> | commands the answers to the questions they need (O, OU, State, etc.)
> | through a text file or stdin...
>
> you could use the system(); command from php for one, on the other hand,
> you may want to try to run some background cgi
>
> there's plenty of ways to call commands from a webpage...

That didn't answer the OP's question.

You should specify what platform you are working under. Under Windows, using stdin to fill in the fields is difficult (if not impossible) because the password field does not use stdin but rather the Console APIs.

Personally, I think there should be a command-line option to define those fields in a URL-encoded format. That would go a long way to eliminating the .cnf files, which, under Windows, are considered to be a special file type such that they can't be opened in Notepad very easily.

-- 
Thomas Hruska
Shining Light Productions
Home of BMP2AVI, Nuclear Vision, ProtoNova, and Win32 OpenSSL.
http://www.slproweb.com/

Ask me about discounts on any Shining Light Productions product!
RE: Automation question
In reply to you both, the PHP part I've got down...that's not the problem. It's what to tell openssl to do. I'm trying now to make a cnf file to make a CA without prompting, then to make a certificate req and sign it without prompting...at least now I know I'm in the right direction.

Thanks!
--Brian

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Thomas J. Hruska
Sent: Tuesday, August 23, 2005 15:59
To: openssl-users@openssl.org
Subject: Re: Automation question

That didn't answer the OP's question.

You should specify what platform you are working under. Under Windows, using stdin to fill in the fields is difficult (if not impossible) because the password field does not use stdin but rather the Console APIs.
RE: Automation question
You need to set the cnf so it won't prompt. Here's a little excerpt from a shell script:

  cat <<@eof >$CONFFILE
  # openssl x509 extfile params
  extensions = extend

  # openssl req params
  [req]
  prompt = no
  distinguished_name = dn-param

  # DN fields
  [dn-param]
  C = US
  ST = WA
  L = Yadda
  O = Yadda
  OU = Chain One
  CN = chain-one.dig.net
  emailAddress = [EMAIL PROTECTED]

  # openssl extensions
  [extend]
  #subjectKeyIdentifier = hash
  #authorityKeyIdentifier = keyid:always
  #basicConstraints = critical,CA:true
  #keyUsage = keyCertSign,cRLSign
  #nsCertType = sslCA,emailCA,objCA
  #certificatePolicies = ia5org,@policy

  [policy]
  @eof

  echo 01 >$SNUMFILE

  # req writes the CSR to stdout; x509 -req reads it from stdin and signs it with the CA key
  $OPENSSL req -config $CONFFILE \
      -newkey rsa:2048 -passout pass:yadda -keyout inter.key.pem |
  $OPENSSL x509 -req -sha1 -extfile $CONFFILE \
      -CAserial $SNUMFILE -days 364 -passin pass:yadda \
      -CA /root/ssl/file.crt -CAkey /root/ssl/file.key -out inter.cert.pem

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of McCann, Brian
Sent: Tuesday, 23 August, 2005 1:00 PM
To: openssl-users@openssl.org
Subject: RE: Automation question

In reply to you both, the PHP part I've got down...that's not the problem. It's what to tell openssl to do. I'm trying now to make a cnf file to make a CA without prompting, then to make a certificate req and sign it without prompting...at least now I know I'm in the right direction.

Thanks!
--Brian
SSL version 3 application data.
I'm using the s_client and s_server tools to create an SSL connection and send data over it. I'm observing the traffic using ssldump with the -Adx flags. The first time I type text into the s_client program I see 2 application data records. I'm not sure what the purpose of the first application data record is or what is in it. Could somebody explain this to me?

  1 12  2.0899 (0.)  C>S  V3.0(32)  application_data
  Packet data[37]=
  17 03 00 00 20 06 f5 7d d7 e1 3e 91 ec 60 88 2f
  3c 02 11 5f f4 f6 0f 07 a9 a4 8a 22 04 55 2f 02
  cf 9e 17 62 1b

  1 13 13.2663 (11.1764)  C>S  V3.0(32)  application_data
  Packet data[37]=
  17 03 00 00 20 87 e2 47 47 41 4d 28 09 4a cc 7f
  fa b8 08 cd be c4 ca ae 6c be 51 2f 09 bb 80 7b
  e5 2f e8 27 64

I've been looking at the specifications and figuring out what the data in the application data record means. If anybody can explain this to me in greater detail, that would be great.

  17  (application data) 23
  03  (major version 3)
  00  (minor version 0)
  00  (?? cipher specification?)
  20  (length) 32

Thanks,
Matt Rodriguez
Re: SSL version 3 application data.
Matt Rodriguez [EMAIL PROTECTED] writes:

> I've been looking at the specifications and figuring out what the data
> in the application data record means. If anybody can explain this to
> me in greater detail, that would be great.

The application data is encrypted. Everything after the 5th byte is ciphertext.

  17     (application data)
  03     (major version)
  00     (minor version)
  00 20  (length, 16 bits)
  ...    (32 bytes of encrypted data)

-- 
Jostein Tveit [EMAIL PROTECTED]
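The record layout Jostein describes, as an added example that is not code from the thread: a small Python parser for the SSLv3/TLS record layer, run over the two records from Matt's ssldump output (the bytes are copied from his post) and over a constructed buffer that cuts the second record short. It shows why the two bytes after the version are one 16-bit length rather than a cipher field, how a reader splits a byte stream into records, and what it does with a record whose body has not fully arrived. The content-type and version tables are the standard ones; the maximum fragment size is the TLS record-layer limit and is an assumption about what a reader should enforce, not something the post states.

```python
import struct

# Added example, not from the thread: SSLv3/TLS record-layer framing.
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}
VERSIONS = {(3, 0): "SSLv3", (3, 1): "TLS 1.0", (3, 2): "TLS 1.1", (3, 3): "TLS 1.2"}
HEADER_LEN = 5                 # type(1) major(1) minor(1) length(2)
MAX_CIPHERTEXT = 2**14 + 2048  # largest ciphertext fragment the record layer permits (assumed limit)


def parse_records(buf):
    """Split buf into complete records; return (records, unconsumed tail)."""
    records = []
    off = 0
    while len(buf) - off >= HEADER_LEN:
        # The header is fixed: one byte type, two bytes version, a 16-bit
        # big-endian length. "00 20" is therefore a single length field of 32.
        ctype, major, minor, length = struct.unpack("!BBBH", buf[off:off + HEADER_LEN])
        if ctype not in CONTENT_TYPES:
            raise ValueError(f"unknown content type 0x{ctype:02x} at offset {off}")
        if length > MAX_CIPHERTEXT:
            raise ValueError(f"record length {length} exceeds maximum at offset {off}")
        end = off + HEADER_LEN + length
        if end > len(buf):
            break  # header seen, body incomplete: hand the remainder back for the next read
        records.append({
            "offset": off,
            "type": CONTENT_TYPES[ctype],
            "version": VERSIONS.get((major, minor), f"{major}.{minor}"),
            "length": length,
            # After the handshake this is ciphertext plus MAC and padding; nothing
            # in it is readable without the session keys.
            "fragment": buf[off + HEADER_LEN:end],
        })
        off = end
    return records, buf[off:]


# The two records from the ssldump output in the thread, copied byte for byte.
RECORD_1 = bytes.fromhex(
    "17 03 00 00 20 06 f5 7d d7 e1 3e 91 ec 60 88 2f 3c 02 11 5f "
    "f4 f6 0f 07 a9 a4 8a 22 04 55 2f 02 cf 9e 17 62 1b")
RECORD_2 = bytes.fromhex(
    "17 03 00 00 20 87 e2 47 47 41 4d 28 09 4a cc 7f fa b8 08 cd "
    "be c4 ca ae 6c be 51 2f 09 bb 80 7b e5 2f e8 27 64")


def describe(buf):
    """One summary line per complete record, plus a note for any pending bytes."""
    records, tail = parse_records(buf)
    lines = [f"{r['type']} {r['version']} len={r['length']} ct={r['fragment'].hex()}"
             for r in records]
    if tail:
        lines.append(f"{len(tail)} byte(s) pending (incomplete record)")
    return lines


if __name__ == "__main__":
    for line in describe(RECORD_1 + RECORD_2):
        print(line)
    # Constructed case: the second record arrives with 17 of its 37 bytes missing.
    for line in describe(RECORD_1 + RECORD_2[:20]):
        print(line)
```

Running it on the two captured records prints two application_data SSLv3 lines of length 32 with the 32 ciphertext bytes each; the truncated buffer yields the first record and reports 20 bytes pending, which is the behaviour a record reader needs so that a short TCP read does not get misparsed as a new header.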
RE: Automation question
Hi,

While creating self-signed certificates and certificate requests, use -subj to specify the subject name and -nodes to avoid prompting for a password (the private key will not be encrypted). If you want the key to be encrypted, generate the RSA key using the genrsa command with the -passout option and use this key to generate the certificate.

While signing certificate requests using the ca command, use the -batch option (in this mode no questions will be asked and all certificates will be certified automatically).

Try using the following script.

  #!/bin/sh
  ssl_dir="/usr/local/openssl"
  if [ ! -d "$ssl_dir" ]; then
      echo "OpenSSL not installed in $ssl_dir"
      exit 1
  fi
  cd "$ssl_dir"

  ## Set up the CA ##
  echo "Create a self signed certificate for the CA"
  openssl req -x509 -out $ssl_dir/bin/cacert.pem -new -keyout $ssl_dir/bin/cakey.pem \
      -subj /C=IN/ST=TamilNadu/L=Coimbatore/O=test/CN=prakash -nodes

  echo "Set up the CA using the CA.pl script"
  echo "$ssl_dir/bin/cacert.pem" | $ssl_dir/misc/CA.pl -newca

  echo "Copy the CA private key to the private directory"
  cp $ssl_dir/bin/cakey.pem $ssl_dir/demoCA/private/

  ### Generate a number of requests ###
  echo "Create certificate request for user 1..."
  openssl req -out cert_req_user1.pem -new -keyout priv_key_user1.pem \
      -subj /C=IN/ST=TamilNadu/L=Coimbatore/O=test/CN=user1 -nodes

  echo "Create certificate request for user 2..."
  openssl req -out cert_req_user2.pem -new -keyout priv_key_user2.pem \
      -subj /C=IN/ST=TamilNadu/L=Coimbatore/O=test/CN=user2 -nodes

  ## Issue certificates ##
  echo "Issue certificate for the first user"
  openssl ca -in cert_req_user1.pem -batch

  echo "Issue certificate for the second user"
  openssl ca -in cert_req_user2.pem -batch

regards,
Prakash

Brian DeGeeter [EMAIL PROTECTED] wrote:
> You need to set the cnf so it won't prompt. Here's a little excerpt
> from a shell script:
>
>   cat <<@eof >$CONFFILE
>   # openssl x509 extfile params
>   extensions = extend
>
>   # openssl req params
>   [req]
>   prompt = no
>   distinguished_name = dn-param
>   ...
Odd behaviour with diffie-hellman on 64-bit HP-UX 11iv1
Hi all,

I'm using OpenSSL 0.9.8 on a 64-bit HP-UX 11i v1 platform as a part of my effort to compile the libssh2 C library (http://www.libssh2.org/), which uses OpenSSL resources. OpenSSL compiles nicely and passes 'make test'. When trying to use it to create an ssh2 connection, I get complaints from the SSH server (OpenSSH) telling me that I've sent an 'invalid public DH value' and I'm disconnected.

I've managed to compile and use OpenSSL with libssh2 successfully on Solaris 9, Linux and AIX 5.2, but on HP-UX 11i the Diffie-Hellman key exchange fails with the aforementioned problem.

I've compiled OpenSSL with the following configuration:

  ./Configure no-asm shared no-idea no-mdc2 no-rc5 no-engines --prefix=$(INSTALL_DIR) --openssldir=$(INSTALL_DIR)/openssl hpux64-parisc2-cc -D_REENTRANT +DA2.0W -L$(LIBDIR)

I've tried to reduce the compiler's optimization levels but to no avail.

If anyone has any insight or hints as to what might be wrong I would be very grateful.

br,
Jussi Mononen

Efficiency is intelligent laziness.