RE: Create certificates and keys from C/C++

2007-05-04 Thread muggiasca
Thank you, but where can I find the apps/ca.c, apps/req.c, and apps/x509.c
files... I don't have them on my computer, but openssl works.
I usually create keys with command: openssl req -days 3650 -nodes -new
-keyout XY.key -out XY.csr -config openssl.cnf.

Regards

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of David Schwartz
Sent: Wednesday, 2 May 2007 17:58
To: openssl-users@openssl.org
Subject: RE: Create certificates and keys from C/C++


> Hi, is there a function or something similar to create keys
> and certificates directly from code?
> Thank You

Yes. There are functions like RSA_generate_key, DSA_generate_key, X509_sign,
and so on.

It is not a particularly simple thing to do though. Look at the example code
in apps/ca.c, apps/req.c, and apps/x509.c, also demos/selfsign.c may be
helpful.

DS


__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   [EMAIL PROTECTED]



Re: Create certificates and keys from C/C++

2007-05-04 Thread Subramaniam

hi
Download the openssl-0.9.8e.tar.gz (or other version) tarball from
www.openssl.org and uncompress it; you will have an apps directory in it where
you can find all the necessary files.
Thanks,
subbu

On 5/4/07, muggiasca [EMAIL PROTECTED] wrote:


Thank you, but where can I find the apps/ca.c, apps/req.c, and apps/x509.c
files... I don't have them on my computer, but openssl works.
I usually create keys with command: openssl req -days 3650 -nodes -new
-keyout XY.key -out XY.csr -config openssl.cnf.

Regards

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of David Schwartz
Sent: Wednesday, 2 May 2007 17:58
To: openssl-users@openssl.org
Subject: RE: Create certificates and keys from C/C++


 Hi, is there a function or something similar to create keys
 and certificates directly from code?
 Thank You

Yes. There are functions like RSA_generate_key, DSA_generate_key,
X509_sign,
and so on.

It is not a particularly simple thing to do though. Look at the example
code
in apps/ca.c, apps/req.c, and apps/x509.c, also demos/selfsign.c may be
helpful.

DS







--
with regards
Subramanaim
Engineer Software
SCM Microsytems (INDIA) Pvt. Ltd.


SSL_get_verify_result returns X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY (20)

2007-05-04 Thread Christian Graf

Hi all,

I try to check a server's certificate on the client like this, using an
operating system whose name contains an o:

  GC_SSL_Error retVal = GC_SSL_NO_ERROR;

  X509* x509cert = SSL_get_peer_certificate(m_ssl_p);

  if (x509cert != NULL)
  {
    // load the CA certificate that should verify the peer
    if (1 != SSL_CTX_load_verify_locations(m_ctx_p,
             "C:\\openssl\\certs\\thawteCp.pem", NULL))
      retVal = GC_SSL_CERT_LOAD_ERROR;
    else {
      // check cert
      long certVerifyResult = SSL_get_verify_result(m_ssl_p);
      // the only successful return code is X509_V_OK = 0
      if ((certVerifyResult != X509_V_OK) && (GC_SSL_NO_ERROR == retVal))
        retVal = GC_SSL_CERT_VALID_ERROR;
    }

    X509_free(x509cert);
  }
  else retVal = GC_SSL_NO_PEER_CERT;


The problem is that I always receive the return value 20
(X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY) when calling the
function SSL_CTX_load_verify_locations.
The certificate thawteCp.pem is located in the given path; the
certificate itself was delivered by the openssl installation.

I really cannot imagine what the problem is. Maybe somebody could give
me a hint?

Thank you and bye

Christian


Re: OpenSSL,SMTP,STARTTLS how does it work?

2007-05-04 Thread Olivier Mascia



> Then, i'm doing that:
>
> SSL * connection=SSL_new(ctx);
> SSL_set_bio(connection,bio,bio);
> SSL_set_connect_state(connection);
> if( SSL_do_handshake(connection) <= 0 )
> {
> return false;
> }


I'm not a guru on this and my experience is with native sockets  
instead of BIO but your code should actually do SSL_connect at that  
time instead of SSL_do_handshake.


SSL* connection = SSL_new(ctx);
SSL_set_bio(connection,bio,bio);
if (SSL_connect(connection) != 1)   /* SSL_connect returns 1 on success */
{
...

--
Olivier Mascia






Re: SSL_get_verify_result returns X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY (20)

2007-05-04 Thread Peter Sylvester


The load verify location has to be done before you make the connection.


Christian Graf wrote:

Hi all,

I try to check a server's certificate on the client like this, using an
operating system whose name contains an o:

  GC_SSL_Error retVal = GC_SSL_NO_ERROR;

  X509* x509cert = SSL_get_peer_certificate(m_ssl_p);

  if (x509cert != NULL)
  {
    // load the CA certificate that should verify the peer
    if (1 != SSL_CTX_load_verify_locations(m_ctx_p,
             "C:\\openssl\\certs\\thawteCp.pem", NULL))
      retVal = GC_SSL_CERT_LOAD_ERROR;
    else {
      // check cert
      long certVerifyResult = SSL_get_verify_result(m_ssl_p);
      // the only successful return code is X509_V_OK = 0
      if ((certVerifyResult != X509_V_OK) && (GC_SSL_NO_ERROR == retVal))
        retVal = GC_SSL_CERT_VALID_ERROR;
    }

    X509_free(x509cert);
  }
  else retVal = GC_SSL_NO_PEER_CERT;


The problem is that I always receive the return value 20
(X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY) when calling the
function SSL_CTX_load_verify_locations.
The certificate thawteCp.pem is located in the given path; the
certificate itself was delivered by the openssl installation.

I really cannot imagine what the problem is. Maybe somebody could give
me a hint?

Thank you and bye

Christian





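As an added illustration of what verify error 20 actually means (this is example code, not from anyone in the thread): a POSIX shell script that builds a throwaway CA and a server certificate issued by it, then runs `openssl verify` once without and once with the issuing CA. It assumes the `openssl` command-line tool is on PATH; the file names and CN values are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): reproduce and resolve
# X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY (error 20) with the openssl CLI.
# Assumes `openssl` is on PATH. Every file below is constructed throwaway
# test data written to a temporary directory.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Build a throwaway CA and a server certificate issued by it.
make_ca_and_server() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Throwaway Test CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/CN=server.example.test" \
        -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$WORK/server.csr" \
        -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
        -out "$WORK/server.pem" 2>/dev/null
}

# Print the X.509 verify error number for a certificate: 0 when the chain
# verifies, otherwise the number OpenSSL reports ("error 20 at 0 depth ...").
# Extra arguments (e.g. -CAfile) are passed through to `openssl verify`.
verify_result() {
    cert=$1
    shift
    out=$(openssl verify "$@" "$cert" 2>&1) || true
    case $out in
        *": OK"*) echo 0 ;;
        *"error "*" at "*) printf '%s\n' "$out" |
            sed -n 's/.*error \([0-9][0-9]*\) at .*/\1/p' | head -n 1 ;;
        *) echo unknown ;;
    esac
}

make_ca_and_server

# Without the issuing CA in the trust store the lookup of the issuer fails:
# error 20, the same code SSL_get_verify_result() handed back in the thread.
echo "no CA loaded: $(verify_result "$WORK/server.pem")"
# With the issuer supplied the chain verifies (0 == X509_V_OK).
echo "with -CAfile: $(verify_result "$WORK/server.pem" -CAfile "$WORK/ca.pem")"
```

Error 20 therefore says nothing about the file being unreadable; it says that none of the loaded CA certificates is the issuer of the peer certificate, so the CA must be the right one and must be loaded before the handshake, as Peter points out.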


RE: Create certificates and keys from C/C++

2007-05-04 Thread muggiasca
Thank you…

I did it but I think that is too difficult for me without explanations of the
functions and structures and… Isn't there a "manual" (guide?) or a document
about these functions?

Regards

P.S.: Sorry for these "stupid" questions…

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Subramaniam
Sent: Friday, 4 May 2007 11:31
To: openssl-users@openssl.org
Subject: Re: Create certificates and keys from C/C++

 

hi
Download the openssl-0.9.8e.tar.gz (or other version) tarball from
www.openssl.org and uncompress it; you will have an apps directory in it where
you can find all the necessary files.
Thanks, 
subbu

On 5/4/07, muggiasca [EMAIL PROTECTED] wrote:

Thank you, but where can I find the apps/ca.c, apps/req.c, and apps/x509.c
files... I don't have them on my computer, but openssl works.
I usually create keys with command: openssl req -days 3650 -nodes -new
-keyout XY.key -out XY.csr -config openssl.cnf.

Regards

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of David Schwartz
Sent: Wednesday, 2 May 2007 17:58
To: openssl-users@openssl.org
Subject: RE: Create certificates and keys from C/C++


 Hi, is there a function or something similar to create keys
 and certificates directly from code?
 Thank You

Yes. There are functions like RSA_generate_key, DSA_generate_key, X509_sign,
and so on.

It is not a particularly simple thing to do though. Look at the example code
in apps/ca.c, apps/req.c, and apps/x509.c, also demos/selfsign.c may be
helpful.

DS






-- 
with regards
Subramanaim
Engineer Software
SCM Microsytems (INDIA) Pvt. Ltd.



RE: OpenSSL,SMTP,STARTTLS how does it work?

2007-05-04 Thread Sawe Sun
Hi,

I tried what you proposed but it did exactly the same thing. At reading time,
SSL_read returns -1. With SSL_get_error(connection, ret) I saw that the error
was SSL_ERROR_SYSCALL. ERR_get_error() returns 0. Does it help to understand
what is going on?

> From: [EMAIL PROTECTED]
> Subject: Re: OpenSSL,SMTP,STARTTLS how does it work?
> Date: Fri, 4 May 2007 12:32:09 +0200
> To: openssl-users@openssl.org
>
> > Then, i'm doing that:
> >
> > SSL * connection=SSL_new(ctx);
> > SSL_set_bio(connection,bio,bio);
> > SSL_set_connect_state(connection);
> > if( SSL_do_handshake(connection) <= 0 )
> > {
> > return false;
> > }
>
> I'm not a guru on this and my experience is with native sockets
> instead of BIO but your code should actually do SSL_connect at that
> time instead of SSL_do_handshake.
>
> SSL* connection = SSL_new(ctx);
> SSL_set_bio(connection,bio,bio);
> if (SSL_connect(connection) != 1)
> {
> ...
>
> --
> Olivier Mascia

Re: how to extract signature from public key using openssl?

2007-05-04 Thread Michael Sierchio

Janet N wrote:

> ...   So we need
> somehow to be able to get the rsa public key from the user certificate.


Assuming a DER X.509 cert, you just need to parse out the public key:

cert->SubjectPublicKeyInfo->SubjectPublicKey



openssl pub key to verify source?

2007-05-04 Thread light zoo
Hi,

Where is the public key used to sign openssl-0.9.8e
source?  Is it on a key server?

Thanks



RE: Create certificates and keys from C/C++

2007-05-04 Thread David Schwartz

> Thank you…
> I did it but I think that is too difficult for me without
> explanations of the functions and structures and… Isn't there
> a "manual" (guide?) or a document about these functions?
>
> Regards

I would very strongly advise you to find a knowledgeable security expert to
assist you. What you are trying to do is simple in principle but complex in
implementation and if you do something wrong, things may appear to work but
the security you are expecting to get may not actually be there.

You cannot just drop a secure library into a project and get a secure
result. You have to know exactly what you're doing and what the implications
of what you do are.

I honestly believe that helping people to just get it done in situations
like this is harmful.

For example, once you get what appears to be a valid certificate, do you
know how to analyze every field in the certificate to make sure you actually
generated the certificate that does what you expect it to? Do you know how
to configure the certificate so that it can't be used for purposes other
than those intended?

I would recommend you find a web page explaining how to issue certificates
with OpenSSL and use the built-in capabilities of the command line tool. If
you follow someone else's recipe, you are much less likely to build
certificates that don't do the right thing. I would still recommend you get
an expert to at least examine one of your certificates (and the process by
which you generate requests if you do that too) if this is a real
application.

DS




Doing smime sign...need signature...

2007-05-04 Thread Chaz.
An application that I am writing has the need to produce a signed SMIME 
document - that is easy (call PKCS7_sign).


What comes next is hard - I also need to get access to the signature and 
send it out to another party. I see I can re-call PKCS7_sign with a 
flags equal to PKCS7_DETACH, and it seems to give me what I want. The 
problem is that some of the files I deal with are hundreds of
megabytes in size.


My question is: Is there a way in one operation (PKCS7_sign, for 
example) to produce the SMIME part of the document as well as get the 
signature?


Peace,
Chaz


Re: Rehandshake in tls1

2007-05-04 Thread Marek Marcola
Hello,
> I would like to know as an ssl server, when do I send a Hello request on
> the wire? Based on what parameters should I trigger that? I have quite a
> few questions based on this
>
> A) Does the re-handshake happen on the existing tcp connection? i.e the
> tcp connection over which the hello request message is sent by my
> server?
Yes.

> B) After the rehandshake is completed, does application data continue to
> flow in the same tcp connection but now with the new cipher parameters?
Yes.

> C) Does rehandshake involve public key operations as well? i.e does the
> premaster secret change?
Yes.
You can experiment with SSL renegotiation using the openssl command.
Run in the server window the command:

$ openssl s_server -key vpn-server-key.pem -cert vpn-server-crt.pem -msg
-debug -cipher AES256-SHA -state

next, in the client window run:

$ openssl s_client -msg -debug -state

and you will see a proper SSL session established.

Now, in the server window type:

R (followed by Enter)

This will trigger renegotiation; you will see a lot of messages,
and on the client side you will see a client_key_exchange packet
sent to the server with a new pre_master_secret.

> I am really confused and I did spend some time with the RFC, but I am
> really lost. I was thinking if I called the API SSL_CTX_set_timeout(),
> then the session would eventually expire and end up triggering a
> rehandshake if application data was flowing in that session at expiration
> time. But I didn't see any such messages go out on the wire.
This sets only the timeout for session resumption.
This is done for performance reasons, to not overload the server with
the time-consuming private key operation. For example, a browser connection
to a WWW server over https with HTTP/1.0 can generate a new session
for every gif, html and other file. So if these connections are made within
the preconfigured time, the server may use the already established encryption
parameters (identified by session_id in the client_hello packet) to
get an abbreviated handshake.




make test core dumps when compiling shared and on 64 bit

2007-05-04 Thread fredk2

Hi,

openssl version: 0.9.8e  (and d)
o/s:  Solaris 10 or 8  on sparc
gcc: 4.1.1   

On Solaris 10 (or 8)  when I compile openssl for 64 bit with shared (and
static-libgcc) the make test fails.

make[2]: Leaving directory `/tmp/build_openssl2425/openssl-0.9.8e'
../util/shlib_wrap.sh ./destest
make[1]: *** [test_des] Segmentation Fault (core dumped)
make[1]: Leaving directory `/tmp/build_openssl2425/openssl-0.9.8e/test'
make: *** [tests] Error 2


This is confirmed later when I execute the openssl speed command.
...
Doing des cbc for 3s on 16 size blocks: Segmentation Fault (core dumped)
...

Other commands, e.g. s_client, work. The make test works without hiccup for
all other cases: 32-bit or 64-bit without the shared flag, and for Linux (32
or 64).

So the problem is limited to DES, for only shared and Solaris 64-bit.

Did anyone experience the same?
Any CFLAGS/LDFLAGS/configuration suggestions or what to look for?

Many many thanks, Fred

detail:

Operating system: sun4u-whatever-solaris2
WARNING! If you wish to build 32-bit library, then you have to
 invoke './Configure solaris-sparcv9-gcc' *manually*.
Configuring for solaris64-sparcv9-gcc
Configuring for solaris64-sparcv9-gcc
no-camellia [default]  OPENSSL_NO_CAMELLIA (skip dir)
no-gmp  [default]  OPENSSL_NO_GMP (skip dir)
no-krb5 [krb5-flavor not specified] OPENSSL_NO_KRB5
no-mdc2 [default]  OPENSSL_NO_MDC2 (skip dir)
no-rc5  [default]  OPENSSL_NO_RC5 (skip dir)
no-rfc3779  [default]  OPENSSL_NO_RFC3779 (skip dir)
no-zlib [default] 
no-zlib-dynamic [default] 
IsMK1MF=0
CC=gcc
CFLAG =-fPIC -DOPENSSL_PIC -DOPENSSL_THREADS -D_REENTRANT
-DDSO_DLFCN -DHAVE_DLFCN_H -static-libgcc -m64 -mcpu=ultrasparc -O3 -Wall
-DB_ENDIAN -DMD5_ASM
EX_LIBS   =-lsocket -lnsl -ldl
CPUID_OBJ =
BN_ASM=bn_asm.o
DES_ENC   =des_enc-sparc.o fcrypt_b.o
AES_ASM_OBJ   =aes_core.o aes_cbc.o
BF_ENC=bf_enc.o
CAST_ENC  =c_enc.o
RC4_ENC   =rc4_enc.o
RC5_ENC   =rc5_enc.o
MD5_OBJ_ASM   =md5-sparcv9.o
SHA1_OBJ_ASM  =
RMD160_OBJ_ASM=
PROCESSOR =
RANLIB=/usr/ccs/bin/ranlib
ARFLAGS   =
PERL  =/usr/perl5.8.8/bin/perl
SIXTY_FOUR_BIT_LONG mode
DES_PTR used
DES_RISC1 used
DES_UNROLL used
DES_INT used
RC4 uses uchar
RC4_CHUNK is unsigned long
BF_PTR used
e_os2.h = include/openssl/e_os2.h


Re: OpenSSL,SMTP,STARTTLS how does it work?

2007-05-04 Thread Marek Marcola
Hello,

> I'm trying to create a little smtp client that could deal with ssl
> encryption within a c++ application.
> To do that i'm using openssl and following the smtp protocol.
>
> As i understood, i have to initialise the library first and several
> other things. I'm doing that:
>
> SSL_load_error_strings();
> SSL_library_init();
You may try here to initialize the PRNG, for example with the call:
RAND_load_file("/dev/urandom", 1024);
(and check the return code)

> ctx=SSL_CTX_new(SSLv23_method());
> SSL_CTX_set_options(ctx, SSL_OP_ALL);
You may try:
ctx=SSL_CTX_new(SSLv23_client_method());
(and check the return code)

> Then i'm opening a non-secured connection to the server with the BIO
> objects.
>
> bio=BIO_new_connect((char*)server_address.c_str());
> if ( BIO_do_connect(bio) <= 0 )
> {
> valid=false;
> return false;
> }
>
> At that point, i can use the bio object to communicate with the
> server. I can send an email on a non protected server (so my smtp
> protocol is ok).
> At the right time i'm sending STARTTLS to the server and it's replying
> 220 Ready for TLS.
Looks good, you may test this with the openssl command using:
  $ openssl s_client -connect host:25 -starttls smtp
to check that the server behaves correctly.

> Then, i'm doing that:
>
> SSL * connection=SSL_new(ctx);
> SSL_set_bio(connection,bio,bio);
> SSL_set_connect_state(connection);
> if( SSL_do_handshake(connection) <= 0 )
> {
> return false;
> }
All I can say is that using connect(), SSL_set_fd() and SSL_connect()
works in this situation.

> Don't know if it's important because the compiler never stopped on
> it.
> After that i'm sending a EHLO [xxx.xxx.xxx.xxx] command as specified
> in the rfc for smtp with STARTTLS.
> Then... nothing
> The socket is still opened i can write and read on it but the server
> never replied anything.
Are you using SSL_read()/SSL_write() for that?


Best regards,
Marek Marcola [EMAIL PROTECTED]



Re: how to extract signature from public key using openssl?

2007-05-04 Thread Janet N

Hello,

> Why do you need to get the public key at the time the certificate is
> issued?  You already have it.

We are using DKIM (domain key signing); it uses not the x509 public key, but
the public key of the private key.  The idea is to extract the rsa public
key at the time the CA issues the cert and load this rsa public key to a db.
This program is run against the CA.

> The CA can extract the public key from the certificate request.

I see, so I can't extract the public key
-----BEGIN PUBLIC KEY-----
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCg8yo6rDhsNiwUfVR37HgF4bWq
oG13Nd9XLT+Z0VLzCkWJZOdzGNQnnm7ujoQ8gbxeDvIo9RG5I3eZteBwD91Nf6P/
E9lvJQDL2Qnz4EXH/CVW9DeEfvY1UJN9kc6q6KkYEPWssvVvlDOp2slbEKZCJtaP
vVuGCAqfaps8J0FjOQIDAQAB
-----END PUBLIC KEY-----

from the already issued certificate?

> The certificate contains the public key.
>
> But you already have the public key, since you sent the certificate
> request in the first place, and you have the private key that the
> public key was generated with.

The user won't be the one extracting the public key but the program running
against the CA server.

> But, you could try:
>
> $ openssl x509 -inform PEM -in file.pem -x509toreq -out file.csr
> $ openssl req -in file.csr -pubkey -noout
>
> (the '-noout' can be replaced with '-outform pem -out publickey.pem'
> if you need it to go to a file.)

hmm, I'm running openca so I'm not sure where the certificate requests are
located.  Where are they located in openssl?

thanks,
Janet

> -Kyle H




Re: how to extract signature from public key using openssl?

2007-05-04 Thread Kyle Hamilton

The private key is paired with the public key, regardless of where
it's retrieved or what format it's in.  This means that the x509
public key is the same public key as you would retrieve from the
openssl rsa command.

Regardless:

$ openssl x509 -inform PEM -in file.pem -x509toreq -out file.csr

This converts the already-issued certificate (contained in file.pem)
into a certificate request, putting the request into 'file.csr'.  I
don't know if it's possible to extract it using the command-line tools
directly from the certificate, but I do know that it can be extracted
from a CSR generated from the certificate.

$ openssl req -in file.csr -pubkey -noout

This takes the 'file.csr' certificate request, extracts the public key
from it, and prints it.

$ openssl req -in file.csr -pubkey -outform PEM -out pubkey.pem

This takes the 'file.csr' certificate request, extracts the public key
from it, and writes it to pubkey.pem.

I am not personally familiar with OpenCA, so I don't know where the
CSRs are stored (if indeed they're stored at all).  OpenSSL stores the
requests in files.

What tool is it you're using for DKIM?  Perhaps if I can find out what
that tool expects, I can find a way to make it possible.
(Technically, if you're using OpenCA, you're using OpenLDAP to store
all of the issued certificates -- and those certificates contain the
keys necessary.)

I am sorry that I didn't understand that you're running this on the
server, disseminating information for verifiers.  This explains a lot.
:)

-Kyle H

On 5/4/07, Janet N [EMAIL PROTECTED] wrote:


Hello,


 Why do you need to get the public key at the time the certificate is
 issued?  You already have it.

We are using DKIM (domain key signing), it uses not the x509 public key, but
the public key of the private key.  The idea is to extract the rsa public
key at the time the CA issue the cert and load this rsa public key to a db.
This program is run against the CA.

 The CA can extract the public key from the certificate request.

I see, so I can't extract the public key
-BEGIN PUBLIC KEY-
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCg8yo6rDhsNiwUfVR37HgF4bWq
oG13Nd9XLT+Z0VLzCkWJZOdzGNQnnm7ujoQ8gbxeDvIo9RG5I3eZteBwD91Nf6P/
E9lvJQDL2Qnz4EXH/CVW9DeEfvY1UJN9kc6q6KkYEPWssvVvlDOp2slbEKZCJtaP
vVuGCAqfaps8J0FjOQIDAQAB
-END PUBLIC KEY-

from the already issued certificate?

 The certificate contains the public key.
 But you already have the public key, since you sent the certificate
 request in the first place, and you have the private key that the
 public key was generated with.


The user won't be the one extracting the public key but the program running
against the CA server.


 But, you could try:

 $ openssl x509 -inform PEM -in file.pem -x509toreq -out file.csr
 $ openssl req -in file.csr -pubkey -noout

 (the '-noout' can be replaced with '-outform pem -out publickey.pem '
 if you need it to go to a file.)

hmm, I'm running openca so I'm not sure where the certificate request are
located at.  Where are they located at  in openssl?

thanks,
Janet

 -Kyle H







--

-Kyle H


Re: how to extract signature from public key using openssl?

2007-05-04 Thread Kyle Hamilton

Give me a bit, I'm going to set up a test CA environment and figure it out.

-Kyle H

On 5/4/07, Janet N [EMAIL PROTECTED] wrote:




 But, you could try:

 $ openssl x509 -inform PEM -in file.pem -x509toreq -out file.csr
 $ openssl req -in file.csr -pubkey -noout

# openssl x509 -inform PEM -in usercert.pem -x509toreq -out file.csr
 Getting request Private Key
 no request key file specified


When I checked the file.csr file it is empty.  I tried to throw the -key in
the command did not work :)

thanks,
Janet

 (the '-noout' can be replaced with '-outform pem -out publickey.pem'
 if you need it to go to a file.)

 -Kyle H







--

-Kyle H


Re: how to extract signature from public key using openssl?

2007-05-04 Thread Janet N

Hi Kyle,

> What tool is it you're using for DKIM?

DKIM uses the openssl library to produce a public and private key. The private
key should be saved on an MTA server. The public key will be used in the DNS TXT
record for DKIM.  They use the following openssl commands to produce
the public and private key:

  - Enter the following command to generate your private key:

  openssl genrsa -out rsa.private 1024

  - Enter the following command to generate your public key:

  openssl rsa -in rsa.private -out rsa.public -pubout -outform PEM

  The public key entry in the DNS TXT record looks like the following:

mail._domainkey.example.com. IN TXT "k=rsa; t=y;
p=MEwwPQRJKoZIhvcNADAQCQADOwAwOAIxANPpYHdE2tevfEpvL1Tk2dDYv0pF28/f5MxU83x/0b
sn4R4p7waPaz1IbOGs/6bm5QIDAQAB"

The string after *p=* is the base64 encoding of your public key.

If the *rsa.public* file which was generated contains

-----BEGIN PUBLIC KEY-----
MEwwPQRJKoZIhvcNADAQCQADOwAwOAIxANPpYHdE2tevfEpvL1Tk2dDYv0pF28/f
5MxU83x/0bsn4R4p7waPaz1IbOGs/6bm5QIDAQAB
-----END PUBLIC KEY-----

You can find more info about DKIM setup using openssl pub and priv keys at:
http://www.elandsys.com/resources/sendmail/dkim.html

> that tool expects, I can find a way to make it possible.
> (Technically, if you're using OpenCA, you're using OpenLDAP to store
> all of the issued certificates -- and those certificates contain the
> keys necessary.)
>
> I am sorry that I didn't understand that you're running this on the
> server, disseminating information for verifiers.  This explains a lot.
> :)
>
> -Kyle H

On 5/4/07, Janet N [EMAIL PROTECTED] wrote:

 Hello,

 
  Why do you need to get the public key at the time the certificate is
  issued?  You already have it.

 We are using DKIM (domain key signing), it uses not the x509 public key,
but
 the public key of the private key.  The idea is to extract the rsa
public
 key at the time the CA issue the cert and load this rsa public key to a
db.
 This program is run against the CA.

  The CA can extract the public key from the certificate request.

 I see, so I can't extract the public key
 -BEGIN PUBLIC KEY-
 MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCg8yo6rDhsNiwUfVR37HgF4bWq
 oG13Nd9XLT+Z0VLzCkWJZOdzGNQnnm7ujoQ8gbxeDvIo9RG5I3eZteBwD91Nf6P/
 E9lvJQDL2Qnz4EXH/CVW9DeEfvY1UJN9kc6q6KkYEPWssvVvlDOp2slbEKZCJtaP
 vVuGCAqfaps8J0FjOQIDAQAB
 -END PUBLIC KEY-

 from the already issued certificate?

  The certificate contains the public key.
  But you already have the public key, since you sent the certificate
  request in the first place, and you have the private key that the
  public key was generated with.


 The user won't be the one extracting the public key but the program
running
 against the CA server.

 
  But, you could try:
 
  $ openssl x509 -inform PEM -in file.pem -x509toreq -out file.csr
  $ openssl req -in file.csr -pubkey -noout
 
  (the '-noout' can be replaced with '-outform pem -out publickey.pem '
  if you need it to go to a file.)

 hmm, I'm running openca so I'm not sure where the certificate request
are
 located at.  Where are they located at  in openssl?

 thanks,
 Janet

  -Kyle H
 
 




--

-Kyle H
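An added worked example for both Kyle's certificate-to-public-key recipe and Janet's DKIM key setup (example code, not from anyone in the thread): it shows that the key inside the certificate is the same key `openssl rsa -pubout` derives from the private key, extracts it three ways, including the direct `openssl x509 -pubkey -noout` route the thread does not mention, and builds the DKIM `p=` value. It assumes the `openssl` CLI is on PATH; the key, certificate, domain and file names are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): the RSA public key inside an X.509
# certificate is the same key `openssl rsa -pubout` derives from the private
# key. Extract it three ways and build the DKIM "p=" value from it.
# Assumes `openssl` is on PATH; all files are constructed throwaway test data
# written to a temporary directory.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# The two commands Janet quotes for DKIM (2048-bit here rather than 1024),
# plus a self-signed certificate issued for the same private key.
make_dkim_material() {
    openssl genrsa -out "$WORK/rsa.private" 2048 2>/dev/null
    openssl rsa -in "$WORK/rsa.private" -out "$WORK/rsa.public" \
        -pubout -outform PEM 2>/dev/null
    openssl req -new -x509 -days 1 -key "$WORK/rsa.private" \
        -subj "/CN=mail.example.test" -out "$WORK/cert.pem" 2>/dev/null
}

# Public key straight from the certificate, no CSR round trip needed.
pubkey_from_cert() {
    openssl x509 -in "$1" -pubkey -noout
}

# Kyle's route: certificate -> CSR -> public key. -x509toreq must re-sign
# the request, so it needs the private key (-signkey); that missing key is
# what Janet's "no request key file specified" error was about.
pubkey_via_csr() {
    openssl x509 -in "$1" -x509toreq -signkey "$2" \
        -out "$WORK/file.csr" 2>/dev/null
    openssl req -in "$WORK/file.csr" -pubkey -noout
}

# DKIM p= value: the base64 body of the PEM public key joined on one line.
dkim_p_value() {
    grep -v '^-----' "$1" | tr -d '\n'
}

# Succeeds when rsa.public, the certificate and the CSR carry the same key.
keys_match() {
    a=$(cat "$WORK/rsa.public")
    b=$(pubkey_from_cert "$WORK/cert.pem")
    c=$(pubkey_via_csr "$WORK/cert.pem" "$WORK/rsa.private")
    [ "$a" = "$b" ] && [ "$b" = "$c" ]
}

# Succeeds when the p= value decodes back to the DER SubjectPublicKeyInfo.
p_value_round_trips() {
    openssl rsa -pubin -in "$WORK/rsa.public" -outform DER \
        -out "$WORK/spki.der" 2>/dev/null
    dkim_p_value "$WORK/rsa.public" | openssl base64 -d -A |
        cmp -s - "$WORK/spki.der"
}

make_dkim_material
keys_match && echo "rsa.public, certificate and CSR carry the same key"
p_value_round_trips && echo "p= value decodes to the DER SubjectPublicKeyInfo"
echo "mail._domainkey.example.test. IN TXT \"v=DKIM1; k=rsa; p=$(dkim_p_value "$WORK/rsa.public")\""
```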