How to set CA:TRUE, in an existing cert

2010-05-12 Thread Darázs Attila
Hi to everyone on the list,

Please help me figure this out. I'm trying to add the CA:TRUE
constraint to one of my existing certs (the GTE CyberTrust Global Root,
actually, which can be downloaded here:
http://ugykezelo.elte.hu/files/gte-cybertrust-global-root.crt ).

I found in a different cert, that when I issue the
$ openssl x509 -text -in good-ca-cert.crt

command, it includes the following info:
X509v3 Basic Constraints:
CA:TRUE

And the GTE cert lacks this.

Explanation why I need this:
I'm trying to install a CA cert on my Android phone, to use my
university WiFi account, via http://www.realmb.com/droidCert/ I would
need to install the GTE CyberTrust Root cert, but it is getting
registered as a client cert, not a CA one. If I try to install one
with CA:TRUE, then it's working properly.

Can you tell me how to add this CA:TRUE property to a certificate?

Thanks in advance,
--Attila
__
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org


Re: CA.pl/CA.sh fail - can't create root CA

2010-05-12 Thread Dr. Stephen Henson
On Tue, May 11, 2010, asc123 wrote:

 
 I'm getting a segv when trying to run CA.pl/.sh to create a rootCA: 
 
 Please enter the following 'extra' attributes 
 to be sent with your certificate request 
 A challenge password []: 
 An optional company name []: 
 unknown option -create_serial 
 usage: ca args 
 
  -verbose- Talk alot while doing things 
  -config file- A config file 
  -name arg   - The particular CA definition to use 
  -gencrl - Generate a new CRL 
  -crldays days   - Days is when the next CRL is due 
  -crlhours hours - Hours is when the next CRL is due 
  -startdate YYMMDDHHMMSSZ  - certificate validity notBefore 
  -enddate YYMMDDHHMMSSZ- certificate validity notAfter (overrides -days) 
  -days arg   - number of days to certify the certificate for 
  -md arg - md to use, one of md2, md5, sha or sha1 
  -policy arg - The CA 'policy' to support 
  -keyfile arg- private key file 
  -keyform arg- private key file format (PEM or ENGINE) 
  -key arg- key to decode the private key if it is encrypted 
  -cert file  - The CA certificate 
  -in file- The input PEM encoded certificate request(s) 
  -out file   - Where to put the output file(s) 
  -outdir dir - Where to put output certificates 
  -infiles    - The last argument, requests to process 
  -spkac file - File contains DN and signed public key and challenge 
  -ss_cert file   - File contains a self signed cert to sign 
  -preserveDN - Don't re-order the DN 
  -noemailDN  - Don't add the EMAIL field into certificate' subject 
  -batch  - Don't ask questions 
  -msie_hack  - msie modifications to handle all those universal strings 
  -revoke file- Revoke a certificate (given in file) 
  -subj arg   - Use arg instead of request's subject 
  -extensions ..  - Extension section (override value in config file) 
  -extfile file   - Configuration file with X509v3 extentions to add 
  -crlexts .. - CRL extension section (override value in config file) 
  -engine e   - use engine e, possibly a hardware device. 
  -status serial  - Shows certificate status given the serial number 
  -updatedb   - Updates db for expired certificates 
 ./CA.sh: line 197: 10495 Segmentation fault  $CA -create_serial -out
 ${CATOP}/$CACERT $CADAYS -batch -keyfile ${CATOP}/private/$CAKEY -selfsign
 -extensions v3_ca -infiles ${CATOP}/$CAREQ 
 
 I tried removing the -create_serial option and then it complains about the
 -selfsign option.  Removed that too - but it just errors out, never creating
 my root ca cert. 
 
 Any one encountered this before?  Happens with openssl 0.9.8m/1.0.0 on suse
 linux 9. 
 
 Thanks in advance!
 

The CA.pl script from OpenSSL 1.0.0 is using the openssl utility from 0.9.8
and failing due to unimplemented options. I'd suggest you either use the 0.9.8
CA.pl or amend your path so the 1.0.0 openssl utility is used.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org


RE: CA.pl/CA.sh fail - can't create root CA

2010-05-12 Thread Eisenacher, Patrick
Hello asc123,

 -Original Message-
 From: owner-openssl-users On Behalf Of asc123

 I'm getting a segv when trying to run CA.pl/.sh to create a rootCA:

 Please enter the following 'extra' attributes
 to be sent with your certificate request
 A challenge password []:
 An optional company name []:
 unknown option -create_serial
 usage: ca args

  -verbose- Talk alot while doing things
  -config file- A config file
  -name arg   - The particular CA definition to use
  -gencrl - Generate a new CRL
  -crldays days   - Days is when the next CRL is due
  -crlhours hours - Hours is when the next CRL is due
  -startdate YYMMDDHHMMSSZ  - certificate validity notBefore
  -enddate YYMMDDHHMMSSZ- certificate validity notAfter
 (overrides -days)
  -days arg   - number of days to certify the certificate for
  -md arg - md to use, one of md2, md5, sha or sha1
  -policy arg - The CA 'policy' to support
  -keyfile arg- private key file
  -keyform arg- private key file format (PEM or ENGINE)
  -key arg- key to decode the private key if it is encrypted
  -cert file  - The CA certificate
  -in file- The input PEM encoded certificate request(s)
  -out file   - Where to put the output file(s)
  -outdir dir - Where to put output certificates
  -infiles    - The last argument, requests to process
  -spkac file - File contains DN and signed public key and
 challenge
  -ss_cert file   - File contains a self signed cert to sign
  -preserveDN - Don't re-order the DN
  -noemailDN  - Don't add the EMAIL field into
 certificate' subject
  -batch  - Don't ask questions
  -msie_hack  - msie modifications to handle all those
 universal strings
  -revoke file- Revoke a certificate (given in file)
  -subj arg   - Use arg instead of request's subject
  -extensions ..  - Extension section (override value in config file)
  -extfile file   - Configuration file with X509v3 extentions to add
  -crlexts .. - CRL extension section (override value in
 config file)
  -engine e   - use engine e, possibly a hardware device.
  -status serial  - Shows certificate status given the serial number
  -updatedb   - Updates db for expired certificates
 ./CA.sh: line 197: 10495 Segmentation fault  $CA
 -create_serial -out
 ${CATOP}/$CACERT $CADAYS -batch -keyfile
 ${CATOP}/private/$CAKEY -selfsign
 -extensions v3_ca -infiles ${CATOP}/$CAREQ

 I tried removing the -create_serial option and then it
 complains about the
 -selfsign option.  Removed that too - but it just errors out,
 never creating
 my root ca cert.

 Any one encountered this before?  Happens with openssl
 0.9.8m/1.0.0 on suse
 linux 9.

if you check the error message, you see that there is neither a -create_serial 
option nor a -selfsign option, so I guess it's no surprise that openssl 
complains. The absence of -selfsign is a bit weird, as this option is 
definitely available in v0.9.8 and v1.0.0, but you've got more bugs in your 
invocation. Also, try replacing your variables by their values and check the 
content of your input files. Do you have a proper configuration file with all 
the necessary content? Try referencing your configuration file via the -config 
option. Add the -verbose option to get more output. As a starter you should 
read about the usage of the various openssl command line tools 
(http://www.openssl.org/docs/apps/openssl.html) or via man {tool-name} on your 
system. The latter approach makes sure you get the documentation for your 
installed version of openssl. The documentation also contains extensive 
examples. Try starting with an example and then modify it according to your 
needs.


HTH,
Patrick Eisenacher


Re: [openssl-users] How to set CA:TRUE, in an existing cert

2010-05-12 Thread Erwann ABALEA
Hello,

Today, IV Id. Mai. MMX (12 May 2010), Darázs Attila wrote:
 Please help me figure this out. I'm trying to add the CA:TRUE
 constraint to one of my existing certs (the GTE CyberTrust Global Root,
 actually, which can be downloaded here:
 http://ugykezelo.elte.hu/files/gte-cybertrust-global-root.crt ).

First, you can't modify an existing certificate without invalidating
its signature.
Second, this certificate is a V1 one, and extensions were added to V3
of the X.509 standard. You can't then add the basicConstraints
extension.

 Explanation why I need this:
 I'm trying to install a CA cert on my Android phone, to use my
 university WiFi account, via http://www.realmb.com/droidCert/ I would
 need to install the GTE CyberTrust Root cert, but it is getting
 registered as a client cert, not a CA one. If I try to install one
 with CA:TRUE, then it's working properly.

-- 
Erwann ABALEA erwann.aba...@keynectis.com
-
Computers can never replace human stupidity.


finding documentation/man pages

2010-05-12 Thread Richard Ray

I bought a copy of Network Security with OpenSSL from a friend
In chapter 7 section Secure HTTP Cookies the examples use functions 
EVP_EncodeBlock and EVP_DecodeBlock
I can not find any mention of these in documentation or man pages
Can someone point me to where I might find them

Thanks
Richard


Re: [openssl-users] How to set CA:TRUE, in an existing cert

2010-05-12 Thread Darázs Attila
So basically if I don't find a cert with the correct options, I'm screwed.
Thank you for the explanation.

Attila

2010/5/12 Erwann ABALEA erwann.aba...@keynectis.com:
 Hello,

 Today, IV Id. Mai. MMX (12 May 2010), Darázs Attila wrote:
 Please help me figure this out. I'm trying to add the CA:TRUE
 constraint to one of my existing certs (the GTE CyberTrust Global Root,
 actually, which can be downloaded here:
 http://ugykezelo.elte.hu/files/gte-cybertrust-global-root.crt ).

 First, you can't modify an existing certificate without invalidating
 its signature.
 Second, this certificate is a V1 one, and extensions were added to V3
 of the X.509 standard. You can't then add the basicConstraints
 extension.

 Explanation why I need this:
 I'm trying to install a CA cert on my Android phone, to use my
 university WiFi account, via http://www.realmb.com/droidCert/ I would
 need to install the GTE CyberTrust Root cert, but it is getting
 registered as a client cert, not a CA one. If I try to install one
 with CA:TRUE, then it's working properly.

 --
 Erwann ABALEA erwann.aba...@keynectis.com
 -
 Computers can never replace human stupidity.



Re: How to set CA:TRUE, in an existing cert

2010-05-12 Thread Peter Sylvester

I'm trying to install a CA cert on my Android phone, to use my
university WiFi account, via http://www.realmb.com/droidCert/ I would
need to install the GTE CyberTrust Root cert, but it is getting
registered as a client cert, not a CA one. If I try to install one
with CA:TRUE, then it's working properly.

Can you tell me how to add this CA:TRUE property to a certificate?

Make your own root, and then cross-certify
the GTE public key and id adding the appropriate
extensions.
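The three answers above fit together into one procedure: build your own root CA with openssl directly (the self-signing step that CA.pl was failing on in the CA.pl/CA.sh thread), confirm with the version checks Erwann describes that the legacy certificate is a V1 certificate with no basicConstraints, and then, as Peter Sylvester suggests, cross-certify its subject and public key under your root with the extensions added. The script below is an added example written for this page, not code from any of the posts or from the OpenSSL project. It does not download the GTE root; the "legacy" certificate is a locally generated stand-in with no basicConstraints (constructed here), and the working directory, file names and subject names are assumptions. `ca_supports_option` is the quick check for Steve's diagnosis: it asks the `openssl` actually on PATH whether it knows the options a newer CA.pl passes.

```shell
#!/bin/sh
# Added example (not code from the list posts or the OpenSSL project).
# 1. ca_supports_option: does the openssl on PATH know a given `openssl ca`
#    option (e.g. create_serial, selfsign)? Absent in 0.9.8, present in 1.0.0+.
# 2. make_own_root: build a root CA with req/x509 only, no CA.pl needed.
# 3. cross_certify: re-issue a legacy root's subject and public key under that
#    root with basicConstraints CA:TRUE; the result is a v3 cross-certificate.
# The legacy certificate is a stand-in constructed here, not the GTE root.
# Directory, file and subject names are assumptions.
set -eu

ca_supports_option() {   # e.g. ca_supports_option create_serial
    openssl ca -help 2>&1 | grep -q -- "-$1"
}

write_configs() {        # $1 = working directory; avoids relying on a system openssl.cnf
    cat > "$1/req.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
EOF
    cat > "$1/ext.cnf" <<'EOF'
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash

[ cross_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid, issuer
EOF
}

make_own_root() {        # $1 = working directory -> root.key, root.crt
    write_configs "$1"
    openssl genrsa -out "$1/root.key" 2048 2>/dev/null
    openssl req -new -config "$1/req.cnf" -key "$1/root.key" \
        -subj "/O=Example Org/CN=Example Org Private Root" -out "$1/root.csr"
    # Self-sign with the v3_ca section: this is what CA.pl's -selfsign step does.
    openssl x509 -req -in "$1/root.csr" -signkey "$1/root.key" -days 3650 -sha256 \
        -extfile "$1/ext.cnf" -extensions v3_ca -out "$1/root.crt" 2>/dev/null
}

make_legacy_stand_in() { # $1 = working directory -> legacy.key, legacy.crt
    write_configs "$1"
    openssl genrsa -out "$1/legacy.key" 2048 2>/dev/null
    openssl req -new -config "$1/req.cnf" -key "$1/legacy.key" \
        -subj "/O=Example Org/CN=Legacy Root (stand-in)" -out "$1/legacy.csr"
    # No -extfile: OpenSSL 1.x emits a v1 certificate like the GTE root; 3.x may
    # add a subject key identifier (making it v3), but still no basicConstraints.
    openssl x509 -req -in "$1/legacy.csr" -signkey "$1/legacy.key" -days 365 \
        -sha256 -out "$1/legacy.crt" 2>/dev/null
}

# $1 = working directory (root.key/root.crt), $2 = certificate to cross-certify,
# $3 = output. Subject and public key of $2 are kept, the issuer becomes our
# root, and the cross_ca extensions are added. The serial is 128 random bits.
cross_certify() {
    openssl x509 -in "$2" -CA "$1/root.crt" -CAkey "$1/root.key" \
        -set_serial "0x$(openssl rand -hex 16)" -days 1825 -sha256 \
        -extfile "$1/ext.cnf" -extensions cross_ca -out "$3" 2>/dev/null
}

is_ca() {                # exit 0 when the certificate carries CA:TRUE
    openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'
}

cert_version() {         # prints the X.509 version number, 1 or 3
    openssl x509 -in "$1" -noout -text | sed -n 's/^ *Version: \([0-9]*\).*/\1/p'
}

verify_under_root() {    # $1 = working directory, $2 = certificate to verify
    openssl verify -CAfile "$1/root.crt" "$2" >/dev/null 2>&1
}

demo() {
    dir=$(mktemp -d)
    make_own_root "$dir"
    make_legacy_stand_in "$dir"
    cross_certify "$dir" "$dir/legacy.crt" "$dir/legacy-cross.crt"
    for c in legacy legacy-cross; do
        printf '%s: version %s, CA:TRUE=%s\n' "$c" "$(cert_version "$dir/$c.crt")" \
            "$(is_ca "$dir/$c.crt" && echo yes || echo no)"
    done
    openssl x509 -in "$dir/legacy-cross.crt" -noout -subject -issuer
}
demo
```

The cross-certificate only means something to a relying party that trusts your private root: the phone has to import root.crt as a trusted CA, after which a path can be built from a server certificate through legacy-cross.crt to it. You are also asserting CA:TRUE for a key you do not control, so keep the validity short and consider a pathlen constraint in the cross_ca section if the relying software honours it.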


Open SSL without interactive mode?

2010-05-12 Thread vince73

Hello,

I hope this post is in the right place.
I have to generate a MIME file through openssl (Win32 latest version: 1.0.0).

Interactive mode works perfectly: openssl.exe - prompt - smime –sign
–signer usercer.pem –in filetosign.xml –inkey userkey.pem –out
outputfile.sign -outform PEM –passin pass:X

But when sending command on one line:

openssl smime –sign –signer usercer.pem –in filetosign.xml –inkey
userkey.pem –out outputfile.sign -outform PEM –passin pass:X

= Then I get the usage screen (Usage: smime [options] cert.pem )
without any error output.

What should be done to sign using a one-line command ?

Thanks in advance.

Vincent
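One thing visible in the post as pasted: the option names in the one-line command are preceded by an en dash (U+2013: `–sign`, `–signer`, `–in`) rather than the ASCII hyphen, and openssl's option parser only matches the ASCII form; that may or may not be what happened in Vincent's console, but it is worth ruling out before anything else. The script below is an added example written for this page, not code from the post or the OpenSSL project. It runs the same signing operation on one line with ASCII hyphens, reads the key passphrase from a file instead of putting `pass:X` on the command line where any local user can read it from the process list, and verifies the detached PEM signature, including that a modified input is rejected. The signer key and certificate, the passphrase and the XML input are constructed here; the file names follow the post, the working directory and subject name are assumptions.

```shell
#!/bin/sh
# Added example (not code from the post or the OpenSSL project): one-line
# `openssl smime -sign` with a passphrase file, detached PEM output, and
# verification with -content. Signer, passphrase and input are constructed
# here; the working directory is an assumption.
set -eu
umask 077                # key and passphrase files are created mode 0600

# Exit 0 when the string holds a byte outside printable ASCII, e.g. an
# en dash (U+2013) where an option's leading '-' should be.
has_non_ascii() {
    printf '%s' "$1" | LC_ALL=C grep -q '[^ -~]'
}

# Self-signed signer whose key usages satisfy smime's signing purpose check;
# the private key is encrypted with the passphrase stored in $1/passphrase.
make_signer() {          # $1 = working directory -> userkey.pem, usercer.pem
    printf 'correct horse battery staple' > "$1/passphrase"
    cat > "$1/req.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
[ signer ]
keyUsage = critical, digitalSignature
extendedKeyUsage = emailProtection
EOF
    openssl req -x509 -config "$1/req.cnf" -extensions signer -newkey rsa:2048 \
        -keyout "$1/userkey.pem" -passout "file:$1/passphrase" \
        -subj "/CN=Example Signer" -days 365 -out "$1/usercer.pem" 2>/dev/null
}

# One-line detached signature in PEM form. -binary signs the file's bytes as
# they are on disk; without it smime canonicalises line endings to CRLF before
# hashing, and a later -verify -content against the raw file fails.
sign_detached_pem() {    # $1 = working directory, $2 = input, $3 = signature
    openssl smime -sign -binary -signer "$1/usercer.pem" -inkey "$1/userkey.pem" \
        -passin "file:$1/passphrase" -in "$2" -out "$3" -outform PEM
}

# -content supplies the data the detached signature covers; the signer cert is
# self-signed here, so it doubles as the trust anchor via -CAfile.
verify_detached_pem() {  # $1 = working directory, $2 = signature, $3 = content
    openssl smime -verify -binary -inform PEM -in "$2" -content "$3" \
        -CAfile "$1/usercer.pem" -out /dev/null 2>/dev/null
}

demo() {
    dir=$(mktemp -d)
    make_signer "$dir"
    printf '<order id="42"><total>10.00</total></order>\n' > "$dir/filetosign.xml"
    sign_detached_pem "$dir" "$dir/filetosign.xml" "$dir/outputfile.sign"
    verify_detached_pem "$dir" "$dir/outputfile.sign" "$dir/filetosign.xml" \
        && echo "original: verified"
    cp "$dir/filetosign.xml" "$dir/tampered.xml"
    printf '<!-- -->' >> "$dir/tampered.xml"
    verify_detached_pem "$dir" "$dir/outputfile.sign" "$dir/tampered.xml" \
        || echo "tampered: rejected"
    has_non_ascii 'openssl smime –sign' && echo "pasted command: non-ASCII option dash"
}
demo
```

On Windows the same applies with `openssl.exe`; the point of `has_non_ascii` is that a command copied from a document or mail client can carry typographic dashes that look right on screen but are not the `-` openssl matches, and a command that parses as having no operation prints exactly the usage screen with no error line.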


BIO sockets usage

2010-05-12 Thread Patrice Guérin

Hello All,

I have some basic questions about BIO sockets.

In order to use BIO sockets as a simple network layer without SSL
negotiation, is SSL_library_init() needed or not?
I think it's not mandatory, but I want to have confirmation of this.

On Win32 platforms, there are two functions, BIO_sock_init(void ) and
BIO_sock_cleanup(void).
I've seen in the sources that BIO_sock_init() is called in some places
to initialize Winsock (WSAStartup) but BIO_sock_cleanup() is not.
Should it be done by the application ?

Thank you.
Patrice.

P.S.
Sorry for the inconvenience, I've sent the previous e-mail to
owners-openssl-users.

