Re: Wildcard certs?

2010-07-24 Thread Luis Daniel Lucio Quiroz
On Friday 23 July 2010 22:06:44, Kyle Hamilton wrote:
  There's a company called StartCom (http://www.startssl.com/) who will
 do 2-year validity wildcard certs, upon verification of your identity
 and verification that you have control of the domain for which you are
 requesting certificates.
 
 Oh, and they're included in the latest Microsoft Root Certificate Update
 for Windows XP, and all later versions; Firefox recognizes them, they're
 part of Apple's certificate store, and it's pretty much only Opera who
 doesn't recognize them for whatever reason.
 
 -Kyle H
 
 On 7/23/10 6:24 PM, Mounir IDRASSI wrote:
   Hi,
  
  All major commercial CAs do provide wildcard SSL certificates and the
  price is usually high.
  
  Googling gives the following links for Comodo, Thawte and Verisign:
 - http://www.comodo.com/e-commerce/ssl-certificates/wildcard-ssl.php
 - http://www.thawte.com/ssl/wildcard-ssl-certificates/
 - http://www.verisign.com/ssl-certificates/wildcard-ssl-certificates/
  
  Cheers,
  
  On 7/24/2010 2:02 AM, Luis Daniel Lucio Quiroz wrote:
  Just wondering
  
  Whom must I request a wildcard cert from, for example to accept all the
  *.mydomain.com
  
  Regards,
  
  LD
  __
  OpenSSL Project http://www.openssl.org
  User Support Mailing Listopenssl-users@openssl.org
  Automated List Manager   majord...@openssl.org
  

I was meaning, for my local OpenSSL installation,
how may I do the request?

Shall I put *.mydomain.com in the DN? Or what?


RE: Why does my browser give a warning about a mismatched hostname

2010-07-24 Thread David Schwartz
 I generated the SSL request, signed it in my CA (openssl) and
 uploaded the
 signed certificate back to the device.
 I also generated ca.der and uploaded it to my Internet browser. When I
 try to open iLO, my browser gives a warning about a mismatched hostname.
 
 I'm accessing this device via IP address.
 I don't want to add these addresses to my DNS.

You told your browser you wanted a secure connection to 1.2.3.4 (or
whatever) and instead it got a secure connection to
some-iLO-2-Subsystem-Name. It has no reason to think you want to send your
secrets to some-iLO-2-Subsystem-Name -- hence the warning.

Simply put, you did not get a secure connection to the thing you requested a
secure connection to. You got a secure connection to something else.

DS



Re: Why does my browser give a warning about a mismatched hostname

2010-07-24 Thread michu162

So what should I do to avoid warnings?
The CN (some-iLO-2-Subsystem-Name) is included in the certificate request, which is
automatically generated by the device. I can't upload another certificate (with
another CN) because I get an alert that the certificate doesn't match the request.
Is it possible to access the device via IP without warnings?

michu162 wrote:
 
 I generated the SSL request, signed it in my CA (openssl) and uploaded the
 signed certificate back to the device.
 I also generated ca.der and uploaded it to my Internet browser. When I
 try to open iLO, my browser gives a warning about a mismatched hostname.
 
 I'm accessing this device via IP address.
 I don't want to add these addresses to my DNS.
 
 In the certificate request there was:
 CN = some-iLO-2-Subsystem-Name
 OU = ISS
 O = Hewlett-Packard Development Company
 ST = Texas
 C = US
 
 In my CA certificate, which I used to sign the request, I've got:
 CN = in...@mycompany.com
 C = US
 ST = MyState
 L = myCity
 E = in...@mycompany.com
 OU = Infrastructure
 O = MyCompany SP zoo
 
 What should I do to connect to iLO without any warnings?
 
 To create my own CA I used:
 openssl req -new -x509 -extensions v3_ca -keyout private/cakey.pem -out cacert.pem -days 3650 -config ./openssl.cnf
 
 To sign my certificate request I used:
 openssl ca -notext -in /etc/ssl/req.txt -out /etc/ssl/ilocert.pem
 
 My OpenSSL configuration file:
 #
 # Establish working directory.
 #
 dir = /etc/ssl
 
 [ ca ]
 default_ca = CA_default
 
 [ CA_default ]
 serial = $dir/serial
 database = $dir/index.txt
 new_certs_dir = $dir/certs
 certificate = $dir/cacert.pem
 private_key = $dir/private/cakey.pem
 default_days = 3650
 default_md = md5
 preserve = no
 email_in_dn = no
 nameopt = default_ca
 certopt = default_ca
 policy = policy_match
 
 [ policy_match ]
 countryName = optional
 stateOrProvinceName = optional
 organizationName = optional
 organizationalUnitName = optional
 commonName = supplied
 emailAddress = optional
 
 [ req ]
 default_bits = 1024                 # Size of keys
 default_keyfile = key.pem           # name of generated keys
 default_md = md5                    # message digest algorithm
 string_mask = nombstr               # permitted characters
 distinguished_name = req_distinguished_name
 req_extensions = v3_req
 
 [ req_distinguished_name ]
 # Variable name                 Prompt string
 # ---------------------------   ------------------------------------------
 0.organizationName = Organization Name (company)
 organizationalUnitName = Organizational Unit Name (department, division)
 emailAddress = Email Address
 emailAddress_max = 40
 localityName = Locality Name (city, district)
 stateOrProvinceName = State or Province Name (full name)
 countryName = Country Name (2 letter code)
 countryName_min = 2
 countryName_max = 2
 commonName = Common Name (hostname, IP, or your name)
 commonName_max = 64
 
 # Default values for the above, for consistency and less typing.
 # Variable name                 Value
 # ---------------------------   ------------------------------------------
 0.organizationName_default = My Company
 localityName_default = My Town
 stateOrProvinceName_default = State or Providence
 countryName_default = US
 
 [ v3_ca ]
 basicConstraints = CA:TRUE
 subjectKeyIdentifier = hash
 authorityKeyIdentifier = keyid:always,issuer:always
 
 [ v3_req ]
 basicConstraints = CA:FALSE
 subjectKeyIdentifier = hash
 
 Can anyone help me?
 
 

-- 
View this message in context: 
http://old.nabble.com/Why-does-my-browser-give-a-warning-about-a-mismatched-hostname-tp29237337p29255142.html
Sent from the OpenSSL - User mailing list archive at Nabble.com.



Re: Wildcard certs?

2010-07-24 Thread Hugo Garza
Yes, set the Common Name field to *.yourdomain.com

On Sat, Jul 24, 2010 at 2:45 AM, Luis Daniel Lucio Quiroz 
luis.daniel.lu...@gmail.com wrote:

 I was meaning, for my local OpenSSL installation,
 how may I do the request?

 Shall I put *.mydomain.com in the DN? Or what?



Re: Wildcard certs?

2010-07-24 Thread Mounir IDRASSI
Well, your question was "who i must do request for..."; that's why we gave
you links for outside CAs.
If you are dealing with your own CA, then using a wildcard character in
the DN will do the job.

--
Mounir IDRASSI
IDRIX
http://www.idrix.fr

 I was meaning, for my local OpenSSL installation,
 how may I do the request?

 Shall I put *.mydomain.com in the DN? Or what?



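The two threads above come down to the same check: how a client compares the name it was asked to connect to (an IP address such as 1.2.3.4, or www.mydomain.com) against the names a certificate carries (a CN of some-iLO-2-Subsystem-Name, a wildcard *.mydomain.com in the DN, or subjectAltName entries). The following is an added Python illustration of those matching rules, not code from the thread or from OpenSSL; the CertNames type and the certificate identities in it are constructed for the example, and the iPAddress subjectAltName entry is what an IP-addressed connection needs in order to verify (the iLO request shown above carries only a DN).

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class CertNames:
    """Identity names a client extracts from a server certificate (constructed type)."""
    common_name: str
    dns_names: list = field(default_factory=list)     # subjectAltName dNSName entries
    ip_addresses: list = field(default_factory=list)  # subjectAltName iPAddress entries


def dns_name_matches(pattern: str, host: str) -> bool:
    """RFC 6125 style comparison: case-insensitive, '*' only as the whole left-most label."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    # The wildcard stands for exactly one label, so *.mydomain.com matches
    # www.mydomain.com but neither mydomain.com nor a.b.mydomain.com; refusing
    # patterns shorter than three labels keeps out things like *.com.
    if len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def hostname_matches(requested: str, cert: CertNames) -> bool:
    """Does the name the client asked for match what the certificate vouches for?"""
    try:
        wanted_ip = ipaddress.ip_address(requested)
    except ValueError:
        wanted_ip = None
    if wanted_ip is not None:
        # An IP literal is only ever compared against iPAddress SAN entries,
        # never against the CN: this is why the connection to the iLO warns.
        return any(ipaddress.ip_address(ip) == wanted_ip for ip in cert.ip_addresses)
    if cert.dns_names:
        # Once a dNSName SAN exists, clients ignore the CN entirely.
        return any(dns_name_matches(name, requested) for name in cert.dns_names)
    return dns_name_matches(cert.common_name, requested)


# Constructed identities mirroring the two threads; not real certificates.
ILO_CERT = CertNames(common_name="some-iLO-2-Subsystem-Name")
ILO_CERT_WITH_SAN = CertNames(common_name="some-iLO-2-Subsystem-Name",
                              ip_addresses=["1.2.3.4"])
WILDCARD_CERT = CertNames(common_name="*.mydomain.com")

if __name__ == "__main__":
    print("1.2.3.4 vs CN only:", hostname_matches("1.2.3.4", ILO_CERT))          # False
    print("1.2.3.4 vs IP SAN: ", hostname_matches("1.2.3.4", ILO_CERT_WITH_SAN)) # True
```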


PEM-DER-CSR-CRT

2010-07-24 Thread Warron French
I have been reading HOWTOs all over the internet trying to figure out
how to generate a self-signed and/or CA (mine) signed certificate.

What I can't understand is, WHY do I need an RSA key or certificate?
I think it's a key. WHY do I need a PEM certificate, and why a DER
certificate?

Nowhere on any website does it say WHEN to use one type of certificate
or just a key.

Apache httpd.conf files will reference both .key and .crt files in their
syntax; isn't the .crt a PEM-encoded certificate file? If so, why not
give it a more meaningful .pem extension instead?

Can anyone clarify for me?  I am trying not to chase my tail and want to
learn this stuff on a deeper level.

When do I know if I need to perform the openssl req and then openssl
x509 commands and NOT the openssl rsa command?

This is all very confusing and I see no simplified (non-doctoral)
documentation on this material.  Anyone have a book to suggest?


Thanks to anyone that can respond.
-- 
Warron French, SCSA

