certificate chain
Hi,

I need to create a Root CA and a Sub CA, which will issue certificates for a web server and have a correct certificate chain. I tried it myself but all certificates were damaged and useless. Can anyone please write me a step by step manual?

Peter

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
Re: certificate chain
Hi Peter:

On 2010-11-12, at 5:21 AM, Petr wrote:
> Hi,
>
> I need to create a Root CA and a Sub CA, which will issue certificates for a web server and have a correct certificate chain. I tried it myself but all certificates were damaged and useless. Can anyone please write me a step by step manual?

You can find such a guide here: http://www.carillon.ca/library/openssl_testca_howto_1.3.pdf

Have fun!

---
Patrick Patterson
Chief PKI Architect
Carillon Information Security Inc.
http://www.carillon.ca
Re: certificate chain
thx

> Hi Peter:
>
> On 2010-11-12, at 5:21 AM, Petr wrote:
>> Hi,
>>
>> I need to create a Root CA and a Sub CA, which will issue certificates for a web server and have a correct certificate chain. I tried it myself but all certificates were damaged and useless. Can anyone please write me a step by step manual?
>
> You can find such a guide here: http://www.carillon.ca/library/openssl_testca_howto_1.3.pdf
>
> Have fun!
>
> ---
> Patrick Patterson
> Chief PKI Architect
> Carillon Information Security Inc.
> http://www.carillon.ca
Re: Option -issuer_hash vs signature validation with -CAfile?
On 2010-11-09, Dr. Stephen Henson wrote:
> On Tue, Nov 09, 2010, Jens Lechtenboerger wrote:
>> Hi there,
>>
>> I received an SMIME certificate and want to know the correct filename to use in the command
>>
>>   openssl smime -verify -CAfile filename...
>
> The hash based filename doesn't apply to the -CAfile option: you can name the file anything you want. It does apply to -CApath.

Thank you for your quick reply, my fault. I meant to use that option. The problem below remains, however.

>> In my particular example,
>>
>>   openssl x509 -in smime.pem -issuer_hash -noout
>>
>> results in 9ec3a561. However, if I use that certificate (available as /etc/ssl/certs/9ec3a561.0 on my system) then verification fails. What is issuer_hash good for?
>>
>> Running strace on openssl smime -verify with the preinstalled list of certificates shows that /etc/ssl/certs/75680d2e.0 is the CAfile necessary for validation. What is the recommended way to find the hash value 75680d2e?
>
> Note the hash algorithm changed between OpenSSL 0.9.8 and 1.0.0, so be careful you aren't using different versions for the hash calculation and the verification.

I retried on the command line with: OpenSSL 0.9.8k 25 Mar 2009

> The usual reason for a different hash is that it isn't the correct issuer certificate. If you do:
>
>   openssl x509 -in smime.pem -issuer -noout

I find:

  issuer= /C=US/ST=UT/L=Salt Lake City/O=The USERTRUST Network/OU=http://www.usertrust.com/CN=UTN-USERFirst-Client Authentication and Email

> it should match:
>
>   openssl x509 -in ca.pem -subject -noout

I get:

  openssl x509 -in 75680d2e.0 -subject -noout
  subject= /C=GB/ST=Greater Manchester/L=Salford/O=Comodo CA Limited/CN=AAA Certificate Services

(Besides, -subject_hash results in 75680d2e.)

and:

  openssl x509 -in 9ec3a561.0 -subject -noout
  subject= /C=US/ST=UT/L=Salt Lake City/O=The USERTRUST Network/OU=http://www.usertrust.com/CN=UTN-USERFirst-Client Authentication and Email

(-subject_hash results in 9ec3a561.)

Surprisingly, verification succeeds if I put 75680d2e.0 into a separate directory for CApath; it fails with a directory containing only 9ec3a561.0. Again, with /etc/ssl/certs as CApath, openssl figures out that it needs 75680d2e.0. How?

Thanks
Jens
Legal RSA exponents
OpenSSL will hang if one asks it to create a key with an illegal (e.g., even) public exponent. Is there a simple test for a legal public exponent? If not, is there a list of commonly used ones? 3, 17, 65537, ...
Terminate chain at intermediate certificate.
Hi,

Is there a way to instruct openssl to treat an intermediate CA as a trusted CA, which need not have its issuer checked, i.e. it will be the last certificate of the certificate chain?

It seems that openssl insists on always terminating a chain at a self-signed certificate. However, in this case, we want to limit ourselves to a sub-tree of the CA and not expose ourselves to other branches of the hierarchy that are not relevant to us. We have no control over the generation of the certificates and we can't solve the problem by restructuring or recreating the CA hierarchy.

To make things easier I will demonstrate with an example. Let's define 3 certificates A, B, and C.

  A is a self-signed root CA (root ca)
  B is a sub CA signed by A (intermediate ca)
  C is a server certificate signed by B (server certificate)

  A - B - C

We would like to treat B as the end of the chain and never install A anywhere. As far as our setup is concerned, B is the root CA; it just happens to not be self-signed. We want to be able to connect a client, which trusts 'B', to a server that only has 'C'. 'A' should not enter the picture at all.

What is the correct way to achieve this with openssl?

Thanks,
Dimitrios Siganos
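An added example, not part of any message in this archive: it builds the A, B, C chain just described with the openssl CLI (the same steps the "certificate chain" thread asks for), then verifies it with A as the anchor, through a hashed -CApath directory (the <hash>.0 lookup the -issuer_hash thread asks about), and with only B trusted via -partial_chain, an option that appeared in OpenSSL 1.0.2, after these messages were written. It assumes openssl 1.0.2 or newer on PATH; every subject, hostname and URL is made up.

```shell
#!/bin/sh
# Added example, not from the thread: build the A - B - C chain described above
# (root CA -> sub CA -> server) with the openssl CLI and verify it several ways.
# Subjects, hostnames and URLs are made up.
set -e

write_profiles() {
  # Minimal req config so nothing here depends on a system openssl.cnf
  printf '[req]\ndistinguished_name=dn\n[dn]\n' > req.cnf
  # The sub CA MUST carry basicConstraints CA:TRUE or the chain will not verify
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\nsubjectKeyIdentifier=hash\n' > ca.ext
  # End-entity profile: CA:FALSE, SAN, and the CRL DP belongs here, not in the root
  printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:www.example.test\ncrlDistributionPoints=URI:http://crl.example.test/sub.crl\n' > srv.ext
}

issue() {  # issue NAME SUBJECT EXTFILE ISSUER   (empty ISSUER = self-signed)
  openssl genrsa -out "$1.key" 2048 2>/dev/null
  openssl req -new -config req.cnf -key "$1.key" -subj "$2" -out "$1.csr"
  if [ -z "$4" ]; then
    openssl x509 -req -in "$1.csr" -signkey "$1.key" -days 3650 -extfile "$3" -out "$1.pem" 2>/dev/null
  else
    openssl x509 -req -in "$1.csr" -CA "$4.pem" -CAkey "$4.key" -CAcreateserial -days 365 -extfile "$3" -out "$1.pem" 2>/dev/null
  fi
}

build_chain() {  # build_chain DIR: writes root/sub/server.pem, chain.pem and capath/ into DIR
  ( cd "$1" && write_profiles \
    && issue root   '/CN=Example Root CA (A)'  ca.ext  '' \
    && issue sub    '/CN=Example Sub CA (B)'   ca.ext  root \
    && issue server '/CN=www.example.test (C)' srv.ext sub \
    && cat server.pem sub.pem > chain.pem \
    && mkdir -p capath && cp root.pem "capath/$(openssl x509 -in root.pem -noout -subject_hash).0" )
}   # chain.pem is what the web server presents: leaf first, then the intermediate

vfy() { ( cd "$1" && shift && openssl verify "$@" >/dev/null 2>&1 ); }  # vfy DIR VERIFY-ARGS...
# Normal case: root is the trust anchor, sub is an untrusted intermediate.
verify_full()        { vfy "$1" -CAfile root.pem -untrusted sub.pem server.pem; }
# -CApath: openssl opens <issuer_hash>.0 for each cert that still needs an issuer,
# so every file there must be named by the subject_hash of the cert it holds.
verify_capath()      { vfy "$1" -CApath capath -untrusted sub.pem server.pem; }
# Trusting only B fails: a chain normally has to end in a self-signed cert ...
verify_sub_default() { vfy "$1" -CAfile sub.pem server.pem; }
# ... unless -partial_chain (OpenSSL 1.0.2+) lets a trusted non-self-signed cert
# end it, so A never enters the picture.
verify_sub_partial() { vfy "$1" -partial_chain -CAfile sub.pem server.pem; }

if [ -n "${1:-}" ]; then  # usage: sh chain.sh /path/to/empty/dir
  build_chain "$1" && verify_full "$1" && verify_capath "$1" && verify_sub_partial "$1" \
    && echo "chain in $1 verified (full, CApath and partial_chain)"
fi
```

Without -partial_chain the verify_sub_default case reports "unable to get issuer certificate", which is exactly the behaviour the question describes.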
reading DER encoded RSA cert file
Hi,

I am trying to read in a DER encoded RSA public key using d2i_X509_fp(); I have generated an RSA key using openssl with the following commands:

1. openssl genrsa -out privkey.pem 2048
2. openssl rsa -pubout -in privkey.pem -out pubkey.der -outform der

In my C++ program, I coded the following:

  FILE *fp = fopen("pubkey.der", "rb");
  X509 *x = d2i_X509_fp(fp, NULL);

However, x returns NULL after this point. How do I get a valid X509 structure from a DER encoded cert?
compiling openssl dev-c++
Hi Users.

How can I compile openssl in dev-c++ for Windows? I tried with -lssl and -lcrypto in the linker options (Project-Project Options-Parameters-Linker), but it does not work. Part of the compile log is:

  C:/Dev-Cpp/lib/libcrypto.a(bss_conn.o)(.text+0x40):bss_conn.c: undefined reference to `conn...@12'
  C:/Dev-Cpp/lib/libcrypto.a(bss_conn.o)(.text+0xe4):bss_conn.c: undefined reference to `setsock...@20'
  C:/Dev-Cpp/lib/libcrypto.a(bss_conn.o)(.text+0x192):bss_conn.c: undefined reference to `ht...@4'
  C:/Dev-Cpp/lib/libcrypto.a(bss_conn.o)(.text+0x1bf):bss_conn.c: undefined reference to `ht...@4'
  C:/Dev-Cpp/lib/libcrypto.a(bss_conn.o)(.text+0x1d5):bss_conn.c: undefined reference to `soc...@12'
  ...

I have installed the OpenSSL 0.9.8a package for Dev-C++

Thanks!!
gabriel
RE: compiling openssl dev-c++
Are you linking with ws2_32.lib?

Erik Tkal
Juniper OAC/UAC/Pulse Development

From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of g A b R i E L
Sent: Friday, November 12, 2010 10:56 AM
To: openssl-users@openssl.org
Subject: compiling openssl dev-c++

> Hi Users.
>
> How can I compile openssl in dev-c++ for Windows? I tried with -lssl and -lcrypto in the linker options (Project-Project Options-Parameters-Linker), but it does not work. Part of the compile log is:
>
>   C:/Dev-Cpp/lib/libcrypto.a(bss_conn.o)(.text+0x40):bss_conn.c: undefined reference to `conn...@12'
>   C:/Dev-Cpp/lib/libcrypto.a(bss_conn.o)(.text+0xe4):bss_conn.c: undefined reference to `setsock...@20'
>   C:/Dev-Cpp/lib/libcrypto.a(bss_conn.o)(.text+0x192):bss_conn.c: undefined reference to `ht...@4'
>   C:/Dev-Cpp/lib/libcrypto.a(bss_conn.o)(.text+0x1bf):bss_conn.c: undefined reference to `ht...@4'
>   C:/Dev-Cpp/lib/libcrypto.a(bss_conn.o)(.text+0x1d5):bss_conn.c: undefined reference to `soc...@12'
>   ...
>
> I have installed the OpenSSL 0.9.8a package for Dev-C++
>
> Thanks!!
> gabriel
adding crldistributionpoints without re-issuing the CA ?
I've discovered that Microsoft Exchange 2007, presumably also 2010, expects to have/check a CRL when setting up TLS for an SMTP connection. So far, I have not found a way to disable this check. Our root CA does not have a 'crlDistributionPoints' setting; is it possible to add this without having to re-issue the CA?

thanks
/Per Jessen, Zürich
Re: adding crldistributionpoints without re-issuing the CA ?
Hi there:

On 2010-11-12, at 12:04 PM, Per Jessen wrote:
> I've discovered that Microsoft Exchange 2007, presumably also 2010, expects to have/check a CRL when setting up TLS for an SMTP connection. So far, I have not found a way to disable this check. Our root CA does not have a 'crlDistributionPoints' setting; is it possible to add this without having to re-issue the CA?

crlDistributionPoints goes in End Entity certificates (Server or User certificates), so you don't have to touch anything in the Root CA; you just have to include the CRL DP in the certificate that you issue to your servers.

Have fun!

---
Patrick Patterson
Chief PKI Architect
Carillon Information Security Inc.
http://www.carillon.ca
Re: compiling openssl dev-c++
Hi Users.

Me again, but this time I write to share the solution to my problem ;)

To use openssl in Dev-C++ on Windows:

1.- Install Win32 OpenSSL v1.0.0a (http://www.slproweb.com/download/Win32OpenSSL-1_0_0a.exe) or Win32 OpenSSL v1.0.0a Light (http://www.slproweb.com/download/Win32OpenSSL_Light-1_0_0a.exe) (from http://www.slproweb.com/products/Win32OpenSSL.html)

2.- Then, in Dev-C++:
    Go to 'Project-Project Options-Parameters-Linker' and add the 'libeay32.a' and 'ssleay32.a' libs. Both are in the 'C:\OpenSSL-Win32\lib\MinGW' directory.
    Go to 'Project-Project Options-Directories', and add the 'C:\OpenSSL-Win32\include' directory.

In this way I could compile my project.

From Chile, best regards.
gabriel

2010/11/12 g A b R i E L <lie.in.our.d...@gmail.com>
> Hi Users.
>
> How can I compile openssl in dev-c++ for Windows? I tried with -lssl and -lcrypto in the linker options (Project-Project Options-Parameters-Linker), but it does not work. Part of the compile log is:
>
>   C:/Dev-Cpp/lib/libcrypto.a(bss_conn.o)(.text+0x40):bss_conn.c: undefined reference to `conn...@12'
>   C:/Dev-Cpp/lib/libcrypto.a(bss_conn.o)(.text+0xe4):bss_conn.c: undefined reference to `setsock...@20'
>   C:/Dev-Cpp/lib/libcrypto.a(bss_conn.o)(.text+0x192):bss_conn.c: undefined reference to `ht...@4'
>   C:/Dev-Cpp/lib/libcrypto.a(bss_conn.o)(.text+0x1bf):bss_conn.c: undefined reference to `ht...@4'
>   C:/Dev-Cpp/lib/libcrypto.a(bss_conn.o)(.text+0x1d5):bss_conn.c: undefined reference to `soc...@12'
>   ...
>
> I have installed the OpenSSL 0.9.8a package for Dev-C++
>
> Thanks!!
> gabriel
Re: compiling openssl dev-c++
Thanks Erik. I think that I could solve my problem. At least the project compiles. ;)

Best regards from Chile.
gabriel

2010/11/12 Erik Tkal <et...@juniper.net>
> Are you linking with ws2_32.lib?
>
> Erik Tkal
> Juniper OAC/UAC/Pulse Development
>
> From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of g A b R i E L
> Sent: Friday, November 12, 2010 10:56 AM
> To: openssl-users@openssl.org
> Subject: compiling openssl dev-c++
>
>> Hi Users.
>>
>> How can I compile openssl in dev-c++ for Windows? I tried with -lssl and -lcrypto in the linker options (Project-Project Options-Parameters-Linker), but it does not work. Part of the compile log is:
>>
>>   C:/Dev-Cpp/lib/libcrypto.a(bss_conn.o)(.text+0x40):bss_conn.c: undefined reference to `conn...@12'
>>   C:/Dev-Cpp/lib/libcrypto.a(bss_conn.o)(.text+0xe4):bss_conn.c: undefined reference to `setsock...@20'
>>   C:/Dev-Cpp/lib/libcrypto.a(bss_conn.o)(.text+0x192):bss_conn.c: undefined reference to `ht...@4'
>>   C:/Dev-Cpp/lib/libcrypto.a(bss_conn.o)(.text+0x1bf):bss_conn.c: undefined reference to `ht...@4'
>>   C:/Dev-Cpp/lib/libcrypto.a(bss_conn.o)(.text+0x1d5):bss_conn.c: undefined reference to `soc...@12'
>>   ...
>>
>> I have installed the OpenSSL 0.9.8a package for Dev-C++
>>
>> Thanks!!
>> gabriel
Re: adding crldistributionpoints without re-issuing the CA ?
Patrick Patterson wrote:
> Hi there:
>
> On 2010-11-12, at 12:04 PM, Per Jessen wrote:
>> I've discovered that Microsoft Exchange 2007, presumably also 2010, expects to have/check a CRL when setting up TLS for an SMTP connection. So far, I have not found a way to disable this check. Our root CA does not have a 'crlDistributionPoints' setting; is it possible to add this without having to re-issue the CA?
>
> crlDistributionPoints goes in End Entity certificates (Server or User certificates), so you don't have to touch anything in the Root CA; you just have to include the CRL DP in the certificate that you issue to your servers.
>
> Have fun!

Patrick, that's great, many thanks!

/Per Jessen, Zürich