Change Issued By
Hello, Ok now its plain and simple i have generated a openssl certificate with php but when i view it, then it shows me the same issued by and issued to how do i change the issued by things now i know that we need to add a ca while signing the certificate from openssl_csr_sign() like openssl_csr_sign ( mixed $csr , mixed $cacert , mixed $priv_key , int $days [, array $configargs [, int $serial = 0 ]] ) where $cacert is the ca certificate and provide a ca certificate in it but when i do that it doesn't do any changes my main guess is that i have to edit the openssl.cnf but i don't get it where to edit to get this result. Can you please tell me how to change the issuer because i have a project and i would like to implement OpenSSL in it and its users can use it to create certificates and all the certificates they create will be issued by us as the issuer. Thanks You Keshav Nair
understanding fipsld usage
Let me first say I have read the User Guide and Security Policy repeatedly, as well as the Incore Tutorial, looked through this users group, and read anything else I could find - so I'm not being lazy, although my questions may be pedestrian... Please correct any misunderstandings along the way. I understand that when fipscanister.o is built, its SHA1 digest is calculated and saved. Then when an application links to fipscanister.o, fipsld is used, which checks that the SHA1 is correct, and then calculates the digest for the application and rebuilds it with that digest embedded. Then, when the application is run and calls FIPS_mode_set(), the digest is calculated and checked against the embedded value. I think that openssl itself is an example of an application built with the fipscanister.o, is that correct? When OpenSSL is built, it produces, among other things, the libcrypto.a static library, which contains what was sequestered in fipscanister.o.Is that correct? Now I have a big application to build, and it will have the FIPS-capable OpenSSL in it. When I do the build, I think the instructions say that the SHA1 digest has to be re-calculated on this application, and that value embedded where the previous standalone value was. Is that correct? Is my application pulling in the FIPS stuff by linking in the libcrypto.a? If my application is just too large and complex, do I pretty much need to go with the shared library, and avoid the part where the digest is recalculated/re-embedded in the application itself? Thanks Kevin __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
RE: How to do generate PKCS#7 to embedded system
Correcting myself for the record: From: owner-openssl-us...@openssl.org On Behalf Of Dave Thompson Sent: Thursday, 17 November, 2011 18:53 snip As I said, I don't believe any openssl commandline function will create a 'degenerate' (cert-only) PKCS#7, which is a signeddata with zero signerinfos (and zero digestalgs), omitted or dummy content, and your cert(s). You could: Looking for something else, I discovered that commandline 'crl2pkcs7 -nocrl -certfile' (obviously :-?) does do this. - (probably) write a tiny program using the PKCS7_* API; on a quick scan it looks like you can just create a (inner) PKCS7 and _set0_other(data,empty octet string), then a (outer) PKCS7 and _set_type(,signed) and _set_content(,thatdata) and _add_cert and write it out, but I haven't tested. and I was off some here. outer PKCS7 needs to have type signed and also version, and *point to* PKCS7_SIGNED whose 'contents' are the inner data, but are apparently preallocated and only need to be set to omitted data (although I bet empty would work). And it's _add_certificate, or inline which crl2p7.c does instead. snip other options, still correct but less important __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
RE: PKCS7 parse
From: owner-openssl-us...@openssl.org On Behalf Of Anamitra Dutta Majumdar Sent: Thursday, 17 November, 2011 19:44 There is a requirement to process a pkcs7 bag of certificate chain. Is there an OpenSSL API to parse the certificates in a PKCS7 bag and get each of the certificates in the bag as Base64 encoded string. See src/pkcs7.c, which is (already) a commandline utility to read signeddata or signenvdata PKCS7 from a file, extract the certs and/or CRLs, and write them to files. You can convert each in-memory cert to base64 by i2d_X509_bio on a BIO_f_base64 over BIO_s_{mem,file,fp} as needed. Or i2d_X509 to memory and run through EVP_EncodeBlock. But if you really want PEM, which is base64 with linebreaks and labels, just use PEM_write_bio_X509 or PEM_write_X509. __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org