RE: Anyone using OpenSSL for a CA or PKI Deployment?
Hi

Try out http://www.medracen.net/
This is another implementation of the OpenSSL CA functionality.
I have tried out the openssl CA for development purposes & found it to be very flexible.

Cheers
Amol

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Paul L. Allen
Sent: Wednesday, 17 July, 2002 7:03 AM
To: [EMAIL PROTECTED]
Subject: Re: Anyone using OpenSSL for a CA or PKI Deployment?

Geoff Thorpe wrote:
>
> Hi,
>
> On Tue, 16 Jul 2002, Wienckowski, Justin wrote:
>
> > [...]
> > I'd love to re-implement our CA and directory in Unix using OpenSSL.
> > Anyone know of companies or organizations who may have already done
> > this? I'm finding very little publicized on the web, and dropping some
> > names would help immensely.
>
> I haven't had a chance to play with it - but you might want to try OpenCA
> and see how it pans out. http://www.openca.org

Justin, if you actually try to use OpenCA, please post your experiences to the list. We looked at OpenCA to use in a research project here and ended up taking advantage of a site license for the Netscape CA instead. The Netscape product may be huge and complex, but it is at least well-documented and stable. It looked as if OpenCA would have taken more energy than we wanted to devote to that component of the project.

I'll be following OpenCA over time. The notion of a free CA is fairly attractive, and if it was also well-documented, standards-compliant, and stable, it would be compelling.

Paul Allen
--
Boeing Phantom Works \ Paul L. Allen, (425) 865-3297
Math & Computing Technology \ [EMAIL PROTECTED]
POB 3707 M/S 7L-40, Seattle, WA 98124-2207 \ Prototype Systems Group

______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]

RE: settings for making a local CA
Check out:
http://www.linuxdoc.org/HOWTO/SSL-Certificates-HOWTO/

Amol

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of amit limaye
Sent: Wednesday, 27 March, 2002 10:50 AM
To: [EMAIL PROTECTED]; Bhavin Shah; [EMAIL PROTECTED]
Subject: settings for making a local CA

Any ideas how I can set a new local CA on my machine?

-SIGTERM
amit

On Wed, 27 Mar 2002, Bhavin Shah wrote:

> Hi Amit,
>
> I cannot exactly solve the particular problem which you mention, but you can
> go through the directory:
> /apps
>
> This directory contains a number of applications that make up the openssl
> binary which you can run from the command line.
> It has example code on using the OpenSSL APIs which you will find pretty
> useful.
> Files that may particularly interest you include:
> s_server.c (A SSL server app)
> s_client.c (A SSL client app)
> s_cb.c
> s_socket.c
> apps.c
> and app_rand.c
>
> Also check out the other CA, certs related source files there.
>
> Hey, and something in the subject line does help people judge whether they
> know anything about your problem and may be able to help you much better,
> much faster.
>
> Regards,
> Bhavin Shah
> Software Engineer
> Pace Soft Silicon
>
> ----- Original Message -----
> From: "amit limaye" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Wednesday, March 27, 2002 10:13 AM
>
> > Hi,
> > this is what I get when I try to verify a client cert. I have generated
> > these certificates using openssl and made a local CA.
> >
> > The steps I follow before registering the verify callback are:
> >
> > SSL_CTX_load_verify_locations(m_context,CA_FILE,CA_PATH);
> > cert_names = SSL_load_client_CA_file("/certificates/client/CA.pem");
> >
> > if(cert_names != NULL)
> >     SSL_CTX_set_client_CA_list(m_context,cert_names);
> > else
> >     cout<<"\n**\n***Certificate names could not be loaded**\n*** "<<endl;
> > SSL_CTX_set_verify(m_context,SSL_VERIFY_PEER,verify_client);
> >
> > Can anyone help me with something I'm missing?
> >
> > SSL3 alert write:fatal:unknown CA
> > SSL_accept:error in SSLv3 read client certificate B
> > returnvalue of ssl write-1 (This is the when i try to write
> >
> > -SIGTERM
> > amit

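The local-CA setup this thread asks about, as an added example that is not part of any message in the thread: a shell sketch that uses the openssl command line to create a throwaway CA, issue a client certificate from it, and check which CA file that certificate verifies against. All subject names, lifetimes, file names and function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: build a throwaway local CA, issue a client certificate,
# and check it against the issuing CA and against an unrelated CA.
# Subject names and file names below are constructed, not from the thread.

make_ca() {   # $1 = output prefix, $2 = CA common name
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/O=Example Lab/CN=$2" \
        -keyout "$1.key" -out "$1.pem" 2>/dev/null
}

issue_cert() {   # $1 = CA prefix, $2 = leaf prefix, $3 = leaf common name
    # Create a key and signing request, then sign the request with the CA key.
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/O=Example Lab/CN=$3" \
        -keyout "$2.key" -out "$2.csr" 2>/dev/null &&
    openssl x509 -req -in "$2.csr" -CA "$1.pem" -CAkey "$1.key" \
        -CAcreateserial -days 30 -out "$2.pem" 2>/dev/null
}

chains_to() {   # $1 = CA certificate file, $2 = certificate to check
    # Match on the "OK" line rather than relying on the exit status alone.
    openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'
}

demo_local_ca() {
    dir=$(mktemp -d) || return 1
    make_ca "$dir/ca" "Local Test CA" &&
    make_ca "$dir/other" "Unrelated CA" &&
    issue_cert "$dir/ca" "$dir/client" "test-client" ||
        { rm -rf "$dir"; return 1; }

    # The client certificate must verify only against the CA that signed it.
    chains_to "$dir/ca.pem" "$dir/client.pem" &&
        result="issuer=trusted" || result="issuer=untrusted"
    chains_to "$dir/other.pem" "$dir/client.pem" &&
        result="$result other=trusted" || result="$result other=untrusted"
    rm -rf "$dir"
    echo "$result"
}

demo_local_ca
```

The CA file passed to `openssl verify -CAfile` plays the same role as the file a server hands to `SSL_CTX_load_verify_locations`: a client certificate that does not chain to it is rejected.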
RE: Apache mod-ssl: VirtualHost and certificates
Hi Shlomi

You would need to include certificate related directives under the section defined for each virtual host within the httpd.conf.

e.g:

Port 'port_number'
ServerName server_name
SSLCertificateFile /location/certificate_file_name
SSLCertificateKeyFile /location/key_file_name
SSLCertificateChainFile /location/certchain_file_name
SSLCipherSuite ...
..

Regards
Amol

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Shlomi
Sent: Friday, November 30, 2001 2:00 AM
To: [EMAIL PROTECTED]
Subject: Apache mod-ssl: VirtualHost and certificates

Hi all,

Does someone know if there is a way to use a certificate for each domain on a server which is configured to use VirtualHost (a single IP for all of the domains)?

I am trying to configure Apache (mod-ssl) to use a certificate for each VirtualHost but without success. Each VirtualHost needs a private key and a certificate, but the browser receives the main certificate for all of the domains. How can I set it to send the relevant certificate for each domain?

Thank you in advance,
Shlomi.

RE: SSL + VirtualHost in Apache 1.3.x
Hi Michael,

Here's an example of how virtual hosts would be implemented with different certs.

Port 443
SSLEngine on
ServerName abc.com
DocumentRoot "/usr/local/www/htdocs"
SSLCertificateKeyFile /usr/local/www/conf/ssl.key/abc.key
SSLCertificateChainFile /usr/local/www/conf/ssl.crt/ca.crt
SSLCertificateFile /usr/local/www/conf/ssl.crt/abc.crt

Port 443
SSLEngine on
ServerName xyz.com
DocumentRoot "/usr/local/www/htdocs"
SSLCertificateKeyFile /usr/local/www/conf/ssl.key/xyz.key
SSLCertificateChainFile /usr/local/www/conf/ssl.crt/xyzchain.crt
SSLCertificateFile /usr/local/www/conf/ssl.crt/xyz.crt

Regards
Amol

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Poetsch, Michael
Sent: Friday, October 13, 2000 12:49 PM
To: '[EMAIL PROTECTED]'
Subject: SSL + VirtualHost in Apache 1.3.x

Hello Apache user community,

does anybody know if it is possible to configure multiple virtual hosts with different SSL certificates? Basically it should be possible to include all SSL related directives in a ... section? Would that work?

Thanks for your answers!

Kind Regards
Michael Poetsch
E-Mail: [EMAIL PROTECTED]

The paper I wrote once... Document Attached
Hi Leonid

The document you mentioned is attached along with.

Regards
Amol

Mr. Tariq, I am copying this mail to you as per your request.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Tariq Habib
Sent: Friday, May 19, 2000 9:25 AM
To: [EMAIL PROTECTED]
Subject: RE: The paper I wrote once...

Hi Leonid:

It is sad to hear that. The name of your paper seems to be very interesting. Once somebody returns the original copy, can we have it again over the mailing list. I would like to have a copy myself.

Thanks.

> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]] On Behalf Of Lenya Khachaturov
> Sent: Tuesday, April 18, 2000 10:52 PM
> To: [EMAIL PROTECTED]
> Subject: The paper I wrote once...
>
> Hello everybody,
>
> About a month ago I posted a paper to this list, called "Client-server
> authentication with Apache using OpenSSL". Unfortunately, I've
> recently lost all my data, and want somebody to send me a copy of this
> paper to my e-mail, if you still have it. Thanks ahead for your help.
>
> --
> With best regards,
> Leonid Khachaturov
> mailto:[EMAIL PROTECTED]

Client-server authentication in Apache Web Server with OpenSSL.doc

RE: Create Certificates, key etc on NT
Can we please have an English version of this document?

Thanks
Amol

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Lenya Khachaturov
Sent: Thursday, March 02, 2000 7:47 AM
To: Grebelsky, Konstantin
Subject: Re: Create Certificates, key etc on NT

Hello Konstantin,

Wednesday, March 01, 2000, 11:22:06 PM, you wrote:

GK> Hi,
GK> Has anybody successfully created a self-signed certificate and all the other
GK> files that need to be created on NT?
GK> Anybody has directions on setup that is required to do that? How config file
GK> should be modified in terms of directories and settings?
GK> What (files or anything else) needs to be created/generated/set and how in
GK> order to do this? What files will be created and how they should be used? If
GK> I get this working with I promise I will write up and post instructions for
GK> the next person who needs it :-)
GK> Thanks,
GK> Kostia

You can find a step-by-step guide in the attachment. You don't need to write it by yourself :-)

--
Best regards,
Lenya mailto:[EMAIL PROTECTED]

RE: Help me!
The WinZip 8.0 beta is able to extract the tar.gz files. I am not sure of the earlier versions.

Amol

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of [EMAIL PROTECTED]
Sent: Monday, February 28, 2000 8:10 AM
To: [EMAIL PROTECTED]
Subject: Re: Help me!

You can use Winzip to extract the zipped file. There is a Readme file in the directory; follow the instructions there and you can compile OpenSSL on WinNT. The output file will be OpenSSL in the out32dll directory. Consider ActivePerl as a compiler to run a Batch file (you know that OpenSSL is mainly intended for Unix, so Perl is a kind of Batch file on this environment).

"tinhocvdc3" <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED]
04/28/2000 03:29 AM
Please respond to openssl-users
To: <[EMAIL PROTECTED]>
cc:
Subject: Help me!

Where can I download and how do I install OpenSSL, Crypt-SSLeay for use with ActivePerl on WinNT4.0? Which unzip tool can I use to unzip .tar.gz files? I've downloaded openssl-0.9.4.tar.gz but I can't unzip this file on WinNT4.0. Please show me!

Thanks.