RE: using prompt=no option with multiple CNs
Thank you. I am still not sure what you mean, though: what command do I have to issue inside the loop? When I am done I only want 1 certificate. I am not looking to generate a separate one for each server.

--- Marco "Kiko" Carnut [EMAIL PROTECTED] wrote:

> Hi Zachary,
>
> > I am using openssl 0.96 on redhat 7.1. I am trying to write a script to generate CERTs for me, since I have hundreds of servers to generate certs for. Because of this I want to use the prompt=no option for the openssl config file. However I have multiple CN entries in my config file and I am not sure how this translates to the prompt=no format of the config file, since prompt=no takes a different config file format.
>
> You will have to generate a new temporary config file from a master config file each time you generate your new cert or CSR. You'd have something like:
>
>     [ req ]
>     default_bits       = 1024
>     distinguished_name = req_distinguished_name
>     prompt             = no
>
>     [ req_distinguished_name ]
>     C            = US
>     ST           = Los Angeles
>     L            = California
>     O            = ZakDen
>     OU           = IT Department
>     CN           = %CURRENTCN%
>     emailAddress = [EMAIL PROTECTED]
>
> Say this is master.cnf. Then in the inner loop of your mass-generation script, you'd read master.cnf, replace all occurrences of %CURRENTCN% with the name of the server and save it to, say, temp.cnf; then use this config file to do the actual generation.
>
> -K.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
using prompt=no option with multiple CNs
Hi,

I am using openssl 0.96 on redhat 7.1. I am trying to write a script to generate CERTs for me, since I have hundreds of servers to generate certs for. Because of this I want to use the prompt=no option for the openssl config file. However I have multiple CN entries in my config file and I am not sure how this translates to the prompt=no format of the config file, since prompt=no takes a different config file format.

This is my original config file format (excerpt only):

    [ req ]
    default_bits       = 1024
    distinguished_name = req_DN

    [ req_DN ]
    0.countryName                    = 1. Country Name (2 letter code)
    0.countryName_min                = 2
    0.countryName_max                = 2
    0.countryName_default            = US
    0.stateOrProvinceName            = 2. State or Province Name (full name)
    0.stateOrProvinceName_default    = Los Angeles
    0.localityName                   = 3. Locality Name (city name)
    0.localityName_default           = California
    0.organizationName               = 4. Organization Name (company name)
    0.organizationName_default       = ZakDen
    0.organizationalUnitName         = 5. Organizational Unit Name (department)
    0.organizationalUnitName_default = IT Department
    0.commonName                     = 6. Common Name (real fqdn)
    0.commonName_max                 = 64
    0.commonName_default             = imap.zakden.com
    1.commonName                     = 6. Common Name (real fqdn)
    1.commonName_max                 = 64
    1.commonName_default             = mail.zakden.com
    2.commonName                     = 6. Common Name (real fqdn)
    2.commonName_max                 = 64
    2.commonName_default             = smtp.zakden.com

Below you can see what I currently have for my prompt=no version of the file. (Note: I have tried SEVERAL different ways; NONE of them works.) Does anyone know the correct syntax when dealing with multiple CNs in a prompt=no scenario?

Thank you.
Zachary.
First try:
----------

    [ req ]
    default_bits       = 1024
    distinguished_name = req_distinguished_name
    prompt             = no

    [ req_distinguished_name ]
    C            = US
    ST           = Los Angeles
    L            = California
    O            = ZakDen
    OU           = IT Department
    CN           = imap.zakden.com
    CN           = mail.zakden.com
    CN           = smtp.zakden.com
    emailAddress = [EMAIL PROTECTED]

Second try:
-----------

    [ req ]
    default_bits       = 1024
    distinguished_name = req_distinguished_name
    prompt             = no

    [ req_distinguished_name ]
    C            = US
    ST           = Los Angeles
    L            = California
    O            = ZakDen
    OU           = IT Department
    CN.1         = imap.zakden.com
    CN.2         = mail.zakden.com
    CN.3         = smtp.zakden.com
    emailAddress = [EMAIL PROTECTED]

Third try:
----------

    [ req ]
    default_bits       = 1024
    distinguished_name = req_distinguished_name
    prompt             = no

    [ req_distinguished_name ]
    C            = US
    ST           = Los Angeles
    L            = California
    O            = ZakDen
    OU           = IT Department
    CN           = @cnlist
    emailAddress = [EMAIL PROTECTED]

    [ cnlist ]
    CN.1 = imap.zakden.com
    CN.2 = mail.zakden.com
    CN.3 = smtp.zakden.com
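The following is an added worked example of my own, not a script posted in this thread. It does what Marco's reply describes (a master config with a placeholder, rendered once per server inside a loop, then handed to openssl req) with one change to how the extra names are carried: they go into a subjectAltName extension, not into extra CN attributes. That is how a client checks the hostname (RFC 2818 section 3.1: if dNSName entries exist in subjectAltName they are used and the CN is ignored), and it is also why all three of Zachary's tries miss the mark. For the record, the prompt=no parser does accept a repeated attribute when each copy carries a distinct numeric prefix before the dot (0.CN = ..., 1.CN = ...); OpenSSL strips everything up to the first dot, so the CN.1 form leaves it looking for a field called "1". The %CURRENTCN% and %SANLIST% placeholders, the hostmaster@ address and the host list are this example's own assumptions. One line of the host list produces one certificate request covering every name on that line, which is the single-certificate outcome Zachary asked for.

```shell
#!/bin/sh
# Added example (not from the thread): render a per-server OpenSSL request
# config from a master template (prompt = no), put every extra hostname
# into subjectAltName instead of extra CN entries, and make key + CSR.
# %CURRENTCN% and %SANLIST% are this script's own placeholders, not
# OpenSSL syntax; the DN values and host list are made up for the demo.
set -eu

MASTER_CNF='[ req ]
default_bits       = 2048
distinguished_name = req_distinguished_name
req_extensions     = v3_req
prompt             = no

[ req_distinguished_name ]
C            = US
ST           = California
L            = Los Angeles
O            = ZakDen
OU           = IT Department
CN           = %CURRENTCN%
emailAddress = hostmaster@zakden.com

[ v3_req ]
subjectAltName = %SANLIST%
'

# san_list HOST... -> "DNS:host1,DNS:host2,...". The primary name is
# listed as well: once a SAN exists, clients match against it only.
san_list() {
    out=""
    for h in "$@"; do
        out="${out:+$out,}DNS:$h"
    done
    printf '%s' "$out"
}

# render_config PRIMARY [ALT...] -> rendered config on stdout
render_config() {
    sans=$(san_list "$@")
    printf '%s' "$MASTER_CNF" \
        | sed -e "s|%CURRENTCN%|$1|g" -e "s|%SANLIST%|$sans|g"
}

# make_csr OUTDIR PRIMARY [ALT...] -> writes PRIMARY.cnf, .key and .csr
make_csr() {
    outdir=$1; shift
    render_config "$@" > "$outdir/$1.cnf"
    openssl req -new -newkey rsa:2048 -nodes \
        -config "$outdir/$1.cnf" \
        -keyout "$outdir/$1.key" \
        -out    "$outdir/$1.csr"
    chmod 600 "$outdir/$1.key"
}

# Constructed host list: one server per line, primary name first.
# One line = one CSR (and later one certificate) covering every name.
HOSTS='imap.zakden.com mail.zakden.com smtp.zakden.com
www.zakden.com'

if command -v openssl >/dev/null 2>&1; then
    outdir=$(mktemp -d)
    printf '%s\n' "$HOSTS" | while read -r line; do
        [ -n "$line" ] || continue
        # word-splitting $line into separate hostnames is intended here
        make_csr "$outdir" $line
    done
    # Show that the first CSR carries all three names
    openssl req -noout -text -in "$outdir/imap.zakden.com.csr" | grep 'DNS:'
    echo "keys and CSRs are in $outdir"
fi
```

If openssl is not on the path the script only defines the functions; with it, the final line prints the requested extension, e.g. "DNS:imap.zakden.com, DNS:mail.zakden.com, DNS:smtp.zakden.com". Whatever signs the CSR must then carry that extension into the certificate (see the CA example further down: openssl ca drops request extensions unless copy_extensions = copy is set).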
Re: netscape reacting strangely to SSL CERT
With the wildcard CERT, which is signed by my own CA cert, I get no warning from netscape or IE. My frustration was that IE was properly reading the subjectAltName DNS tags but netscape was not... If you know of a way to get netscape NOT to complain when accessing a server with SEVERAL hostnames, and without doing it with a wildcard, please let me know.

--- Peter Sylvester [EMAIL PROTECTED] wrote:

> You haven't *wasted* your time. Anyway, IMHO you are not right in accusing netscape (at least not for that part). THEY have created the rule 'if DN=hostname == no warning'. There is no rule in any PKIX text or X509 that tells how to fill subjectAltNames or DNs.
>
> And what does IE tell you about these certificates with wild cards?
>
> Have fun.
RE: installing root CA certificates under windows NT and 2000
I do have rundll32.exe on NT, and netscape keeps calling this program when I try to install the cert. What if I get rid of this program, will it work?

--- "Luo, Feng (Exchange)" [EMAIL PROTECTED] wrote:

> check if you have rundll32.exe on NT
>
> -----Original Message-----
> From: Zachary Denison [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, November 13, 2001 9:43 AM
> To: OpenSSL Users
> Subject: installing root CA certificates under windows NT and 2000
>
> Hi,
>
> I have generated a root CA certificate for use within my organization, using openssl, and intend to sign all certificates with this root CA certificate. I want to install the root CA on the client workstations, which are either NT or 2000, for people running both Explorer 5.5/6.0 and Netscape 4.7x/6.x, and I have the following problem:
>
> Success on win2000: I can install the root CA for explorer simply by double clicking on it; for netscape, if I drag it to the main netscape window, it calls up the netscape rootca installer and installs it fine.
>
> Failure on winNT: double clicking on the root ca installs it for explorer. However, no matter what I try, I cannot get netscape to install the cert. Dragging the cert to the netscape window invokes the EXPLORER installer.
>
> Is this a known problem on NT? Does anyone know what I can do to get the root cert installed on netscape on NT?
>
> Thank you
> Zachary.
using own CA certs with various clients
Hi,

I am using openssl to secure a number of services in my organization: http, imap, smtp, ldap etc... For our internal servers we have been able to generate CA certs with openssl and sign our own certificates, and all the services work great, EXCEPT the client software always complains that the certificate chain doesn't end with a trusted CA. I am speaking specifically about MS-outlook and netscape. Outlook complains every single session, where netscape at least gives you the option to accept the certificate forever. Anyway I am sure other clients would complain too.

My question is how can I prevent these messages, how can I get the client software to trust our own CA cert. On the web I searched and someone said to make a pkcs12 client cert.. anyway I tried that in a number of ways and it didn't work... And I really don't care about verifying the client... I just want to make the client trust the homegrown CA.

Any help would be much appreciated.

Thanks
Zachary.
Re: using own CA certs with various clients
Thank you all for posting solutions.. It was just a matter of importing the rootCA into the client. On my systems (outlook and netscape), I just needed to import the rootCA and then it stopped complaining about all certs signed by that root. It seems to have worked. Do I need to import the server cert as well?

--- Sean O'Riordain [EMAIL PROTECTED] wrote:

> sorry, I was unclear - the client needs BOTH the server cert and your CA cert. what i did was i put the certs in a shared directory... and then each machine that wanted them just double clicked on the CA.cer and server.cer ... done...
>
> cheers,
> Sean
>
> Steve Barnes wrote:
>
> > I have the same problem... (sort of).. I have been trying a similar thing, and failing... I'm trying to be my own CA and generate a server cert so I can enable SSL on an IIS4 webserver.
> >
> > I made myself a CA by running the command...
> >
> >     # openssl req -new -x509 -newkey rsa:1024 -md5 \
> >           -keyout ./certs/CAkey.pem -out ./certs/CAcert.pem -days 365
> >
> > Then I made a Certificate request in IIS Key Manager and signed it using the command...
> >
> >     # openssl ca -policy policy_match -days 365 -md md5 \
> >           -out ./certs/iis-ssl-cert.pem -keyfile ./certs/CAkey.pem \
> >           -cert ./certs/CAcert.pem -outdir ./certs \
> >           -infiles ./certs/iis-ssl-req.txt
> >
> > ... where iis-ssl-req.txt is the file from IIS Key Manager.
> >
> > I can then import the cert into IIS Key Manager and enable Secure Channel for my web server, but when I connect to https://secure-server, it gives me an error saying the cert is ok apart from the fact that it "was issued by a company you have chosen not to trust". When I try importing the cert into IE, it imports ok, but then it doesn't appear in the "Trusted Root Certificate Authorities". So every time I go to the site, it gives me the same error over and over. If I rename the file from 'iis-ssl-cert.pem' to 'iis-ssl-cert.cer', Windows Exploder recognises it as a Security Certificate; when I double click, I get "Windows does not have enough information to verify this certificate".
> >
> > Any way I'm lost... I've gotten this far and it's really bugging me now... Can anyone help...?
> >
> > -----Original Message-----
> > From: Sean O'Riordain [mailto:[EMAIL PROTECTED]]
> > Sent: 17 October 2001 09:53
> > To: [EMAIL PROTECTED]
> > Subject: Re: using own CA certs with various clients
> >
> > under windows 2000 (and nt4 afaik) with outlook 2000 and IE5 (don't know if it works for less than this) you can install the certificate in each client by hand quite easily... if the file name has the ending .cer then windows appears to recognize it and calls it Security Certificate... double click on this and hit Install Certificate... / Next / Next / Finish / OK / OK ... that's it...
> >
> > getting the cert to the client is another matter :-)
> >
> > Sean
> >
> > Haikel wrote:
> >
> > > Hello,
> > >
> > > I think you have to install the CA certificates in your client browser. I know two techniques you can use:
> > >
> > > 1. your client can download your CA certificate from your web site (you need to use the mime type application/x-x509-ca-cert in your httpd.conf file)
> > > 2. or you can generate, for each one of your end users, a PKCS#12 file containing his private key, his certificate and your CA certificate
> > >
> > > I hope that my answer will be helpful
> > >
> > > bye
> > >
> > > Zachary Denison wrote:
> > >
> > > > [Zachary's original question, quoted in full above under "using own CA certs with various clients"]
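What the thread above walks through piecemeal (a self-signed root made with openssl req -x509, the server request signed by that root, and a .cer copy of the root that the Windows "Install Certificate" dialog accepts), as one added, runnable script of my own; it is not Steve's or Sean's command line and is not part of the original posts. It assumes OpenSSL on the path, reuses the ZakDen names from earlier in the thread, invents its output paths, and leaves the CA key unencrypted only so the demo runs unattended (a real CA key is passphrase-protected and kept off the web servers). Two caveats the thread does not spell out: neither openssl ca nor openssl x509 -req carries a request's extensions into the certificate unless told to (copy_extensions = copy in the ca config), so here the CA sets subjectAltName itself from an extension file; and a client only needs the root installed, because the server presents its own certificate in the handshake, which is exactly what openssl verify -CAfile reproduces at the end. The -md5 in Steve's commands was normal in 2001; the script signs with SHA-256, which is what current clients require.

```shell
#!/bin/sh
# Added example (not from the thread): a minimal private CA, a server
# certificate issued by it with subjectAltName set by the CA, a chain
# check, and a DER (.cer) copy of the root for Windows clients.
# All names and paths are the example's own.
set -eu

ca_config() {
    cat <<'EOF'
[ req ]
default_bits       = 2048
distinguished_name = ca_dn
x509_extensions    = v3_ca
prompt             = no

[ ca_dn ]
C  = US
O  = ZakDen
CN = ZakDen Internal Root CA

[ v3_ca ]
basicConstraints     = critical, CA:TRUE, pathlen:0
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
}

# server_request_config HOST: prompt=no DN for the server's CSR
server_request_config() {
    cat <<EOF
[ req ]
default_bits       = 2048
distinguished_name = server_dn
prompt             = no

[ server_dn ]
C  = US
O  = ZakDen
CN = $1
EOF
}

# server_extensions SANLIST: what the CA puts on the issued certificate.
# Request extensions are not copied by x509 -req / ca unless asked for,
# so the CA states them here; SANLIST is "DNS:a,DNS:b,...".
server_extensions() {
    cat <<EOF
[ v3_server ]
basicConstraints = critical, CA:FALSE
keyUsage         = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName   = $1
EOF
}

# make_ca DIR: self-signed root (PEM) plus the DER .cer Windows expects.
# ca.key stays unencrypted only for the demo.
make_ca() {
    ca_config > "$1/ca.cnf"
    openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -config "$1/ca.cnf" -keyout "$1/ca.key" -out "$1/ca.crt"
    chmod 600 "$1/ca.key"
    openssl x509 -in "$1/ca.crt" -outform DER -out "$1/ca.cer"
}

# issue_server_cert DIR HOST [ALT...]: key + CSR for HOST, signed by the CA
issue_server_cert() {
    dir=$1; shift
    host=$1
    sans=""
    for h in "$@"; do sans="${sans:+$sans,}DNS:$h"; done
    server_request_config "$host" > "$dir/$host.cnf"
    openssl req -new -newkey rsa:2048 -nodes -config "$dir/$host.cnf" \
        -keyout "$dir/$host.key" -out "$dir/$host.csr"
    chmod 600 "$dir/$host.key"
    server_extensions "$sans" > "$dir/$host.ext"
    openssl x509 -req -in "$dir/$host.csr" -sha256 -days 397 \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -extfile "$dir/$host.ext" -extensions v3_server \
        -out "$dir/$host.crt"
}

# verify_chain DIR HOST: the check a client with the root installed makes
verify_chain() {
    openssl verify -CAfile "$1/ca.crt" "$1/$2.crt"
}

# cert_has_san DIR HOST NAME: true if NAME is a dNSName in HOST's cert
cert_has_san() {
    openssl x509 -in "$1/$2.crt" -noout -text | grep -q "DNS:$3"
}

if command -v openssl >/dev/null 2>&1; then
    d=$(mktemp -d)
    make_ca "$d"
    issue_server_cert "$d" imap.zakden.com mail.zakden.com smtp.zakden.com
    verify_chain "$d" imap.zakden.com
    cert_has_san "$d" imap.zakden.com smtp.zakden.com
    echo "install $d/ca.cer on the clients; keys, CSRs and certs are in $d"
fi
```

To hand the root out the way Haikel suggests, serve ca.cer from the web server with its MIME type set (in Apache: AddType application/x-x509-ca-cert .cer); the browser then offers its own import dialog. Only ca.cer goes to clients; the per-host .key files never leave the server they belong to.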
wrong version number
I am trying to configure an application to use openssl (courier-imap to be exact). I keep getting the error

    starttls: accept: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number

in the log files... Both the client and server are using the same exact version of openssl, namely openssl 0.96b. Does anyone know how to remedy this problem?

Thank you.
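The thread records no answer to this one. As an added illustration of my own (not from the list), the script below shows what the record layer is looking at when it reports "wrong version number": every SSL3/TLS record opens with a 5-byte header of type (0x16 for handshake), a two-byte version (0x03 0x0N) and a two-byte length. When the version bytes are anything else the library gives this error, and in practice that means the peer sent plaintext on a socket the other side expected to be TLS from the first byte. On the server side ("accept", as in Zachary's log) that is typically a client talking plain IMAP to the TLS-wrapped port, or a STARTTLS exchange in which one side started TLS and the other did not; the same mismatch reproduces with openssl s_client by pairing -connect host:993 with a plaintext listener, or -connect host:143 without -starttls imap. The byte strings below are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the thread): classify the first bytes a TLS
# endpoint receives the way the SSL3/TLS record layer does, to show
# what "SSL3_GET_RECORD:wrong version number" actually means.
# Sample streams are constructed for the demo.
set -eu

# record_check FILE: inspect the first five bytes of a captured stream.
# Returns 0 for a TLS handshake record, 1 for anything else.
record_check() {
    hdr=$(head -c 5 "$1" | od -An -tx1 | tr -d ' \n')
    if [ -z "$hdr" ]; then
        echo "empty: peer closed without sending anything"
        return 1
    fi
    rtype=$(printf '%s' "$hdr" | cut -c1-2)
    major=$(printf '%s' "$hdr" | cut -c3-4)
    minor=$(printf '%s' "$hdr" | cut -c5-6)
    if [ "$major" = "03" ]; then
        case "$minor" in
            00) ver="SSL 3.0" ;;
            01) ver="TLS 1.0" ;;
            02) ver="TLS 1.1" ;;
            *)  ver="TLS 1.2 (or TLS 1.3 with legacy version)" ;;
        esac
        case "$rtype" in
            16) echo "tls: handshake record, header version $ver"; return 0 ;;
            *)  echo "tls: record type 0x$rtype before any handshake"; return 1 ;;
        esac
    fi
    # Not a TLS header. Show the bytes as text: the plaintext protocol
    # that was on the wire is the real cause of the error.
    preview=$(head -c 40 "$1" | tr -c '[:print:]' '.')
    echo "wrong version number: bytes $rtype $major $minor are not a TLS record; peer sent: $preview"
    return 1
}

tmp=$(mktemp -d)
# What a TLS client sends first: handshake record, version 3.1 in the header.
printf '\026\003\001\001\064\001\001\060\003\003' > "$tmp/client_hello"
# What a plaintext IMAP server sends first on port 143.
printf '* OK [CAPABILITY IMAP4rev1 STARTTLS] Courier-IMAP ready.\r\n' > "$tmp/imap_banner"
# What a plaintext client sends to the TLS-wrapped port by mistake.
printf 'a001 CAPABILITY\r\n' > "$tmp/plain_client"

for f in client_hello imap_banner plain_client; do
    record_check "$tmp/$f" || true
done
```

The two failing cases print the offending bytes and their text, which is usually enough to tell which side forgot (or added) the TLS layer; fix the port/STARTTLS pairing rather than the OpenSSL version, which the log line shows is not the mismatch.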