Re: bit-size necessary in the command: openssl req -newkey rsa:bits?
I’m sorry to disturb you again, but isn’t there anybody who knows the answer to my question? I'm thankful for everything that could help me. Best regards domi domi wrote: > > Hello, > > I have got a question concerning the command openssl req -newkey rsa:bits > …. which I use for creating a self-signed certificate for my small private > CA. > Some time ago I used the command like this with OpenSSL 0.9.7g (on Suse > 10.0): > openssl req –x509 –newkey rsa –out cacert.pem –outform PEM > As you can see I did it without giving the bit-size because of the > following section in my openssl.cnf: > [ req ] > default_bits = 2048 > > A few days ago I wanted to built up my CA on a different computer (Suse > 10.2 with OpenSSL 0.9.8d). I did everything as I was used to. But this > time I had to add the bit-size although I used the default_bits option > again in my openssl.cnf: > openssl req -x509 –newkey rsa:2048 –out cacert.pem –outform PEM > > As you can see there is no real problem as long as everything works as I > want but I would like to know why I have to add the bit-size with the new > version of OpenSSL. Is it a feature/fault of the version? Can the same be > observed with a newer version? (I know that I could test it on my own with > a newer version but I don`t want to because everything works quiet fine > right now.) > > Of course I took a look into the news and the changelog on > http://www.openssl.org/news/news.html but I wasn’t able to find an answer > for my question. So I hope that somebody in this forum can help me. > > Best regards > domi > > -- View this message in context: http://www.nabble.com/bit-size-necessary-in-the-command%3A-openssl-req--newkey-rsa%3Abits--tf3790387.html#a10964297 Sent from the OpenSSL - User mailing list archive at Nabble.com. __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: AW: Database file structure
Thank you Bernhard/ Ted (?), that is exactly what I was looking for. For everyone who wants to know the time format: start reading Bernhards link from behind. Best regards Dominic Bernhard Froehlich wrote: > > > Have a look at > http://www.mail-archive.com/openssl-users@openssl.org/msg45982.html > > Ted > ;) > > -- > PGP Public Key Information > Download complete Key from http://www.convey.de/ted/tedkey_convey.asc > Key fingerprint = 31B0 E029 BCF9 6605 DAC1 B2E1 0CC8 70F4 7AFB 8D26 > > > > > -- View this message in context: http://www.nabble.com/Database-file-structure-tf3810867.html#a10814776 Sent from the OpenSSL - User mailing list archive at Nabble.com. __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: AW: Database file structure
Hello Bruno and Thomas, Number 1 and 4-6 are definitively right as long as I know. I think that number 2 and 3 are correct too. But I‘m not quiet sure. Thomas would you be so kind and tell me in what format the time is written? Or just give me link where I can find the information; my search wasn’t succesful. Thanks in advance and best regards Dominic thomas.beckmann wrote: > > Bruno, > > A database line is structured as followed: > > 1. state of the cert (V=valid, R=revoked, E=expired where the state is not > changes automatically if a cert expires) > 2. end of validity > 3. revocation time (empty when the cert ist not revoked) > 4. serial number in hex > 5. Where the cert can be found (only value is "unknown" today) > 6. Name of certificate holder (normally the DN) > > Regards > > Thomas > >> -Ursprüngliche Nachricht- >> Von: [EMAIL PROTECTED] >> [mailto:[EMAIL PROTECTED] Im Auftrag von Bruno >> Costacurta >> Gesendet: Donnerstag, 24. Mai 2007 17:30 >> An: openssl-users@openssl.org >> Betreff: Database file structure >> >> Dears, >> >> just for curiosity, >> what are the structure & description of the database file >> (often) called 'index' and which corresponds in fact to the >> parameter 'database' in openssl.cnf ? >> Please find a sample hereafter as it's mainly human readable. >> >> Thanks for any info. >> Bye, >> Bruno >> >> ... >> V100221212735Z 03 unknown /C=BE/ST=Brussels >> Region/L=Brussels/O=Acme.org/CN=acer9100 radius >> client/[EMAIL PROTECTED] >> V100523143810Z 04 unknown /C=BE/ST=Brussels >> Region/L=Brussels/O=Acme.org/CN=pc34ghz.org/emailAddress=bruno >> @Acme.org >> V100523144327Z 05 unknown /C=BE/ST=Brussels >> Region/L=Brussels/O=Acme.org/CN=pc34ghz.org/emailAddress=bruno >> @Acme.org >> V100523151137Z 06 unknown /C=BE/ST=Brussels >> Region/L=Brussels/O=Acme.org/CN=Bruno >> Acme/[EMAIL PROTECTED]/description=test only >> V100523151243Z 07 unknown /C=BE/ST=Brussels >> Region/L=Brussels/O=Acme.org/CN=pc34ghz.org/emailAddress=bruno >> @Acme.org/description=for >> apache2 SSL server & client >> ... >> >> -- >> PGP key ID: 0x2e604d51 >> Key : http://www.costacurta.org/keys/bruno_costacurta_pgp_key.html >> Key fingerprint = 713F 7956 9441 7DEF 58ED 1951 7E07 569B 2E60 4D51 >> -- >> > > Atos Origin GmbH, Theodor-Althoff-Str. 47, D-45133 Essen, Postfach 100 > 123, D-45001 Essen > Telefon: +49 201 4305 0, Fax: +49 201 4305 689095, www.atosorigin.de > Dresdner Bank AG, Hamburg: Kto. 0954411200, BLZ 200 800 00, Swift Code > DRESDEFF200, IBAN DE6920080954411200 > Geschäftsführer: Dominique Illien, Handelsregister Essen HRB 19354, > Ust.-ID.-Nr.: DE147861238 > __ > OpenSSL Project http://www.openssl.org > User Support Mailing Listopenssl-users@openssl.org > Automated List Manager [EMAIL PROTECTED] > > -- View this message in context: http://www.nabble.com/Database-file-structure-tf3810867.html#a10801535 Sent from the OpenSSL - User mailing list archive at Nabble.com. __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
bit-size necessary in the command: openssl req -newkey rsa:bits?
Hello, I have got a question concerning the command openssl req -newkey rsa:bits …. which I use for creating a self-signed certificate for my small private CA. Some time ago I used the command like this with OpenSSL 0.9.7g (on Suse 10.0): openssl req –x509 –newkey rsa –out cacert.pem –outform PEM As you can see I did it without giving the bit-size because of the following section in my openssl.cnf: [ req ] default_bits = 2048 A few days ago I wanted to built up my CA on a different computer (Suse 10.2 with OpenSSL 0.9.8d). I did everything as I was used to. But this time I had to add the bit-size although I used the default_bits option again in my openssl.cnf: openssl req -x509 –newkey rsa:2048 –out cacert.pem –outform PEM As you can see there is no real problem as long as everything works as I want but I would like to know why I have to add the bit-size with the new version of OpenSSL. Is it a feature/fault of the version? Can the same be observed with a newer version? (I know that I could test it on my own with a newer version but I don`t want to because everything works quiet fine right now.) Of course I took a look into the news and the changelog on http://www.openssl.org/news/news.html but I wasn’t able to find an answer for my question. So I hope that somebody in this forum can help me. Best regards domi -- View this message in context: http://www.nabble.com/bit-size-necessary-in-the-command%3A-openssl-req--newkey-rsa%3Abits--tf3790387.html#a10719161 Sent from the OpenSSL - User mailing list archive at Nabble.com. __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: Question about Partitioned CRLs; how to split a CRL?
As long as nobody could help me I continued my search on my own and found the following http://tools.ietf.org/html/draft-ietf-pkix-ocdp-00 In chapter 3 you can find: …Examples of CRL partition scopes are: (1) All of the certificates of a CA with serial numbers between 10,000 and 19,999 inclusive. … The scope of a CRL is indicated within that CRL using the following CRL extension: cRLScope EXTENSION ::= { SYNTAX CRLScopeSyntax IDENTIFIED BY { } } CRLScopeSyntax ::= SEQUENCE { serialNumberRange [0] NumberRange OPTIONAL, subjectKeyIdRange [1] NumberRange OPTIONAL, nameSubtrees[2] GeneralNames OPTIONAL, notBeforeRange [3] NotBeforeRange OPTIONAL, onlyContainsUserCerts [4] BOOLEAN DEFAULT FALSE, onlyContainsCACerts [5] BOOLEAN DEFAULT FALSE, onlySomeReasons [6] ReasonFlags OPTIONAL, indirectCRL [7] BOOLEAN DEFAULT FALSE } NumberRange ::= SEQUENCE { startingNumber INTEGER, endingNumberINTEGER, modulus INTEGER OPTIONAL } notBeforeRange ::= SEQUENCE { startingNotBeforeTime GeneralizedTime, endingNotBeforeTime GeneralizedTime } …. What I had in mind (in my initial post) is something like the serialNumberRange but now I don’t know how to handle it. Just copying the crlscope into my crl extension section doesn’t work. In the following you can see my openssl.cnf. When I try to create a CRL with the command „openssl ca –gencrl –out my.crl“ I get the following error: error on line 87 of config file `/opt/myca/openssl.cnf` 6434: error:0E066065:configuration file routines:CONF_load_bio:missing equal sign:conf_def.c:366:line 87 Here is my openssl.cnf where I marked the line 87: # I’ve added this but I guess that I’ll have to enter something here because this ###section is quiet empty ;-) oid_section = [ new_oids ] [ new_oids ] [ ca ] default_ca = myca [myca ] dir = /opt/myca # Where everything is kept certificate = $dir/cacert.pem # The CA certificate database= $dir/index.txt# database index file. new_certs_dir = $dir/certs# default place for new certs. private_key = $dir/private/cakey.pem# The private key serial = $dir/serial # The current serial number crlnumber = $dir/crlnumber default_crl_hours= 1# how long before next CRL default_days= 365 # how long to certify for default_md = md5 # which md to use. policy = myca_policy x509_extensions = certificate_extensions # copy_extensions = copy crl_extensions = crl_ext [ myca_policy ] commonName = supplied stateOrProvinceName = supplied countryName = supplied emailAddress= optional organizationName= supplied organizationalUnitName = optional [certificate_extensions] basicConstraints = CA:false crlDistributionPoints= URI:http://192.168.0.2/my.crl [ req ] default_bits = 2048 default_keyfile = /opt/myca/private/cakey.pem default_md = md5 prompt = no distinguished_name = root_ca_distinguished_name x509_extensions = root_ca_extensions [ crl_ext ] ## and I’ve added this section cRLScope EXTENSION ::= {##line 87 SYNTAX CRLScopeSyntax IDENTIFIED BY { } } CRLScopeSyntax ::= SEQUENCE { serialNumberRange [0] NumberRange OPTIONAL, subjectKeyIdRange [1] NumberRange OPTIONAL, nameSubtrees[2] GeneralNames OPTIONAL, notBeforeRange [3] NotBeforeRange OPTIONAL, onlyContainsUserCerts [4] BOOLEAN DEFAULT FALSE, onlyContainsCACerts [5] BOOLEAN DEFAULT FALSE, onlySomeReasons [6] ReasonFlags OPTIONAL, indirectCRL [7] BOOLEAN DEFAULT FALSE } NumberRange ::= SEQUENCE { startingNumber INTEGER, endingNumberINTEGER, modulus INTEGER OPTIONAL } notBeforeRange ::= SEQUENCE { startingNotBeforeTime GeneralizedTime, endingNotBeforeTime GeneralizedTime } [ root_ca_distinguished_name ] commonName = my CA stateOrProvinceName = some state countryName = US organizationName = some organization [ root_ca_extensions ] basicConstraints = CA:true Thank you for reading my post. I hope that somebody might help me to include the crlScope stuff or help me with some other solution. best regards domi -- View this message in context: http://www.nabble.com/Question-about-Partitioned-CRLs--how-to-split-a-CRL--tf3419056.html#a9549707 Sent from the OpenSSL - User mailing list archive at Nabble.com
Question about Partitioned CRLs; how to split a CRL?
Hello, I’ve set up an Apache webserver for some testing purposes. I’ve also built my own little CA, I can create certificates and CRLs (using the commandline for everything). Everthing works quiet fine but now I’ve got the following question concerning CRL Distribution Points / Partitioned CRLs. Assume that I’ve got a lot of certificates and and lot of them are revoked. Is it possible to create a CRL (called A) for the first part of my certificates and a second CRL (called B) for the second part of my certitificates? Going one step further, I want to have a look at my index.txt (where I can find all my issued certificates) and create a CRL telling openssl the range of the certificates. Is there a command (an option or something else) that my CRL will begin with the certificate X (serialnumber X) and end with the certificate Y (serialnumber Y)? I’m thankful for any ideas. Please let me know if you need further information like my config-files or something else. best regards domi -- View this message in context: http://www.nabble.com/Question-about-Partitioned-CRLs--how-to-split-a-CRL--tf3419056.html#a9529138 Sent from the OpenSSL - User mailing list archive at Nabble.com. __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: crlDistributionPoints in a certificate request
Hello everbody, in the end I was able to solve my problem and here is what I’ve done. If you want to follow my example just be careful and read the warnings in the other comments concerning this topic. As Patrick suggested I was in need of the "copy extensions" but at that time I just didn’t know what to do with it. ;) When you generate a certificate request you need the following in the openssl.cnf: req_extensions = v3_req [ v3_req ] crlDistributionPoints = URI:http://192.168.0.2/my.crl And when you issue the certificate from this request you’ll need in your openssl.cnf: [ ca ] default_ca = myca [myca] copy_extensions = copy best regards domi -- View this message in context: http://www.nabble.com/crlDistributionPoints-in-a-certificate-request-tf3148251.html#a8844382 Sent from the OpenSSL - User mailing list archive at Nabble.com. __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: A problem with the use of CRLs. I'm still able to access a site although the certificate is revoked.
Hello Goetz, again thanks for your quick answer. I think I found a solution with the help of the Apache-HTTP-Server forum. Everyone who is interested in it, take a look at http://www.nabble.com/Problem-with-revoked-certificates.-tf3169656.html In the end I think, that it was no OpenSSL problem. But it is good to know that there is a place where I can ask my OpenSSL questions ;) best regards domi -- View this message in context: http://www.nabble.com/A-problem-with-the-use-of-CRLs.-I%27m-still-able-to-access-a-site-although-the-certificate-is-revoked.-tf3169634.html#a8808160 Sent from the OpenSSL - User mailing list archive at Nabble.com. __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
A problem with the use of CRLs. I'm still able to access a site although the certificate is revoked.
pem SSLCertificateKeyFile /some/path/testkey.pem SSLCertificateChainFile /some/path/cacert.pem All the steps in OpenSSL and Apache work as far as I can say. Now follow some steps to access my site. step 1: start the Apache with /etc/init.d/apache2 startssl The certificate in the Apache ssl-global.conf is NOT revoked. step 2: start Firefox 2.0.1 and call the site https://192.168.0.2 Of course you must trust the certificate. step 3: import the CRL in the Firefox under settings-advanced-encryption. Here you can enter the URL https://192.168.0.2/derexample.crl and import the CRL step 4: The certificate of the CA has to be imported and trusted as well. step 5: Close Firefox and stop Apache with /etc/init.d/apache2 stop step 6: Now I change the ssl-global.conf and enter a certificate which was revoked from me in the forefront. Of course the CRL is up to date. step 7: new start of Apache und Firefox. The site can still be accessed although the certificate is revoked; no error message or something like that is shown. I also deleted the private internet files and the last visited pages to avoid that my site still lies somewhere in the cache. Does anyone know why I’m still able to access this site? I’m very thankful for all comments, hints and solutions. If you need my complete configs or something else feel free to ask. best regards domi -- View this message in context: http://www.nabble.com/A-problem-with-the-use-of-CRLs.-I%27m-still-able-to-access-a-site-although-the-certificate-is-revoked.-tf3169634.html#a8792524 Sent from the OpenSSL - User mailing list archive at Nabble.com. __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: crlDistributionPoints in a certificate request
After one day pending-status I'll post this message again. domi wrote: > > I won’t quote our complete conversation because it has grown to a rather > huge amount of text. I just will say: Yes, Goetz you are right ;) > So I come to the conclusion that I can’t to those things in OpenSSL which > I had in mind because of the considerations and disadvantages Goetz > mentioned. > Just some last explanations: Of course my scenario is just fictional and I > won’t try to set up a commercial CA or web-server using it. Only for > testing purposes isolated from the rest of the world. > And it just makes sense for a huge CA (like Verisign) with a very short > lifetime of CRLs and the MUST use of the CRLs (OCSP is not an option for > me). > > > By the way, another problem occurred during my testing: The Apache2 server > works using a certificate and the CRL has been imported to the browser > (Firefox in my case. Other browsers will follow). But I don’t have any > problems to connect to the site although the certificate is revoked. I was > not able to discover the reason but I’m still searching. Any guesses? > > greetings domi > > -- View this message in context: http://www.nabble.com/crlDistributionPoints-in-a-certificate-request-tf3148251.html#a8780236 Sent from the OpenSSL - User mailing list archive at Nabble.com. __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: crlDistributionPoints in a certificate request
Goetz wrote: I think your security model is broken. A CRL and with that the server clients can download it from is part of the chain of security of the CA. So theses servers must be on (best case) dedicated servers that are specially hardened for this usage. These servers are a (potentially outsourced) part of the CA. So the CA needs this list anyway and can incorperate it into all certificates. Letting the client set the crlDistributionPoints may lead to something like: To check if the security of www.server.net is compromised, go to www.server.net and download the CRL. But if the security of this site is compromised, you can't trust any data you downloaded from it. What you can do is something like: * The CA generates the CRLs. * The CA sends the CRLs to a (fixed) known list of external servers clients can download them from. * On signing the CA incorperates this list of CRL download servers into the certificates. * Clients that want to download the CRL contact one of these servers. The server the client contacts to download the CRL is decided on the client. Bye Goetz Hello Goetz, Thank you for your comments and critics concerning my scenario. I’m analysing and trying to built up this scenario by order of my professor. So “it doesn’t make any sense” is an acceptable result as well ;) --“I think your security model is broken….” In this scenario the CRL shall be kept on the www.server.net. And this server is NOT a part of the CA’s security chain. The CA creates, signs and stores the CRL as usual. But in addition the CA also sends a copy of the CRL to www.server.net, which stores the CRL wherever it wants. (Pushing or pulling the CRL is not important to me.) --“But if the security of this site is compromised, you can't trust any data you downloaded from it.” For this reason the CA has to sign the CRL before sending it to www.server.net. When the site is compromised it won’t publish the current CRL. And a missing up-to-date CRL tells everbody that this site is compromised. I hope this idea is not too strange and I’m not telling to much nonsense ;) So I still have got the problem, that the certificate request shall include the CRL distribution point and that the CA has to “copy” it when signing the certificate without knowing the CRL DP in the forefront. I’m looking forward to get more comments, critics and probably the solution to my problem. Greetings domi -- View this message in context: http://www.nabble.com/crlDistributionPoints-in-a-certificate-request-tf3148251.html#a8749031 Sent from the OpenSSL - User mailing list archive at Nabble.com. __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: crlDistributionPoints in a certificate request
Thank you for your quick answer, which is helpful but not exactly what I had in mind ;) You couldn’t know this because I forgot to mention my aims. I’m trying to realise the following scenario: The CRL shall be kept on the server of the SSL-website and not within the servers of the CA in order to reduce the huge amount of traffic which goes hand in hand with the periodic CRL-update. The CRL has to be created and signed by the CA and then send to server of the SSL-website where the CRL is stored and can be accessed by the rest of the SSL-world. As you can see, an environment variable goes in the right direction but having a variable for each client of the CA is not yet ideal. I know that this scenario is probably not realisable today but that should not care us in the meantime. I’m anxious to read comments about “my” scenario or probably a solution for my problem. best regards domi Patrick Patterson-3 wrote: > > On Wednesday 31 January 2007 06:45, domi wrote: >> Hello, >> >> I searched and tried a lot but wasn't able to solve the following >> problem: >> >> I have built my own little CA (with the help of the OpenSSL book of >> O'Reilly). I can create certificate requests and issue certificate from >> them. Now I want to do the following: >> >> The certificate request should include the crlDistributionPoints. (I'm >> able >> to enter the DP under certificate_extensions) Thats no problem so far. >> But now should the CA create the certificate without knowing the CRL DP >> in >> the forefront. The CA should take CRL DP entered by the user and put it >> into the certificate. Unfortunately I wasn't able to manage this. >> I tried a lot of things like crlDistributionPoints=supplied for example >> but >> nothing worked. >> >> Summary: The certificate shall include the crlDistributionPoints without >> being written static into the openssl.cnf of the CA. >> > I'm not sure how this would be doable (I suppose "copy extensions" might > be > what you want), however, I also have no idea why you would ever want a > subject to be defining the distribution point for the CA. If you are > trying > to roll over the CRLdp (for instance, if you are trying to have only a > given > number of certificates in a particular CRL), you might want to have an > environment variable ($ENV::CRLNUMBER), and have that appended to the URI > in > the certificateDistributionPoint extension. i.e: > > export CRLNUMBER=5 > openssl ca -in certreq.pem -out cert.pem > > (where there is a usr_ext section in your stock openssl.cnf with the line: > > crlDistributionPoints = > URI:http://www.example.com/someurl/$ENV::CRLNUMBER.crl > > However, with OpenSSL, this is probably a bit tricky, since you'll have to > keep a mapping for the certificate, and parse that before you do the > revoke > so that you can do the right thing. > > > > -- > Patrick Patterson > President and Chief PKI Architect > Carillon Information Security Inc. > http://www.carillon.ca > __ > OpenSSL Project http://www.openssl.org > User Support Mailing Listopenssl-users@openssl.org > Automated List Manager [EMAIL PROTECTED] > > -- View this message in context: http://www.nabble.com/crlDistributionPoints-in-a-certificate-request-tf3148251.html#a8744148 Sent from the OpenSSL - User mailing list archive at Nabble.com. __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
crlDistributionPoints in a certificate request
Hello, I searched and tried a lot but wasn't able to solve the following problem: I have built my own little CA (with the help of the OpenSSL book of O'Reilly). I can create certificate requests and issue certificate from them. Now I want to do the following: The certificate request should include the crlDistributionPoints. (I'm able to enter the DP under certificate_extensions) Thats no problem so far. But now should the CA create the certificate without knowing the CRL DP in the forefront. The CA should take CRL DP entered by the user and put it into the certificate. Unfortunately I wasn't able to manage this. I tried a lot of things like crlDistributionPoints=supplied for example but nothing worked. Summary: The certificate shall include the crlDistributionPoints without being written static into the openssl.cnf of the CA. greetings domi -- View this message in context: http://www.nabble.com/crlDistributionPoints-in-a-certificate-request-tf3148251.html#a8727537 Sent from the OpenSSL - User mailing list archive at Nabble.com. __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]