RE: Question about Self-Signed Certificates
> From: owner-openssl-us...@openssl.org On Behalf Of Kyle Safford
> Sent: Monday, 25 January, 2010 11:49
>
> I am using Self-Signed Certificates and had a few questions about them. When running the command to verify whether the certificate chain is valid or not (in weblogic), I receive a message stating that the chain is invalid:
>
>     java -cp %BEA_HOME%\weblogic81\server\lib\weblogic.jar utils.ValidateCertChain -file openca_crt.pem
>
> However, when I leave off the -cp option, it says the certificate chain is valid. What is the -cp option used for in determining if the certificate chain is valid, and is it required?

The -cp/-classpath jar/dirs option sets the classpath used by (this) java run (at least for the default loader). If you leave it out, your environment variable CLASSPATH is used, or if none, . (current directory). Using a different path might result in a different jar or jars being found, containing different code that produces different results.

Do you believe this cert should be valid? How was it generated? Is the file just a (single) selfsigned cert, or a child cert that references some CA cert, or a partial or complete chain? Is the validation supposed to be done against a truststore (or the JRE default) that does or does not include the ss or root cert? Does the command that says it is invalid (with -cp) state a reason that agrees with these answers?

> Second question is in regards to installing the certificate. Weblogic starts up without issues, and when I go to the https link I get the following message:
>
>     The security certificate was issued by a company you have not chosen to trust. View the certificate to determine whether you want to trust the certifying authority.
>
> I select the View Certificate option and install the certificate. It states that it is installed successfully, but when I leave the site and come back I get prompted with the same message and have to install it again. Shouldn't the first install take care of this?

(In IE) It should, assuming it's the same client (machine and browser).

> When looking into this it stated that I needed to install it into the Trusted Root Certification Authorities section. When I try that, it says it was successfully

You shouldn't actually need to pick that; if the cert is selfsigned (and not for your key) automatic should select trusted root. (Even if it wasn't actually used to issue any children, and I think even if it doesn't have usage allowing it to issue any children.)

> installed, however it is not in that section when I go to it in Internet Explorer. Does anyone know why this might be?

Not really. There might be some permissions error(s) that would prevent it from saving, but if so it should have given an error. One specific possibility: if you're in a corporate or other group environment, (recent) Windows has features that allow a central manager (typically the IT department) to remotely lock down features and options on users' machines. I don't know if 'add trusted root' is one of them, but it very well might. But again I would expect an error message if so.

From this same IE, have you accepted/imported, and then used silently, a 'new' selfsigned or CA cert from/to any other server/site? I.e. does it not work at all, or does it not work only for this cert/server?

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
Question about Self-Signed Certificates
Hi All,

I am using Self-Signed Certificates and had a few questions about them. When running the command to verify whether the certificate chain is valid or not (in weblogic), I receive a message stating that the chain is invalid:

    java -cp %BEA_HOME%\weblogic81\server\lib\weblogic.jar utils.ValidateCertChain -file openca_crt.pem

However, when I leave off the -cp option, it says the certificate chain is valid. What is the -cp option used for in determining if the certificate chain is valid, and is it required?

Second question is in regards to installing the certificate. Weblogic starts up without issues, and when I go to the https link I get the following message:

    The security certificate was issued by a company you have not chosen to trust. View the certificate to determine whether you want to trust the certifying authority.

I select the View Certificate option and install the certificate. It states that it is installed successfully, but when I leave the site and come back I get prompted with the same message and have to install it again. Shouldn't the first install take care of this? When looking into this it stated that I needed to install it into the Trusted Root Certification Authorities section... when I try that, it says it was successfully installed, however it is not in that section when I go to it in Internet Explorer. Does anyone know why this might be?

Thank you in advance for any help you can provide.

Thank you,
Kyle
About self signed certificates
Hi all,

I am using a self signed certificate as a CA certificate. My entity certificate is signed by this self signed CA in my test programs.

But another programmer who is doing the client part is saying I need to include the keyUsage field in my self signed certificate, referring to RFC 3280 (section 4.2.1.3 Key Usage):

    This extension MUST appear in certificates that contain public keys that are used to validate digital signatures on other public key certificates or CRLs.

But I heard self signed certificates should not have a keyUsage field. I want to know the limitation of self signed certificates.

Thanks in advance.

--
with regards
Subramaniam
Engineer Software
SCM Microsystems (INDIA) Pvt. Ltd.
Re: About self signed certificates
On Wed, Oct 03, 2007 at 11:47:33AM +0530, Subramaniam wrote:

> I am using a self signed certificate as a CA certificate.

Post the CA certificate to the list.

> My entity certificate is signed by this self signed CA in my test programs.

Post the entity certificate to the list.

> But another programmer who is doing the client part is saying I need to include the keyUsage field in my self signed certificate, referring to RFC 3280 (section 4.2.1.3 Key Usage):
>
>     This extension MUST appear in certificates that contain public keys that are used to validate digital signatures on other public key certificates or CRLs.

Here's a typical CA cert, in fact one of the Thawte root CA certs:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
        Signature Algorithm: md5WithRSAEncryption
        Issuer: C=ZA, ST=Western Cape, L=Cape Town, O=Thawte Consulting cc, OU=Certification Services Division, CN=Thawte Server CA/[EMAIL PROTECTED]
        Validity
            Not Before: Aug  1 00:00:00 1996 GMT
            Not After : Dec 31 23:59:59 2020 GMT
        Subject: C=ZA, ST=Western Cape, L=Cape Town, O=Thawte Consulting cc, OU=Certification Services Division, CN=Thawte Server CA/[EMAIL PROTECTED]
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                    00:d3:a4:50:6e:c8:ff:56:6b:e6:cf:5d:b6:ea:0c:
                    68:75:47:a2:aa:c2:da:84:25:fc:a8:f4:47:51:da:
                    85:b5:20:74:94:86:1e:0f:75:c9:e9:08:61:f5:06:
                    6d:30:6e:15:19:02:e9:52:c0:62:db:4d:99:9e:e2:
                    6a:0c:44:38:cd:fe:be:e3:64:09:70:c5:fe:b1:6b:
                    29:b6:2f:49:c8:3b:d4:27:04:25:10:97:2f:e7:90:
                    6d:c0:28:42:99:d7:4c:43:de:c3:f5:21:6d:54:9f:
                    5d:c3:58:e1:c0:e4:d9:5b:b0:b8:dc:b4:7b:df:36:
                    3a:c2:b5:66:22:12:d6:87:0d
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:TRUE
    Signature Algorithm: md5WithRSAEncryption
        07:fa:4c:69:5c:fb:95:cc:46:ee:85:83:4d:21:30:8e:ca:d9:
        a8:6f:49:1a:e6:da:51:e3:60:70:6c:84:61:11:a1:1a:c8:48:
        3e:59:43:7d:4f:95:3d:a1:8b:b7:0b:62:98:7a:75:8a:dd:88:
        4e:4e:9e:40:db:a8:cc:32:74:b9:6f:0d:c6:e3:b3:44:0b:d9:
        8a:6f:9a:29:9b:99:18:28:3b:d1:e3:40:28:9a:5a:3c:d5:b5:
        e7:20:1b:8b:ca:a4:ab:8d:e9:51:d9:e2:4c:2c:59:a9:da:b9:
        b2:75:1b:f6:42:f2:ef:c7:f2:18:f9:89:bc:a3:ff:8a:23:2e:
        70:47

--
	Viktor.
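Both threads above turn on the same two validation questions: whether the root that signed the chain is actually in the trust store the verifier consults (the -cp/truststore point in the first thread), and what a self-signed CA certificate needs to carry for a verifier to accept it as an issuer (the keyUsage point in the second). The following program is an added example, not code from either thread or from OpenSSL or WebLogic; it uses Go's standard crypto/x509 library in place of the openssl and WebLogic tools discussed, because it applies the same RFC 3280 rules and runs with no external tooling. It builds a self-signed CA with a chosen Key Usage setting (including none at all, as in the Thawte root quoted above, which carries only Basic Constraints), issues a leaf under it, and validates the leaf against an explicit trust store that either does or does not contain the CA. The CA name and hostname are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

// OID of the X.509v3 Key Usage extension (RFC 3280 section 4.2.1.3).
var oidKeyUsage = asn1.ObjectIdentifier{2, 5, 29, 15}

// issue signs tmpl with priv under parent and parses the result back.
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, priv *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// makeCA builds a self-signed CA. keyUsage 0 omits the extension entirely (as in the Thawte root above).
func makeCA(name string, keyUsage x509.KeyUsage) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true, // "X509v3 Basic Constraints: critical CA:TRUE"
		IsCA:                  true,
		KeyUsage:              keyUsage,
	}
	cert, err := issue(tmpl, tmpl, &key.PublicKey, key) // parent == template: self-signed
	return cert, key, err
}

// makeLeaf issues an end-entity server certificate for host under ca.
func makeLeaf(host string, ca *x509.Certificate, caKey *ecdsa.PrivateKey) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	return issue(tmpl, ca, &key.PublicKey, caKey)
}

// hasKeyUsageExtension reports whether the extension is present at all, whatever bits it sets.
func hasKeyUsageExtension(c *x509.Certificate) bool {
	for _, e := range c.Extensions {
		if e.Id.Equal(oidKeyUsage) {
			return true
		}
	}
	return false
}

// scenario builds a CA with the given keyUsage, issues a leaf under it and validates the leaf
// against an explicit trust store that may or may not contain the CA. Reports whether it validated.
func scenario(caKeyUsage x509.KeyUsage, trustTheRoot bool) (bool, error) {
	const host = "server.example.test" // constructed name, not from the thread
	ca, caKey, err := makeCA("Constructed Test CA", caKeyUsage)
	if err != nil {
		return false, err
	}
	leaf, err := makeLeaf(host, ca, caKey)
	if err != nil {
		return false, err
	}
	roots := x509.NewCertPool() // explicit store; even when empty, system roots are not consulted
	if trustTheRoot {
		roots.AddCert(ca)
	}
	_, err = leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err == nil, nil
}

func main() {
	for _, c := range []struct {
		ku    x509.KeyUsage
		trust bool
	}{{0, true}, {x509.KeyUsageCertSign | x509.KeyUsageCRLSign, true}, {x509.KeyUsageDigitalSignature, true}, {0, false}} {
		ok, err := scenario(c.ku, c.trust)
		fmt.Printf("CA keyUsage bits=%#x rootTrusted=%v -> chain valid=%v err=%v\n", c.ku, c.trust, ok, err)
	}
}
```

The four runs in main show the behaviour a practitioner wants to confirm: a CA with no Key Usage extension at all validates (Basic Constraints CA:TRUE is what the verifier requires), a CA with keyCertSign validates, a CA that does carry the extension but without keyCertSign is rejected as an issuer, and a correctly formed chain still fails when the root is simply absent from the store being consulted, which is the situation to rule out first when the same file verifies under one classpath or truststore and not another.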