Re: Generating a smime certificate
On Monday 28 May 2007 17:34, Marek Marcola wrote: > Hello, > > > However, there's something else I noticed. In index.txt I have an entry > > field that says "unknown": > > > > V 080527095411Z 01 unknown /C=GB/ST=... > > > > Do you know how this is can be edited/where is it being red from? > > Look at: > > http://www.nabble.com/Database-file-structure-tf3810867.html Thank you very much for all your help! Now, if I could only make Kmail to work with smime ;) -- Regards, Mick pgpyvEA4QcnfW.pgp Description: PGP signature
Re: Generating a smime certificate
Hello, > However, there's something else I noticed. In index.txt I have an entry > field > that says "unknown": > > V 080527095411Z 01 unknown /C=GB/ST=... > > Do you know how this is can be edited/where is it being red from? Look at: http://www.nabble.com/Database-file-structure-tf3810867.html Best regards, -- Marek Marcola <[EMAIL PROTECTED]> __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: Generating a smime certificate
On Sunday 27 May 2007 23:40, Marek Marcola wrote: > When issuing certificate you will see certificate details > with (or without :-) keyUsage information: > > $ openssl ca -config openssl.cnf -in req.pem Thank you Marek! Using openssl ca with -verbose did all sort of checks and was quite informative. I was not adding a Company Name (I though that it was not required) and that was clashing with the ca cert. It seems that changing this to be the same with the ca cert made all the difference. Now I have all the extensions I need. :) However, there's something else I noticed. In index.txt I have an entry field that says "unknown": V 080527095411Z 01 unknown /C=GB/ST=... Do you know how this is can be edited/where is it being red from? -- Regards, Mick pgp3aXfIAfkBu.pgp Description: PGP signature
Re: Generating a smime certificate
Hello, > On Saturday 26 May 2007 21:38, Victor Duchovni wrote: > > On Sat, May 26, 2007 at 10:11:08PM +0200, Marek Marcola wrote: > > > $ openssl x509 -in cert.pem -text -noout > > > . > > > . > > > X509v3 extensions: > > > X509v3 Basic Constraints: > > > CA:FALSE > > > X509v3 Key Usage: > > > Digital Signature, Non Repudiation, Key Encipherment > > > . > > > > Perhaps a mini-ca will help. See "ca.sh", "cert.sh" and "openssl.cnf" > > used as follows: > [snip] > > Thanks Victor, > > Can you see anything amiss with my attached openssl.cnf? Your openssl.cnf looks good, but to get certificate with keyUsage you must issue new certificate and then check for extensions. This file is only consulted when issuing certificate. When issuing certificate you will see certificate details with (or without :-) keyUsage information: $ openssl ca -config openssl.cnf -in req.pem Using configuration from openssl.cnf Enter pass phrase for /some/path/cakey.pem: Check that the request matches the signature Signature ok Certificate Details: X509v3 extensions: X509v3 Basic Constraints: CA:FALSE X509v3 Key Usage: Digital Signature, Non Repudiation, Key Encipherment, Key Agreement Certificate is to be certified until May 26 22:37:53 2008 GMT (365 days) Sign the certificate? [y/n]: Best regards, -- Marek Marcola <[EMAIL PROTECTED]> __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: Generating a smime certificate
On Sunday 27 May 2007 03:38, Victor Duchovni wrote: > On Sun, May 27, 2007 at 12:13:38AM +0100, Mick wrote: > > On Saturday 26 May 2007 21:38, Victor Duchovni wrote: > > > On Sat, May 26, 2007 at 10:11:08PM +0200, Marek Marcola wrote: > > > > $ openssl x509 -in cert.pem -text -noout > > > > . > > > > . > > > > X509v3 extensions: > > > > X509v3 Basic Constraints: > > > > CA:FALSE > > > > X509v3 Key Usage: > > > > Digital Signature, Non Repudiation, Key Encipherment > > > > . > > > > > > Perhaps a mini-ca will help. See "ca.sh", "cert.sh" and "openssl.cnf" > > > used as follows: > > > > [snip] > > > > Thanks Victor, > > > > Can you see anything amiss with my attached openssl.cnf? > > Sorry, for me openssl.cnf is a write-only interface... Perhaps someone > else can help you. I find the files easier to write than read. Just a clarification: my user certificate has no x509v3 extensions as I mentioned in a previous message; on the other hand my CA certificate has the following extensions: = [snip...] X509v3 extensions: X509v3 Subject Key Identifier: 3B:9A:F7:7D:8D:15:F2:5C:88:82:D8:C2:00:F2:7C:77:41:CD:79:AF X509v3 Authority Key Identifier: keyid:3B:9A:F7:7D:8D:15:F2:5C:88:82:D8:C2:00:F2:7C:77:41:CD:79:AF DirName: [snip...] serial:9A:32:DA:E9:94:87:E4:CD X509v3 Basic Constraints: CA:TRUE Signature Algorithm: sha1WithRSAEncryption = There's no keyUsage in there. In my openssl.cnf I see this para which has been commented out: = # Key usage: this is typical for a CA certificate. However since it will # prevent it being used as an test self-signed certificate it is best # left out by default. # keyUsage = cRLSign, keyCertSign = Is this significant, or related to my problem of getting all these errors in Kmail and gpgsm with the user certificates? -- Regards, Mick pgp2iNeK4PfbX.pgp Description: PGP signature
Re: Generating a smime certificate
On Sun, May 27, 2007 at 12:13:38AM +0100, Mick wrote: > On Saturday 26 May 2007 21:38, Victor Duchovni wrote: > > On Sat, May 26, 2007 at 10:11:08PM +0200, Marek Marcola wrote: > > > $ openssl x509 -in cert.pem -text -noout > > > . > > > . > > > X509v3 extensions: > > > X509v3 Basic Constraints: > > > CA:FALSE > > > X509v3 Key Usage: > > > Digital Signature, Non Repudiation, Key Encipherment > > > . > > > > Perhaps a mini-ca will help. See "ca.sh", "cert.sh" and "openssl.cnf" > > used as follows: > [snip] > > Thanks Victor, > > Can you see anything amiss with my attached openssl.cnf? > Sorry, for me openssl.cnf is a write-only interface... Perhaps someone else can help you. I find the files easier to write than read. -- Viktor. __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: Generating a smime certificate
On Saturday 26 May 2007 21:38, Victor Duchovni wrote:
> On Sat, May 26, 2007 at 10:11:08PM +0200, Marek Marcola wrote:
> > $ openssl x509 -in cert.pem -text -noout
> > .
> > .
> > X509v3 extensions:
> > X509v3 Basic Constraints:
> > CA:FALSE
> > X509v3 Key Usage:
> > Digital Signature, Non Repudiation, Key Encipherment
> > .
>
> Perhaps a mini-ca will help. See "ca.sh", "cert.sh" and "openssl.cnf"
> used as follows:
[snip]
Thanks Victor,
Can you see anything amiss with my attached openssl.cnf?
--
Regards,
Mick
#
# OpenSSL example configuration file.
# This is mostly being used for generation of certificate requests.
#
# This definition stops the following lines choking if HOME isn't
# defined.
HOME = .
RANDFILE = $ENV::HOME/.rnd
# Extra OBJECT IDENTIFIER info:
#oid_file = $ENV::HOME/.oid
oid_section = new_oids
# To use this configuration file with the "-extfile" option of the
# "openssl x509" utility, name here the section containing the
# X.509v3 extensions to use:
# extensions =
# (Alternatively, use a configuration file that has only
# X.509v3 extensions in its main [= default] section.)
[ new_oids ]
# We can add new OIDs in here for use by 'ca' and 'req'.
# Add a simple OID like this:
# testoid1=1.2.3.4
# Or use config file substitution like this:
# testoid2=${testoid1}.5.6
[ ca ]
default_ca = CA_default # The default ca section
[ CA_default ]
#dir = ./demoCA # Where everything is kept
dir = .
certs = $dir/certs # Where the issued certs are kept
crl_dir = $dir/crl # Where the issued crl are kept
database = $dir/index.txt # database index file.
#unique_subject = no # Set to 'no' to allow creation of
# several ctificates with same subject.
new_certs_dir = $dir/newcerts # default place for new certs.
certificate = $dir/cacert.pem # The CA certificate
serial = $dir/serial # The current serial number
crlnumber = $dir/crlnumber # the current crl number
# must be commented out to leave a V1 CRL
crl = $dir/crl.pem # The current CRL
private_key = $dir/private/cakey.pem # The private key
RANDFILE = $dir/private/.rand # private random number file
x509_extensions = usr_cert # The extentions to add to the cert
# Comment out the following two lines for the "traditional"
# (and highly broken) format.
name_opt = ca_default # Subject Name options
cert_opt = ca_default # Certificate field options
# Extension copying option: use with caution.
# copy_extensions = copy
# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
# so this is commented out by default to leave a V1 CRL.
# crlnumber must also be commented out to leave a V1 CRL.
# crl_extensions = crl_ext
default_days = 365 # how long to certify for
default_crl_days= 30 # how long before next CRL
default_md = sha1 # which md to use.
preserve = no # keep passed DN ordering
# A few difference way of specifying how similar the request should look
# For type CA, the listed attributes must be the same, and the optional
# and supplied fields are just that :-)
policy = policy_match
# For the CA policy
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
# For the 'anything' policy
# At this point in time, you must list all acceptable 'object'
# types.
[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ req ]
default_bits = 2048
default_keyfile = privkey.pem
distinguished_name = req_distinguished_name
attributes = req_attributes
x509_extensions = v3_ca # The extentions to add to the self signed cert
# Passwords for private keys if not present they will be prompted for
# input_password = secret
# output_password = secret
# This sets a mask for permitted string types. There are several options.
# default: PrintableString, T61String, BMPString.
# pkix : PrintableString, BMPString.
# utf8only: only UTF8Strings.
# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
# MASK: a literal mask value.
# WARNING: current versions of Netscape crash on BMPStrings or UTF8Strings
# so use this option with caution!
string_mask = nombstr
# req_extensions = v3_req # The extensions to add to a certificate request
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = AU
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = Some-State
localityName = Locality Name (eg, city)
0.organizationName = Organization N
Re: Generating a smime certificate
On Saturday 26 May 2007 21:11, Marek Marcola wrote: > > Check that you really have proper extensions in certificate: > > $ openssl x509 -in cert.pem -text -noout > . > . > X509v3 extensions: > X509v3 Basic Constraints: > CA:FALSE > X509v3 Key Usage: > Digital Signature, Non Repudiation, Key Encipherment > . > . OK, I don't have any X509v3 extensions! Would these be created by default? I haven't really altered my default openssl.cnf to any extent and definitely not commented out any parts of it. -- Regards, Mick pgpyDWY6k97wC.pgp Description: PGP signature
Re: Generating a smime certificate
On Sat, May 26, 2007 at 10:11:08PM +0200, Marek Marcola wrote: > $ openssl x509 -in cert.pem -text -noout > . > . > X509v3 extensions: > X509v3 Basic Constraints: > CA:FALSE > X509v3 Key Usage: > Digital Signature, Non Repudiation, Key Encipherment > . Perhaps a mini-ca will help. See "ca.sh", "cert.sh" and "openssl.cnf" used as follows: $ ./ca.sh rsa 2048 Generating RSA private key, 2048 bit long modulus .+++ +++ e is 65537 (0x10001) Using configuration from ca.cnf Check that the request matches the signature Signature ok The Subject's Distinguished Name is as follows countryName :PRINTABLE:'US' stateOrProvinceName :PRINTABLE:'New York' localityName :PRINTABLE:'New York' organizationName :PRINTABLE:'Example Corp' commonName:PRINTABLE:'Insecure CA' emailAddress :IA5STRING:'[EMAIL PROTECTED]' Certificate is to be certified until May 26 20:22:33 2017 GMT (3653 days) Write out database with 1 new entries Data Base Updated $ ./cert.sh rsa 1024 Generating RSA private key, 1024 bit long modulus ..++ ..++ e is 65537 (0x10001) Using configuration from ca.cnf DEBUG[load_index]: unique_subject = "no" Check that the request matches the signature Signature ok The Subject's Distinguished Name is as follows countryName :PRINTABLE:'US' stateOrProvinceName :PRINTABLE:'New York' localityName :PRINTABLE:'New York' organizationName :PRINTABLE:'Example Corp' organizationalUnitName:PRINTABLE:'Marketing Department' commonName:PRINTABLE:'mktg.example.com' emailAddress :IA5STRING:'[EMAIL PROTECTED]' Certificate is to be certified until May 25 20:22:59 2008 GMT (365 days) Write out database with 1 new entries Data Base Updated To tweak the subject names, ... of the CA and issued cert, edit the names at the top of openssl.cnf: [ cert_distinguished_name ] countryName = US stateOrProvinceName = New York localityName= New York organizationName= Example Corp organizationalUnitName = Marketing Department commonName = mktg.example.com emailAddress= [EMAIL PROTECTED] [ ca_distinguished_name ] countryName = US stateOrProvinceName = New York localityName= New York organizationName= Example Corp commonName = Insecure CA emailAddress= [EMAIL PROTECTED] the rest should not need tweaks. The cert in myCA/rsacert.pem looks like this: ... X509v3 extensions: X509v3 Basic Constraints: critical CA:FALSE X509v3 Key Usage: Digital Signature, Key Encipherment X509v3 Extended Key Usage: TLS Web Server Authentication, TLS Web Client Authentication X509v3 Subject Key Identifier: B1:54:85:D9:40:45:30:E1:E2:2C:9B:D8:BC:A8:93:EE:61:B8:19:A5 X509v3 Authority Key Identifier: keyid:36:95:DB:50:85:3A:2F:1E:A8:34:EB:ED:C2:C6:34:F9:4B:38:28:8 E DirName:/C=US/ST=New York/L=New York/O=Example Corp/CN=Insecure CA/[EMAIL PROTECTED] serial:EE:05:5D:8D:9F:D7:56:72 ... -- Viktor. ca.sh Description: Bourne shell script cert.sh Description: Bourne shell script newkey.sh Description: Bourne shell script [ cert_distinguished_name ] countryName = US stateOrProvinceName = New York localityName= New York organizationName= Example Corp organizationalUnitName = Marketing Department commonName = mktg.example.com emailAddress= [EMAIL PROTECTED] [ ca_distinguished_name ] countryName = US stateOrProvinceName = New York localityName= New York organizationName= Example Corp commonName = Insecure CA emailAddress= [EMAIL PROTECTED] [ ca ] default_ca = req # The default ca section [ policy_match ] countryName = match stateOrProvinceName = match localityName= match organizationName= match organizationalUnitName = optional commonName = supplied emailAddress= optional [ ca_cert ] basicConstraints= critical,CA:true subjectKeyIdentifier= hash # this first authorityKeyIdentifier = keyid:always, issuer:always # and now this [ usr_cert ] basicConstraints= critical,CA:false keyUsage= digitalSignature, keyEncipherment extendedKeyUsage= serverAuth, clien
Re: Generating a smime certificate
Hello, > On Saturday 26 May 2007 19:55, Marek Marcola wrote: > > Hello, > > > > Some mail systems (eg Lotus Notes) requires proper extensions in > > certificates. Certificates without this extensions are not > > treated as candidates for signing/encryption. > > With default configuration OpenSSL certificates > > are created without extensions for signing and encryption. > > To change this remove comment from line: > > keyUsage = nonRepudiation, digitalSignature, keyEncipherment > > from proper section of openssl.cnf file and generate > > new certificate and check if this works. > > Thanks Marek, > > I uncommented the line from the section [ usr_cert ] and also checked that > the > same line was uncommented under the section [ v3_req ]. However, I am > getting the same error. :( > > This is so frustrating. > > Anything else I could check? Check that you really have proper extensions in certificate: $ openssl x509 -in cert.pem -text -noout . . X509v3 extensions: X509v3 Basic Constraints: CA:FALSE X509v3 Key Usage: Digital Signature, Non Repudiation, Key Encipherment . . Best regards, -- Marek Marcola <[EMAIL PROTECTED]> __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: Generating a smime certificate
On Saturday 26 May 2007 19:55, Marek Marcola wrote: > Hello, > > Some mail systems (eg Lotus Notes) requires proper extensions in > certificates. Certificates without this extensions are not > treated as candidates for signing/encryption. > With default configuration OpenSSL certificates > are created without extensions for signing and encryption. > To change this remove comment from line: > keyUsage = nonRepudiation, digitalSignature, keyEncipherment > from proper section of openssl.cnf file and generate > new certificate and check if this works. Thanks Marek, I uncommented the line from the section [ usr_cert ] and also checked that the same line was uncommented under the section [ v3_req ]. However, I am getting the same error. :( This is so frustrating. Anything else I could check? -- Regards, Mick pgptfliThZJR9.pgp Description: PGP signature
Re: Generating a smime certificate
Hello, Some mail systems (eg Lotus Notes) requires proper extensions in certificates. Certificates without this extensions are not treated as candidates for signing/encryption. With default configuration OpenSSL certificates are created without extensions for signing and encryption. To change this remove comment from line: keyUsage = nonRepudiation, digitalSignature, keyEncipherment from proper section of openssl.cnf file and generate new certificate and check if this works. Best regards, -- Marek Marcola <[EMAIL PROTECTED]> __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Generating a smime certificate
Hi All, I have been trying for some time now to generate a smime certificate that works in Kmail. Unfortunately, when I import it it shows some kind of error with certain extensions: = keyType: 4096 bit RSA subjKeyId: [?] authKeyId: [?] keyUsage: [error: No value] extKeyUsage: [none] policies: [none] chainLength: [error: No value] crlDP: [error] authInfo: [error] subjInfo: [error] = As a result of the above I cannot set it to be used with the respective email account in Kmail (I suspect that this is because of the keyUsage error). gpgsm -k shows: key usage: [error: No value] chain length: [error: No value] When I look at the certificate that I used to generate the pkcs12 bundle, I see this: = No Trusted Uses. No Rejected Uses. Certificate purposes: SSL client : Yes SSL client CA : No SSL server : Yes SSL server CA : No Netscape SSL server : Yes Netscape SSL server CA : No S/MIME signing : Yes S/MIME signing CA : No S/MIME encryption : Yes S/MIME encryption CA : No CRL signing : Yes CRL signing CA : No Any Purpose : Yes Any Purpose CA : Yes OCSP helper : Yes OCSP helper CA : No = Is keyUsage and -purpose two different things? Firefox does not seem to have a problem with this pkcs12 file and it recognises all the 'use' flags. I am at a loss as to why this happens. Can you please suggest ways for troubleshooting it? -- Regards, Mick pgpHhANzYl8Ca.pgp Description: PGP signature
