Re: Importing Self Signed Cert in Oracle 8i

2001-11-20 Thread Geoff Thorpe

Hi there,

I have no idea what it is that is bothering Oracle 8i about your cert(s) so 
I can simply make guesses here ...

On Tuesday 20 November 2001 02:32, viswanath wrote:
> Here are the differences found
>
> MY CERT                      | VERISIGN
> 1) 1024-bit                  | 1) 512-bit
> 2) serial no. 0              | 2) serial no. 52:a9:f4:24:da:67:4c:9d:af:4f:53:78:52:ab:ef:6e
> 3) has C,L,ST,O,OU,CN        | 3) has O,OU,OU only.
> 4) has the x509 v3 extension | 4) does not have any x509 v3 extensions
>
> What I did was the last differences were removed? but still it did not
> work

You removed all the differences? In particular did you generate a non-v3 
cert?

A quick search on google turned up this;
  http://www-rohan.sdsu.edu/doc/oracle/network803/A54088_01/conc1.htm

which mentions in passing that it doesn't support v3 certs ("for now"). 
There may be other things it doesn't support, but that's one they come 
clean about. :-)


Another difference I noted with a quick scan was that your cert contained 
email addresses - in particular these are encoded as IA5STRING whereas the 
VeriSign one has nothing but PRINTABLESTRINGs. I'd have hoped that wouldn't 
make a difference but you never know - are you able to play around with 
generating a few varieties of certs and importing each in turn to see if 
you can find the difference between "acceptable" and "unacceptable"?

Cheers,
Geoff

__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]



Re: Importing Self Signed Cert in Oracle 8i - PROBLEM SOLVED

2001-11-20 Thread viswanath




I removed all x509 occurrences in openssl.cnf

removed all x509 extensions like CA:true etc from cnf file.

Generated a 512 bit CA key and cert with only O,OU,C.

Was able to import it into Oracle

Also signed a CSR

Able to import user certificate into oracle.

Thanks a lot guys,
especially Geoff Thorpe
and Franck Martin.

bye,
vish.









Re: Importing Self Signed Cert in Oracle 8i

2001-11-19 Thread viswanath

But the self signed certificate that has been generated contains the 
following

X509v3 Basic Constraints:
    CA:TRUE
X509v3 Key Usage:
    Certificate Sign, CRL Sign
Netscape Cert Type:
    SSL CA, S/MIME CA, Object Signing CA

which means that it is a CA certificate.
So what else could be the problem.



Franck Martin wrote:

My guess, is a self signed certificate is not a CA certificate. In your
openssl.cnf file you should see an option like CA=true, which is used only to
sign CA certificate.

Cheers.

Franck Martin
Network and Database Development Officer
SOPAC South Pacific Applied Geoscience Commission
Fiji
E-mail: [EMAIL PROTECTED]
Web site: http://www.sopac.org/
Support FMaps: http://fmaps.sourceforge.net/

This e-mail is intended for its addresses only. Do not forward this e-mail
without approval. The views expressed in this e-mail may not be necessarily
the views of SOPAC.



-Original Message-
From: viswanath [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, 20 November 2001 4:43 
To: openssl users
Subject: Importing Self Signed Cert in Oracle 8i


Hi,
  trying to import self signed cert in Oracle 8i but it is not
accepting it. Error msg given is "Not a trusted certificate".
But it accepted the VeriSign root certificate. So what could be the problem?

thanks,
vish.




Re: Importing Self Signed Cert in Oracle 8i

2001-11-19 Thread Geoff Thorpe

On Tuesday 20 November 2001 00:20, viswanath wrote:
> But the self signed certificate that has been generated contains the
> following
>
> X509v3 Basic Constraints:
>     CA:TRUE
> X509v3 Key Usage:
>     Certificate Sign, CRL Sign
> Netscape Cert Type:
>     SSL CA, S/MIME CA, Object Signing CA
>
> which means that it is a CA certificate.
> So what else could be the problem.

Can you give us a side-by-side of the differences between the CA cert that 
was imported OK and the CA cert you can't get imported? Logic (or a 
first-order approximation thereof) tells me that's where you should find 
your answer ... though of course it could be something like the way the 
strings are encoded rather than the nature of the attributes.

Perhaps openssl asn1parse -i the two and take a look at what kind of 
differences you find?

Cheers,
Geoff





Re: Importing Self Signed Cert in Oracle 8i

2001-11-19 Thread viswanath




Here are the differences found

MY CERT                      | VERISIGN
1) 1024-bit                  | 1) 512-bit
2) serial no. 0              | 2) serial no. 52:a9:f4:24:da:67:4c:9d:af:4f:53:78:52:ab:ef:6e
3) has C,L,ST,O,OU,CN        | 3) has O,OU,OU only.
4) has the x509 v3 extension | 4) does not have any x509 v3 extensions

What I did was the last differences were removed? but still it did not work

The ASN.1 for both certificates, obtained by using openssl asn1parse, is
given below, but not many differences were found:

For verisign certificate:

  0:d=0 hl=4 l= 589 cons: SEQUENCE
 4:d=1 hl=4 l= 503 cons: SEQUENCE
 8:d=2 hl=2 l= 16 prim: INTEGER :52A9F424DA674C9DAF4F537852ABEF6E
 26:d=2 hl=2 l= 13 cons: SEQUENCE
 28:d=3 hl=2 l= 9 prim: OBJECT :md5WithRSAEncryption
 39:d=3 hl=2 l= 0 prim: NULL
 41:d=2 hl=3 l= 169 cons: SEQUENCE
 44:d=3 hl=2 l= 22 cons: SET
 46:d=4 hl=2 l= 20 cons: SEQUENCE
 48:d=5 hl=2 l= 3 prim: OBJECT :organizationName
 53:d=5 hl=2 l= 13 prim: PRINTABLESTRING :VeriSign, Inc
 68:d=3 hl=2 l= 71 cons: SET
 70:d=4 hl=2 l= 69 cons: SEQUENCE
 72:d=5 hl=2 l= 3 prim: OBJECT :organizationalUnitName
 77:d=5 hl=2 l= 62 prim: PRINTABLESTRING :www.verisign.com/repository/TestCPS Incorp. By Ref. Liab. LTD.
 141:d=3 hl=2 l= 70 cons: SET
 143:d=4 hl=2 l= 68 cons: SEQUENCE
 145:d=5 hl=2 l= 3 prim: OBJECT :organizationalUnitName
 150:d=5 hl=2 l= 61 prim: PRINTABLESTRING :For VeriSign authorized testing only. No assurances (C)VS1997
 213:d=2 hl=2 l= 30 cons: SEQUENCE
 215:d=3 hl=2 l= 13 prim: UTCTIME :98060700Z
 230:d=3 hl=2 l= 13 prim: UTCTIME :060606235959Z
 245:d=2 hl=3 l= 169 cons: SEQUENCE
 248:d=3 hl=2 l= 22 cons: SET
 250:d=4 hl=2 l= 20 cons: SEQUENCE
 252:d=5 hl=2 l= 3 prim: OBJECT :organizationName
 257:d=5 hl=2 l= 13 prim: PRINTABLESTRING :VeriSign, Inc
 272:d=3 hl=2 l= 71 cons: SET
 274:d=4 hl=2 l= 69 cons: SEQUENCE
 276:d=5 hl=2 l= 3 prim: OBJECT :organizationalUnitName
 281:d=5 hl=2 l= 62 prim: PRINTABLESTRING :www.verisign.com/repository/TestCPS Incorp. By Ref. Liab. LTD.
 345:d=3 hl=2 l= 70 cons: SET
 347:d=4 hl=2 l= 68 cons: SEQUENCE
 349:d=5 hl=2 l= 3 prim: OBJECT :organizationalUnitName
 354:d=5 hl=2 l= 61 prim: PRINTABLESTRING :For VeriSign authorized testing only. No assurances (C)VS1997
 417:d=2 hl=2 l= 92 cons: SEQUENCE
 419:d=3 hl=2 l= 13 cons: SEQUENCE
 421:d=4 hl=2 l= 9 prim: OBJECT :rsaEncryption
 432:d=4 hl=2 l= 0 prim: NULL
 434:d=3 hl=2 l= 75 prim: BIT STRING
 511:d=1 hl=2 l= 13 cons: SEQUENCE
 513:d=2 hl=2 l= 9 prim: OBJECT :md5WithRSAEncryption
 524:d=2 hl=2 l= 0 prim: NULL
 526:d=1 hl=2 l= 65 prim: BIT STRING

For my certificate:

0:d=0 hl=4 l= 875 cons: SEQUENCE 
 4:d=1 hl=4 l= 724 cons: SEQUENCE 
 8:d=2 hl=2 l= 3 cons: cont [ 0 ] 
 10:d=3 hl=2 l= 1 prim: INTEGER :02 
 13:d=2 hl=2 l= 1 prim: INTEGER :00 
 16:d=2 hl=2 l= 13 cons: SEQUENCE 
 18:d=3 hl=2 l= 9 prim: OBJECT :md5WithRSAEncryption
 29:d=3 hl=2 l= 0 prim: NULL 
 31:d=2 hl=3 l= 134 cons: SEQUENCE 
 34:d=3 hl=2 l= 11 cons: SET 
 36:d=4 hl=2 l= 9 cons: SEQUENCE 
 38:d=5 hl=2 l= 3 prim: OBJECT :countryName
 43:d=5 hl=2 l= 2 prim: PRINTABLESTRING :IN
 47:d=3 hl=2 l= 20 cons: SET 
 49:d=4 hl=2 l= 18 cons: SEQUENCE 
 51:d=5 hl=2 l= 3 prim: OBJECT :stateOrProvinceName
 56:d=5 hl=2 l= 11 prim: PRINTABLESTRING :MAHARASHTRA
 69:d=3 hl=2 l= 15 cons: SET 
 71:d=4 hl=2 l= 13 cons: SEQUENCE 
 73:d=5 hl=2 l= 3 prim: OBJECT :localityName
 78:d=5 hl=2 l= 6 prim: PRINTABLESTRING :MUMBAI 
 86:d=3 hl=2 l= 12 cons: SET 
 88:d=4 hl=2 l= 10 cons: SEQUENCE 
 90:d=5 hl=2 l= 3 prim: OBJECT :organizationName
 95:d=5 hl=2 l= 3 prim: PRINTABLESTRING :TCS
 100:d=3 hl=2 l= 12 cons: SET 
 102:d=4 hl=2 l= 10 cons: SEQUENCE 
 104:d=5 hl=2 l= 3 prim: OBJECT :organizationalUnitName
 109:d=5 hl=2 l= 3 prim: PRINTABLESTRING :CSP
 114:d=3 hl=2 l= 15 cons: SET 
 116:d=4 hl=2 l= 13 cons: SEQUENCE 
 118:d=5 hl=2 l= 3 prim: OBJECT :commonName
 123:d=5 hl=2 l= 6 prim: PRINTABLESTRING :KMS CA 
 131:d=3 hl=2 l= 35 cons: SET 
 133:d=4 hl=2 l= 33 cons: SEQUENCE 
 135:d=5 hl=2 l= 9 prim: OBJECT :emailAddress
 146:d=5 hl=2 l= 20 prim: IA5STRING :[EMAIL PROTECTED]
 168:d=2 hl=2 l= 30 cons: SEQUENCE 
 170:d=3 hl=2 l= 13 prim: UTCTIME :011109062441Z
 185:d=3 hl=2 l= 13 prim: UTCTIME :040805062441Z
 200:d=2 hl=3 l= 134 cons: SEQUENCE 
 203:d=3 hl=2 l= 11 cons: SET 
 205:d=4 hl=2 l= 9 cons: SEQUENCE 
 207:d=5 hl=2 l= 3 prim: OBJECT :countryName
 212:d=5 hl=2 l= 2 prim: PRINTABLESTRING :IN
216:d=3 hl=2 l= 20 cons: SET
 218:d=4 hl=2 l= 18 cons: SEQUENCE
 220:d=5 hl=2 l= 3 prim: OBJECT :stateOrProvinceName
 225:d=5 hl=2 l= 11 prim: PRINTABLESTRING :MAHARASHTRA
 238:d=3 hl=2 l= 15 cons: SET
 240:d=4 hl=2 l= 13 cons: SEQUENCE
 242:d=5 hl=2 l= 3 prim: OBJECT :localityName
 247:d=5 hl=2 l= 6 prim: PRINTABLESTRING :MUMBAI
 255:d=3 hl=2 l= 12 cons: SET
 257:d=4 hl=2 l= 10 cons: SEQUENCE
 259:d=5 hl=2 l= 3 prim: OBJECT :organizationName
 264:d=5 hl=2 l= 3 prim: PRINTABLESTRING :TCS
 269:d=3 hl=2 l= 12 cons: SET
 271:d=4 hl=2 l= 10 cons: SEQUENCE
 273:d=5 hl=2 l= 3 prim: OBJECT 
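
Added example (not part of the thread or of OpenSSL): a small parser for `openssl asn1parse` text output that produces the side-by-side comparison discussed in this thread, reporting certificate version, presence of v3 extensions, and the string type used for each name attribute. The function names are hypothetical; the sample input is abridged from the two dumps above, and its `cont [ 3 ]` line is constructed because the posted dump is cut off before the extensions.

```python
import re

# One line of `openssl asn1parse` text output: offset:d=depth hl=.. l=.. prim|cons: TAG[:value]
LINE = re.compile(r"^\s*\d+:d=\s*(\d+)\s+hl=\s*\d+\s+l=\s*\d+\s+(?:prim|cons):\s*(.*)$")
DN_STRING_TAGS = {"PRINTABLESTRING", "IA5STRING", "UTF8STRING", "T61STRING", "BMPSTRING"}
# Abridged from the two dumps in the thread. The "cont [ 3 ]" line is constructed:
# the posted dump ends before the extensions the poster says the cert carries.
MY_CERT = """
    8:d=2 hl=2 l= 3 cons: cont [ 0 ]
   10:d=3 hl=2 l= 1 prim: INTEGER :02
   13:d=2 hl=2 l= 1 prim: INTEGER :00
   90:d=5 hl=2 l= 3 prim: OBJECT :organizationName
   95:d=5 hl=2 l= 3 prim: PRINTABLESTRING :TCS
  135:d=5 hl=2 l= 9 prim: OBJECT :emailAddress
  146:d=5 hl=2 l= 20 prim: IA5STRING :[EMAIL PROTECTED]
  607:d=2 hl=2 l= 121 cons: cont [ 3 ]
"""
VERISIGN = """
    8:d=2 hl=2 l= 16 prim: INTEGER :52A9F424DA674C9DAF4F537852ABEF6E
   48:d=5 hl=2 l= 3 prim: OBJECT :organizationName
   53:d=5 hl=2 l= 13 prim: PRINTABLESTRING :VeriSign, Inc
  145:d=5 hl=2 l= 3 prim: OBJECT :organizationalUnitName
  150:d=5 hl=2 l= 61 prim: PRINTABLESTRING :For VeriSign authorized testing only. No assurances (C)VS1997
"""

def parse(dump):  # -> list of (depth, tag, value); non-matching lines are skipped
    nodes = []
    for line in dump.splitlines():
        m = LINE.match(line)
        if m:
            tag, _, value = m.group(2).partition(":")
            nodes.append((int(m.group(1)), " ".join(tag.split()), value.strip()))
    return nodes

def summarize(dump):
    nodes = parse(dump)
    version, attrs = 1, []  # v1 certs omit the [0] version field; issuer and subject are merged
    for i, (depth, tag, value) in enumerate(nodes):
        prev = nodes[i - 1] if i else None
        if prev and prev[:2] == (2, "cont [ 0 ]") and tag == "INTEGER":
            version = int(value, 16) + 1      # encoded 02 means X.509 v3
        if prev and prev[1] == "OBJECT" and tag in DN_STRING_TAGS:
            attrs.append((prev[2], tag))      # (attribute name, string encoding)
    return {"version": version, "attributes": sorted(set(attrs)),
            "extensions": any(n[:2] == (2, "cont [ 3 ]") for n in nodes)}

def differences(dump_a, dump_b):
    sa, sb = summarize(dump_a), summarize(dump_b)
    return {key: (sa[key], sb[key]) for key in sa if sa[key] != sb[key]}
```

To use it on real certificates, pass the captured text of `openssl asn1parse -in cert.pem` for each certificate to `differences()`.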

RE: Importing Self Signed Cert in Oracle 8i

2001-11-19 Thread Franck Martin

My guess, is a self signed certificate is not a CA certificate. In your
openssl.cnf file you should see an option like CA=true, which is used only to
sign CA certificate.

Cheers.

Franck Martin
Network and Database Development Officer
SOPAC South Pacific Applied Geoscience Commission
Fiji
E-mail: [EMAIL PROTECTED]
Web site: http://www.sopac.org/
Support FMaps: http://fmaps.sourceforge.net/

This e-mail is intended for its addresses only. Do not forward this e-mail
without approval. The views expressed in this e-mail may not be necessarily
the views of SOPAC.



-Original Message-
From: viswanath [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, 20 November 2001 4:43 
To: openssl users
Subject: Importing Self Signed Cert in Oracle 8i


Hi,
  trying to import self signed cert in Oracle 8i but it is not
accepting it. Error msg given is "Not a trusted certificate".
But it accepted the VeriSign root certificate. So what could be the problem?

thanks,
vish.
