Re: Windows Certificate Store with OpenSSL Certificate

Sorry for this late reply; I have been otherwise busy for some time.

Yes, I did this via Server 2008 R2. What I actually did was to add the certificate via Group Policy, so it was automatically propagated to the trusted CA store on all computers in the domain (including Windows 2000/XP/2003/Vista/2008/Win7/2008R2).

Specifically, I started Group Policy Management (on a 2008R2 DC), navigated to Forest: our.domain, Domains, our.domain, Group Policy Objects, Default Domain Policy, right clicked to Edit. Then in the Group Policy Management Editor, I navigated to Computer Configuration, Policies, Windows Settings, Security Settings, Public Key Policies, Trusted Root Certification Authorities, right clicked the (initially blank) right pane and chose Import.

As for the general safety of data stored in group policies on a Windows DC, I will leave it to others to speculate, but once you are using that DC to authenticate access to all your computers anyway, any doubts about its safety are mostly moot.

However, just in case, I keep read-only copies of the certificate (as an ordinary PEM format file) on a file server, so I can easily import it into programs that don't use the MS certificate store, such as OpenSSL and Mozilla, on any machine with access to the network. I also made that file available on a hidden https URL that uses a commonly trusted public CA for its certificate, to provide a way to securely bootstrap off-site laptops into trusting our private certificates.

Have fun,

On 08-09-2010 04:42, Mohan Radhakrishnan wrote:
> [...]

__
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org
Windows Certificate Store with OpenSSL Certificate
Hi,

When I install my self-signed certificate into the 'Certificate Store' of Windows 2008, if I select 'Automatically select the certificate store based on the type of certificate', the self-signed certificate ends up in 'Intermediate Certification Authorities', not 'Trusted Root Certification Authorities'.

How can I create a self-signed certificate with the correct certificate TYPE?

Regards,
Dongsheng
Re: Windows Certificate Store with OpenSSL Certificate
Dongsheng,

One solution is to manually specify the location to install the certificate. This will pop up a dialog box with a list of all the certificate stores that are available, and from here you can select Trusted Root Certificate. As far as tweaking your certificate so that it looks like a root certificate to Windows, I'm afraid I don't have an answer, but at least in the meantime this will get you by.

Hope this helps!
-Sam

On Tue, Sep 7, 2010 at 2:59 AM, Dongsheng Song dongsheng.s...@gmail.com wrote:
> [...]

--
Sam Jantz
Software Engineer
Re: Windows Certificate Store with OpenSSL Certificate
On 07-09-2010 09:59, Dongsheng Song wrote:
> [...]

Note that this did NOT happen with the self-signed CA root cert that I created with openssl (via a GUI front end) for our internal network CA (used for such boring tasks as SSL certificates for domain controllers etc.). It has the following attributes (anonymised here):

    Certificate:
        Data:
            Version: 3 (0x2)
            Serial Number: f8:dd:1a:38:49:01:61:a4
            Signature Algorithm: sha1WithRSAEncryption
            Issuer: C=XX, L=Somecity, O=OurCompany, CN=OurCompany Inc.
            Validity
                Not Before: Apr 19 18:41:02 2010 GMT
                Not After : Apr 16 18:41:02 2020 GMT
            Subject: C=XX, L=Somecity, O=OurCompany, CN=OurCompany Inc.
            Subject Public Key Info:
                Public Key Algorithm: rsaEncryption
                RSA Public Key: (4096 bit)
                    Modulus (4096 bit): (Omitted)
                    Exponent: 65537 (0x10001)
            X509v3 extensions:
                X509v3 Subject Key Identifier:
                    9E:37:BE:96:A4:55:F4:B9:6A:27:85:0F:F8:A2:6F:EE:E4:3D:B4:35
                X509v3 Authority Key Identifier:
                    keyid:9E:37:BE:96:A4:55:F4:B9:6A:27:85:0F:F8:A2:6F:EE:E4:3D:B4:35
                    DirName:/C=XX/L=Somecity/O=OurCompany/CN=OurCompany Inc.
                    serial:F8:DD:1A:38:49:01:61:A4
                X509v3 Basic Constraints: critical
                    CA:TRUE
                Netscape Cert Type:
                    SSL CA, S/MIME CA, Object Signing CA
                X509v3 Issuer Alternative Name:
                    EMPTY
                Netscape Comment:
                    WiseMo Internal CA
                Netscape CA Revocation Url:
                    https://SomeInternalServer/somename.crl
                Netscape Revocation Url:
                    https://SomeInternalServer/somename.crl
                X509v3 Key Usage: critical
                    Certificate Sign, CRL Sign
        Signature Algorithm: sha1WithRSAEncryption
            (omitted)
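An added example (not from the thread or from any poster): it rebuilds the extension profile of the anonymised dump above with openssl(1) and then checks the properties that make a certificate its own root rather than an intermediate: subject equal to issuer, critical CA:TRUE, an AKI key id equal to the SKI, and a signature that verifies under the certificate's own key. The config layout, scratch directory and file names are assumptions, and it uses SHA-256 instead of the SHA-1 in the dump.

```shell
#!/bin/sh
# Added example, not from the thread: build a self-signed root CA with the same
# X509v3 extension profile as the anonymised dump above, then check the
# properties that mark it as a root. Assumes openssl(1) 1.1.1 or newer on PATH.
WORK=${WORK:-$(mktemp -d)}          # scratch dir (placeholder location)
CA_CONF="$WORK/ca.cnf"; CA_KEY="$WORK/ca.key"; CA_CRT="$WORK/ca.crt"

# SKI, AKI (keyid + issuer/serial), critical CA:TRUE, critical keyCertSign/cRLSign.
cat > "$CA_CONF" <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions    = v3_ca
prompt             = no
[ dn ]
C  = XX
L  = Somecity
O  = OurCompany
CN = OurCompany Inc.
[ v3_ca ]
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always,issuer:always
basicConstraints       = critical,CA:TRUE
keyUsage               = critical,keyCertSign,cRLSign
EOF

make_root_ca() {
  # 4096-bit RSA key plus a 10-year self-signed cert in one step (SHA-256, not SHA-1).
  openssl req -x509 -newkey rsa:4096 -nodes -days 3650 -sha256 \
    -config "$CA_CONF" -keyout "$CA_KEY" -out "$CA_CRT" 2>/dev/null
}

# Value line of an "-ext" dump, whitespace and any "keyid:" label removed.
ext_value() {
  openssl x509 -in "$1" -noout -ext "$2" | sed -n '2p' | tr -d ' \t' | sed 's/^keyid://'
}

# Returns 0 only if subject == issuer, CA:TRUE is set, the AKI key id equals
# the SKI and the signature verifies under the certificate's own public key.
check_root_ca() {
  cert=$1
  subj=$(openssl x509 -in "$cert" -noout -subject | sed 's/^subject=//')
  iss=$(openssl x509 -in "$cert" -noout -issuer | sed 's/^issuer=//')
  [ "$subj" = "$iss" ] || return 1
  openssl x509 -in "$cert" -noout -ext basicConstraints | grep -q 'CA:TRUE' || return 1
  [ "$(ext_value "$cert" subjectKeyIdentifier)" = "$(ext_value "$cert" authorityKeyIdentifier)" ] || return 1
  openssl verify -CAfile "$cert" "$cert" >/dev/null 2>&1
}

make_root_ca && check_root_ca "$CA_CRT" && echo "root CA profile OK: $CA_CRT"
```

`openssl x509 -in "$CA_CRT" -noout -text` then shows the same extension block as the dump above, which is what to compare against a certificate that keeps landing in the intermediate store.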
Re: Windows Certificate Store with OpenSSL Certificate
Are you testing with 2008/Win7? My self-signed certificate automatically goes to 'Trusted Root Certification Authorities' on XP/2k3 boxes, but not on a 2008 box.

If the answer is 'YES', could you share the configuration? I compared my self-signed certificate with the Microsoft 2010 ROOT CA and found no valuable difference.

Thanks,
Dongsheng

On Wed, Sep 8, 2010 at 01:59, Jakob Bohm jb-open...@wisemo.com wrote:
> [...]
Re: Windows Certificate Store with OpenSSL Certificate
Hi,

I have a question. Is this the Windows native store for CA certificates? Which MS help doc are you referring to? We want a secure storage facility for all our certificates, but we don't want to buy a separate product.

Thanks,
Mohan

On Wed, Sep 8, 2010 at 5:10 AM, Dongsheng Song dongsheng.s...@gmail.com wrote:
> [...]