Re: X.509 certificate overview + status
Travis wrote:
> Recently I set up certificates for my server's SSL, SMTP, IMAP, XMPP,
> and OpenVPN services. Actually, I created my own CA for some of the
> certificates, and in other cases I used self-signed.

<plug>
BTW, we give away free certificates for XMPP services here:

http://xmpp.org/ca/

The root CA is StartCom, which is accepted in Mozilla, OS X, and various other cert stores. I've noticed that these certs are becoming quite popular on the XMPP network (plus, they result in none of those cert warnings that scare off normal users).
</plug>

Peter

--
Peter Saint-Andre
https://stpeter.im/
Re: X.509 certificate overview + status
On Mon, 2 Mar 2009 17:35, marcus.brinkm...@ruhr-uni-bochum.de said:
> Ubuntu comes with dumpasn1. There are also quite a few libraries.

You may also import the certificate into GnuPG (gpgsm --import foo) and run gpgsm --dump-cert to get a human readable printout. Example:

$ gpgsm --dump-cert 0x39F4F81B
/home/foo/.gnupg/pubring.kbx
---
           ID: 0x39F4F81B
          S/N: 01D8
       Issuer: CN=12R-CA 1:PN,O=Bundesnetzagentur,C=DE
      Subject: CN=TeleSec PKS SigG CA 17:PN,O=Deutsche Telekom AG,C=DE
     sha1_fpr: 13:0C:16:2D:91:68:7C:E0:AE:95:6F:11:08:34:3A:26:39:F4:F8:1B
      md5_fpr: D7:2B:65:D3:E6:5C:54:DB:B7:4A:47:49:6E:CF:36:F1
       certid: D6C0C14EE753E3D147C0827A4C8D579F130DEFD4.01D8
      keygrip: EC4EC0D13B47680C28869929D76B3357838CEC11
    notBefore: 2007-11-08 09:22:57
     notAfter: 2012-01-01 12:00:00
     hashAlgo: 1.2.840.113549.1.1.13 (sha512WithRSAEncryption)
      keyType: 2048 bit RSA
    subjKeyId: 57A001BB58498529AEE9DFAD6810FA056F5F3A9B
    authKeyId: [none]
 authKeyId.ki: 04DE9D7FDF437289BA694901F4E84928DE02196F
     keyUsage: certSign
  extKeyUsage: [none]
     policies: 1.3.36.8.1.1
  chainLength: 0
        crlDP: ldap://ldap.nrca-ds.de:389/CN=CRL,O=Bundesnetzagentur,C=DE,dc=ldap,dc=nrca-ds,dc=de?certificateRevocationList;binary?base?objectClass=cRLDistributionPoint
               issuer: none
     authInfo: 1.3.6.1.5.5.7.48.1 (ocsp)
               http://ocsp.nrca-ds.de:8080/ocsp-ocspresponder
     subjInfo: [none]
         extn: 1.3.6.1.5.5.7.1.3 (qcStatements)  [12 octets]
         extn: 1.3.6.1.5.5.7.1.1 (authorityInfoAccess)  [62 octets]
         extn: 1.3.6.1.4.1.8301.3.5 (validityModel)  [14 octets]

CERTID and KEYGRIP are GnuPG specific.

Shalom-Salam,

   Werner

--
Thoughts are free. Exceptions are governed by federal law.

-
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majord...@metzdowd.com
Re: X.509 certificate overview + status
Travis wrote:
> Recently I set up certificates for my server's SSL, SMTP, IMAP, XMPP,
> and OpenVPN services. Actually, I created my own CA for some of the
> certificates, and in other cases I used self-signed. It took me
> substantially more time than I had anticipated, and I'm left with
> feelings of unease.

Welcome to the club!

> Further, trying to dig into ASN.1 was extremely difficult. The specs
> are full of obtuse language, using terms like "object" without defining
> them first. Are there any tools that will dump certificates in
> human-readable formats? I would really like something that could take
> a PEM file of a cert and display it in XML or something of the sort.

Ubuntu comes with dumpasn1. There are also quite a few libraries.

> I'm plowing through the O'Reilly OpenSSL book, but are there other
> resources out there that could help me, or others like me?

You should be aware of Peter Gutmann's style guide:

http://www.cs.auckland.ac.nz/~pgut001/pubs/x509guide.txt

Thanks,
Marcus
Re: X.509 certificate overview + status
On Mon, Mar 02, 2009 at 05:35:20PM +0100, Marcus Brinkmann wrote:
> Travis wrote:
> > Further, trying to dig into ASN.1 was extremely difficult. The specs
> > are full of obtuse language, using terms like "object" without
> > defining them first. Are there any tools that will dump certificates
> > in human-readable formats? I would really like something that could
> > take a PEM file of a cert and display it in XML or something of the
> > sort.
>
> Ubuntu comes with dumpasn1. There are also quite a few libraries.

openssl will print certs in a more human readable but slightly less complete format than dumpasn1:

% openssl x509 -text -in cert

dumpasn1 does not read PEM, so you need to convert to DER first:

% openssl x509 -in cert -outform DER -out cert.der; dumpasn1 cert.der

It's a little old, but RFC 3280 is the most concise and easiest to understand description of X.509 et al. that I have found.

Eric
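The two steps Eric describes (strip the PEM armor and base64-decode to DER, then walk the DER tag/length/value tree the way dumpasn1 does) are small enough to write out by hand, which also answers Travis's question about what the "objects" in the ASN.1 specs actually are on the wire. The following is an added example, not code from the thread or from gpgsm, openssl or dumpasn1. The certificate-like blob it parses is constructed inline (a stand-in for the front of a TBSCertificate: version, serial, signature algorithm, one-RDN issuer, validity); it is not a real certificate, and the tag table covers only the universal tags a certificate commonly uses.

```python
"""Minimal dumpasn1-style walker: PEM -> DER -> indented tag/length/value tree."""
import base64

# Universal tags we label by name (subset of X.680); anything else is shown as [n].
UNIVERSAL_TAGS = {
    0x01: "BOOLEAN", 0x02: "INTEGER", 0x03: "BIT STRING", 0x04: "OCTET STRING",
    0x05: "NULL", 0x06: "OBJECT IDENTIFIER", 0x0C: "UTF8String",
    0x13: "PrintableString", 0x17: "UTCTime", 0x18: "GeneralizedTime",
    0x30: "SEQUENCE", 0x31: "SET",
}

def pem_to_der(pem: str) -> bytes:
    """Drop the -----BEGIN/END----- armor lines and base64-decode the body."""
    body = [ln.strip() for ln in pem.splitlines()
            if ln.strip() and not ln.startswith("-----")]
    return base64.b64decode("".join(body))

def read_length(buf: bytes, pos: int):
    """Decode a DER length at buf[pos]; return (length, position after it)."""
    first = buf[pos]
    pos += 1
    if first < 0x80:                      # short form: one byte
        return first, pos
    nbytes = first & 0x7F                 # long form: number of length octets
    if nbytes == 0 or nbytes > 4:
        raise ValueError("indefinite or oversized length is not DER")
    return int.from_bytes(buf[pos:pos + nbytes], "big"), pos + nbytes

def decode_oid(value: bytes) -> str:
    """Decode base-128 arcs; the first octet packs the first two arcs."""
    arcs, acc = [], 0
    for b in value:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    first = arcs[0]
    head = [0, first] if first < 40 else [1, first - 40] if first < 80 else [2, first - 80]
    return ".".join(str(a) for a in head + arcs[1:])

def render_primitive(tag: int, value: bytes):
    """Turn a primitive value into something readable, hex for everything else."""
    if tag == 0x02:
        return int.from_bytes(value, "big", signed=True)
    if tag == 0x06:
        return decode_oid(value)
    if tag in (0x0C, 0x13, 0x17, 0x18):
        return value.decode("utf-8" if tag == 0x0C else "ascii")
    if tag == 0x05:
        return None
    return value.hex(":")

def parse(buf: bytes, pos: int = 0, end: int = None) -> list:
    """Parse the TLVs in buf[pos:end]; each node is (tag, label, value_or_children)."""
    end = len(buf) if end is None else end
    nodes = []
    while pos < end:
        tag = buf[pos]
        if tag & 0x1F == 0x1F:
            raise ValueError("multi-byte tags are not handled in this demo")
        length, pos = read_length(buf, pos + 1)
        if pos + length > end:            # refuse lengths that escape the parent
            raise ValueError("element length runs past its enclosing element")
        label = UNIVERSAL_TAGS.get(tag, f"[{tag & 0x1F}]")
        if tag & 0x20:                    # constructed: recurse into the children
            nodes.append((tag, label, parse(buf, pos, pos + length)))
        else:
            nodes.append((tag, label, render_primitive(tag, buf[pos:pos + length])))
        pos += length
    return nodes

def dump(nodes: list, indent: int = 0) -> None:
    """Print the tree in a dumpasn1-like indented layout."""
    for _tag, label, payload in nodes:
        if isinstance(payload, list):
            print(f"{'  ' * indent}{label} {{")
            dump(payload, indent + 1)
            print(f"{'  ' * indent}}}")
        else:
            print(f"{'  ' * indent}{label} {payload!r}")

def tlv(tag: int, value: bytes) -> bytes:
    """Encode one DER TLV (used only to build the constructed sample below)."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value

def build_sample_der() -> bytes:
    """Constructed stand-in for the start of a TBSCertificate; not a real certificate."""
    version = tlv(0xA0, tlv(0x02, b"\x02"))                            # [0] EXPLICIT v3
    serial = tlv(0x02, (4660).to_bytes(2, "big"))                      # serial 0x1234
    sig_alg = tlv(0x30, tlv(0x06, bytes.fromhex("2a864886f70d01010b"))  # sha256WithRSA
                + tlv(0x05, b""))
    cn = tlv(0x30, tlv(0x06, bytes.fromhex("550403")) + tlv(0x13, b"Demo CA"))  # CN
    issuer = tlv(0x30, tlv(0x31, cn))                                  # Name with one RDN
    validity = tlv(0x30, tlv(0x17, b"090302173520Z") + tlv(0x17, b"100302173520Z"))
    return tlv(0x30, version + serial + sig_alg + issuer + validity)

def der_to_pem(der: bytes, label: str = "CERTIFICATE") -> str:
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return f"-----BEGIN {label}-----\n" + "\n".join(lines) + f"\n-----END {label}-----\n"

SAMPLE_PEM = der_to_pem(build_sample_der())   # constructed sample input

if __name__ == "__main__":
    dump(parse(pem_to_der(SAMPLE_PEM)))
```

Run it and the output is the nested SEQUENCE/SET tree with OIDs decoded in dotted form, which is the same information `openssl x509 -text` presents with names filled in. The length check against the enclosing element is the part worth keeping in any real parser: a DER length that points past its parent is exactly the kind of malformed input a certificate parser must reject rather than read through.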
Re: X.509 certificate overview + status
Travis wrote:
> Hello,
>
> Recently I set up certificates for my server's SSL, SMTP, IMAP, XMPP,
> and OpenVPN services. Actually, I created my own CA for some of the
> certificates, and in other cases I used self-signed. It took me
> substantially more time than I had anticipated, and I'm left with
> feelings of unease.

Odd. The openssl installations I am familiar with came with example config files that were perfectly functional; it took me about ten minutes to figure out what needed doing purely from the man pages and the example config.

If ten minutes is too long, just go with xca (http://sourceforge.net/projects/xca), which does it all in a nice, pretty GUI for you. A few distros (SUSE, for example) also have a GUI for certificate issuing in their central admin tool.