Re: X.509 certificate overview + status
Travis wrote: Recently I set up certificates for my server's SSL, SMTP, IMAP, XMPP, and OpenVPN services. Actually, I created my own CA for some of the certificates, and in other cases I used self-signed. plug BTW, we give away free certificates for XMPP services here: http://xmpp.org/ca/ The root CA is StartCom, which is accepted in Mozilla, OS X, and various other cert stores. I've noticed that these certs are becoming quite popular on the XMPP network (plus, they result none of those cert warnings that scare of normal users). /plug Peter -- Peter Saint-Andre https://stpeter.im/ smime.p7s Description: S/MIME Cryptographic Signature
Re: X.509 certificate overview + status
On Mon, 2 Mar 2009 17:35, marcus.brinkm...@ruhr-uni-bochum.de said: Ubuntu comes with dumpasn1. There are also quite a few libraries. You may also import the certificate into GnuPG (gpgsm --import foo) and run gpgsm --dump-cert to get a human readable printout. Example: $ gpgsm --dump-cert 0x39F4F81B /home/foo/.gnupg/pubring.kbx --- ID: 0x39F4F81B S/N: 01D8 Issuer: CN=12R-CA 1:PN,O=Bundesnetzagentur,C=DE Subject: CN=TeleSec PKS SigG CA 17:PN,O=Deutsche Telekom AG,C=DE sha1_fpr: 13:0C:16:2D:91:68:7C:E0:AE:95:6F:11:08:34:3A:26:39:F4:F8:1B md5_fpr: D7:2B:65:D3:E6:5C:54:DB:B7:4A:47:49:6E:CF:36:F1 certid: D6C0C14EE753E3D147C0827A4C8D579F130DEFD4.01D8 keygrip: EC4EC0D13B47680C28869929D76B3357838CEC11 notBefore: 2007-11-08 09:22:57 notAfter: 2012-01-01 12:00:00 hashAlgo: 1.2.840.113549.1.1.13 (sha512WithRSAEncryption) keyType: 2048 bit RSA subjKeyId: 57A001BB58498529AEE9DFAD6810FA056F5F3A9B authKeyId: [none] authKeyId.ki: 04DE9D7FDF437289BA694901F4E84928DE02196F keyUsage: certSign extKeyUsage: [none] policies: 1.3.36.8.1.1 chainLength: 0 crlDP: ldap://ldap.nrca-ds.de:389/CN=CRL,O=Bundesnetzagentur,C=DE,dc=ldap,dc=nrca-ds,dc=de?certificateRevocationList;binary?base?objectClass=cRLDistributionPoint issuer: none authInfo: 1.3.6.1.5.5.7.48.1 (ocsp) http://ocsp.nrca-ds.de:8080/ocsp-ocspresponder subjInfo: [none] extn: 1.3.6.1.5.5.7.1.3 (qcStatements) [12 octets] extn: 1.3.6.1.5.5.7.1.1 (authorityInfoAccess) [62 octets] extn: 1.3.6.1.4.1.8301.3.5 (validityModel) [14 octets] CERTID and KEYGRIP are GnuPG specific. Shalom-Salam, Werner -- Die Gedanken sind frei. Auschnahme regelt ein Bundeschgesetz. - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to majord...@metzdowd.com
X.509 certificate overview + status
Hello, Recently I set up certificates for my server's SSL, SMTP, IMAP, XMPP, and OpenVPN services. Actually, I created my own CA for some of the certificates, and in other cases I used self-signed. It took me substantially more time than I had anticipated, and I'm left with feelings of unease. It seems the way to do this revolves around openssl, but while I was able to find instructions*, they were cookbook-style, and didn't really give me as complete an understanding as I had hoped. [*] http://sial.org/howto/openssl/ I experimented with tinyca2, which appears only to create certificates with passphrases, which is obnoxious. Only some applications (e.g. dovecot) allow you to specify passphrases, and in most cases the config file with the passphrase is protected the same way as the key itself, using filesystem permissions, making it pointless. However, I still have problems with dovecot. Whenever I connect to IMAPS, it complains that the certificate is for '' (empty string), and I'm not sure what I did wrong in the certificate creation. In other cases, such as openvpn, there are some scripts there (easy-rsa) which take care of it for you. I couldn't, in particular, find comprehensive information on the openssl.cnf file, particularly the v3 extensions. In some cases, such as OpenBSD's isakmpd, I had to abandon my plans completely because they had requirements that the certificates have some fields (subjectAltName, I think) that weren't well documented. I can't remember exactly if I couldn't create this field, or merely didn't know what to put in it. However, in this case, the main problem I found was that the Linux port of isakmpd was not reliable, and nearly impossible to debug. It just would work 50% of the time, and not the other 50%. OpenBSD's isakmpd is pretty sexy - it detects NAT traversal and automagically encapsulates in UDP - but apart from the Linux reliability issue, I also had issues with multiple tunnels going through the same NAT/fw box that was itself running IPSec. Whereas by contrast, OpenVPN handles that situation well, and has support for MS-Windows should I ever want it. Further, trying to dig into ASN.1 was extremely difficult. The specs are full of obtuse language, using terms like object without defining them first. Are there any tools that will dump certificates in human-readable formats? I would really like something that could take a PEM file of a cert and display it in XML or something of the sort. Although I have it all working, I am considering redoing all the work, hopefully all under one CA cert that I control. But I'm not sure if that's wise. I'm plowing through the O'Reilly OpenSSL book, but are there other resources out there that could help me, or others like me? -- Obama Nation | It's not like I'm encrypting... it's more like I've developed a massive entropy deficiency | http://www.subsubpacefield.org/~travis/ If you are a spammer, please email j...@subspacefield.org to get blacklisted. - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to majord...@metzdowd.com
Re: X.509 certificate overview + status
Travis wrote: Recently I set up certificates for my server's SSL, SMTP, IMAP, XMPP, and OpenVPN services. Actually, I created my own CA for some of the certificates, and in other cases I used self-signed. It took me substantially more time than I had anticipated, and I'm left with feelings of unease. Welcome to the club! Further, trying to dig into ASN.1 was extremely difficult. The specs are full of obtuse language, using terms like object without defining them first. Are there any tools that will dump certificates in human-readable formats? I would really like something that could take a PEM file of a cert and display it in XML or something of the sort. Ubuntu comes with dumpasn1. There are also quite a few libraries. I'm plowing through the O'Reilly OpenSSL book, but are there other resources out there that could help me, or others like me? You should be aware of Peter Gutmann's style guide: http://www.cs.auckland.ac.nz/~pgut001/pubs/x509guide.txt Thanks, Marcus - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to majord...@metzdowd.com
Re: X.509 certificate overview + status
On Mon, Mar 02, 2009 at 05:35:20PM +0100, Marcus Brinkmann wrote: Travis wrote: Further, trying to dig into ASN.1 was extremely difficult. The specs are full of obtuse language, using terms like object without defining them first. Are there any tools that will dump certificates in human-readable formats? I would really like something that could take a PEM file of a cert and display it in XML or something of the sort. Ubuntu comes with dumpasn1. There are also quite a few libraries. openssl will print certs in a more human readable but slightly less complete format than dumpasn1: % openssl x509 -text cert dumpasn1 does not read PEM, so you need to do % openssl enc -d -c cert cert.der; dumpasn1 cert.der It's a little old but RFC3280 is the most concise and easiest to understand description of X.509 et. al. that I have found. Eric - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to majord...@metzdowd.com
Re: X.509 certificate overview + status
Travis wrote: Hello, Recently I set up certificates for my server's SSL, SMTP, IMAP, XMPP, and OpenVPN services. Actually, I created my own CA for some of the certificates, and in other cases I used self-signed. It took me substantially more time than I had anticipated, and I'm left with feelings of unease. odd. the openssl installations I am familiar with came with example config files that were perfectly functional, took me about ten minutes to figure out what needed doing purely from the man pages and the example config. if ten minutes is too long, just go with xca (http://sourceforge.net/projects/xca) which does it all in a nice, pretty gui for you. A few distros (suse, for example) also have a gui for certificate issuing in their central admin tool. - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to majord...@metzdowd.com
