Re: Intermediate CA extension problems.

2006-05-17 Thread Dr. Stephen Henson
On Tue, May 16, 2006, Phil Dibowitz wrote: OpenSSL folks, I'm having an issue when making an intermediate CA. As I understand the specs (and please, correct me if I'm wrong), a root (i.e. self-signed) CA can be a v1 certificate, but intermediate CAs must: (a) be v3 (b) have

Root CA key bit length too small - How do I change this?

2006-05-17 Thread ray v
This is probably a real noob question but I've no idea where to start looking. I've inherited an openssl-based CA. The ROOT CA certificate is 512 bits long. RSA Public Key: (512 bit) Modulus (512 bit): What is the best way to change this? I thought maybe renewal might be the best

Re: Root CA key bit length too small - How do I change this?

2006-05-17 Thread Marek Marcola
Hello, This is probably a real noob question but I've no idea where to start looking. I've inherited an openssl-based CA. The ROOT CA certificate is 512 bits long. RSA Public Key: (512 bit) Modulus (512 bit): What is the best way to change this? I thought maybe renewal

how can I get cipher suite name by its number? ssl3_get_cipher(unsigned int u)?

2006-05-17 Thread Richard Kao
Hi folks, What I want to do is to get the name of the cipher suite server is trying to use when I receive a server hello. From server hello's header (SSL version 3.0), I can read out the cipher suite number, which is, for example 0x0004, and my Ethereal (Version 0.10.13) shows it is

RC5 in openssl FIPS version (version 7j) is disabled?

2006-05-17 Thread Shicai Hu
Hi, I am new to openssl. I just compiled the openssl FIPS version and I found out that other crypto functions are OK, but I couldn't call those RC5 crypto functions. Is this because RC5 is disabled in the FIPS version, or because RC5 is not FIPS approved? I highly appreciate any help. Shicai

Question on serial numbers

2006-05-17 Thread Phil Dibowitz
In some cases I see serial numbers as octet strings, i.e.: Serial Number: ef:e1:73:da:b3:6a:cf:ad:6b:18:dd:58:7f:6b:49:fe And other cases as an integer, i.e.: Serial Number: 2 (0x2) In openssl's case, self-signed certs use an octet-string (though this seems to not

Re: Root CA key bit length too small - How do I change this?

2006-05-17 Thread Richard Salz
You must generate a new (longer) private key for the CA and self-certify. Next you should publish your new CA certificate. As a transition aid, you might want to have your old root also sign the new CA key. /r$ -- SOA Appliances Application Integration Middleware

Re: Question on serial numbers

2006-05-17 Thread Goetz Babin-Ebell
Phil Dibowitz schrieb: Hello Phil, In some cases I see serial numbers as octet strings, i.e.: Serial Number: ef:e1:73:da:b3:6a:cf:ad:6b:18:dd:58:7f:6b:49:fe And other cases as an integer, i.e.: Serial Number: 2

Re: Question on serial numbers

2006-05-17 Thread Phil Dibowitz
Goetz Babin-Ebell wrote: Phil Dibowitz schrieb: Hello Phil, In some cases I see serial numbers as octet strings, i.e.: Serial Number: ef:e1:73:da:b3:6a:cf:ad:6b:18:dd:58:7f:6b:49:fe And other cases as an integer, i.e.: Serial Number: 2 (0x2) The only

Re: RC5 in openssl FIPS version (version 7j) is disabled?

2006-05-17 Thread Marek Marcola
Hello, Hi, I am new to openssl. I just compiled the openssl FIPS version and I found out that other crypto functions are OK, but I couldn't call those RC5 crypto functions. Is this because RC5 is disabled in the FIPS version, or because RC5 is not FIPS approved? I highly appreciate any help. Look at

Re: Question on serial numbers

2006-05-17 Thread Dr. Stephen Henson
On Wed, May 17, 2006, Phil Dibowitz wrote: Thanks for the quick reply. Hmm. Then why is it when I create a self-signed CA with openssl I get the former displayed, but when I then sign a cert with that CA, I get the latter? I don't understand why it is using different byte lengths?

Re: Question on serial numbers

2006-05-17 Thread Phil Dibowitz
Dr. Stephen Henson wrote: On Wed, May 17, 2006, Phil Dibowitz wrote: Thanks for the quick reply. Hmm. Then why is it when I create a self-signed CA with openssl I get the former displayed, but when I then sign a cert with that CA, I get the latter? I don't understand why it is using

Re: Question on serial numbers

2006-05-17 Thread Dr. Stephen Henson
On Wed, May 17, 2006, Phil Dibowitz wrote: CA.pl -newca takes a random 64-bit number for the serial number of the CA, and then auto-increments that for all of the certs it signs. Why random? Why not start at 64 bits of 0s? Is there some benefit here? The serial number is an integer. 64

Changing existing certificates from 512 bits to 2048 bits

2006-05-17 Thread ray v
I know this is a noob question but I have inherited an existing CA based on openssl. I need to change some existing certificates from 512 bit to 2048 bit. I have the private keys and was wondering if the proper approach was to renew the certificate and modify them there? Or is this not possible?

Re: Question on serial numbers

2006-05-17 Thread Phil Dibowitz
Dr. Stephen Henson wrote: On Wed, May 17, 2006, Phil Dibowitz wrote: CA.pl -newca takes a random 64-bit number for the serial number of the CA, and then auto-increments that for all of the certs it signs. Why random? Why not start at 64 bits of 0s? Is there some benefit here? The

Re: Intermediate CA extension problems.

2006-05-17 Thread Phil Dibowitz
Dr. Stephen Henson wrote: Your problem is that you are telling OpenSSL to include the AKID extension by copying the SKID from the issuing CA. That CA doesn't have an SKID extension so it gives the error. Either remove that extension from the config file or include SKID in the root CA.

Re: Changing existing certificates from 512 bits to 2048 bits

2006-05-17 Thread Alicia da Conceicao
I know this is a noob question but I have inherited an existing CA based on openssl. I need to change some existing certificates from 512 bit to 2048 bit. I have the private keys and was wondering if the proper approach was to renew the certificate and modify them there? Or is this not

Re: Changing existing certificates from 512 bits to 2048 bits

2006-05-17 Thread ray v
Alicia, Thank you for getting back to me I need to take the Root CA certificate/private key and change the modulus from 512 bit to 2048 bit. I assume that I have to make a new Root CA Certificate request and then sign it with the old one? The problem that I have is newer devices are not

Re: Question on serial numbers

2006-05-17 Thread Dr. Stephen Henson
On Wed, May 17, 2006, Phil Dibowitz wrote: Dr. Stephen Henson wrote: The reason for the random nature is so that OpenSSL by default makes it very unlikely to duplicate issuer names and serial numbers, which is a standard violation and can cause peculiar hard to trace errors in common

Re: Intermediate CA extension problems.

2006-05-17 Thread Dr. Stephen Henson
On Wed, May 17, 2006, Phil Dibowitz wrote: Dr. Stephen Henson wrote: Your problem is that you are telling OpenSSL to include the AKID extension by copying the SKID from the issuing CA. That CA doesn't have an SKID extension so it gives the error. Either remove that extension from

Re: Changing existing certificates from 512 bits to 2048 bits

2006-05-17 Thread Alicia da Conceicao
Thank you for getting back to me I need to take the Root CA certificate/private key and change the modulus from 512 bit to 2048 bit. I assume that I have to make a new Root CA Certificate request and then sign it with the old one? The problem that I have is newer devices are not allowing me