I just had to ask Dr. Google the right question:
openssl subjectaltname in a selfsigned certificate
After all, a root cert is a self-signed cert.
And I learned to put SAN in the [ v3_ca ] section, rather than the [ req ] section; then all it takes is what I already had:
openssl req -config open
It IS working with -selfsign. So this step is done.
openssl ca -config openssl-root.cnf -extensions v3_ca -days 7300 -notext -md sha256 \
    -selfsign -in csr/ca.csr.pem -out certs/ca.cert.pem
openssl x509 -in certs/ca.cert.pem -text -noout
Certificate:
Data:
Version: 3 (0x2)
NO, it does not work. It worked because I had the old root CA cert there. Without it, it fails.
I tried adding -selfsign and that did something, but did not create a trusted cert...
On 08/17/2017 08:44 PM, Robert Moskowitz wrote:
Kind of...
Does not put SAN in CA cert:
openssl req -config op
Kind of...
Does not put SAN in CA cert:
openssl req -config openssl-root.cnf -key private/ca.key.pem \
    -new -x509 -days 7300 -sha256 -extensions v3_ca -out certs/ca.cert.pem
Does put SAN in CA cert:
openssl req -config openssl-root.cnf -key private/ca.key.pem \
-new -sha256 -exte
On 08/17/2017 07:01 PM, Jakob Bohm wrote:
On 18/08/2017 00:09, Robert Moskowitz wrote:
On 08/17/2017 05:38 PM, Salz, Rich wrote:
declare -x organizationalUnitName=""
routines:ASN1_mbstring_ncopy:string too short:a_mbstr.c:151:minsize=1
You are setting an empty OU. You should not set it
On 08/17/2017 06:38 PM, Jeffrey Walton wrote:
On Thu, Aug 17, 2017 at 6:30 PM, Robert Moskowitz wrote:
I guess I am making progress. I am not getting SAN into the root cert. My cnf has in it:
[ req ]
# Options for the `req` tool (`man req`).
default_bits= 2048
prompt =
On 18/08/2017 00:09, Robert Moskowitz wrote:
On 08/17/2017 05:38 PM, Salz, Rich wrote:
declare -x organizationalUnitName=""
routines:ASN1_mbstring_ncopy:string too short:a_mbstr.c:151:minsize=1
You are setting an empty OU. You should not set it and see if that works
organizationalUnitN
On Thu, Aug 17, 2017 at 6:30 PM, Robert Moskowitz wrote:
> I guess I am making progress. I am not getting SAN into the root cert. My cnf has in it:
>
> [ req ]
> # Options for the `req` tool (`man req`).
> default_bits= 2048
> prompt = no
> distinguished_name = req_distin
I guess I am making progress. I am not getting SAN into the root cert. My cnf has in it:
[ req ]
# Options for the `req` tool (`man req`).
default_bits= 2048
prompt = no
distinguished_name = req_distinguished_name
string_mask = utf8only
req_extensions = req_e
On 08/17/2017 05:38 PM, Salz, Rich wrote:
declare -x organizationalUnitName=""
routines:ASN1_mbstring_ncopy:string too short:a_mbstr.c:151:minsize=1
You are setting an empty OU. You should not set it and see if that works
organizationalUnitName = "." puts a . in it. So I have to
ARGH!!!
On 08/17/2017 05:38 PM, Salz, Rich wrote:
declare -x organizationalUnitName=""
routines:ASN1_mbstring_ncopy:string too short:a_mbstr.c:151:minsize=1
You are setting an empty OU. You should not set it and see if that works
So now I have to figure out how to handle an empty variabl
> declare -x organizationalUnitName=""
> routines:ASN1_mbstring_ncopy:string too short:a_mbstr.c:151:minsize=1
You are setting an empty OU. You should not set it and see if that works
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
On 08/17/2017 04:17 PM, Robert Moskowitz wrote:
On 08/17/2017 04:09 PM, Salz, Rich wrote:
Use the -batch flag to avoid all prompting
I commented out the prompt line and tried again:
openssl req -config openssl-root.cnf -key private/ca.key.pem \
> -new -x509 -days 7300 -sha256 -batch
On 08/17/2017 04:17 PM, Robert Moskowitz wrote:
On 08/17/2017 04:09 PM, Salz, Rich wrote:
Use the -batch flag to avoid all prompting
I commented out the prompt line and tried again:
openssl req -config openssl-root.cnf -key private/ca.key.pem \
> -new -x509 -days 7300 -sha256 -batch
On 08/17/2017 04:09 PM, Salz, Rich wrote:
Use the -batch flag to avoid all prompting
I commented out the prompt line and tried again:
openssl req -config openssl-root.cnf -key private/ca.key.pem \
> -new -x509 -days 7300 -sha256 -batch -extensions v3_ca -out certs/ca.cert.pem
Enter p
Use the -batch flag to avoid all prompting
On 08/17/2017 03:39 PM, Salz, Rich via openssl-users wrote:
In the CA section, you have to specify which fields you need/want in the DN. This is the “policy” identifier which points to a section that names the RDNs you want/need.
I have that:
[ ca ]
# `man ca`
default_ca = CA_default
[
In the CA section, you have to specify which fields you need/want in the DN. This is the “policy” identifier which points to a section that names the RDNs you want/need.
In the [ ca ] section I have:
prompt = no
If I leave the = out I get an error, so I am assuming I got the format of this right.
Then I have
[ req ]
distinguished_name = req_distinguished_name
[ req_distinguished_name ]
countryName = $ENV::countryName
stateOrProvinceNa
> On 17 August 2017 at 17:36, Jeffrey Walton wrote:
>
> On Thu, Aug 17, 2017 at 11:34 AM, Erwann Abalea
> wrote:
>>
>>> On 17 August 2017 at 17:26, Jeffrey Walton wrote:
>>>
> When you see a name like "example.com" in the CN, it's usually a CA
> including a domain name and not a hostn
Erwann,
thank you for your response.
On 08/17/2017 11:29 AM, Erwann Abalea via openssl-users wrote:
Hello,
On 17 August 2017 at 17:10, Robert Moskowitz wrote:
On 08/17/2017 10:50 AM, Salz, Rich via openssl-users wrote:
And RFC 5280, which is still the standard, says serial# must be <=
On Thu, Aug 17, 2017 at 11:34 AM, Erwann Abalea
wrote:
>
>> On 17 August 2017 at 17:26, Jeffrey Walton wrote:
>>
When you see a name like "example.com" in the CN, it's usually a CA including a domain name and not a hostname.
>>>
>>> That's nonsense.
>>
>> If a certificate is issued under
> On 17 August 2017 at 17:26, Jeffrey Walton wrote:
>
>>> When you see a name like "example.com" in the CN, it's usually a CA including a domain name and not a hostname.
>>
>> That's nonsense.
>
> If a certificate is issued under CA/B policies, and CN=example.com but
> it _lacks_ SAN=exampl
Hello,
> On 17 August 2017 at 17:10, Robert Moskowitz wrote:
>
>
>
> On 08/17/2017 10:50 AM, Salz, Rich via openssl-users wrote:
>> And RFC 5280, which is still the standard, says serial# must be <= 20 bytes.
>> Which means, you want to make sure the high bit is off, else the DER
>> encod
Viktor,
thanks for the reply.
On 08/17/2017 11:15 AM, Viktor Dukhovni wrote:
On Thu, Aug 17, 2017 at 12:56:20AM -0400, Jeffrey Walton wrote:
Remove commonName and emailAddress completely from the cnf file. They no longer belong in any cert, root or intermediate CA certs, server or user certs.
>> When you see a name like "example.com" in the CN, it's usually a CA including a domain name and not a hostname.
>
> That's nonsense.
If a certificate is issued under CA/B policies, and CN=example.com but it _lacks_ SAN=example.com, then it's not a hostname and it should not be matched.
I'm
On 08/17/2017 10:49 AM, Karl Denninger wrote:
On 8/17/2017 09:40, Robert Moskowitz wrote:
I have been researching serial number in cert based on Jakob's comment:
"- Serial numbers are *exactly* 20 bytes (153 to 159 bits) both as standalone numbers and as DER-encoded numbers. Note that th
On Thu, Aug 17, 2017 at 12:56:20AM -0400, Jeffrey Walton wrote:
> > Remove commonName and emailAddress completely from the cnf file. They no longer belong in any cert, root or intermediate CA certs, server or user certs.
>
> CommonName is supplied for viewing by tools like certificate vie
On 08/17/2017 10:50 AM, Salz, Rich via openssl-users wrote:
And RFC 5280, which is still the standard, says serial# must be <= 20 bytes. Which means you want to make sure the high bit is off, else the DER encoding will make it 21 bytes.
So the new -rand_serial flag I am adding to the CA co
On 8/17/2017 09:40, Robert Moskowitz wrote:
> I have been researching serial number in cert based on Jakob's comment:
>
> "- Serial numbers are *exactly* 20 bytes (153 to 159 bits) both as standalone numbers and as DER-encoded numbers. Note that this is not the default in the openssl c
And RFC 5280, which is still the standard, says serial# must be <= 20 bytes. Which means you want to make sure the high bit is off, else the DER encoding will make it 21 bytes.
So the new -rand_serial flag I am adding to the CA command will call RAND_bytes to get 18 bytes.
On 8/17/17,
https://cabforum.org/2016/07/08/ballot-164/
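As an added illustration of the 20-octet limit and the high-bit point in the message above (example code written for this page, not from the thread or from OpenSSL): it DER-encodes a serial and shows why a 20-byte value with the top bit set becomes 21 octets. The two serial-building helpers are assumptions about how one might construct a serial, not the behaviour of -rand_serial itself.

```python
# Added example (not from the thread): DER-encode an X.509 serial number and
# check it against the 20-octet limit from RFC 5280 section 4.1.2.2.
import secrets

MAX_SERIAL_OCTETS = 20  # RFC 5280, section 4.1.2.2


def der_integer_content(n: int) -> bytes:
    """Content octets of a DER INTEGER holding the positive integer n.

    DER integers are two's-complement, so if the top bit of the first
    octet is set a leading 0x00 must be added to keep the value positive.
    That padding octet is what turns a 20-byte serial into 21 bytes.
    """
    if n <= 0:
        raise ValueError("certificate serial numbers must be positive")
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    if body[0] & 0x80:
        body = b"\x00" + body
    return body


def serial_fits_rfc5280(n: int) -> bool:
    """True when the DER content of n is at most 20 octets."""
    return len(der_integer_content(n)) <= MAX_SERIAL_OCTETS


def serial_from_random_bytes(raw: bytes) -> int:
    """Turn exactly 20 CSPRNG bytes into a serial of exactly 20 DER octets.

    Clearing the top bit of the first byte keeps the sign bit off, so no
    padding octet is needed; forcing the first byte to be nonzero keeps the
    value at 153 to 159 bits (the range quoted from Jakob's comment).
    Assumed construction for this example.
    """
    if len(raw) != 20:
        raise ValueError("expected exactly 20 random bytes")
    first = (raw[0] & 0x7F) or 0x01
    return int.from_bytes(bytes([first]) + raw[1:], "big")


def random_serial_18_bytes() -> int:
    """Conservative variant: 18 random bytes give at most 19 DER octets even
    when the top bit is set, so the limit can never be exceeded (assumed)."""
    return int.from_bytes(secrets.token_bytes(18), "big") or 1
```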
I have been researching serial number in cert based on Jakob's comment:
"- Serial numbers are *exactly* 20 bytes (153 to 159 bits) both as standalone numbers and as DER-encoded numbers. Note that this is not the default in the openssl ca program.
- Serial numbers contain cryptographically s
Thank you for your response.
I am basically skipping 20 years of PKI development and trying to get to current best practices...
On 08/17/2017 09:50 AM, Erwann Abalea via openssl-users wrote:
Hello,
On 17 August 2017 at 15:20, Robert Moskowitz wrote:
Should digitalSignature be included i
Hello,
> On 17 August 2017 at 15:20, Robert Moskowitz wrote:
>
> Should digitalSignature be included in keyusage in CA certs?
It depends on what you plan to do with the corresponding private key.
If you want this private key to sign messages other than certificates and CRLs (such as OCSP res
AFAIK it must.
Regards,
Uri
Sent from my iPhone
> On Aug 17, 2017, at 09:21, Robert Moskowitz wrote:
>
> Should digitalSignature be included in keyusage in CA certs?
>
>
> https://jamielinux.com/docs/openssl-certificate-authority/create-the-root-pair.html
>
> Includes it.
>
> https://stack
Should digitalSignature be included in keyusage in CA certs?
https://jamielinux.com/docs/openssl-certificate-authority/create-the-root-pair.html
Includes it.
https://stackoverflow.com/questions/21297139/how-do-you-sign-certificate-signing-request-with-your-certification-authority/21340898#2134
On 08/17/2017 12:56 AM, Jeffrey Walton wrote:
On Thu, Aug 17, 2017 at 12:28 AM, Robert Moskowitz wrote:
I have skimmed through a few RFCs following today's postings and a few web sites. It would seem to me that I should:
Remove commonName and emailAddress completely from the cnf file. They