s_client verify error

-vm5.tubit.tu-berlin.de:636 everything works smoothly - no errors. Any help will be apreciated, Gerd P.S: I add the complete exerpt from the ldap log a attachment. -- -- -- Gerd Schering, Email: scher...@tubit.tu-berlin.de

Re: How to use a hardware RNG with openssl?

Lutz Jaenicke wrote: Gerd Schering wrote: Hello, we purchased a hrng for the generation of RSA keys for instance. It is an USB device an shows up as /dev/qrandom. So, in order to generate rsa keys, is it sufficient to use it as a replacement for /dev/urandom and to call genrsa as openssl

How to use a hardware RNG with openssl?

shure about the role of /dev/urandom: does it deliver a (pseudo) random number or the salt for the PRNG? Gerd -- -- -- Gerd Schering, Email: [EMAIL PROTECTED] -- smime.p7s Description: S/MIME

Configuration file error

sions Test-Server-CA_extensions -notext \ -out /home/tc/new-cert.pem -batch Any hint? I'm using OpenSSL 0.9.8 05 Jul 2005, is this to old? Gerd -- ------ -- Gerd Schering, Email: [

what's the difference between copy and move?

Hi, in the template config file that came with 0.9.8, I found that subjectAltName=email:copy subjectAltName=email:move are both possible, but what is the difference? Gerd -- -- -- Gerd Schering, Email: [EMAIL PROTECTED

how to look for utf8 in CSRs?

Hallo, could someone tell me how can I se if a CSR contains utf8 strings in the DN ? openssl req -in csr -noout -text -nameopt show_type has not the desired effect. Gerd -- -- -- Gerd Schering, Email: [EMAIL PROTECTED

Re: strange error when trying to sign CSR

Richard Levitte wrote: Gerd Schering writes: Sorry for this question, of course we have rfc2459. *ahem* 3280 Cheers, Richard Yes, yes you're so right! -- -- -- Gerd Schering, Email: [EMAIL PROT

Re: strange error when trying to sign CSR

leString. Gerd -- ------ -- Gerd Schering, Email: [EMAIL PROTECTED] -- -- TU Berlin, Zentraleinrichtung Rechenzentrum -- -- Sekr. E-N 50, Einsteinufer 17, 10587 Berlin -- -- phone: +49 30 314 24383, fax: +

Re: strange error when trying to sign CSR

Gerd Schering wrote: B.t.w. is there an rfc or something else where the allowed string types are defined? Sorry for this question, of course we have rfc2459. Gerd -- -- -- Gerd Schering, Email: [EMAIL PROTECTED] -- -- TU Berlin

Re: strange error when trying to sign CSR

else where the allowed string types are defined? Gerd -- -- -- Gerd Schering, Email: [EMAIL PROTECTED] -- -- TU Berlin, Zentraleinrichtung Rechenzentrum -- -- Sekr. E-N 50, Einsteinufer 17, 10587 Berlin -- -- phone: +49 30 314 24383

Re: strange error when trying to sign CSR

-- -- -- Gerd Schering, Email: [EMAIL PROTECTED] -- -- smime.p7s Description: S/MIME Cryptographic Signature

strange error when trying to sign CSR

tely the same. I'm using OpenSSL 0.9.8-dev XX xxx . Is this a version issue? Gerd -- -- -- Gerd Schering, Email: [EMAIL PROTECTED] -- -- TU Berlin, Zentraleinrichtung Rechenzentrum -- -- Sekr. E-N 50, Einsteinufer 17,

cryptlib vs openssl

Hi, does anyone know about Peter Gutmann's cryptlib and how it compares to openssl? Gerd -- -- -- Gerd Schering, Email: [EMAIL PROTECTED] -- -- smime.p7s Description: S/MIME Cryptogr

smime question

. But when the included cert is expired I get an error and nothing is output. How can I retrieve the message content and the expired cert? Thanks, Gerd -- -- -- Gerd Schering, Email: [EMAIL PROTECTED

Re: domain components in certificate dn?

Richard Levitte - VMS Whacker wrote: In message <[EMAIL PROTECTED]> on Fri, 24 Sep 2004 11:29:23 +0200, Gerd Schering <[EMAIL PROTECTED]> said: Schering> is it possible to use domain name components - as in ldap - Schering> for the certificate dn, i.e. something like Schering>

domain components in certificate dn?

Hi, is it possible to use domain name components - as in ldap - for the certificate dn, i.e. something like dc=mycompany,dc=com instead of the C=US,... staff? Gerd -- -- -- Gerd Schering, Email: [EMAIL PROTECTED

difference between openssl and ssh rsa-public-keys

es part of the base64-encoded data, or get the data encoded first? Thanks, Gerd -- -- -- Gerd Schering, Email: [EMAIL PROTECTED] -- -- smime.p7s Description: S/MIME Cryptographic Signature

Re: revoking expired certificates

Rich Salz wrote: Gerd Schering wrote: Hi, It is possible (via the ca utility) to revoke certificates that already have expired. Hard to say. The ITU X.509 standard says that if a certificate is revoked, it stays on the CRL for one CRL past its expiration date. In other words, if the order

Re: once more: what is the exact meaning of this error message?

Richard Levitte - VMS Whacker wrote: In message <[EMAIL PROTECTED]> on Fri, 28 Nov 2003 11:02:56 +0100, Gerd Schering <[EMAIL PROTECTED]> said: Schering> when I try to update the database via Schering> Schering> openssl ca -config $Config -updatedb Schering> Schering>

Re: once more: what is the exact meaning of this error message?

Hi, sorry for the signature of the prceeding post. I thaught, I told my email client explicitly not to do so, but maybe it ignored the directive or it was my fault. Sorry, Gerd -- -- -- Gerd Schering, Email: [EMAIL PROTECTED

once more: what is the exact meaning of this error message?

name index:(2,223,364) It is clear, there is some sort of index clash, but what is the meaning of "(2,223,364)", especially of the last two numbers? Thanks, Gerd -- ------ -- Gerd Schering, Email: [

what does this error message mean?

-- -- -- Gerd Schering, Email: [EMAIL PROTECTED] -- -- smime.p7s Description: S/MIME Cryptographic Signature

attribute certificates

Gerd -- -- -- Gerd Schering, Email: [EMAIL PROTECTED] -- -- __ OpenSSL Project http://www.openssl.org User Support Mailing List[

Max values in config file

its or where to look for? Thanks, Gerd -- ------ -- Gerd Schering, Email: [EMAIL PROTECTED] -- -- __

smime verification problem

-- -- -- Gerd Schering, Email: [EMAIL PROTECTED] -- -- __ OpenSSL Project http://www.openssl.org User Support Mailing List

Re: Problem mit Extension bei Cross Zertifizierung?

s auch beantwortet und ich hab es übersehen? Gruß, Gerd -- -- -- Gerd Schering, Email: [EMAIL PROTECTED] -- -- TU Berlin, Zentraleinrichtung Rechenzentrum -- -- Sekr. E-N 50, Einsteinufer 17, 10587 Berlin

Re: Wrong values copied to authorityKeyIdentifier?

Thanks! Erwann ABALEA wrote: On Wed, 20 Nov 2002, Gerd Schering wrote: I have the following CA/cert hierachy: rootca -> serverca -> servercert when I look at the authorityKeyIdentifier in the servercert I see: keyid: O.K. serial: O.K. but DirName is NOT the DirName of the serverca b

Wrong values copied to authorityKeyIdentifier?

g on? Gerd -- ------ -- Gerd Schering, Email: [EMAIL PROTECTED] - -- __ OpenSSL Project http://www.openssl.org User Support M

Re: Questions about seeding of the PRNG

Lutz Jaenicke wrote: On Fri, Oct 18, 2002 at 02:23:29PM +0200, Gerd Schering wrote: [..] 2. When RANDFILE is pointing to a plain file, I notice that after each use, data is written back and the file gets larger and larger. I understand, that it is necessary to save a new seed for the PRNG

Questions about seeding of the PRNG

for seeding, when generating for instance a 2048 bit RSA key? Best regards, Gerd Schering -- -- -- Gerd Schering, Email: [EMAIL PROTECTED] -- -- smime.p7s Description: S/MIME Cryptographic

Problem with string type for CN when trying to sign csr

? Thanks, Gerd -- ------ -- Gerd Schering, Email: [EMAIL PROTECTED] -- -- smime.p7s Description: S/MIME Cryptographic Signature

Re: libcrypto.so.2

anyone know where I can get the > libcrypto.so.2. ??? > > I am using Linux Mandrake 8.1 > libcrypto.so.x is included in the libopenssl0-0.9.6c-2mdk rpm-package. Gerd -- -- -- Gerd Sch

Re: Problem with cryptoswift card

aphic operations are really always performed by the board? (sounds somewhat silly, I know) Gerd -- -- -- Gerd Schering, Email: [EMAIL PROTECTED] -- -- TU Berlin, Zentraleinrichtung Rechenzentrum -- -- Sekr. E-N 50, Einst

Problem with cryptoswift card

_DLFCN_H -DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -m486 -Wall -DSHA1_ASM -DMD5_ASM -DRMD160_ASM [...] -- ------ -

How to get extension from the request into the cert?

-- -- Gerd Schering -- Email: [EMAIL PROTECTED] -- __ OpenSSL Project http://www.openssl.org User Support Mailing List

How to get extensions from request to cert?

address below. The address in the header might be misleading or not available! -- -- Gerd Schering -- Email: [EMAIL PROTECTED

Re: RAW DER hex encoding

, which is not present in its DER encoding, for instance: .. 1.0.8571.2: .^[EMAIL PROTECTED] The encoding in the config file was: 1.0.8571.2=DER:16:0D:74:65:73:74:31:40:72:73:61:2E:63:6F:6D Maybe caused by emacs? Any hint, or simply ignore? Thanks, Gerd Gerd Schering wrote: > >

Re: List of suppported extension?

Sorry for that email. I think I found the list in openssl.txt. Gerd Gerd Schering wrote: > > Hi, > > does a list of currently supported X.509v3 extension > by OpenSSL exist? > It seems to me, that the information is scattered about > various

List of suppported extension?

Hi, does a list of currently supported X.509v3 extension by OpenSSL exist? It seems to me, that the information is scattered about various documents. Gerd -- -- Gerd Schering -- Email: [EMAIL PROTECTED

Re: openssl-0.9.5a questions

On Tue, 08 Aug 2000, you wrote: I dont know about 0.9.4 but under 0.9.5a you can do a make linux-shared to get the shared library stuff. But you still have to put the *so* files somewhere in your library path and do a ldconfig or whateverver is appropriate for your system. Gerd > Hi, > A

How to use openssl for key and cert management?

Hi, are there tools that come with OpenSSL, suitable to achieve a rudimentary form of key and certificate management? What I mean is this: -how can I ensure that a special key does not get certified twice or for another purpose? -how/where have certs and eventually keys t

How to import keys + certs into Netscape certificate server.

Hi, we use netscape certificate server (ncs) for S/Mime certs. Unfortunately our ncs restricts the length of the root key to 1024 bits. Is is possible to import an openssl-generated key + cert into ncs? Gerd -- -- Gerd Schering -- Email

Re: getting shared dynamic libraries

On Mon, 17 Jul 2000, you wrote: > How can I get shared dynamic libraries (e.g. .so files) of libssl and > libcrypto? I've tried "./Configure linux-elf" and that does not give > me any more than the 2 .a files. > do a "make linux-shared". This builds the libs in the source tree. You have to copy

What is libRSAglue.a for?

When compiling opensll on a linux-redhat-6.0 system I get a library "libRSAglue.a". I cant figure out what it does. BTW when compiling openssl under mandrake-7.0 (=redhat-6.1) I do not get this lib. Even more strange: under redhat-6.0 - when generating a rsa key for instance - openssl never stops

Re: whats wrong with /dev/urandom ??? !!!!!

On Wed, 12 Jul 2000, you wrote: EVRANDOM" that is set in e_os.h. > > Did you specify RANDFILE /dev/urandom? > > Best regards, As environment variable or in openssl.cnf you mean? No I didnt. Ciao Gerd __ OpenSSL Project

Re: whats wrong with /dev/urandom ??? !!!!!

On Wed, 12 Jul 2000, you wrote: > > Did you specify "-rand /dev/urandom" on the command line? > You MUST NOT do that. If you have /dev/urandom, the OpenSSL library and > applications will silently query it for you. > If you specify it on the command line, the "-rand" option tries to use > the who

make test hangs while reading from /dev/urandom

Excuse me, for mailing this question once again, but now I know a little bit more: I´ve compiled openssl-0.9.5a with shared libs under linux (make linux-shared). After installing the shared libs I ran "make test". Most of the tests just seem to be o.k., but when it comes to the generation of a sel

"make test" hangs, when converting cert req into a self signed cert

Hi, I´ve compiled openssl-0.9.5a with shared libs under linux (make linux-shared). After installing the shared libs I ran "make test". Most of the tests just seem to be o.k., but when it comes to the generation of a self signed cert from a certificate request generated by the test suite, i.e.: "