In addition to however OpenSSL does it, you can see how it’s done here:
https://metacpan.org/release/Crypt-Perl/source/lib/Crypt/Perl/X509/Extension/ct_precert_scts.pm
https://metacpan.org/release/Crypt-Perl/source/lib/Crypt/Perl/X509/Extension/ct_precert_poison.pm
-F
> On Jan 10, 2021, at
You can check IETF RFC 4523 for the schema.
On Wed, Nov 23, 2011 at 4:51 PM, prabhu kalyan rout pkr...@gmail.com wrote:
Thanks for the document. This document tells me about the ldif file
but it's not saying anything about the schema. I need a step by step procedure.
Please help.
On Mon, Nov
On Mon, Nov 21, 2011 at 9:51 PM, Erwin Himawan ehima...@gmail.com wrote:
Although, this doc is outdated, I find that this doc is helpful:
http://vandervlies.xs4all.nl/~andre/Docs/pkildap.html
On Mon, Nov 21, 2011 at 7:53 AM, prabhu kalyan rout pkr...@gmail.com wrote:
Hi,
I am trying to store user certificates to LDAP. But I don't know how to do it.
Can anybody
You could do this to read in a certificate:
#include <openssl/bio.h>
#include <openssl/pem.h>
#include <openssl/x509.h>

/* Parse a PEM-encoded certificate held in a NUL-terminated memory buffer. */
X509* loadCert(const char* inputBuffer)
{
    BIO *cert = NULL;
    X509* x509Cert = NULL;
    cert = BIO_new_mem_buf(inputBuffer, -1);   /* -1: length taken from strlen() */
    if (cert)
    {
        x509Cert = PEM_read_bio_X509(cert, NULL, 0, NULL);   /* NULL if the PEM is invalid */
        BIO_free(cert);                                      /* the BIO is no longer needed */
    }
    return x509Cert;   /* caller owns the result and must X509_free() it */
}
Hi All
I have a certificate and private key in a buffer (not in a file). How do
I pass these to OpenSSL without storing them in a temp file? In other
words, are there any APIs that take a certificate from a buffer instead
of a file?
I could only find APIs that expect a file argument or X509* or
Thank you.
--satish
-Original Message-
From: owner-openssl-us...@openssl.org
[mailto:owner-openssl-us...@openssl.org] On Behalf Of Brad Mitchell
Sent: Tuesday, June 09, 2009 12:55 AM
To: openssl-users@openssl.org
Subject: RE: Certificates in a buffer
Hi Renato,
On Wed, Jul 2, 2008 at 6:27 PM, Renato Araújo Ferreira
[EMAIL PROTECTED] wrote:
Hello,
I have a program that is installed on some desktops to listen for
connections from a client that connects to this desktop to gather some
information about the system. The problem is that these
I see these in ssl.h
int SSL_CTX_use_certificate(SSL_CTX *ctx, X509 *x);
int SSL_CTX_use_certificate_ASN1(SSL_CTX *ctx, int len, unsigned char *d);
and I've used the SSL_CTX_use_certificate_ASN1(), with 'd'
being a DER encoded cert in a buffer
Bhagvan
David Schwartz [EMAIL PROTECTED] wrote:
i mean is there any equivalent function for
SSL_CTX_use_certificate_chain_file which takes certificate buffer
instead of certificate file name.
Just look at the source code to SSL_CTX_use_certificate_chain_file. As I
recall (it has been a while) you will find code in there that addresses the
Still no response :-(
Could someone please help me clarify my doubts?
thanks,
~ Urjit
- Original Message -
From: Urjit Gokhale [EMAIL PROTECTED]
To: openssl-users@openssl.org
Sent: Thursday, May 24, 2007 4:28 PM
Subject: Re: Certificates, users and machines
Thanks for your reply.
I
Hello,
I would like to have your opinion on one scenario, and my approach to
provide needed functionality:
1) I have a server that listens to connection requests from the clients over
the internet (meaning anyone and everyone who knows my ip/port can send me
connection request. I am not
Urjit Gokhale wrote:
It seems that you are making the common mistake of conflating authentication
with authorization. Certs are useful in binding pubkeys to identities and
subsequently in verifying possession of the private key by being able to
perform decryption.
The SSL protocol has
... is it necessary to
issue ONE certificate to EACH individual.
Yes. The problem of granting access based on membership in a
group is an authorization problem.
Correct.
This doesn't have
anything to do with certificates -- permissions and roles
change independently of binding
Mouse wrote:
I.e. for the sake of the argument identity
Michael may have an attribute employee of Tenebras, and another
attribute permitted access to dev repository A12.
Well, the Subject Distinguished Name should have the Organization,
but I strongly disagree with you if you think access
Thank you very much for the response.
For both the responses I got, it looks like the server needs to access the
information (whether identity or attribute or whatever) present in the
certificate and use that to decide the permissions for the peer that
represented this certificate.
Is my
On 2007.05.25 at 08:16:19 -0400, Mouse wrote:
I'm driving at Attribute Certificates. They are supposed to have shorter
life than identity certs, but still long enough to be usable.
I've seen project to add attribute certificates to OpenSSL.
http://openpmi.sourceforge.net/
You can try to
Well, the Subject Distinguished Name should have the
Organization...
Can you envision long-lived certs issued by gov't - like passports? In that
case, Organization would not have the same semantics. But this is less
relevant for our discussion.
...but I strongly disagree with you if you
For both the responses I got, it looks like the server needs
to access the information (whether identity or attribute or
whatever) present in the certificate and use that to decide
the permissions for the peer that represented this certificate.
Is my understanding correct?
Partially so. An
and you've just multiplied your public key computation
load by a factor of three or four.
No, you merely double it. One - check that the identity cert is
valid, two - that the attribute cert that *you* are interested in
(out of a dozen that may be attached to this identity cert) is OK.
To: openssl-users@openssl.org
Sent: Wednesday, May 16, 2007 4:45 PM
Subject: Re: Certificates, users and machines
A certificate binds the public key of a public/private (asymmetric)
key pair with additional information.
A certificate is trusted by some trusting authority. In most cases,
this is a certifying authority (CA) -- and the asymmetric signature
by the CA is an assertion that the CA believes
On 2007.05.16 at 16:03:38 +0530, Urjit Gokhale wrote:
Hello everyone,
I have some doubts about certificates, which I wish to get clarification
on.
Here is my understanding about certificates:
* Certificates bind the public key with some other information like the
name
I hope this information helps.
-Kyle H
Thank you for your response and information about the proxies.
I now have a feeling that to write a verification callback function, I will
need to retrieve the information stored in the certificate that the peer
has sent to me.
If you want
Hi VKG
The problem statement confuses me but we had a problem to infinite
host on a single secure server between our client and server and we
chose N Contexts that are loaded with SSL certificate of the server
requested (we know that from our helper program) generated on runtime
and clients
I'm not entirely certain what you're asking here. Usually, clients
have a list of CAs that they trust, and a list of personal
certificates to which they have the private keys. If a server
requests a certificate and gives a certain CA, the client can
automatically send the certificate they have
Hi Goetz,
At least my c_rehash expects CA certs to have the suffix .pem.
And since the -CApath param needs hashes generated by c_rehash
to find the certificates, it will fail...
Fix the extension to .pem, run c_rehash and verify should
succeed...
Thanks. That does it :-)
Cheers,
Mark
Mark wrote:
cat ca_directory/*.pem ca.pem
openssl verify -CAfile ca.pem cert_to_check
works, there is something really strange with your system ...
Same error:
error 20 at 0 depth lookup:unable to get local issuer certificate
This indicates that your CA certificate is not in any of the *.pem
Hi Goetz,
But since you are using an own program, this doesn't matter.
Could you do an
c_rehash ca_directory
openssl verify -CApath ca_directory cert_to_check
error 20 at 0 depth lookup:unable to get local issuer certificate
If this doesn't work, but a
cat ca_directory/*.pem ca.pem
Hi Goetz,
You point at it in the context before the handshake. You can either
point at a dir full of digest named ones or a specific
root cert file.
Strangely I tried the former which did not work. The latter method
appears to work fine (it connected and exchanged data anyway).
Mark wrote:
in OPENSSL_DIR/ssl/misc is a demo script that does something like
a very small and dumb CA...
I don't seem to have this directory.
Replace OPENSSL_DIR with the installation path of your openssl
version...
Bye
Goetz
--
DMCA: The greed of the few outweighs the freedom of the
On Thu, Nov 24, 2005 at 03:06:05PM -, Mark wrote:
Hi,
You load the server cert with SSL_CTX_use_certificate_file()
and the CA... certs with SSL_CTX_use_certificate_chain_file()
Normally you don't have to load the root because the
client has to have the root cert to verify the
Hi Katie,
Thanks again for your help.
How does the client get the root certificate? Is it automatically sent
to the client during the handshake or does the client need to load it
from some file?
You point at it in the context before the handshake. You can either
point at a dir full
On Wed, Nov 23, 2005 at 02:41:17PM -, Mark wrote:
Thanks Katie,
I tried your makefile but it did not work for me (I did change the paths
and fix the missing TABs) but it failed with the error. The rule for
%.cert
looks ok to me:
gmake: *** No rule to make target `sv.cert', needed by
On Tue, Nov 22, 2005 at 01:35:22PM -, Mark wrote:
Hi,
# openssl req -newkey rsa:1024 -keyout nuckey.pem
-keyform PEM -out nucreq.pem -nodes -outform PEM
What are these key files for?
I'm still not sure what these files are for. I guess that the
nuckey.pem is a private key (does this need loading with
Thanks Katie,
And then we say make certs and it makes the certificates up to date.
Hi,
Now a self-signed certificate is something like someone saying "I am
your Trusted Partner. You can trust me because I have a passport which I
issued myself." You can believe in this if, for example, you can check the
key's fingerprints with your partner over the telephone. But if you
On Tue, Nov 22, 2005 at 09:14:58AM -, Mark wrote:
I'm still not sure what these files are for. I guess that the
nuckey.pem
is a private key (does this need loading with
SSL_CTX_use_certificate_chain_file?).
I guess the nucreq.pem is the public key which requires signing. Do I
need to
Hi,
Thanks for all the help everyone.
We're signing the certificates for users. They call up the servers and
present a certificate which authorises them. The root certificate is
stored on the servers, and the fingerprint of it is stored in custom
silicon (so no-one can change the entire
Mark wrote:
Hi,
The following command seems to create a new public and private key:
# openssl req -newkey rsa:1024 -keyout nuckey.pem -keyform PEM -out
nucreq.pem -nodes -outform PEM
Certificates are a lot like PGP keys, with one difference: the public key
has to be wrapped with the Public Key Infrastructure (PKI). So a public
cert will not only contain the public key but it will also contain
information about what the key can be used for (signing, encrypting,
server, client,
Mark,
I am assuming that you are aware of the need for certificates (need for
public key Cryptography).
Now, regarding your query on creating those files to set up a CA, the need for a
CA (in your client-server architecture, and in very simple terms) is to provide all
the clients with some credentials that will
Hi Dinesh All,
Now the different files you need to create for setting up the CA,
OK, I think I understand the purpose of the files cacert.pem (public key),
private/cakey.pem (private key), index.txt and serial.
What I don't understand is what files require signing and what to do
with the
Mark,
I am not sure why you would want to sign the private key, but I am sure
there might be a reason somewhere.
All you should need to sign is the certificate request (cert.req). After
signing the certificate request it is likely that you will want to put
your related certificates and keys
1) you create a private key (this is the secret key ...)
2) you create a public key corresponding to the private key. This key
cannot be reversed to get the private key; that is the main advantage of
public key cryptography.
Ok. I understand this. Would the following command do these two
The problem is not from Apache or whatever the web server you use. The
point is that named virtual host is not possible with SSL.
The very first thing that comes with an HTTPS connection is the SSL
handshaking, and then the HTTP request. In the SSL handshaking, the server
sends the certificate
On Wed, 5 Dec 2001, Jason Hendriks wrote:
jason Even with Apache? Surely you can configure the web server to virtual-host
jason two separate domains both with SSL support?
You can have multiple SSL services (httpd, ipop, etc..) each one
setup on different domains. But you can't have
It is possible to use Apache to support multiple SSL protected
sites on one machine.
The trick is to add IP aliases. Each site needs its own IP address,
its own domain and its own certificate. Apache can handle this.
So basically everyone is mostly right ;-).
Erwann ABALEA wrote:
The problem
haikel wrote:
I need to develop an application that allows me to update, automatically,
Netscape and IE with new certificates and private keys.
IMHO this is not possible in general since the user's certificate
and key database is hopefully protected with his/her passphrase.
If you want to
looking into the latest snapshot it seems that in apps/x509.c
there should be one line added (the last one), or at least
putting the test inside the following if (ok) 'then' branch.
static int MS_CALLBACK callb(int ok, X509_STORE_CTX *ctx)
{
int err;
X509 *err_cert;
Reiner Buehl wrote:
There is a (not recommended) possibility for this: If all of your hosts
belong to the same domain you could generate a so called "wildcard
certificate".
This is a certificate with a hostname like '*.mydomain.org'
AFAIK this does not work with M$ IE.
Ciao, Michael.
Subject: Re: Certificates with many Virtual host
It appears that you are not using one IP address for each virtual host. Once
you've configured those correctly the error should go away.
-
Happy new Millennium - http://www.rog.nmm.ac.uk/mill/index.htm
John Airey
Internet Systems Support Officer, ITCSD, Royal National Institute for the
Blind,
Reiner Buehl wrote:
Hi,
a) Can I make my own certificate valid for many host names?
There is a (not recommended) possibility for this: If all of your hosts
belong to the same domain you could generate a so called "wildcard certificate".
This is a certificate with a hostname like
-Original Message-
From: Michael Ströder [mailto:[EMAIL PROTECTED]]
Sent: 25 January 2001 14:34
To: [EMAIL PROTECTED]
Subject: Re: Certificates
On Tue, Dec 05, 2000 at 02:22:50AM -0500, Jean-Francois Malouin wrote:
I can now use mutt/uw-imap-2000/openssl with cram-md5 authentication!
So far I have mutt-1.3.9i on Linux and irix working. Mutt-1.2.5i does
not seem to like cram-md5 authentication and pine-4.30 (compiled with
Hello Lutz,
* Lutz Jaenicke ([EMAIL PROTECTED]) [20001129 14:36] thus spake:
[much elision]
Please do an openssl rsa -in privkey.pem -text
If the data is listed without a password, you're done. If not, the PEM pass
phrase wanted is the old one needed to decrypt the private key...
woah! That
Hi Sergio,
thanks for your response. I have some more questions and
would greatly appreciate it if you, or somebody else could
help me some more.
Sergio Rabellino wrote:
Jacobus van der Merwe wrote:
...
[Netscape says certs are accepted for 'People' but there is
nothing there]
...
From: Sasa Vucenovic [EMAIL PROTECTED]
svucenovic I used demo demos/selfsign.c to create X.509v3 certificate
svucenovic ( a bit modified ). Now, I would like to verify that
svucenovic certificate with apps/verify.c application but it expects
svucenovic certificate to be in PEM format.
And
1. Are there free certificates somewhere?
You can get a trial one (e.g. at Verisign) or build your own CA
If building your own, your customers will need to download your homemade
CA-cert and verify its fingerprint offband somehow. This could be a
solution when having few customers coming
On Mon, 24 Jul 2000, Michael Beaucourt wrote:
Hi,
I'm working on a Redhat Linux 6.1 system (soon 6.2) and I am relatively
new to SSL. But I will need the technology in the near future for an
e-commerce solution. Now, after reading some stuff I understand you need
to buy a server
At 07:11 AM 7/24/00, you wrote:
1. Are there free certificates somewhere?
Yes. You can build your own (see the OpenSSL docs for creating a CSR) .. the only
difference is that you will not have traceability to a root cert, and any users will
get the dialog box(es) 'do you really trust this
FYI for list users, we too have searched long and hard
for the steps to be a "bundled root CA".
No one seems to be able to give us an answer at Microsoft,
nor locate an accurate URL; guess that is no surprise.
The best we got from Netscape was this URL
At 04:06 AM 7/24/00, you wrote:
You can get a trial one (e.g. at Verisign), or build your own CA
You don't need to build your own CA for a single cert, .. a CA is only required (IIUC)
to manage *client certs*.
I think a good certificate is made of two things, trust (in the CA), and
on being a bundled Root CA-
I suspect that a root CA will have some local laws and policies
to adhere to and declare that they adhere to law/policy numbers
such and such...
Then I suspect the web browsers writers will want a nominal setup fee
$1K + ? to review an application and a couple
On Mon, 24 Jul 2000, ppruett wrote:
FYI for list users, we to have searched long and hard
for the steps to be a "bundled root CA"
...
I think that it would be good to have a section on "bundled root CA"
for Simos' book on OpenPKI http://ospkibook.sourceforge.net
If anyone else
On Wed, 26 Apr 2000, David Oppenheim wrote:
Is there a standard way, or has anyone come up with a way, of reasonably
easily building a certificate into compiled code ? I guess I can think
of several, but if there's a (semi)standard, I'd rather follow it, and not
reinvent the wheel.
one
winterlion wrote:
Okay, I'm trying to get a test WWW-server setup.
And am not ready yet to pick up official cert...
Is it possible to run a test-cert for a short period (and how to limit
period) that at least netscape 4 will accept (though maybe with a
warning)?
You could simply use a
Come on ... strings is a very simple command (under Unix) that extracts
the (null-terminated) "strings" from an executable.
So "strings <netscape program>" means: run the command
strings, passing it as argument the name with which you invoked the netscape
(executable) on your
Michael Ströder wrote:
HI!
I'm currently having a hard time integrating support for MS Internet
Explorer 4+ into my poor man's CA package pyCA.
I managed to generate a certificate request and get the issued
certificate installed into IE with some small VBScript code.
But I have
Olga Antropova wrote:
Hi,
I am in US and have to deal with export regulations on the encryption level.
Does anyone know how the private/public key length is affected by those?
Should the keys be 512 bits?
Disclaimer: I'm no expert on this (not being in the US) but...
I believe (?)
On Mon, 28 Jun 1999, Martin Kuba wrote:
...
Thanks you all for help. I have found this link:
http://www.columbia.edu/~ariel/good-certs/ns45/
on www.openssl.org which leads to a page
with certificates extracted from Netscape4.5
you can also try the attached perl script for exporting
PROTECTED]]On Behalf Of Massimo Capodicasa
Sent: Friday, June 25, 1999 5:27 PM
To: [EMAIL PROTECTED]
Subject: Re: certificates of major CAs
At 17:27 25.06.99 +0200, you wrote:
Hello,
Goetz Babin-Ebell wrote:
At 10:01 24.06.99 +0200, you wrote:
I know that major WWW browsers have a set of compiled-in
certificates like Verisign, Thawte etc. I need the same
for my application. Where can I find certificates
for Verisign, Thawte
Or you can just grab them here:
http://www.e-softinc.com/cacerts.txt
These are the certs we've grabbed as part of an SSL
survey that we are compiling. (Compiled from a variety of
sources, including Netscape 4.0, I believe)
Note the URL must be visited directly, it is not visible
by following
At 10:01 24.06.99 +0200, you wrote:
Hi,
Hello,
I know that major WWW browsers have a set of compiled-in
certificates like Verisign, Thawte etc. I need the same
for my application. Where can I find certificates
for Verisign, Thawte etc. ?
You can extract the certificates from Netscape.
They are
David A. Lee wrote:
For example, IIS Server and IE and Netscape clients never ask me for
pass phrases when using certificates. Does this mean as I suspect
that those products are not really secure ? Or have they found another
method to protect certificates from copying without requiring
"David A. Lee" wrote:
I'm adding SSL into a closed-system/product. I'm concerned about the
protection of the client-side certificates. My (limited) understanding of
crypto says that it's critical to protect the client certificate, otherwise
authentication is compromised (anyone who