such treatment. As far as I remember, they are either
theoretical, difficult to trigger or out of scope.
Pauli
On 23/11/22 12:12, Thomas Dwyer III wrote:
The OpenSSL project has obtained certificate #4282
<https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/4282>
from NIST for the FIPS provider. Nice. However, the certificate and
accompanying security policy specifically list version 3.0.0 while the
current r
Subject: I have successfully installed Godaddy Wildcard SSL certificate in
9 units of Hikvision DS-K1TA70MI-T / DS-K1T341AMF Face Recognition Terminal
Door Access Systems on 27 Oct 2022 Thursday
Good day from Singapore,
Author: Mr. Turritopsis Dohrnii Teo En Ming
Country: Singapore
Date: 27 Oct
and continue to use unexpired certificate/key pairs signed by the expired CA
certificate. I did some research and found "openssl x509 -in ca.crt -days 3650
-out new-ca.crt -signkey ca.key" which seems to work but want to make sure
there aren't any less-than-obvious issue
Subject: I have finally figured out how to export Private Key from
Fortigate firewall and successfully install Godaddy Wildcard SSL
certificate in UniFi Cloud Key Gen 2 Plus Network Controller
Good day from Singapore,
Author: Mr. Turritopsis Dohrnii Teo En Ming
Country: Singapore
Date: 26 Oct
Subject: I have achieved PARTIAL SUCCESS in installing Godaddy SSL
Certificate in UniFi Cloud Key Gen 2 Plus
Good day from Singapore,
I am posting here because UniFi Cloud Key Gen 2 Plus is powered by Debian
GNU/Linux 9.
I have found many reference guides on installing SSL certificate in UniFi
Subject: Resources and reading materials for installing Godaddy Wildcard
SSL certificate in Fortigate firewall
Good day from Singapore,
The following is a list of reference guides which I have read.
[1] Fortigate firewall: Purchase and import a signed SSL certificate
Link:
https
penssl smime -decrypt -in encrypted.dat -binary -inform DEM -inkey
> private.key -out decrypted.txt
>
> How can I complete step A#), so that step B#) will work, without
> involving a Certificate Request, which requires a non-blank two digit
> nation code,
>
> 'You can set an empty i
How can I complete step A#), so that step B#) will work, without involving a
Certificate Request, which requires
a non-blank two digit nation code,
'You can set an empty issuer/subject DN, or use "-keyid" to avoid copying
these into the CMS message.'
Can someone please update my inclu
encryption step to work by means of the public key,
> I have found the following approach which relies on the generation of a
> Certificate Request. The problem is however, that by doing things like this,
>
> A#) openssl req -x509 -nodes -newkey rsa:16384 -keyout private.key -out
> publi
by means of the public key,
I have found the following approach which relies on the generation of a
Certificate Request. The problem is however, that by doing things like this,
A#) openssl req -x509 -nodes -newkey rsa:16384 -keyout private.key -out
public.key
B#) openssl smime -encrypt -binary -aes-256
by means of the public key,
I have found the following approach which relies on the generation of a
Certificate Request. The problem is however, that by doing things like this,
A#) openssl req -x509 -nodes -newkey rsa:16384 -keyout private.key -out
public.key
B#) openssl smime -encrypt -binary -aes-256
ge algorithm. Is that not right?
Other than with TLS 1.0--1.2 anon-DHE and anon-ECDHE ciphersuites, the
server key exchange message parameters are signed with the server's
public key. If a client certificate is solicited, the client's
ClientVerify message is signed with the client's public key.
I'll give it a try.
>
> The Certification Authority (CA) that released the certificate has an RSA
> key. That was used to generate the signature in the cert, that tells users
> that the CA verified the Certificate Subject identity and that they hold the
> secret key associa
I'll give it a try.
The Certification Authority (CA) that released the certificate has an RSA
key. That was used to generate the signature in the cert, that tells users
that the CA verified the Certificate Subject identity and that they hold
the secret key associated with the Subject's Public Key
I am a bit confused when an RSA signed ECDSA certificate is being used in TLS.
For example, if you run the test for facebook.com, you will see that
the certificate has ECDSA key but signed with Signature Algorithm:
sha256WithRSAEncryption.
$ openssl s_client -connect www.facebook.com:443
Please read the blog post about this here:
https://www.openssl.org/blog/blog/2022/08/24/FIPS-validation-certificate-issued/
Matt
Actually the error is:
533:error:02001002:system library:fopen:No such file or
directory:bss_file.c:175:fopen('/opt/ssl-v1.02u/ssl/cert.pem','r')
533:error:2006D080:BIO routines:BIO_new_file:no such
file:bss_file.c:182: 533:error:0B084002:x509 certificate
routines:X509_load_cert_crl_file:system
great till I was on openssl 1.0.2k.
We have shifted to openssl 1.0.2u and now the call
X509_LOOKUP_load_file(..) for self-signed cert is not working. Somehow
it seems to be looking for a default CA certificate. This is the error
I get:
533:error:02001002:system library:fopen:No such file
Usually only at the end of the chain you have a trusted cert that
> represents the trust anchor for the chain.
The certificate in question appears to be issued by a private CA, so the
immediate issuer may well be the trust-anchor. That said, yes, there is
not enough information in t
The below warning message looks a bit like it was produced by OpenSSL,
but pretty sure it actually comes from the freeradius server code, which
appears to use one of the OpenSSL certificate checking callback
mechanisms. So you should ask there what the exact intention for this
warning is and how
I have freeradius server configured to use EAP-TLS
(certificate based authn)
Since some time I have warning in logs:
--8<---cut here---start->8---
Fri Jul 15 22:29:04 2022 : Warning: (TLS) untrusted certificate with depth [1]
subject name /C
lows a user to log
>> in by
>> >> providing a certificate. In order to do custom checks, I have
>> added a
>> >> verify callback to my code to check the certificate on top of its
>> >> cryptographic features (CA Valid, etc).
>
On 07/06/2022 13:46, Michael Richardson wrote:
Matt Caswell wrote:
> On 06/06/2022 18:08, Christian Schmidt wrote:
>> Hi,
>> I am building a server application that allows a user to log in by
>> providing a certificate. In order to do custom
Matt Caswell wrote:
> On 06/06/2022 18:08, Christian Schmidt wrote:
>> Hi,
>> I am building a server application that allows a user to log in by
>> providing a certificate. In order to do custom checks, I have added a
>> verify callback to my co
On 06/06/2022 18:08, Christian Schmidt wrote:
Hi,
I am building a server application that allows a user to log in by
providing a certificate. In order to do custom checks, I have added a
verify callback to my code to check the certificate on top of its
cryptographic features (CA Valid, etc
Hi,
I am building a server application that allows a user to log in by
providing a certificate. In order to do custom checks, I have added a
verify callback to my code to check the certificate on top of its
cryptographic features (CA Valid, etc).
If the certificate does not pass my extended
mmand does not have an -outform option.
And for those having it such as openssl x509, it is not needed because
PEM is the default.
Regards,
David
>
> From: openssl-users On Behalf Of
> Beilharz, Michael
> Sent: Wednesday, May 25, 2022 3:10 AM
> To: 'openssl-users@openssl.
Try adding the following command line arguments: -outform pem
From: openssl-users On Behalf Of Beilharz,
Michael
Sent: Wednesday, May 25, 2022 3:10 AM
To: 'openssl-users@openssl.org'
Subject: How to convert .P12 Certificate (ECC crypted) to .PEMs
CAUTION: Email originated externally. Do
Hi OpenSSL Community,
actual I have to convert a .P12 certificate (RSA crypted/created) into .PEM
certificates,
I use the following commands:
openssl pkcs12 -in "inCert.p12" -clcerts -nokeys -out "outCert.pem" -passin
pass:
openssl pkcs12 -in "outCert.pem" -nocert
On 25 May 2022, at 09:16,
wrote:
> I’ve a server application and need to support RSA and ECC clients at the same
> time.
> I don’t know which certificate from my local keystore I have to send to the
> client, btw I have a rsa and a ecc certificate in my keystore already.
>
Dear Tobias,
Does code in s_server application help?
On Wed, May 25, 2022 at 9:17 AM wrote:
> I’ve a server application and need to support RSA and ECC clients at the
> same time.
>
> I don’t know which certificate from my local keystore I have to send to
> the client, b
I've a server application and need to support RSA and ECC clients at the same
time.
I don't know which certificate from my local keystore I have to send to the
client, btw I have a rsa and a ecc certificate in my keystore already.
I don't know with which certificate (rsa or ecc) a client comes
On Tue, May 24, 2022 at 04:10:00PM +0100, Angus Robertson - Magenta Systems Ltd
wrote:
> I do see a lot of SSL connection errors in my logs, but assume these
> are mostly hackers or trackers with software not able to support
> TLS/1.2, usually with a blank SNI and ALPN and often no extensions in
>> I've a server application and need to support RSA and ECC
>> clients at the same time.
>
> Configure the server's SSL_CTX with both certificate chains and
> the private keys for the two entity certificates, and for older
> TLS versions the server will select the
> From: openssl-users On Behalf Of Matt
> Caswell
> Sent: Tuesday, 24 May, 2022 07:43
> To: openssl-users@openssl.org
> Subject: Re: using TLS (>1.2) with more than one certificate
>
> On 24/05/2022 13:52, tobias.w...@t-systems.com wrote:
> > I’ve a server appli
On 24/05/2022 13:52, tobias.w...@t-systems.com wrote:
I’ve a server application and need to support RSA and ECC clients at the
same time.
I don’t know which certificate from my local keystore I have to send to
the client, btw I have a rsa and a ecc certificate in my keystore already.
I
I've a server application and need to support RSA and ECC clients at the same
time.
I don't know which certificate from my local keystore I have to send to the
client, btw I have a rsa and a ecc certificate in my keystore already.
I don't know with which certificate (rsa or ecc) a client comes
ey -subj "/CN=test" -addext
"subjectAltName = IP:1.2.3.4, DNS:test.com" -out ee.crt
HTH,
David
On Sat, 2022-05-21 at 06:45 -0400, Michael Richardson wrote:
>
> Henning Svane wrote:
> > I am using OpenSSL 1.1.1f Is there a way to make a SAN
> certificate
>
Henning Svane wrote:
> I am using OpenSSL 1.1.1f Is there a way to make a SAN certificate
> based on the CSR I have created in Exchange. I need a self-signed
> certificate for testing.
I'm not exactly sure what you think a SAN certificate is.
I guess one with a Subje
Hi
I am using OpenSSL 1.1.1f
Is there a way to make a SAN certificate based on the CSR I have created in
Exchange.
I need a self-signed certificate for testing.
Regards
Henning
Thank you for the clarification.
On Mon, Mar 28, 2022 at 12:41 PM Tomas Mraz wrote:
> On Mon, 2022-03-28 at 09:24 +0300, Mib wrote:
> > Hi, I am trying to create a ECC certificate with ecdsa_with_SHA3-512
> > signature algorithm.
> >
> > But I am having the below
On Mon, 2022-03-28 at 09:24 +0300, Mib wrote:
> Hi, I am trying to create a ECC certificate with ecdsa_with_SHA3-512
> signature algorithm.
>
> But I am having the below issue When I try to verify it with the
> X509_Verify api.
> "error:068000C7:asn1 encoding rout
Hi, I am trying to create a ECC certificate with ecdsa_with_SHA3-512
signature algorithm.
But I am having the below issue When I try to verify it with the
X509_Verify api.
"error:068000C7:asn1 encoding routines::unknown signature algorithm"
As I understand, "ecdsa_with_SHA3-512
Thanks.
I did some more analysis and now I understand it completely.
ECC curve equation:
y^2 = x^3 + ax + b (mod p), where p is prime
Elliptic Curve parameters are:
p, a, b, G, n, h
G = Generator Point used to generate other points
Private Key = Random Number
Public Key = Point on Curve =
On Sat, Mar 26, 2022 at 12:32:03PM +0530, Vipul Mehta wrote:
> If we consider ECDHE_ECDSA cipher based TLS handshake, then it is possible
> that the client can send invalid public session key to the server causing
> the vulnerability. Is this assumption correct ?
The CVE only affects situations
Hello,
Our server does not consume any certificate from the client.
Client authentication or client certificate verification is disabled.
Server always has a valid ECC certificate.
BN_mod_sqrt() is not used anywhere in the server except by openssl.
If we consider ECDHE_ECDSA cipher based TLS
ate a whole CA with 2048 bit public and private
> keys (I used in req section of openssl.conf, the default_bits to 2048)
> to a Signature algorithm that don't bother the SECLEVEL 2?.
SHA2-256 is sufficient.
> I mean to have two versions of the same certificate. One for SECLEVEL1
> an
algorithm that don't bother the SECLEVEL 2?. I mean to have two versions of
> the
> same certificate. One for SECLEVEL1 and one for SECLEVEL2?. I preserve all
> csr and
> so
It's not clear to me exactly what you're thinking of doing here. Usually what
I'd do is create a new
Good morning,
We are running our own home ca, for generating certificates for our
backup system. The new operating systems being recently backed up, have
started saying :
_OPENSSL.C:67-0 JCR=0 ERROR LOADING CERTIFICATE FILE:
ERR=ERROR:140AB18E:SSL ROUTINES:SSL_CTX_USE_CERTIFICATE:CA MD TOO
ints to the one
shipped with openssl. Thanks for bringing my attention to it.
Regards,
Glen
> On Jan 27, 2022, at 8:25 PM, Matt Caswell wrote:
>
>
>
> On 27/01/2022 06:00, Glen Huang wrote:
>> Hi,
>> I’m trying to create a signed certificate from a CA certificate without
On 27/01/2022 06:00, Glen Huang wrote:
Hi,
I’m trying to create a signed certificate from a CA certificate without
creating a CSR first. From the doc, I came up with this command:
```
openssl req -CA ca.crt -CAkey ca.key -key leaf.key -subj '/CN=leaf' -out
leaf.crt
```
However
Hi,
I’m trying to create a signed certificate from a CA certificate without
creating a CSR first. From the doc, I came up with this command:
```
openssl req -CA ca.crt -CAkey ca.key -key leaf.key -subj '/CN=leaf' -out
leaf.crt
```
However,
```
openssl x509 -in leaf.crt -text -noout
Subject: How to renew and install SSL certificate for
Virtualmin/Webmin, Apache web server, Dovecot and Postfix for a
company in Singapore on 6 Dec 2021 Mon
Author: Mr. Turritopsis Dohrnii Teo En Ming (TARGETED INDIVIDUAL)
Country: Singapore
Date: 6 Dec 2021 Monday Singapore Time
Type
Hello
I get my log spammed with this alert:
sslize error: error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert
certificate unknown
As far as I can read from the net, it is because the CA certificates on my
server is not up to date.
Actually there is none, as this is an embedded target
- Forwarded Message - From: Zlatko Vrastic To:
"openssl-users@openssl.org" Sent: Friday, October
22, 2021, 03:25:10 PM GMT+2
Subject: openssl s_client privatekey engine pkcs11 -
no SSL_connect:SSLv3/TLS write certificate verify
When using
openssl s_client .. -keyf
, Alex Robuchon wrote:
>
> > > Not quite, a candidate chain is constructed from whatever certificates
> the
> > > peer (server in your case) provided, and then passed to the callback
> with
> > > "preverify_ok" set to false (for the top ce
On Sun, Oct 03, 2021 at 09:33:29PM +0200, Alex Robuchon wrote:
> > Not quite, a candidate chain is constructed from whatever certificates the
> > peer (server in your case) provided, and then passed to the callback with
> > "preverify_ok" set to false (for the top cer
>
> Not quite, a candidate chain is constructed from whatever certificates the
> peer (server in your case) provided, and then passed to the callback with
> "preverify_ok" set to false (for the top certificate), because the chain is
> not trusted.
>
This confuses me a
and then passed to the callback
with "preverify_ok" set to false (for the top certificate), because the
chain is not trusted.
But the eventmachine callback ignores "preverify_ok" and goes through the
motions of doing some sort of verification of each certificate.
Ultimately, i
stem which seems to be the case here
> because it can find /usr/lib/ssl/certs/2e5ac55d.0 .
>
Actually the part responsible for this lookup is not part of the openssl
library but from the ruby callback function registered through
SSL_set_verify which as you said tries to verify each ce
and just attempts to "verify" each certificate in
*isolation*.
https://github.com/eventmachine/eventmachine/blob/5cac87805f26b5cdc29eca713871c3374131d786/ext/ssl.cpp#L693-L697
This means:
* No verification of chain signatures
* No verification of path constraints
237.0", 0x7fff1b4b0f90) = -1 ENOENT (No such
file or directory)
stat("/usr/lib/ssl/certs/4042bcee.0", {st_mode=S_IFREG|0644, st_size=1939,
...}) = 0
openat(AT_FDCWD, "/usr/lib/ssl/certs/4042bcee.0", O_RDONLY) = 8
In the second case I can see it tries to load the R3 certif
Fingerprint=73:0C:1B:DC:D8:5F:57:CE:5D:C0:BB:A7:33:E5:F1:BA:5A:92:5B:2A:77:1D:64:0A:26:F7:A4:54:22:4D:AD:3B
-----BEGIN CERTIFICATE-----
MIIEZTCCA02gAwIBAgIQQAF1BIMUpMghjISpDBbN3zANBgkqhkiG9w0BAQsFADA/
MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT
DkRTVCBSb2
> Yes. To make things even more complex, a few sites also have an
> older version of R3 that is directly signed by the DST root:
>
> - leaf <- R3 <- DST Root CA X3 (self-signed)
>
> but that's far from common at this point.
That old R3 root was issued last winter and got installed in
trust store) does not contain the ISRG root CA certificate
* The version of OpenSSL used (perhaps indirectly via some
library that is linked with an older OpenSSL) is 1.0.x
rather than 1.1.0 or later.
> From what I understood about the let's encrypt certificate chain, R3 i
Hello Openssl community,
I've encountered an issue with em-http-request (
https://github.com/igrigorik/em-http-request) based on top of eventmachine (
https://github.com/eventmachine/eventmachine) since let's encrypt Root
certificate expired the 30th of September. The project has a callback
I've written a blog post to explain the situation with the old Let's
Encrypt root certificate expiration which will happen on 2021-09-30 and
the behavior of OpenSSL 1.0.2 with that root certificate.
Please read, if interested:
https://www.openssl.org/blog/blog/2021/09/13/LetsEncryptRootCertExpire
> From: openssl-users On Behalf Of Jakob
> Bohm via openssl-users
> Sent: Monday, 23 August, 2021 04:40
>
> On 21/08/2021 19:42, Michael Wojcik wrote:
> >> From: rgor...@centerprism.com
> >> Sent: Saturday, 21 August, 2021 11:26
> >>
> >> My openssl.cnf (I have tried `\` and `\\` and `/`
On 21/08/2021 19:42, Michael Wojcik wrote:
From: rgor...@centerprism.com
Sent: Saturday, 21 August, 2021 11:26
My openssl.cnf (I have tried `\` and `\\` and `/` directory separators):
Use forward slashes. Backslashes should work on Windows, but forward slashes work
everywhere. I don't know
On 21.08.21 at 19:53, rgor...@centerprism.com wrote:
I am fine on the command line. I just need a little help with openssl. Do you
have any ideas on setting the hostname with openssl.cnf?
If it would be bash on Linux, scripting this is not a challenge. About Windows: No
idea, sorry.
Subject: Re: Need some help signing a certificate request
Hi rgor...@centerprism.com,
the substitution for your CA did not work: 'Subject: CN = $(hostname), O =
server'.
My recommendation, if you are not familiar with openssl and the command line
would be, use XCA, there is a Windows version
some help signing a certificate request
Hi rgor...@centerprism.com,
the substitution for your CA did not work: 'Subject: CN = $(hostname), O =
server'.
My recommendation, if you are not familiar with openssl and the command line
would be, use XCA, there is a Windows version available.
-> ht
It was the index.txt like you said. Thank you.
-Original Message-
From: openssl-users On Behalf Of Michael
Wojcik
Sent: Saturday, August 21, 2021 1:43 PM
To: openssl-users@openssl.org
Subject: RE: Need some help signing a certificate request
> From: rgor...@centerprism.com
>
at 19:28, rgor...@centerprism.com wrote:
The req.pem contents:
-----BEGIN CERTIFICATE REQUEST-----
MIICbDCCAVQCAQAwJzEUMBIGA1UEAwwLJChob3N0bmFtZSkxDzANBgNVBAoMBnNl
cnZlcjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKXeMnFZM4+aAtyb
YJwau1WLdAFxtlNiLKPZ6WdX0cGyEFeMa9DG+f6R6ZBn6ifwiae8KJmK+maeN
ork anywhere.
> [ ca ]
> default_ca = testca
>
> [ testca ]
> dir = .
> certificate = $dir\\ca_certificate.pem
> database = $dir\\index.txt
What's in index.txt? Is it a valid OpenSSL CA index file, or completely empty
(zero length)?
If it's not either of those, replace it
The req.pem contents:
-----BEGIN CERTIFICATE REQUEST-----
MIICbDCCAVQCAQAwJzEUMBIGA1UEAwwLJChob3N0bmFtZSkxDzANBgNVBAoMBnNl
cnZlcjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKXeMnFZM4+aAtyb
YJwau1WLdAFxtlNiLKPZ6WdX0cGyEFeMa9DG+f6R6ZBn6ifwiae8KJmK+maeN5Th
+NKKYRvJQaNo5h/62lqJMjuLDZqS9B
My openssl.cnf (I have tried `\` and `\\` and `/` directory separators):
[ ca ]
default_ca = testca
[ testca ]
dir = .
certificate = $dir\\ca_certificate.pem
database = $dir\\index.txt
new_certs_dir = $dir\\certs
private_key = $dir\\private\\ca_private_key.pem
serial = $dir\\serial
> From: openssl-users On Behalf Of
> rgor...@centerprism.com
> Sent: Saturday, 21 August, 2021 09:48
> Thanks for the comment. I have tried both `/` and `\` with no change.
Most or all Windows APIs, and most programs, support the forward slash as a
directory separator. The exceptions are
Thanks for the comment. I have tried both `/` and `\` with no change.
From: openssl-users On Behalf Of Tom Browder
Sent: Saturday, August 21, 2021 11:41 AM
Cc: openssl-users@openssl.org
Subject: Re: Need some help signing a certificate request
On Sat, Aug 21, 2021 at 09:21 mailto:rgor
On Sat, Aug 21, 2021 at 09:21 wrote
...
> When I type ‘openssl ca -config .\openssl.cnf -in ../server/req.pem -out
>
I don't do Windows, but your directory separators are not consistent--not
sure of the effect.
-Tom
Hello all,
I am using OpenSSL 1.1.1k 25 Mar 2021 on Windows 10
c:\OpenSSL\x64\bin is part of my path.
When I type 'openssl ca -config .\openssl.cnf -in ../server/req.pem -out
server_certificate.pem -notext -batch -extensions server_ca_extensions' I
get nothing out. No
elow error
>
> error:0B080074:x509 certificate routines:X509_check_private_key:key values
> mismatch
>
> We have confirmed that there are no issues with certificate and private key
> by checking the certificate key hashes.
>
> Have any one encountered this issue when certific
Hi All,
We are trying to integrate OpenSSL 1.1.1i on our device that runs on the
ARM platform. Device boots to ready
state with OpenSSL 1.1.1i. However when we try to access the device EWS, we
are getting below error
error:0B080074:x509 certificate routines:X509_check_private_key:key values
An EE certificate is an "end entity" certificate, which identifies an
entity that isn't a certifier.
On Wed, Jul 21, 2021, 18:23 Thejus Prabhu wrote:
> Thanks for your reply Viktor. I would like to add that this is a self
> signed certificate created on the server. What i
Thanks for your reply Viktor. I would like to add that this is a self
signed certificate created on the server. What is EE certificate?
On Wed, Jul 21, 2021 at 6:55 PM Viktor Dukhovni
wrote:
> On Wed, Jul 21, 2021 at 06:34:03PM -0400, Thejus Prabhu wrote:
>
> > verify error:num=26
On Wed, Jul 21, 2021 at 06:34:03PM -0400, Thejus Prabhu wrote:
> verify error:num=26:unsupported certificate purpose
The certificate in question is CA certificate, not an EE certificate.
Specifically, the key usage and Netscape Cert Type signal that its
purpose is exclusively to be a
Hi,
I am new to openssl and learning how to use it.
I am trying to read the self-signed SSL certificate created on a webserver.
I am using OpenSSL 1.1.1k on the client machine when I make a request
using:
openssl s_client -showcerts -connect 192.168.1.200:443
I end up with the following error
for using a
certificate with localhost alias - I would not recommend doing that. It
is better to use a FQDN and then add that FQDN to the /etc/hosts file using
127.0.0.1
HTH,
JJK
1.1.1f 31 Mar 2020
Ubuntu 20.04
Server version: Apache/2.4.41 (Ubuntu)
Server built: 2021-06-17T18:27:53
My problem:
connecting to a secure server requiring client certificate, i get the
following error when presenting my certificate:
ERR_BAD_SSL_CLIENT_AUTH_CERT
It started to
Hi,
On 30/06/21 00:23, Paulo Wollny wrote:
Dear @ll
My environment:
OpenSSL 1.1.1f 31 Mar 2020
Ubuntu 20.04
Server version: Apache/2.4.41 (Ubuntu)
Server built: 2021-06-17T18:27:53
My problem:
connecting to a secure server requiring client certificate, i get the
following error when
Dear @ll
My environment:
OpenSSL 1.1.1f 31 Mar 2020
Ubuntu 20.04
Server version: Apache/2.4.41 (Ubuntu)
Server built: 2021-06-17T18:27:53
My problem:
connecting to a secure server requiring client certificate, i get the
following error when presenting my certificate
Hi,
Which header file I need to include for X509 OCSP Certificate Verification. I
am getting compilation error for different structures and macros. Although, I
am including following files-
// #include
#include
#include
#include
#include
// #include
#include
Hi,
Using OpenSSL 1.1.1i.
I suppose OpenSSL already supports SM algorithms, including SM2 and SM3.
However, I used the following command on a SM2 certificate,
openssl x509 -text -in test-sm2.crt
and got the below line,
Signature Algorithm: 1.2.156.10197.1.501
This OID is actually SM2 signing
You will need to be a lot more specific - this works fine
openssl s_client -connect localhost:443 | openssl x509 -noout -text
Can't use SSL_get_servername
depth=0 C = US, ST = TX, L = Somewhere, O = MarkHack, OU = Test, CN =
fakeserver.com
verify error:num=18:self signed certificate
verify return
Hi All,
Looking for the same support of SHA512. Do we have sha512 support in any
open source ? Please let me know.
Regards,
Vadivel
On Mon, Apr 19, 2021, 13:15 preethi teekaraman
wrote:
> Hi Openssl,
>
> I'm creating sha512 self signed certificate for establishing connection
> be
Hi Openssl,
I'm creating sha512 self signed certificate for establishing connection
between client and server(nginx server).
creating separate key, cert for server and root cert for client.
below is the link i followed for cert creation:
https://gist.github.com/fntlnz
31 March, 2021 10:31
>
> Most likely you haven't configured a suitable CAfile and/or CApath,
> which contains the root CA that ultimately issued Google's certificate.
>
> Yeah, that is the usual reason.
>
> It looks like Google includes a self-signed root CA in the wire
> cer
Hi Openssl Users,
I'm using different versions of openssl from 2014 to 2020 to create a self
signed certificate.
reference link for cert generation :
https://gist.github.com/fntlnz/cf14feb5a46b2eda428e000157447309
I could see "unknown CA " from client side while exchanging key betw
ately issued Google's certificate.
Yeah, that is the usual reason.
> It looks like Google includes a self-signed root CA in the wire
> certificate chain,
>
Not really. @Viktor, see the diagnostic output of the alternative call
openssl s_client -connect google.com:443
that Nan prov