Just because the PKCS12 is going to be YOUR cert (to sign), it requires this
password. It cannot be optional because when you are about to install
this file in an email client, the email client needs to make sure it's
yours; so the password is then asked. No password is requested for OTHER's
tushar ganguli wrote:
Hi,
I have been using the PKCS12 command and it seems that the command
compulsorily asks for the password.
Shouldn't that be optional? Does it compulsorily encrypt all
certificates and keys with the export password?
Regards,
Tushar.
Use the command line option
hi all,
Does anyone know how do I combine the loading of engine and decryption
command all in the same line?
I did this and this works
OpenSSL engine -t dynamic -pre SO_engine_pkcs11 -pre ID:pkcs11 -pre
LIST_ADD:1 -pre Load -pre MODULE_PATH:OCSCryptolib_P11.dll
dynamic Dynamic engine loading
Hi,
Is there a way to verify certificate without root ca? I have 4
certificate: rootca.pem is the root ca (self signed). subca.pem was
signed by rootca.pem. cert1.pem cert2.pem was signed by subca.pem. I
was supposed to configure the client and server using subca.pem as ca,
and cert1.pem
Hi,
Hmm...
I've had the same issue.
Basically it came down to how do you know if the sub is reliable if
you do not know whether to trust the root?
If you do not wish to have the root as part of the chain, create a new
chain where the sub is the root
What is the reason you do not want to use the
Hi,
I was wondering, is it possible to specify all settings that are in
openssl.cnf on the commandline as well?
This would make generating certificates a lot easier.
Thanks in advance
Regards,
Serge Fonville
hi,
I am using bn_rand function which is taking more than 10 seconds to execute.
OS: Windows XP SP3
OS Locale: Swedish
I am not able to reproduce issue on other machine. Can you please guide me
on what can be the reason behind BN_Rand taking so long? Any help is appreciated.
Thank you
Have a nice
Hi Serge,
My intention is to keep my root ca out of compromise. We want to use sub
ca to split the domain in our whole network. Then, we can easily
re-sign a new sub ca and publish it if we find one domain sub ca was
compromised. And if we expose the root ca to the public, it is hard to
I only want to verify the signature (I mean the procedure when sub ca
signs the certificate). So I guess sub ca and certification should have
enough info to do it because we needn't root ca when we use sub ca to
sign the certificate. Is there a way for this requirement? Thanks.
Br
Ben
Based on what you state.
There is no purpose for the root CA.
What do you mean by compromised.
If you publish a CA certificate to clients, it does not include the
key. (normally)
So the only thing a client can do is use it in the session at best.
There is NO way a client can use a CA certificate
Hi,
Is there a way to verify certificate without root ca? I have 4
certificate: rootca.pem is the root ca (self signed). subca.pem was
signed by rootca.pem. cert1.pem cert2.pem was signed by subca.pem. I
was supposed to configure the client and server using subca.pem as ca,
and cert1.pem
Hi All,
I want to write an SSL client which will not ack for all the data on TCP layer
and then close a connection i.e I want to test the tcp close when there is
unacknowledged data on socket.
I tried using s_client and tried to modify the code where there is:
k=SSL_read(con,sbuf,1024 /*
No. In our environment, the root CA private key is isolated and absolutely safe.
Regarding the compromised, I mean the CA can't be trusted any more, such as the
private key was stolen somehow or someone finds a way to figure out the private key
for one CA. It is easy to set up a new sub ca in one domain if
I don't see your problem honestly. Figuring out a private key is close
to impossible.
And stealing it, well, that is more related to security itself than to
the actual key being secure or not.
From what I understand, a chain works somewhat like this
you
--peter
john
--carl
You talk to
Being unable to use a PKCS#12 file created by OpenSSL with 3 different
applications - Java jarsigner, Firefox/Thunderbird and KeyStoreBuilder
of the package not-yet-commons-ssl
http://juliusdavies.ca/commons-ssl/ - I think that the problem may
well be attributed to an error in the PKCS#12 file.
jehan procaccia a écrit :
I finally found it !
[proca...@anaconda ~]
$ openssl s_client -host svnext.it-sudparis.eu -port 443 -CAfile
/etc/pki/tls/certs/new_it_root_ca10.crt -verify 3
verify depth is 3
CONNECTED(0003)
depth=3 /CN=Institut TELECOM Root class1 Certificate
I should have included a log file for the messages generated by the
script... See attached.
I also note that the signature portion of the smime formatted message
matches the detached signature contents.
Any advice is appreciated,
--
Keith Hellman #include
On Mon August 31 2009, Ritesh Rekhi wrote:
Hi All,
I want to write an SSL client which will not ack for all the data on TCP layer
and then close a connection i.e I want to test the tcp close when there is
unacknowledged data on socket.
I tried using s_client and tried to modify the code
Never, ever, ever, ever, ever under any circumstances issue the same
serial number twice. You tried to issue the same serial to both roots
-- badbadbadbadbadDONOT.
-Kyle H
On Tue, Sep 1, 2009 at 8:56 AM, jehan procaccia <jehan.procac...@it-sudparis.eu> wrote:
jehan procaccia a écrit :
I finally
well, if one takes the standard configuration of openssl,
it sets the authoritykey_identifier both the hash and
issuer serial, no exception for the root. comment says
that pkix recommends that.
I do not see this recommendation in the rfcs.
at least there is a length paragraph for roots
to have
Hi:
2009/8/31 Dave Thompson <dave.thomp...@princetonpayments.com>:
From: owner-openssl-us...@openssl.org On Behalf Of loody
Sent: Friday, 28 August, 2009 04:15
the above means aes-128 cbc will use 55113.2k bytes/second while
encrypting/decrypting 16 bytes plain text?
This build running on
21 matches