Re: openssl 1.0.1e Signature verification problems
The output of command openssl asn1parse -i -in cacert.pem is

       0:d=0  hl=4 l= 872 cons: SEQUENCE
       4:d=1  hl=4 l= 729 cons:  SEQUENCE
       8:d=2  hl=2 l=   3 cons:   cont [ 0 ]
      10:d=3  hl=2 l=   1 prim:    INTEGER           :02
      13:d=2  hl=2 l=   9 prim:   INTEGER           :D46F3D4EDCA8F780
      24:d=2  hl=2 l=   5 cons:   SEQUENCE
      26:d=3  hl=2 l=   1 prim:    OBJECT            :itu-t
      29:d=3  hl=2 l=   0 prim:    NULL
      31:d=2  hl=3 l= 133 cons:   SEQUENCE
      34:d=3  hl=2 l=  11 cons:    SET
      36:d=4  hl=2 l=   9 cons:     SEQUENCE
      38:d=5  hl=2 l=   3 prim:      OBJECT            :countryName
      43:d=5  hl=2 l=   2 prim:      PRINTABLESTRING   :US
      47:d=3  hl=2 l=  11 cons:    SET
      49:d=4  hl=2 l=   9 cons:     SEQUENCE
      51:d=5  hl=2 l=   3 prim:      OBJECT            :stateOrProvinceName
      56:d=5  hl=2 l=   2 prim:      PRINTABLESTRING   :LA
      60:d=3  hl=2 l=  11 cons:    SET
      62:d=4  hl=2 l=   9 cons:     SEQUENCE
      64:d=5  hl=2 l=   3 prim:      OBJECT            :localityName
      69:d=5  hl=2 l=   2 prim:      PRINTABLESTRING   :CA
      73:d=3  hl=2 l=  33 cons:    SET
      75:d=4  hl=2 l=  31 cons:     SEQUENCE
      77:d=5  hl=2 l=   3 prim:      OBJECT            :organizationName
      82:d=5  hl=2 l=  24 prim:      PRINTABLESTRING   :Internet Widgits Pty Ltd
     108:d=3  hl=2 l=  13 cons:    SET
     110:d=4  hl=2 l=  11 cons:     SEQUENCE
     112:d=5  hl=2 l=   3 prim:      OBJECT            :organizationalUnitName
     117:d=5  hl=2 l=   4 prim:      PRINTABLESTRING   :Corp
     123:d=3  hl=2 l=  13 cons:    SET
     125:d=4  hl=2 l=  11 cons:     SEQUENCE
     127:d=5  hl=2 l=   3 prim:      OBJECT            :commonName
     132:d=5  hl=2 l=   4 prim:      PRINTABLESTRING   :GWCA
     138:d=3  hl=2 l=  27 cons:    SET
     140:d=4  hl=2 l=  25 cons:     SEQUENCE
     142:d=5  hl=2 l=   3 prim:      OBJECT            :X509v3 Subject Alternative Name
     147:d=5  hl=2 l=  18 prim:      PRINTABLESTRING   :DNS:www.evmweb.com
     167:d=2  hl=2 l=  30 cons:   SEQUENCE
     169:d=3  hl=2 l=  13 prim:    UTCTIME           :130620063616Z
     184:d=3  hl=2 l=  13 prim:    UTCTIME           :230618063616Z
     199:d=2  hl=3 l= 133 cons:   SEQUENCE
     202:d=3  hl=2 l=  11 cons:    SET
     204:d=4  hl=2 l=   9 cons:     SEQUENCE
     206:d=5  hl=2 l=   3 prim:      OBJECT            :countryName
     211:d=5  hl=2 l=   2 prim:      PRINTABLESTRING   :US
     215:d=3  hl=2 l=  11 cons:    SET
     217:d=4  hl=2 l=   9 cons:     SEQUENCE
     219:d=5  hl=2 l=   3 prim:      OBJECT            :stateOrProvinceName
     224:d=5  hl=2 l=   2 prim:      PRINTABLESTRING   :LA
     228:d=3  hl=2 l=  11 cons:    SET
     230:d=4  hl=2 l=   9 cons:     SEQUENCE
     232:d=5  hl=2 l=   3 prim:      OBJECT            :localityName
     237:d=5  hl=2 l=   2 prim:      PRINTABLESTRING   :CA
     241:d=3  hl=2 l=  33 cons:    SET
     243:d=4  hl=2 l=  31 cons:     SEQUENCE
     245:d=5  hl=2 l=   3 prim:      OBJECT            :organizationName
     250:d=5  hl=2 l=  24 prim:      PRINTABLESTRING   :Internet Widgits Pty Ltd
     276:d=3  hl=2 l=  13 cons:    SET
     278:d=4  hl=2 l=  11 cons:     SEQUENCE
     280:d=5  hl=2 l=   3 prim:      OBJECT            :organizationalUnitName
     285:d=5  hl=2 l=   4 prim:      PRINTABLESTRING   :Corp
     291:d=3  hl=2 l=  13 cons:    SET
     293:d=4  hl=2 l=  11 cons:     SEQUENCE
     295:d=5  hl=2 l=   3 prim:      OBJECT            :commonName
     300:d=5  hl=2 l=   4 prim:      PRINTABLESTRING   :GWCA
     306:d=3  hl=2 l=  27 cons:    SET
     308:d=4  hl=2 l=  25 cons:     SEQUENCE
     310:d=5  hl=2 l=   3 prim:      OBJECT            :X509v3 Subject Alternative Name
     315:d=5  hl=2 l=  18 prim:      PRINTABLESTRING   :DNS:www.evmweb.com
     335:d=2  hl=3 l= 159 cons:   SEQUENCE
     338:d=3  hl=2 l=  13 cons:    SEQUENCE
     340:d=4  hl=2 l=   9 prim:     OBJECT            :rsaEncryption
     351:d=4  hl=2 l=   0 prim:     NULL
     353:d=3  hl=3 l= 141 prim:    BIT STRING
     497:d=2  hl=3 l= 237 cons:   cont [ 3 ]
     500:d=3  hl=3 l= 234 cons:    SEQUENCE
     503:d=4  hl=2 l=  29 cons:     SEQUENCE
     505:d=5  hl=2 l=   3 prim:      OBJECT            :X509v3 Subject Key Identifier
     510:d=5  hl=2 l=  22 prim:      OCTET STRING      [HEX DUMP]:04144B91C1ECC4A73A3C73565E9F4CEC0C38EC018A66
     534:d=4  hl=3 l= 186 cons:     SEQUENCE
     537:d=5  hl=2 l=   3 prim:      OBJECT            :X509v3 Authority Key Identifier
     542:d=5  hl=3 l= 178 prim:      OCTET STRING      [HEX DUMP]:3081AF80144B91C1ECC4A73A3C73565E9F4CEC0C38EC018A66A1818BA48188308185310B3009060355040613025553310B3009060355040813024C41310B30090603550407130243413121301F060355040A1318496E7465726E6574205769646769747320507479204C7464310D300B060355040B1304436F7270310D300B0603550403130447574341311B30190603551D111312444E533A772E65766D7765622E636F6D820900D46F3D4EDCA8F780
     723:d=4  hl=2 l=  12 cons:     SEQUENCE
     725:d=5  hl=2 l=   3 prim:      OBJECT            :X509v3 Basic Constraints
     730:d=5  hl=2 l=   5 prim:      OCTET STRING      [HEX DUMP]:30030101FF
     737:d=1  hl=2 l=   5 cons:  SEQUENCE
     739:d=2  hl=2 l=   1
Re: Diffie Hellman problem
Hi Dave,

I've tried my code again and I get the following error:

    330098688:error:0D07A097:asn1 encoding routines:ASN1_mbstring_ncopy:string too long:/SourceCache/OpenSSL098/OpenSSL098-47.1/src/crypto/asn1/a_mbstr.c:154:maxsize=64
    4330098688:error:0B07806F:x509 certificate routines:X509_PUBKEY_set:unsupported algorithm:/SourceCache/OpenSSL098/OpenSSL098-47.1/src/crypto/asn1/x_pubkey.c:219:
    4330098688:error:0B07806F:x509 certificate routines:X509_PUBKEY_set:unsupported algorithm:/SourceCache/OpenSSL098/OpenSSL098-47.1/src/crypto/asn1/x_pubkey.c:219:

This is why my call PEM_write fails. My DH is generating a key of 2048 bits. Is this a problem? Any clue how I can fix it?

About the other questions on the Java side: what we're doing is rewriting a client that's currently written in Java in C++, to improve performance and reduce memory footprint, because this will be embedded in a small device. So what we should do is send the same data as the Java client, because that is the data that the server understands.

Aleix Ventayol | Mobile Jazz
C. Nàpols, 187, 9º, 08013 Barcelona
http://mobilejazz.cat

On Wed, Jun 19, 2013 at 4:28 AM, Dave Thompson dthomp...@prinpay.com wrote:

> From: owner-openssl-us...@openssl.org On Behalf Of Aleix Ventayol
> Sent: Tuesday, 18 June, 2013 17:33
>
> > I've tried it using the following code:
> >
> >     EVP_PKEY *pp = EVP_PKEY_new();
> >     EVP_PKEY_set1_DH(pp, dh);
> >     char *buff;
> >     BUF_MEM *bptr;
> >     int write_rc = 0;
> >     BIO *bmem = BIO_new(BIO_s_mem());
> >     write_rc = PEM_write_bio_PUBKEY(bmem, pp);
> >
> > But I'm not getting anything in pp and write_rc is 0.
>
> Works for me, using file-BIO instead (easier to test). Are you sure dh contains a valid key? What's in the error queue? Easiest way is ERR_print_errors_fp(stderr).
>
> [snip]

__
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org
Re: openssl 1.0.1e Signature verification problems
On Thu, Jun 20, 2013, anand rao wrote:

> The output of command openssl asn1parse -i -in cacert.pem is
>
>        0:d=0  hl=4 l= 872 cons: SEQUENCE
>        4:d=1  hl=4 l= 729 cons:  SEQUENCE
>        8:d=2  hl=2 l=   3 cons:   cont [ 0 ]
>       10:d=3  hl=2 l=   1 prim:    INTEGER           :02
>       13:d=2  hl=2 l=   9 prim:   INTEGER           :D46F3D4EDCA8F780
>       24:d=2  hl=2 l=   5 cons:   SEQUENCE
>       26:d=3  hl=2 l=   1 prim:    OBJECT            :itu-t
>       29:d=3  hl=2 l=   0 prim:    NULL

That looks rather broken. Is this an unmodified version of OpenSSL? What happens if you do:

    openssl asn1parse -genstr OID:sha1WithRSAEncryption

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
Installing openssl-devel-1.0.1e
Hi,

I have installed openssl 1.0.1e using

    rpm -ivh --nosignature http://rpm.axivo.com/redhat/axivo-release-6-1.noarch.rpm
    yum --enablerepo=axivo update openssl

Now I need to install the devel package too. When I do yum install openssl-devel, I see warnings and log such as:

    Protected multilib versions: openssl-1.0.0-27.el6_4.2.i686 != openssl-1.0.1e-1.el6.x86_64.

My repo is trying to install openssl-1.0.0, but it is in conflict with the 1.0.1e version. What is the clean way to sort this issue?
RE: Creating certificates
Read my comments please.

-----Original Message-----
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Patrick Patterson
Sent: Wednesday, June 19, 2013 7:50 PM
To: openssl-users@openssl.org
Subject: Re: Creating certificates

Hi Rodney,

First of all, this isn't a CA certificate - the Basic Constraints CA:FALSE quite plainly points to this. This is a wildcard certificate for use by authorised representatives of securesites.com to be able to use for their own servers.

[[Rod's comment]] Precisely, I want to use this CA for blahblah.securesites.com (ldap server).

Therefore, you will never be able to create any further certificates; you'll just be able to use this certificate and keypair to enable secure communications with your clients with your servers.

[[Rod's comment]] Keypair? Do you mean I can use this CA and the key file it was accompanied with to configure LDAP/TLS/SSL so that my LDAP server will be an authentication provider for services such as shell and ftp?

You MAY need to obtain the GeoTrust CA Certificate to assist people to resolve the trust to your Server.

[[Rod's comment]] Ah, ok, I'm starting to understand this process. Correct me if I am wrong: my admin basically sent me a cert/key pair, and if LDAP requires the CA certificate, I'll need to get that from GeoTrust...

From your previous message, I think that your instance of OpenLDAP is configured to use the Mozilla LibNSS Security Library, and not OpenSSL - the reference to certdb / pkcs#11 sounds a lot like a LibNSS error to me. Therefore, questions regarding the configuration of your server may be more appropriately directed at the OpenLDAP mailing list, and any Certificate issues at the Mozilla LibNSS mailing list.

[[Rod's comment]] Thanks!

Best Regards,

Patrick.

On 2013-06-19, at 5:58 PM, Rodney Simioni wrote:

> Hi,
>
> There was an email earlier yesterday about LDAP/SSL/TLS but I'm going to revise my question. Please disregard the email because instead of creating certificates, I'm going to use certs provided by my linux admin to configure SSL/TLS with LDAP.
>
> My sysadmin gave me 3 wildcard openssl files, with an ext of .cert, .csr, and .key. This wildcard.xxx.cert is supposed to be a CA; below are the important contents:
>
>     [root@fl1-lsh99apa007 ~]# openssl x509 -in wildcard.securesites.com.cert -noout -text
>     Certificate:
>         Data:
>             Version: 3 (0x2)
>             Serial Number: 69277 (0x10e9d)
>             Signature Algorithm: sha1WithRSAEncryption
>             Issuer: C=US, O=GeoTrust, Inc., CN=GeoTrust SSL CA
>             Validity
>                 Not Before: Dec  1 05:59:42 2011 GMT
>                 Not After : Dec  2 01:04:06 2016 GMT
>             Subject: serialNumber=NwnaG0OQxm/2fIiyWh6NThC40ROOk/KH, C=US, ST=Colorado, L=Englewood, O=MYNAMESERVER, LLC, OU=Secure Services Division, CN=*.securesites.com
>             Subject Public Key Info:
>                 Public Key Algorithm: rsaEncryption
>                     Public-Key: (2048 bit)
>             X509v3 extensions:
>                 X509v3 Authority Key Identifier:
>                     keyid:42:79:54:1B:61:CD:55:2B:3E:63:D5:3C:48:57:F5:9F:FB:45:CE:4A
>                 X509v3 Key Usage: critical
>                     Digital Signature, Key Encipherment, Data Encipherment
>                 X509v3 Extended Key Usage:
>                     TLS Web Server Authentication, TLS Web Client Authentication
>                 X509v3 Subject Alternative Name:
>                     DNS:*.securesites.com, DNS:securesites.com
>                 X509v3 CRL Distribution Points:
>                     Full Name:
>                       URI:http://gtssl-crl.geotrust.com/crls/gtssl.crl
>                 X509v3 Subject Key Identifier:
>                     D9:88:62:C6:90:FE:5D:78:9B:AE:5A:78:AF:DF:30:49:7E:54:D3:83
>                 X509v3 Basic Constraints: critical
>                     CA:FALSE
>                 Authority Information Access:
>                     CA Issuers - URI:http://gtssl-aia.geotrust.com/gtssl.crt
>
> How do I create signed certificates with the CA above and those wildcard files so that they will be used with LDAP?
>
> Please excuse my ignorance with openssl. I've been working with this for a few days, and there are so many ways to configure LDAP/SSL when searching google, but they haven't worked for me, probably because I lack experience with SSL. Thanks in advance.
>
> Rod
>
> This email message is intended for the use of the person to whom it has been sent, and may contain information that is confidential or legally protected. If you are not the intended recipient or have received this message in error, you are not authorized to copy, distribute, or otherwise use this message or its attachments. Please notify the sender immediately by return e-mail and permanently delete this message and any attachments. Verio Inc. makes no warranty that this email is error or virus free. Thank you.

---
Patrick Patterson
Chief PKI Architect
Carillon
Re: Diffie Hellman problem
Amazing, it was a version problem. I've only wasted two days trying to understand what's wrong with my code and doing tests. Thanks everyone for your help!!

Aleix Ventayol | Mobile Jazz
C. Nàpols, 187, 9º, 08013 Barcelona
http://mobilejazz.cat

On Thu, Jun 20, 2013 at 1:17 PM, Dr. Stephen Henson st...@openssl.org wrote:

> On Thu, Jun 20, 2013, Aleix Ventayol wrote:
>
> > Hi Dave,
> >
> > I've tried my code again and I get the following error:
> >
> >     330098688:error:0D07A097:asn1 encoding routines:ASN1_mbstring_ncopy:string too long:/SourceCache/OpenSSL098/OpenSSL098-47.1/src/crypto/asn1/a_mbstr.c:154:maxsize=64
> >     4330098688:error:0B07806F:x509 certificate routines:X509_PUBKEY_set:unsupported algorithm:/SourceCache/OpenSSL098/OpenSSL098-47.1/src/crypto/asn1/x_pubkey.c:219:
> >     4330098688:error:0B07806F:x509 certificate routines:X509_PUBKEY_set:unsupported algorithm:/SourceCache/OpenSSL098/OpenSSL098-47.1/src/crypto/asn1/x_pubkey.c:219:
> >
> > This is why my call PEM_write fails. My DH is generating a key of 2048 bits. Is this a problem? Any clue how I can fix it?
>
> You need OpenSSL 1.0.0 at least to support writing DH public keys.
>
> Steve.
> --
> Dr Stephen N. Henson. OpenSSL project core developer.
> Commercial tech support now available see: http://www.openssl.org
OpenSSL Help
Hi;

I am using openssl for a CI Plus implementation. There are some key computations required. These keys are referred to as Authentication Key (AKH) and Secured Channel Key (SAK, SEK). Please let me know which APIs from the openssl code / library will help me with it. If you have any reference code / link, please share it with me.

I am using openssl code / library version OpenSSL 0.9.8o 01 Jun 2010. I want to use this version only.

Please help me ASAP. Thanks in advance.

Regards
Shailendra
Is my process correct.
Hi,

A key/pair was sent to me from my admin and it looked like it came from GeoTrust. It's a wildcard cert. I downloaded the Root CA from GeoTrust's web site because LDAP requires the CA file.

What command do I use to make sure the key/pair that was sent to me is compatible with GeoTrust's CA?

Rod
OpenSSL 1.0.1E and FIPS 2.0.x?
I've searched the archives for an answer, but found nothing obvious - if we move from OpenSSL 1.0.1c (with FIPS OM 2.0) to OpenSSL 1.0.1e, do we also have to move ahead to the latest version of the FIPS OM, which appears to be 2.0.4?

Thanks

+-+-+-+-+-+-+
Dave McLellan, Symmetrix Software Engineering
EMC Corporation, 176 South St, Hopkinton MA
Mail Stop 176-B1 1/P-36
office 508-249-1257, fax 508-497-8027, cell 978-500-2546
+-+-+-+-+-+-+
RE: Is my process correct.: openldap using GeoTrust
From: owner-openssl-us...@openssl.org On Behalf Of Rodney Simioni
Sent: Thursday, 20 June, 2013 12:04

> A key/pair was sent to me from my admin and it looked like it came from GeoTrust. It's a wildcard cert.

A privatekey (which in most formats including openssl's is really a keypair) and a matching certificate. You need both.

> I downloaded the Root CA from GeoTrust's web site because LDAP requires the CA file.

The wildcard.securesites.com.cert you posted 6/19 has Issuer: C=US, O=GeoTrust, Inc., CN=GeoTrust SSL CA and AKI 42:79:54:1B:61:CD:55:2B:3E:63:D5:3C:48:57:F5:9F:FB:45:CE:4A. GeoTrust doesn't publish that anywhere I can find, but http://www.tbs-certificats.com/FAQ/en/603.html has it as

    -----BEGIN CERTIFICATE-----
    MIID2TCCAsGgAwIBAgIDAjbQMA0GCSqGSIb3DQEBBQUAMEIxCzAJBgNVBAYTAlVT
    MRYwFAYDVQQKEw1HZW9UcnVzdCBJbmMuMRswGQYDVQQDExJHZW9UcnVzdCBHbG9i
    YWwgQ0EwHhcNMTAwMjE5MjIzOTI2WhcNMjAwMjE4MjIzOTI2WjBAMQswCQYDVQQG
    EwJVUzEXMBUGA1UEChMOR2VvVHJ1c3QsIEluYy4xGDAWBgNVBAMTD0dlb1RydXN0
    IFNTTCBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJCzgMHk5Uat
    cGA9uuUU3Z6KXot1WubKbUGlI+g5hSZ6p1V3mkihkn46HhrxJ6ujTDnMyz1Hr4Gu
    FmpcN+9FQf37mpc8oEOdxt8XIdGKolbCA0mEEoE+yQpUYGa5jFTk+eb5lPHgX3UR
    8im55IaisYmtph6DKWOy8FQchQt65+EuDa+kvc3nsVrXjAVaDktzKIt1XTTYdwvh
    dGLicTBi2LyKBeUxY0pUiWozeKdOVSQdl+8a5BLGDzAYtDRN4dgjOyFbLTAZJQ50
    96QhS6CkIMlszZhWwPKoXz4mdaAN+DaIiixafWcwqQ/RmXAueOFRJq9VeiS+jDkN
    d53eAsMMvR8CAwEAAaOB2TCB1jAOBgNVHQ8BAf8EBAMCAQYwHQYDVR0OBBYEFEJ5
    VBthzVUrPmPVPEhX9Z/7Rc5KMB8GA1UdIwQYMBaAFMB6mGiNifurBWQMEX2qfWW4
    ysxOMBIGA1UdEwEB/wQIMAYBAf8CAQAwOgYDVR0fBDMwMTAvoC2gK4YpaHR0cDov
    L2NybC5nZW90cnVzdC5jb20vY3Jscy9ndGdsb2JhbC5jcmwwNAYIKwYBBQUHAQEE
    KDAmMCQGCCsGAQUFBzABhhhodHRwOi8vb2NzcC5nZW90cnVzdC5jb20wDQYJKoZI
    hvcNAQEFBQADggEBANTvU4ToGr2hiwTAqfVfoRB4RV2yV2pOJMtlTjGXkZrUJPji
    J2ZwMZzBYlQG55cdOprApClICq8kx6jEmlTBfEx4TCtoLF0XplR4TEbigMMfOHES
    0tdT41SFULgCy+5jOvhWiU1Vuy7AyBh3hjELC3DwfjWDpCoTZFZnNF0WX3OsewYk
    2k9QbSqr0E1TQcKOu3EDSSmGGM8hQkx0YlEVxW+o78Qn5Rsz3VqI138S0adhJR/V
    4NwdzxoQ2KDLX4z6DOW/cf/lXUQdpj6HR/oaToODEj+IZpWYeZqF6wJHzSXj8gYE
    TpnKXKBuervdo5AaRTPvvz7SBMS24CqFZUE+ENQ=
    -----END CERTIFICATE-----

which is an intermediate (not root) cert (verifiably) under Issuer: C=US, O=GeoTrust Inc., CN=GeoTrust Global CA, AKI C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E, and THAT is Root 2 (one of several) on http://www.geotrust.com/resources/root-certificates/index.html (also in the standard Windows, Firefox, and Java truststores).

> What command do I use to make sure the key/pair that was sent to me is compatible with GeoTrust's CA?

Either concatenate the intermediate above and the correct root (also in PEM) into one file, say geotrustCAs.pem, and do:

    openssl verify -CAfile geotrustCAs.pem yourcertfile

Or put them as separate files in some directory, say mycadir, create hashnames using c_rehash or by hand, and do:

    openssl verify -CApath mycadir yourcertfile

(The first is usually easier.)

Assuming (as asked before) your openldap is using openssl not MozillaNSS, to use a keycert with an intermediate cert openssl requires either configuring a certchain file or putting the chain cert(s) in the truststore (even if the cert(s) or truststore aren't needed for verification). The manpage on http://linux.die.net/man/5/slapd-config does not indicate any option to configure a chain file; if that is true for the version you are using, use one of the above approaches with olcTLSCACertificateFile or Path.
RE: cannot open certdb
From: owner-openssl-us...@openssl.org On Behalf Of Rodney Simioni
Sent: Wednesday, 19 June, 2013 10:15

Comments inline.

From: owner-openssl-us...@openssl.org On Behalf Of Dave Thompson
Sent: Tuesday, June 18, 2013 10:29 PM

Here's the command that I used to create the CA.

[snip]

Here's the command that created the certificates.

    openssl req -newkey rsa:1024 -nodes -sha1 \
        -keyout cert.key -keyform PEM -out cert.req -outform PEM

Here's the command that signed the certificate.

    OPENSSL_CONF=ca.cnf openssl ca -batch -notext -in cert.req -out cert.pem

Nit: that created a Certificate Signing Request aka CSR, and then created and signed a cert from the CSR. A CSR is NOT a cert, or even a cert-TBS (cert_info), although it is related.

[[Rod's comment]] Oh, I thought that created the actual CA file, my bad. So, what should I do?

It does create a *certificate*, under your own private CA. If that's what you want (from later posts apparently not), what you did is right, you just described it wrong. That's why I said Nit.

[snip]

What actually is, or is in, /etc/openldap/cacerts ?

[[Rod's comment]] The contents of the directory is the ca.pem file I created above; I copied it over there from the directory where I created the file.

Is it a directory and is ca.pem a file you put there?

[[Rod's comment]] As I said above, it's a file.

openssl will ignore 'extra' files in a CApath, but maybe openldap doesn't. If so, the error message is slightly off; the hashname openssl wants is a hash of the *subject* plus a numeric suffix, not a hash of the cert. But that could just be a typo.

If that file belongs there, try naming it with the value from commandline x509 -subject_hash (or -hash) followed by dot zero.

[[Rod's comment]] Could you kindly post the actual command here?

    openssl x509 -in name_of_cert_file -hash

displays an 8-hex-char value, e.g. 1234abcd . For that value name your file 1234abcd.0 . On Unix you normally use cp or mv or ln -s .

[snip]
Re: Is my process correct.
openssl verify does the trick. http://www.openssl.org/docs/apps/verify.html#

And to test if the key and the cert belong together:

    openssl x509 -in $cert -noout -modulus | openssl md5
    openssl rsa -in $key -noout -modulus | openssl md5

If the md5 sums don't match, the key or the cert is invalid.

Cu

On 20.06.2013 at 18:04, Rodney Simioni rodney.simi...@verio.net wrote:

> Hi,
>
> A key/pair was sent to me from my admin and it looked like it came from GeoTrust. It's a wildcard cert. I downloaded the Root CA from GeoTrust's web site because LDAP requires the CA file.
>
> What command do I use to make sure the key/pair that was sent to me is compatible with GeoTrust's CA?
>
> Rod
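The checks discussed in this reply and in the two preceding ones (Dave's -CAfile and -CApath approaches, the subject-hash file naming in a CApath, and the modulus comparison above) are pulled together in the following shell script. It is an added example, not code from any of the posts: it builds its own throwaway root -> intermediate -> leaf chain (the names Example Root, Example Intermediate and *.example.test, the file names and the directory mycadir are all constructed for the demo) and assumes a reasonably current openssl binary on the PATH.

```shell
#!/bin/sh
# Added example, not code from the mailing-list posts. Builds a throwaway
# root -> intermediate -> leaf chain (names constructed), then runs the
# checks the threads describe: openssl verify with a concatenated -CAfile,
# openssl verify with a hash-named -CApath, and the modulus comparison that
# tells whether a private key and a certificate belong together.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
CFG="$WORK/openssl.cnf"

# Self-contained config so nothing depends on the system openssl.cnf.
cat > "$CFG" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[leaf_ext]
basicConstraints = critical,CA:FALSE
keyUsage = digitalSignature,keyEncipherment
EOF

# Create root.pem, int.pem (signed by root) and leaf.pem (signed by int),
# plus other.key, an unrelated key used to show a mismatch.
make_chain() {
    openssl req -x509 -config "$CFG" -extensions ca_ext -newkey rsa:2048 -nodes \
        -subj "/O=Example/CN=Example Root" -days 2 \
        -keyout "$WORK/root.key" -out "$WORK/root.pem" 2>/dev/null
    openssl req -new -config "$CFG" -newkey rsa:2048 -nodes \
        -subj "/O=Example/CN=Example Intermediate" \
        -keyout "$WORK/int.key" -out "$WORK/int.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/int.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
        -CAcreateserial -days 2 -extfile "$CFG" -extensions ca_ext \
        -out "$WORK/int.pem" 2>/dev/null
    openssl req -new -config "$CFG" -newkey rsa:2048 -nodes \
        -subj "/O=Example/CN=*.example.test" \
        -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/int.pem" -CAkey "$WORK/int.key" \
        -CAcreateserial -days 2 -extfile "$CFG" -extensions leaf_ext \
        -out "$WORK/leaf.pem" 2>/dev/null
    openssl genrsa -out "$WORK/other.key" 2048 2>/dev/null
}

# Run openssl verify on the leaf with the given trust options and report
# whether it chained to a trusted root. The output is checked for ": OK"
# rather than the exit status, which older releases did not reliably set.
verify_leaf() {
    out=$(openssl verify "$@" "$WORK/leaf.pem" 2>&1) || true
    printf '%s\n' "$out"
    case "$out" in *": OK"*) return 0 ;; *) return 1 ;; esac
}

# Approach 1: intermediate and root concatenated into one CAfile.
verify_cafile() {
    cat "$WORK/int.pem" "$WORK/root.pem" > "$WORK/geotrustCAs.pem"
    verify_leaf -CAfile "$WORK/geotrustCAs.pem"
}

# Approach 2: one cert per file in a directory, each named
# <subject_hash>.<n>. This is what c_rehash does; doing it by hand shows
# the naming rule (x509 -hash prints the same value as -subject_hash).
build_capath() {
    mkdir -p "$WORK/mycadir"
    for c in root int; do
        h=$(openssl x509 -in "$WORK/$c.pem" -noout -subject_hash)
        n=0
        while [ -e "$WORK/mycadir/$h.$n" ]; do n=$((n + 1)); done
        cp "$WORK/$c.pem" "$WORK/mycadir/$h.$n"
    done
}

verify_capath() {
    verify_leaf -CApath "$WORK/mycadir"
}

# Key/cert pairing check from the thread: hash the modulus of each side and
# compare. Returns 0 when key $2 matches cert $1, 1 otherwise.
key_matches_cert() {
    cert_mod=$(openssl x509 -in "$1" -noout -modulus | openssl md5)
    key_mod=$(openssl rsa -in "$2" -noout -modulus 2>/dev/null | openssl md5)
    [ "$cert_mod" = "$key_mod" ]
}

make_chain
verify_cafile
build_capath
verify_capath
verify_leaf || echo "with no trust store given, the leaf is rejected"
if key_matches_cert "$WORK/leaf.pem" "$WORK/leaf.key"; then echo "leaf.key matches leaf.pem"; fi
if ! key_matches_cert "$WORK/leaf.pem" "$WORK/other.key"; then echo "other.key does not match leaf.pem"; fi
```

The CApath lookup only ever reads files named hash.0, hash.1, ... for the subject it is looking for, which is why a file dropped into the directory under any other name is silently ignored by openssl, as Dave notes in the certdb thread.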
Country Name field in CA generated by openssl is encoded as PRINTABLESTRING
Country Name field in CA generated by openssl is encoded as PRINTABLESTRING while other fields are UTF8STRING.

I am generating a CA certificate with openssl version 1.0.1e with the following commands:

    openssl ecparam -out ec_key.pem -name secp384r1 -genkey
    openssl req -new -key ec_key.pem -x509 -nodes -days 1460 -out ec_ca_cert.pem

At the end of this process I enter DN fields as follows:

    Country Name (2 letter code) [AU]:US
    State or Province Name (Full Name) [Some-State]:Florida
    Locality Name (eg, city) []:Miami
    Organization Name (eg, company) [Internet Widgits Pty Ltd]:Coca Cola
    Organization Unit Name (eg, section) []:Drinks
    Common Name (e.g. server FQDN or YOUR name) []:Miki
    Email Address []:

I convert the ec_ca_cert.pem certificate to DER format:

    openssl x509 -in ec_ca_cert.pem -inform PEM -out ec_ca_cert.der -outform DER

When I edit the ec_ca_cert.der file with a HEX editor, I can clearly see that the Country field is encoded as PRINTABLESTRING (Type=0x13) while all the other fields (Locality Name, Organization Name, Organization Unit Name, Common Name) are encoded as UTF8STRING (Type=0x0c).

Is there a reason for this, or is there something wrong with my process, or an openssl issue?
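The following script is an added example, not code from this post or from Steve's reply in the signature-verification thread above; it uses openssl asn1parse to look at the DER bytes directly for both questions. It runs the -genstr sanity check Steve suggests for the signature algorithm OID, shows the tag byte behind PRINTABLESTRING and UTF8STRING, and then generates a self-signed certificate with the DN values from this post (the subject values and file names are constructed for the demo) and reads back which string type each attribute was encoded with. It assumes a reasonably current openssl binary on the PATH; the explanation of why countryName differs, that openssl's default string_mask is utf8only while countryName is fixed to PrintableString because X.520 defines it as PrintableString SIZE (2), is the editor's and is not stated in the post.

```shell
#!/bin/sh
# Added example, not code from the posts. Inspect DER encodings with
# openssl asn1parse: the -genstr OID check and the string tag bytes behind
# the PRINTABLESTRING / UTF8STRING question for subject name attributes.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# DER bytes (lowercase hex) of one value produced by asn1parse -genstr,
# e.g. "OID:sha1WithRSAEncryption" or "PRINTABLESTRING:US".
genstr_hex() {
    openssl asn1parse -genstr "$1" -noout -out "$WORK/genstr.der"
    od -An -tx1 "$WORK/genstr.der" | tr -d ' \n'
}

# The first DER byte is the ASN.1 tag: 06 OBJECT, 13 PrintableString,
# 0c UTF8String.
tag_of() {
    genstr_hex "$1" | cut -c1-2
}

# Minimal req config (constructed). string_mask = utf8only is the value the
# stock openssl.cnf ships with; countryName is exempt from the mask because
# X.520 defines it as PrintableString SIZE (2) and openssl enforces that.
printf '%s\n' '[req]' 'distinguished_name = dn' 'prompt = no' \
    'string_mask = utf8only' '[dn]' 'CN = placeholder' > "$WORK/req.cnf"

# Self-signed cert with the DN values from the question.
make_cert() {
    openssl req -x509 -config "$WORK/req.cnf" -newkey rsa:2048 -nodes -days 1 \
        -subj "/C=US/ST=Florida/L=Miami/O=Coca Cola/OU=Drinks/CN=Miki" \
        -keyout "$WORK/key.pem" -out "$WORK/cert.pem" 2>/dev/null
}

# String type asn1parse reports for a name attribute (e.g. countryName) in
# cert.pem: the OBJECT line is followed by the value line, whose "prim:"
# field names the string type. A self-signed cert carries the name twice
# (issuer and subject); the first hit is enough.
attr_type() {
    openssl asn1parse -in "$WORK/cert.pem" -i \
        | grep -A1 "OBJECT *:$1\$" \
        | sed -n '2p' \
        | sed 's/.*prim: *\([A-Z0-9]*STRING\).*/\1/'
}

echo "OID:sha1WithRSAEncryption -> $(genstr_hex OID:sha1WithRSAEncryption)"
echo "PRINTABLESTRING:US tag    -> $(tag_of PRINTABLESTRING:US)"
echo "UTF8:Miami tag            -> $(tag_of UTF8:Miami)"
make_cert
for a in countryName stateOrProvinceName localityName organizationName commonName; do
    echo "$a: $(attr_type "$a")"
done
```

A healthy build prints 06092a864886f70d010105 for the OID (the 1.2.840.113549.1.1.5 encoding), whereas the broken parse in the signature-verification thread showed a one-byte OBJECT decoded as itu-t; and countryName comes back as PRINTABLESTRING while the other attributes come back as UTF8STRING, which is the behaviour this post observed.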