RE: How to include intermediate in pkcs12?

2014-04-24 Thread Dave Thompson
A lot of things on the Internet are wrong. The OpenSSL man page does not say multiple occurrences work and I'm pretty sure it never did, nor did the code. In general OpenSSL commandlines don't handle repeated options; the few exceptions are noted. pkcs12 -caname (NOT -cafile) IS one of the

RE: How to include intermediate in pkcs12?

2014-04-24 Thread Edward Ned Harvey (openssl)
From: owner-openssl-us...@openssl.org [mailto:owner-openssl- us...@openssl.org] On Behalf Of Dave Thompson - the truststore if -CAfile and/or -CApath specified IF NEEDED Thank you very much for your awesome detailed answer. This answers a lot of questions, but I am left with a new one: I

RE: SSL Root CA and Intermediate CA Certs.

2014-04-24 Thread Michael Wojcik
From: owner-openssl-us...@openssl.org [mailto:owner-openssl- us...@openssl.org] On Behalf Of Edward Ned Harvey (openssl) Sent: Wednesday, 23 April, 2014 21:05 Subject: RE: SSL Root CA and Intermediate CA Certs. I don't know how you learn about SSL/TLS, other than (a) reading the internet,

RE: SSL Root CA and Intermediate CA Certs.

2014-04-24 Thread Edward Ned Harvey (openssl)
From: owner-openssl-us...@openssl.org [mailto:owner-openssl- us...@openssl.org] On Behalf Of Michael Wojcik For someone who does want more background in cryptography, I'd recommend Schneier's /Applied Cryptography/ over /Cryptography Engineering/. The latter is for people implementing

Re: SSL Root CA and Intermediate CA Certs.

2014-04-24 Thread Mark H. Wood
On Thu, Apr 24, 2014 at 12:57:36PM +, Michael Wojcik wrote: [snip] How and why do you trust any root certs? Generally they're built-in to your OS or your browser, so you're just blindly trusting that those guys know what they're doing. And they don't, and they don't care that they

patch available for CVE-2010-5298?

2014-04-24 Thread Bin Lu
Thanks!

Re: How to include intermediate in pkcs12?

2014-04-24 Thread Tom Francis
On Apr 24, 2014, at 8:21 AM, Edward Ned Harvey (openssl) open...@nedharvey.com wrote: From: owner-openssl-us...@openssl.org [mailto:owner-openssl- us...@openssl.org] On Behalf Of Dave Thompson - the truststore if -CAfile and/or -CApath specified IF NEEDED Thank you very much for your

RE: How to include intermediate in pkcs12?

2014-04-24 Thread Edward Ned Harvey (openssl)
From: owner-openssl-us...@openssl.org [mailto:owner-openssl- us...@openssl.org] On Behalf Of Tom Francis openssl pkcs12 -export -out mypkcs12.pfx -inkey my.private.key -in mycert.crt -certfile intermediate.crt -CAfile ca.crt (Correct?) So ... I just tried this, and confirmed,

Re: patch available for CVE-2010-5298?

2014-04-24 Thread Jeffrey Walton
On Thu, Apr 24, 2014 at 1:49 PM, Bin Lu b...@juniper.net wrote: Thanks! Ben Laurie checked it in recently (within the last week or so). Until it makes its way into the tar balls, I believe you should try: https://rt.openssl.org/Ticket/Display.html?id=2167&user=guest&pass=guest. Jeff