Tried to contact Jim Ramsay offline but ran into a very vicious spam
killer which seemed to be broken when I followed his directions for
bypassing it.
I am interested in hearing from people doing peer to peer communications
(like email) using certificates from a non-trivial certificate
heirarchy
[EMAIL PROTECTED] wrote:
Anyway, the proof of the pudding is in the eating. Can you point me to a
secure site that uses a key size 1024 bits? I can't find one for love nor
money.
This root certificate was found in the binary code for Netscape 7
Data:
Version: 3 (0x2)
Serial
Steve, the other reason I've been forced to move from x509 to ca
is that ca appears to be the ONLY binary program that can sign
SPKAC files. Is there another way to do this that I have missed?
Dr. Stephen Henson wrote:
On Fri, Jun 06, 2003, pablo neira wrote:
Dr. Stephen Henson wrote:
On Fri,
More on php/curl
That php curl man page points to a curl page, which says the ssl
document is online. When I go there it says:
=
http://curl.haxx.se/docs/sslcerts.html
...
If the remote server uses a self-signed certificate, or if you don't
install curl's CA cert bundle or if it uses a
Given the information in
http://us4.php.net/manual/en/function.curl-setopt.php
My best guess is:
CURLOPT_CAPATH for the root certificate
CURLOPT_SSLCERTfor the client certificate
CURLOPT_SSLCERTPASSWD for what? the private key?
Are both the certificate and private key
I don't know if this is directly relevant, but the ONLY way I could
make the Apache SSLCertificateChainFile capability work was to put
..^
the server certificate and both the intermediate certificates into
the file in this specific order:
Server Certificate
First
On Fri, May 30, 2003, I (Charles B Cranston) wrote:
I'm using 2048 bit certs with IE 5 and 6 and NS 4.72, 6.0,
and 7.2 -- there is a sort of compatability problem with
export-quality browsers, which can sometimes be addressed
at the SERVER (apache, give it more randomness). This
confused me also
Robinson, Richard L (Rick) wrote:
I checked the RSA web site and could not find the paper you
are referencing. Could you please forward me a link?
I really don't see how you could have missed it. It is only the
10th listing on their Technical Notes page:
It cannot be emphasized more clearly: TCP is a byte stream protocol.
It sends a stream of bytes. There is NO WAY in TCP to indicate in
an out-of-band way that there is a 'record break'. You MUST either
dedicate a byte value to end of record or have a more complicated
scheme of delimiting your
I (Charles B Cranston) wrote:
Michael Sierchio wrote:
It cannot be emphasized more clearly: TCP is a byte stream protocol.
This is quite true.
... There is NO WAY in TCP to indicate in
an out-of-band way that there is a 'record break'.
This is not quite true. You can certainly send OOB data
Sébastien Hernoux wrote:
I'm currently trying to have IBM 4758 cryptocard to work with openssl 0.9.7b.
I have the following error message :
/distrib/openssl/bin# openssl engine - -t -pre
SO_PATH:/usr/lib/libcsufsapi.a 4758cca
(4758cca) IBM 4758 CCA hardware engine support
[Success]:
There are several people already doing this, including myself
and the Papyrus people at Georgia Tech. What I do is just to
supply the non-secret information in a configuration file,
and add the secret information via Unix pipes.
There is some variance depending on if you're using the
openssl ca
I'm not sure that this is AT ALL relevant but I noticed that the
issuer CN has a wildcard and I wonder 1) what this means, and
2) if this could be confusing something?
Dean Gibson (System Administrator) wrote:
openssl x509 -req -in hplj4600dn1.csr -CA ultimeth.pem -days 3650 -set_serial 01 -out
What does certreq.9484 look like? Especially when decoded with
the openssl spkac tool?
David García Aristegui wrote:
I'm following the CA recipe examples to do a CA setup under an AIX 5
environment.
http://home.himolde.no/~kd/prosjekt/ca/ca.html
openssl version 0.9.7
Browsers to test the
Richard Levitte - VMS Whacker wrote:
I see a number of embedded charriage returns (^M). hos need to be
removed.
Yes. My current experimental code does this, I don't believe I
would have put it in if it were not necessary:
} elsif ( $req=$data-{'spkac'} ) {# Netscape SPKAC
# $$
David Mattes wrote:
actually, i want to have a program running on the client that generates
the CSR and signs the request with a smartcard. i don't want the
certificate tied to the private key on the smartcard, but the holder of
the smartcard is authorized to request certificates, and no one
Gee, I was typing in the exact same solution!
NOTE THERE SHOULD NOT BE A DOLLAR SIGN ON THE SHELL READ STATEMENT!
(this had me going for awhile!)
Christian Hohnstaedt wrote:
if openssl rsa -passin pass:$passwd oem2.pem /dev/null 21; then
echo Password OK
else
echo wrong password
exit
fi
Rohan Pinto wrote:
I wrote
What you need to do is:
1. create a root certificate
2. install that root certificate into all your web browsers
3. create a CSR on the server
4. use the root to sign that CSR into a server certificate
This is the part that i would need help on. I have created a root
Sometimes a picture is worth a thousand words:
The Standard Model of Certificate generation:
On the server machine: Generate CSR operation
+-+ +-+
| Private Key | | Certificate Signing Request |
+--+--+ |
I have a few prototypes that were back burnered during our current
crisis (expiration of our old root on Aug 23). Do you want me to
post them? Mail them to you privately?
David García Aristegui wrote:
I'm triying to do a CGI script to deal with the Microsoft Explorer
browser. In old
David García Aristegui wrote:
By the way, to distribute my certificate to a MSIE browser must be in
DER format, right?
After VERY much experimentation the only hypothesis that we
could substantiate is that MSIE completely ignores the mime
type under which the file is downloaded, and looks only
Message -
From: Charles B Cranston [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, August 19, 2003 12:21 PM
Subject: Re: Newbie question - Signing CSR's
Rohan Pinto wrote:
I wrote
What you need to do is:
1. create a root certificate
2. install that root certificate into all your web browsers
Dr. Stephen Henson wrote:
On Fri, Aug 22, 2003, Charles B Cranston wrote:
Well, the sad answer to this question is yes. It turns out that
in the design of SSL the client does the verification, so each
client has its own little set of peccadillos.
Indeed but if the OP means that you need
Continuation of a dialog between Dr. Stephen Henson
and Charles B Cranston:
B: These are some of the ones we found:
B: Netscape 4 will not tolerate an ExtendedKeyUsage extension.
S: Hmmm. What makes you think that? EKU is *required* to handle step up
S: (aka SGC, magic, 128 bit [yuck
Well, I took dumps of the two certificates (and CSR) that Rohan
provided, and the dates overlap, which might be the IE specific
problem.
At first it looked like the subject DNs were exactly the same
between the two certificates, but upon closer examination the
subject DN for the server certificate
I've seen several of these help me I need to construct a security
architecture and I don't understand the manuals and I'm too busy/
uneducated/blonde/whatever (:-) to take the time to LEARN enough
to understand the manuals, so please just give me the commands
that I can type in and satisfy my boss
Based on a dialog that said unknown critical extension
I've never seen that dialog on Netscape, though I've seen IE produce it.
What I'm saying is that stepup uses EKU (among other things) to identify its
certificates Netscape 4.[something] did support stepup so presumably it at
least partially
certificate verify failed that
would not tell us much. I would still use the s_client thing to
peek at the lower level, just to rule out non LDAP possibilities.
Charles B Cranston wrote:
My best guess, at maybe the 40% confidence level, is that you do
not have the root certificate that signed
But 443 is the HTTPS port -- are you telling me that you are
running the same certificate on your secure HTTP server?
If not, what is the relevance to LDAPS on port 636?
Sean McKay wrote:
I tried the following command:
openssl s_client -connect servername.domain.edu:443 -showcerts
And received
Sean McKay wrote:
I was not able to get the LDAPS server to respond to the query so out of
despiration, I thought I'd try HTTPS -- if I remember right, I think
Microsoft uses a non-standard for LDAPS that I can't remember right now.
I am aware of one incompatability in the LDAP world. This
, Charles B Cranston wrote:
Sean McKay wrote:
I was not able to get the LDAPS server to respond to the query so out of
despiration, I thought I'd try HTTPS -- if I remember right, I think
Microsoft uses a non-standard for LDAPS that I can't remember right now.
I am aware of one incompatability
For RSA the public key is a subset of the private key.
So any program that needs a public key can also take
just the fields it needs from a private key given to it.
The fields in a private key are:
modulus
private exponent
all the rest are precomputed intermediate results for
the Chiness
In my setup, I installed openssl to /usr/local/ssl. In that dir there is a
/certs directory which is empty. However, in my source dir
/usr/local/src/openssl-0.9.7b/certs/ there over 20 .pem files (and their
associated hashes) which look to be the trusted root certificates. Should
those be copied
Dann Daggett wrote:
However, I still don't know about the empty /certs directory. Am I supposed
to copy /usr/local/src/openssl-0.9.7b/certs/ to /usr/local/ssl/certs? It
seems strange that the install script wouldn't have done that as well if it
were needed.
Well, it depends on what you want to
Here are some diagrams in a document I wrote what seems like
a century ago (before I started actually writing PKI code):
http://www.oit.umd.edu/middleware/pki.html
Have been somewhat distracted the last few days by a hurricane.
Refugee house guests from the unempowered areas etc.
--
Charles B
R Ayres wrote:
I have 2 certificates: a self signed server certificate and
a purchased domain specific certificate. When I connect to the
domain with https://mydomain.com it works fine, but if I try to
connect to another port (https://mydomain.com:2020),
the self signed certificate is the one
Dr. Stephen Henson wrote:
These things are called multi-valued RDSs of AVAs and several less polite
names. Its been reported that some software doesn't handle them properly.
Think AVAs might be Attribute Value Assertions but am not finding RDSs
in much googleing -- is this X.509 stuff that
Sorry if I am way off base, haven't looked at the thread carefully,
but if you can get a self-signed certificate you might be able to
pass it into openssl req and convert it to a CSR, then sign that with
the higher level cert.
The idea is that all you really need is the public key, and that is
in
Best guess is that you are confusing a client cert, which is used
(optionally) to identify yourself to the server, and a root cert,
which you use to validate the cert that the server returns to you.
Your group may be telling you that you don't need a client cert
for them to accept a connection
Sreedhara M. Reddy wrote:
Hi,
Can someone guide me how to generate certificate and key
pairs for client authentification in SSL applications.
First, are you really sure that this is what you want to do?
The problem with client certificates is that they tie the
client down to a specific
Well, it might be easier to answer this question if we knew what
you were trying to install the certificate into. For the Apache
server the certificate and private key are placed into filesystem
files which are then named in the configuration files. The
installation instructions vary for other
Best I can tell from looking at the code, the failure is somewhere
in this block (which I have edited a bit for readability):
# Convert the signed cert to a pkcs12 certificate
# so Netscape and IE can import. (and clean up some files)
`rm -f ./temp/$input{'email'}.pem`;
`cat
Dr. Stephen Henson wrote:
You should where possible use the command line switches
rather than expect because the prompts of the various
commands may change.
You can generate requests via template configuration
files and there are various ways to supply passphrases.
While I agree 100% with
copious free time...
Charles B Cranston wrote:
I don't recall why this code uses a temp file for the serial
number instead of using another pipe.
# Make serial number as even-number-of-digits hex string and write file
my $hex = sprintf(%lX,$serial);# Convert serial to hex
if ( length
Sorry for my ignorance, could you post a reference to SCEP? What would
it take to manhandle a standard certificate into this format? Or is it
a lot more difficult than that?
Jon Barber wrote:
[EMAIL PROTECTED] wrote:
I'm assuming you mean a Pix Firewall version 6.3.x. I don't think
there is a
:-)
If somebody else is actively working on this, please warn me off...
Jon Barber wrote:
Charles B Cranston wrote:
Sorry for my ignorance, could you post a reference to SCEP? What would
it take to manhandle a standard certificate into this format? Or is it
a lot more difficult than that?
SCEP
I dunno, I'm only about halfway through the Vesperman CVS book,
but when I used google to find openca and tried to find the
openca/openscep stuff I found that the HEAD version had been
removed from the archive, and that the versions in .attic
(:-) were merely half-page stubs.
Maybe I was at the
prefab wrote:
I had the same question for
subjectAltName=otherName:1.3.6.1.4.1.311.20.2.3;UTF8:(copy emailAddress)
In Windows the environment variable replacement only works if you set the
variable before calling openssl for signing the request:
set [EMAIL PROTECTED]
openssl x509 -req ...
Does
Dr. Stephen Henson wrote:
The [sic] look like the standard CRT components.
So:
a = iqmp
c = dmp1
f = dmq1
And, in fact, if you look at the PNG's in the posting,
iqmpInverse of Q mod P a = Q^-1 mod P
dmp1D mod prime 1 c = Ks mod (P-1)
dmp2D mod prime 2 f
I hadn't come across a hashed directory before and, having read the relevant
sections in the OpenSSL documentation (openssl -verify and x509 -hash), I
must admit it still doesn't make an awful lot of sense to me. I am working
on Windows so perhaps that is the cause of the problem (amongst many
With reference to Charles' comments, I still have the
luxury of time before having to issue certs in anger.
With us it was not time, per se, if you notice the postings
for our CA we had our first signing party in February of
the year that our 5-year 1998 previous root expired in August.
So
We cannot find explicit as a reserved word in a (fairly old)
ANSI C book. Is this the GNU compiler or a vendor compiler?
Could this be a vendor-specific extension? Is there a compiler
command line switch to remove vendor-specific extensions?
Would the GNU compiler work better anyway?
Just
OOPS, sorry, it is a C++ reserved word even though it is
not a C reserved word, and I guess it would be a Good Idea
for OpenSSL to be callable from C++ as it used to be...
Charles B Cranston wrote:
We cannot find explicit as a reserved word in a (fairly old)
ANSI C book. Is this the GNU compiler
What is the default encryption exponent used in RSA encryption by OpenSSL?
Is it e = 2^16 + 1 = 65537?
Anybody knows where can I find this default value in the source files?
It's actually the Public Exponent field in the certificate, so you would
find it in the code that makes new certificates.
Doing it via:
openssl rsa -in inca.key.pem -des3 -out outca.key.pem
would be preferable since the -des3 would trigger output
encryption, and you would be ASKED for the new pass phrase,
while using stdin it just gapes at you with no prompt.
I was (unsuccessfully) trying to remember the trigger
Ron Croonenberg wrote:
I tried to get a certificate to work on Windows200 with IIS too.
I don't know if this is off topic, but how can I sign a certificate request,
created on a windows2000 server. I want to sign the request and create a
certificate on a linux machine running openssl then take
Rich Salz wrote:
At the risk of being immodest, you might find this column useful:
http://webservices.xml.com/pub/a/ws/2003/12/09/salz.html
This is a verbatim quote from the text at that URL:
The root will sign the Level 1 CA and then be taken offline.
Anyone who wants to validate any
Follow up to previous posting: I did try to do some experimentation
in the context of trying to design a clean transition from the root
we made in 1998 to the root I made in 2003. I did not have a great
deal of success because the browsers I was working with at the time
(Netscape 4.7x and IE 4
Actually, it might be as easy as changing the name of the root
and issuing a new L1 certificate. The branch happens when an
unmodified client (which still has the local root installed)
needs to decide who has signed the L1 certificate. Its two
choices are
1. the local root
2. the missing link
Rich Salz wrote:
I was envisioning something much simpler.
Existing applications that know about the root CA work without
configuration changes. New applications that need to know about the new
larger PKI just add the new root to their list of trust anchors. I
suppose that's really a
Mark H. Wood wrote:
Um, feel free to point me elsewhere, but I'm having trouble visualizing
what's being discussed. I keep reading branched certificate chain, but
what I understood from the description is like this:
Before:OurRoot --- Level1 --- EndUsers
After:
The web does not use continuous connections. Typically for a
web app you do a POST request, passing in data items and getting
back the next form in the process, but the SSL connection is
closed at that point, and another, different, connection is
opened the next time you push a button or
You can generate your own certificates with OpenSSL, but you
need to either get your root certificate into every piece of
verifying software (browser), or else get all your users to
manually accept each certificate, which greatly reduces
security (because, with no way to know any better, they will
I think I understand how I was wrong, most of the stuff I
work with negotiates the secure connection immediately,
such as web on 443 (https) and ldaps (667?). I see that
if there was a reqired interaction before switching over
into secure mode (which is TLS rather than SSL?) that it
might not be
to base
its security on...
Michal Hlavac wrote:
Charles B Cranston wrote:
You could split into two 16-character pieces and then
XOR the two pieces against each other.
hmmm... but result of substr(hmac, 0, 16) ^ substr(hmac, 16, 16) is not
human readable code... Do you think, that xor is right way
Technically this is true, as DER requires the determinate length
encoding options and disallows the indeterminate length ones...
Alicia da Conceicao wrote:
Hi Steve:
Its not ASN1 because the OpenSSL ASN1 code isn't fully streaming and to do so
would be a massive undertaking which has so far not
One danger with casting a structure as a string is that zero bytes
(which can happen due to slack bits in the structure) might be
interpreted as an end-of-string that would prematurely terminate
the data.
If you're going to process binary data, look for an API where you
specify both a pointer and
The code to understand the notAfter output is fairly
simple. You can use either Date::Parse or a kluge using
Date::Calc like this:
use Date::Calc(
qwDecode_Month Add_Delta_YMDHMS Date_to_Time Date_to_Text Timezone
);
print ($ed=STDIN),\n; # This is the output from -enddate:
if (
Ralph wrote:
Hello list members,
I'm trying to set up an Apache 2 based web server for multiple name
based virtual hosts. As it is not possible with mod_ssl to have a
seperate SSL certificate file for each virtual host...
Actually, you can, but they have to have separate IP addresses.
(Requiring
If you're using Unix or another system that supports the
Environment variables, you can write a fixed openssl conf
file that references appropriate variables in appropriate
places. If you don't have Environment you can still write
a custom openssl conf file for each instance of signing.
Lule Chen
also send the passphase of the seckey of the CA??
The basic idea is great! Simply great and very useful.
But how to make and secure the passphrase?
thanks
Stephan
-Ursprungliche Nachricht-
Von: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Auftrag von Charles B
Cranston
Gesendet: Freitag, 3
Perhaps one way to think of the IV is that it is part of the key.
That is, the IV and key are used to encrypt, and then the (same) IV
and the (same) key can decrypt. It's just that if the IV is sent
in clear text (included in the structure...) then it is not secret.
One popular algorithm is to
Why questions are particularly difficult to answer.
I guess the real answer is: because the programmer who wrote the
software in question decided to program it that way.
The critical bit was intended to be an aid to software upgrade:
Suppose you are trying to support a mix of old and new software,
Jon Bendtsen wrote:
i can verify a certificate against a root certificate, with
openssl verify -CAfile root.ca rsacert.pem
but how do i know that the certificate i try to verify has not been
revoked?
At the risk of seeming to oversimply a VERY complicated issue:
1. You have been downloading
Alok wrote:
David C. Partridge wrote:
Once generated, it is encrypted using the public key of the recipient and
included with the message.
but then if i do something like
DES(key=hispubkey(data=somerandom))
i can always decrypt if i know hispubkey.
NO! Look, Alok, it's painfully obvious that
At the risk of seeming even more confused than usual...
There's a lot of theory out there about cross certification and
bridges etc, but as far as I can tell it is really all theory, and
will REMAIN theory until the various relying parties, that is,
the standard web browsers, can properly process
Joppe Bos wrote:
Hello everyone,
I am fairly new with openssl and am trying to write a function which can
make a public / private key pair with GMP (an open source big number
library). I am doing this to compare the running time with openssl. I have
a few questions regarding the openssl genrsa
Gerd Schering wrote:
Richard Levitte - VMS Whacker wrote:
In message [EMAIL PROTECTED] on Fri, 24 Sep 2004
11:29:23 +0200, Gerd Schering [EMAIL PROTECTED] said:
Schering is it possible to use domain name components - as in ldap -
Schering for the certificate dn, i.e. something like
Schering
Well, since you didn't like my earlier bridge drawing,
there's a more orthodox one below. As for notation:
I tend to do a lot of diagrammatic reasoning myself,
so I tend to invent notation as I go along. If there
is a preferred notation [1] I'd be glad to redo these
diagrams in that form.
Since
Can people provide recomendations and other comments on
which books to buy on PKI and IPsec
Some books I thought cost-effective, from easiest to hardest:
Applied Cryptography: Protocols, Algorithms, and Souce Code
in C by Bruce Schneier 2nd ed (Wiley 1996)
758 pages of extremely readable
NO! They are NOT the same. Look at the first few bytes:
From the public key:
Modulus (1024 bit):
00:cb:aa:35:d5:df:19:39:84:81:36:10:02:84:c3:
^^ ^^ ^^
From the private key:
modulus:
00:a6:16:30:78:ca:2e:39:27:32:c9:36:c0:16:55:
^^ ^^ ^^
Nope, this key and cert do not match. Good
Just finished a cover-to-cover reading of Planning for PKI [1] and it
sure cleared up some things for me. Thanks to Richard Levitte for
recommending it.
It seems most of the cognitive dissonance I've been having with this
PKI stuff is due to the PKI theoretics being based upon a pair of
So, this is perhaps the most simple bridge PKI arrangement:
+-+---++-+---+
|T| ||T| |
+-+---++-+---+
| P Root++
The .0, .1 etc suffix is from the way the Apache web server
(I guess its SSL module) tries to find certificates in a
directory. It hashes the subject name then looks for the
certificate under hash.0 then hash.1 etc so the digit
is used for collisions. I've never seen a .1 and we have
a BIG
I don't think this is correct at all. I use OpenSSL to
generate certificates that are used on Microsoft IIS
servers and IBM HTTP servers and Novell eDirectory LDAP
servers and IBM Directory Server LDAP servers and all
sorts of servers. Now, the vendors may not make it EASY
to use non-proprietary
Peter O Sigurdson wrote:
This is great information,
Can you point me to a HOWTO or other resource
regarding importing SSL certs into IIS?
For the standard model, where you generate the CSR on
the server (so the private key stays in the server
the whole time) my standard reference is IIS Security
connection with OpenSSL or point me in the direction of some example code.
Thanks,
David
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Charles B Cranston
Sent: Thursday, October 21, 2004 10:04 PM
To: [EMAIL PROTECTED]
Subject: Re: SSL without Key?
I don't
The Doctor wrote:
Does anyone here know of such package that uses open source?
- Forwarded message from Customer ---
1. Form Content Security. (FormmailEncoder/Decoder)
As I understand it, on a secure website the content of a submitted form is
protected by SSL from the submitter to the
The more randomness you put into the random number generator,
the better keys you will get. I've been know to use something
as simple as
(df; date) RANDFILE
the theory being that it is hard to predict the exact amount
of free file space on (random date in the past) and that the
output of date is
Actually you might be confused a little. A CSR is nothing more than
a public key bundled with an identity (name). If you already have
a CSR you should not also need a public key.
If you mean the key to be the private key to a signing CA and the
CSR to be for an end-user certificate to be SIGNED
Richard Levitte - VMS Whacker wrote:
In message [EMAIL PROTECTED] on Thu, 28 Oct 2004 18:10:35 +0800,
[EMAIL PROTECTED] said:
hzhijun i execute the test.html in internet explorer and it return a
hzhijun correct index1.html page. But if i change the method from
hzhijun 'get' to 'post', it
You should probably read chapter 4 of RFC 3280
http://www.ietf.org/rfc/rfc3280
particularly 4.2.1.3 Key Usage and 4.2.1.13 Extended Key Usage
Also the text file openssl.txt in the doc directory of the
openssl distribution.
I don't use CA (I use x509 instead) so maybe that has something
to do with
is more
appropriate for my task or case 2.
Please, do let me know of your comments and any way out of this situation.
Thanks,
Bilal
From: Charles B Cranston [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: Re: Some OpenSSL certificate and key questions
Date: Tue, 02 Nov
Ronan wrote:
is this list just not that active or do the people on it honestly not
know the answers??
Well, let's consider some OTHER hypotheses:
1. The question is so easy that everybody thinks someone else will
answer it. That is, the old hands say oh, not AGAIN!!! and are
just bone
You are seriously lost. Private keys and public keys (certificates) are
USED in performing RSA encryption, but they are not themselves encoded
and/or transmitted under RSA encryption. Yes, keys for private-key
encryption are sent under public key encryption, but
a key for private key encryption
I think the complication is that he's going to have to use
the virtual hosts stuff so that the correct certificate can
be returned to each connection, and that this means he's
going to have to have two different IP addresses, since there
will be no way to determine WHICH certificate to send.
This
AFTER enough information has been presented by the
initiator for the responder to know which certificate the
initiator is going to expect.
Charles B Cranston wrote:
I think the complication is that he's going to have to use
the virtual hosts stuff so that the correct certificate can
be returned
Could someone be so kind as to post examples of their
extfile or extensions section?
Here's an example of a shell script that generates an entire
PKI: root, two intermediates, and one SSL (server) end user.
This is one of about 35 of these I did trying to figure out
why the IBM HTTP Server and the
I'm afraid that this is just the way it works.
Starting from first principles, there's only a few ways a system
COULD be coded to work:
1. decrypt all messages as they are received, so the encryption
is only for when the message is actually being transmitted
2. decrypt all messages as they are
I agree -- a lot of the advanced architectures I'm studying have
a trust root that is NOT self-signed, instead it is signed by
another certificate somewhere else. In a different verification
paradigm the certificate in question is NOT in fact a trust point
but instead is signed by a chain that
1 - 100 of 142 matches
Mail list logo