PKCS7_TEXT with PKCS7_NOVERIFY | PKCS7_NOSIGS
Hello, I am trying to obtain a MIME version of an S/MIME message... I can sign and verify e-mail messages with the libraries provided. However, when I don't want to verify and I just want to receive the text with MIME headers, it fails. It works fine when there is a valid certificate, but if I don't have a valid certificate or don't use a certificate, it returns 0. I just want to view it in NON-S/MIME; I am not concerned about the signature, because that works...

Here is the function I am trying to use:

    cout << PKCS7_verify(pkcs7, NULL, NULL, pkcs7BIO, outBIO, PKCS7_NOVERIFY|PKCS7_NOSIGS|PKCS7_TEXT) << endl;

I get the following errors from ERR:

    SMIME_text:invalid mime type: pk7_mime.c:348:type: multipart/mixed
    PKCS7_verify:smime text error:pk7_smime.c:250

__
OpenSSL Project                     http://www.openssl.org
User Support Mailing List           openssl-users@openssl.org
Automated List Manager              [EMAIL PROTECTED]
RE: PKCS7_TEXT with PKCS7_NOVERIFY | PKCS7_NOSIGS
The headers are text... and it works when there is a certificate present and I do a normal verify, but when I just want to spit it out, no go... any ideas?

Victor

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Dr. Stephen Henson
Sent: Tuesday, January 31, 2006 2:02 PM
To: openssl-users@openssl.org
Subject: Re: PKCS7_TEXT with PKCS7_NOVERIFY | PKCS7_NOSIGS

> On Tue, Jan 31, 2006, Chevalier, Victor T. wrote:
>
> > Hello, I am trying to obtain a MIME version of an S/MIME message... [snip]
> >
> > I get the following errors from ERR:
> >
> >     SMIME_text:invalid mime type: pk7_mime.c:348:type: multipart/mixed
> >     PKCS7_verify:smime text error:pk7_smime.c:250
>
> As the docs say, PKCS7_TEXT expects text headers. If that isn't true, don't use that flag.
>
> Steve.
> --
> Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
> OpenSSL project core developer and freelance consultant.
> Funding needed! Details on homepage.
> Homepage: http://www.drh-consultancy.demon.co.uk
RE: Specify Public Key Size?
> Game over, the above demonstrates sufficiently deep confusion about RSA, that you must not proceed any further until you see why it is absurd.

I do understand the rules for RSA encryption; I was merely testing a reverse method for educational purposes. I stated I want to decrypt with the public key, because that is something I wanted to do. However, if openssl won't let me specify an appropriate key size for the public key then I can't do that? It complains of size constraints. This was not going to be implemented, merely education and testing. Sorry if I seemed confused. I wasn't. If openssl is incapable of doing this, that is fine by me. Just curious about the error message I am getting on return:

    3500:error:0406506C:rsa routines:RSA_EAY_PRIVATE_DECRYPT:data greater than modlen:rsa_eay.c:308

And if there is a way to make the public key size larger? Or what!

Victor C.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Victor Duchovni
Sent: Friday, December 09, 2005 12:55 AM
To: openssl-users@openssl.org
Subject: Re: Specify Public Key Size?

> On Fri, Dec 09, 2005 at 07:25:12AM +0100, [EMAIL PROTECTED] wrote:
>
> > > RSA public and private keys are not used to encrypt arbitrary data; there are many complex traps to avoid because RSA is a commutative group. You use RSA private keys to sign carefully constructed message digests that avoid the various chosen plain-text attacks on RSA. You use RSA public keys to encrypt randomly generated session keys that in turn encrypt the message contents. All this is specified in carefully designed PKCS#N standards that describe correct standard use-cases of RSA cryptography.
> > >
> > > The public key is not suitable for decryption; it is only suitable for signature verification. Decryption is only possible with the private key and only if chosen-plaintext/chosen-ciphertext attacks are carefully avoided.
> >
> > Hummm Victor ?
> >
> > You can cipher and decipher what you want as well as with a RSA public and private keys ;-) If you cipher with the public key you have to use the private associate key of course and vice versa.
>
> Yes, the bit patterns of the two keys are mathematical inverses, but that is not significant. Decryption (rather than signature verification) with a *public* key makes no sense. Also RSA is never used as a bulk cipher; the chosen-plaintext and chosen-ciphertext attacks are not mere theoretical musings.
>
> Yes, the bignum value of the public key can be recast as a private key whose public key has the bits of the original private key. Mathematically these may be the same, but they are rather different as typed data structures: one is a public key and the other is a private key. You use public keys to encrypt and verify and private keys to decrypt and sign. In all cases appropriate care is required to avoid falling prey to chosen-mumbletext attacks.
>
> --
>     Viktor.
RE: TLSv1 - Certificate Chain
You may have created the certificates improperly. I had the same problem last year. You may want to post this on openldap and not openssl though.

Good Luck,
Victor

From: owner-openssl-users@openssl.org [mailto:owner-openssl-users@openssl.org] On Behalf Of [EMAIL PROTECTED]
Sent: Thursday, December 08, 2005 6:55 PM
To: openssl-users@openssl.org
Subject: TLSv1 - Certificate Chain

> Hi,
>
> I am using OpenSSL as TLS client and server. I am using a certificate chain of size 3 on both sides.
>
> On Server Side:
>     RootCA (root.pem)
>     ServiceProviderCA (spca.pem)
>     ServerCert (server.pem)
>
> On Client Side:
>     RootCA (root.pem)
>     ServiceProviderCA (spca.pem)
>     ClientCert (client.pem)
>
> I have placed the certs and the hash files ($hash.0) of all certs in c:\certs
>
> I am running the server as
>
>     C:\OpenSSL\bin>openssl s_server -Verify yes -cert \certs\server.pem -key \certs\server.key -CApath \certs -CAfile \certs\root.pem -tls1
>
> [also tried without -CAfile option, i.e. just with -CApath]
>
> and the client as
>
>     C:\OpenSSL\bin>openssl s_client -cipher AES128-SHA -cert \certs\client.pem -key \certs\client.key -CApath \certs -CAfile \certs\root.pem -tls1
>
> [also tried without -CAfile option, i.e. just with -CApath]
>
> When the above commands are executed, the TLS connection gets established; however, I get some certificate verification errors (both on server and client sides).
>
> On server side (opensslClient is CN in ClientCert):
>
>     depth=0 /C=US/O=XYZ, Inc./OU=ABCD/CN=opensslClient
>     verify error:num=20:unable to get local issuer certificate
>     verify return:1
>     depth=0 /C=US/O=XYZ, Inc./OU=ABCD/CN=opensslClient
>     verify error:num=27:certificate not trusted
>     verify return:1
>     depth=0 /C=US/O=XYZ, Inc./OU=ABCD/CN=opensslClient
>     verify error:num=21:unable to verify the first certificate
>     verify return:1
>
> On client side (opensslServer is CN in ServerCert):
>
>     depth=0 /C=US/O=XYZ, Inc./OU=ABCD/CN=opensslServer
>     verify error:num=20:unable to get local issuer certificate
>     verify return:1
>     depth=0 /C=US/O=XYZ, Inc./OU=ABCD/CN=opensslServer
>     verify error:num=27:certificate not trusted
>     verify return:1
>     depth=0 /C=US/O=XYZ, Inc./OU=ABCD/CN=opensslServer
>     verify error:num=21:unable to verify the first certificate
>     verify return:1
>
> However, everything works fine if I have my ServerCert and ClientCert signed directly by RootCA, i.e. on server side: RootCA and ServerCert, and on client side: RootCA and ClientCert.
>
> Shouldn't it work with an intermediate certificate (ServiceProviderCA), or am I missing any configuration?
>
> Any input is greatly appreciated -- thanks in advance
>
> chinmaya
RE: TLSv1 - Certificate Chain
[PEM-encoded certificate data snipped]

server.pem

thanks
chinmaya

On 12/9/05, Chevalier, Victor T. [EMAIL PROTECTED] wrote:
> You may have created the certificates improperly. I had the same problem last year. You may want to post this on openldap and not openssl though.
>
> Good Luck,
> Victor
>
> From: owner-openssl-users@openssl.org [mailto:owner-openssl-users@openssl.org] On Behalf Of [EMAIL PROTECTED]
> Sent: Thursday, December 08, 2005 6:55 PM
> To: openssl-users@openssl.org
> Subject: TLSv1 - Certificate Chain
>
> > [original message snipped]
Specify Public Key Size?
I want to create a public key that is the same strength as the private key. These are the openssl commands I am using:

PrivateKey:
    openssl genrsa -out mykey.pem 2048
PublicKey:
    openssl rsa -in mykey.pem -out mycert.pem -outform PEM -pubout

I need the public key to match the size constraints, as I am using them to encrypt and decrypt, and when I try to use the public key the bioerr spits out the following. When I run my code using openssl, trying to decrypt using my public key, I get:

    3500:error:0406506C:rsa routines:RSA_EAY_PRIVATE_DECRYPT:data greater than modlen:rsa_eay.c:308

I want to decrypt with the public key. Any suggestions?

Thank you!
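An added shell example, not code from anyone in this thread, using the openssl command line: it reproduces the "data greater than modlen" size limit with the key pair from the post, then does what Viktor describes, RSA (OAEP padding) wrapping only a random session key while AES encrypts the message; the file names and the 1000-byte sample message are constructed.

```shell
#!/bin/sh
# Added example, not code from the thread: reproduce the "data greater than
# modlen" limit with the key pair from the post, then do what Viktor
# describes: RSA (with OAEP padding) wraps only a random session key, and
# that key encrypts the message with AES. Files and the 1000-byte sample
# message are constructed in a temp dir.
set -eu
WORK=$(mktemp -d)
cd "$WORK"

# The two commands from the post: 2048-bit private key, public key extracted
# from it (a public key has no independent "size"; it shares the modulus).
openssl genrsa -out mykey.pem 2048 >/dev/null 2>&1
openssl rsa -in mykey.pem -out mypub.pem -outform PEM -pubout >/dev/null 2>&1

# Constructed bulk data, deliberately larger than the 256-byte modulus.
openssl rand -out message.bin 1000

# Direct RSA encryption of the whole message is rejected: the input must be
# smaller than the modulus, and with padding smaller still.
rsa_encrypt_bulk() {
    openssl pkeyutl -encrypt -pubin -inkey mypub.pem \
        -pkeyopt rsa_padding_mode:oaep -in message.bin -out bulk.enc 2>/dev/null
}

# Hybrid encryption: random 256-bit AES key and IV, RSA-OAEP wraps the key.
hybrid_encrypt() {
    openssl rand -hex 32 > session.key
    openssl rand -hex 16 > session.iv
    openssl enc -aes-256-cbc -K "$(cat session.key)" -iv "$(cat session.iv)" \
        -in message.bin -out message.enc
    openssl pkeyutl -encrypt -pubin -inkey mypub.pem \
        -pkeyopt rsa_padding_mode:oaep -in session.key -out session.key.enc
}

# Only the private key can unwrap the session key.
hybrid_decrypt() {
    openssl pkeyutl -decrypt -inkey mykey.pem \
        -pkeyopt rsa_padding_mode:oaep -in session.key.enc -out session.key.dec
    openssl enc -d -aes-256-cbc -K "$(cat session.key.dec)" \
        -iv "$(cat session.iv)" -in message.enc -out message.dec
}

# Returns 0 when the decrypted file matches the original byte for byte.
roundtrip_matches() {
    a=$(openssl dgst -sha256 -r message.bin | cut -d' ' -f1)
    b=$(openssl dgst -sha256 -r message.dec | cut -d' ' -f1)
    [ "$a" = "$b" ]
}

# The post's idea, "decrypt with the public key", is refused by pkeyutl:
# a public key can encrypt and verify; only the private key can decrypt.
decrypt_with_public_key() {
    openssl pkeyutl -decrypt -pubin -inkey mypub.pem \
        -pkeyopt rsa_padding_mode:oaep -in session.key.enc \
        -out /dev/null 2>/dev/null
}
```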
RE: openssl on Solaris8 with Openldap
Did you ever find a solution to your question? I know the newer patches to Solaris 8 add SSL capability. If you posted your slapd.conf and ldap.conf files I could probably figure it out, unless it's how you're making your certs?

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of [EMAIL PROTECTED]
Sent: Thursday, October 20, 2005 2:56 AM
To: openssl-users@openssl.org
Subject: openssl on Solaris8 with Openldap

> Hello list,
>
> I'm using Solaris8 with Openldap2.2.26 and Openssl-0.9.8. What I want is an encrypted authentication via ldap. On Solaris you have to use the native ldapclient as client, and I'm using Openldap as the server. The encryption between Apache2.0 and Openldap works fine. But Apache2.0 brings the constraint that I have to use SSL, not TLS. So I created SSL certificates (openssl ... -nodes) and it works fine with Apache. So I want to use these SSL certificates. If I start the ldap.client on port 636 I get the output
>
>     TLS: can't accept.
>     TLS: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol s23_srvr.c:585
>
> I think the certificates are also good for TLS. So I've got no problem to use TLS. But there is just no reaction on the flag NS_LDAP_AUTH_TLS by the ldapclient. The error I got is an SSL error. Maybe somebody knows a workaround or a real solution to get an encryption between openldap and the ldapclient.
>
> Thx,
> Sebastian Lorkowski
RE: Determining certificate type
Areg,

I haven't seen it looking through the 0.9.7 API... but you could try to load the files into the object containers and see if it holds it... WARNING: THIS MAY CAUSE YOUR APPLICATION TO NOT FUNCTION PROPERLY!

Hope this helps.

Victor

From: owner-openssl-users@openssl.org [mailto:owner-openssl-users@openssl.org] On Behalf Of Areg Alimian
Sent: Wednesday, September 21, 2005 2:53 PM
To: openssl-users@openssl.org
Subject: Determining certificate type

> Hello all,
>
> Is there an API call within the OpenSSL libraries which will return the type (e.g. PKCS#12 cert, PKCS#7 cert chain, etc.) of a given certificate file? Your response would be much appreciated.
>
> -Areg Alimian
>
> P.S. This might appear as a redundant message, but I don't think the original one got posted on this mailing list.
RE: Determining certificate type
Steve,

I should have included with the warning, to check for loading errors/no loads after the attempted loading... I have not noticed anything negative from doing it, unless I don't properly error check! Sorry for being confusing.

Victor

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Dr. Stephen Henson
Sent: Thursday, September 22, 2005 11:33 AM
To: openssl-users@openssl.org
Subject: Re: Determining certificate type

> On Thu, Sep 22, 2005, Chevalier, Victor T. wrote:
>
> > Areg,
> >
> > I haven't seen it looking through the 0.9.7 API... but you could try to load the files into the object containers and see if it holds it... WARNING: THIS MAY CAUSE YOUR APPLICATION TO NOT FUNCTION PROPERLY!
>
> That's what I suggested in an original response which doesn't seem to have made it to the list. The only way is to try various functions on the data such as d2i_XXX(), PEM_XXX() and so on. In fact, if the first byte of the data isn't 0x30 (SEQUENCE tag) there's no point calling the d2i_XXX() functions.
>
> I wouldn't have included that warning though. Have you any example where doing this causes an application to misbehave?
>
> Steve.
Verifying a signed message...pkcs7 question.
When I use the function:

    PKCS7_verify(pkcs7, chain, store, pkcs7BIO, outBIO, 0 /* flags */);

I get ^M in my output file (using unix). Is there a reason for this? If so, is there perhaps a flag to disable it?

Thanks,
Victor
openssl 0.9.7a problem with EVP_PKEY loading.
I am having trouble with openssl 0.9.7a. I can't use a newer version because I am using standard Red Hat. I am trying to load a private key into an EVP_PKEY using either a fp or a BIO. So far neither has worked. Here's a quick example of what I'm testing:

    #include <iostream>
    #include <openssl/bio.h>
    #include <openssl/evp.h>
    #include <openssl/pem.h>

    EVP_PKEY *pkey = NULL;
    BIO *in = NULL;

    in = BIO_new(BIO_s_file());
    BIO_read_filename(in, "mykey.pem");                   /* open the PEM file for reading */
    pkey = PEM_read_bio_PrivateKey(in, NULL, NULL, NULL); /* no passphrase callback or data */
    if (!pkey) {
        /* ERR_print_errors_fp(stderr) here would show the library's reason */
        std::cout << "error pkey not loading." << std::endl;
    }
    EVP_PKEY_free(pkey);
    BIO_free(in);

Can someone explain why it keeps telling me "error pkey not loading"!!! I have tried this with the FILE *fp method as well. Is there something else I need to do, because this is confounding me.

Thanks.
Victor
Openldap userCertificate;binary: file question
Hello All,

I was wondering what you all thought about this problem I have encountered. All the googling and open information suggests that loading a certificate into openldap in an ldif file should be in PEM format. However, my ldif looks like this:

    userCertificate;binary: file:///home/vchevalier/myCA/vchevalier.crt

But the only way I can get this certificate to load into the ldap server is to do the following:

    openssl x509 -inform PEM -in vchevalier.crt -outform DER -out vchevalier.der

Then I change my ldif section to

    userCertificate;binary: file:///home/vchevalier/myCA/vchevalier.der

And it magically works. Now forgive my ignorance as I am new to ldap, but this is DER format, NO? So when polling an LDAP server, should I be loading certificates from LDAP into a DER or PEM structure, as it appears that openldap loads only DER and all the google information is wrong! What gives!

Thanks,
-Victor
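An added shell example, not code from anyone on this page, of the loader-by-loader approach Steve describes in the "Determining certificate type" thread above (PEM by its armour label, DER only if the first byte is the 0x30 SEQUENCE tag, then each OpenSSL container tried in turn), which also exercises the PEM-to-DER conversion from this post; the cert_kind function, the sample files and the PKCS#12 password are constructed.

```shell
#!/bin/sh
# Added example, not code from the thread: Steve's "try each loader" advice
# as a shell function. A file is PEM if it starts with "-----BEGIN <LABEL>",
# is only worth handing to a DER (d2i) loader if its first byte is 0x30,
# the ASN.1 SEQUENCE tag, and otherwise each OpenSSL container is tried in
# turn. The function name and the sample files are constructed for this demo.
set -eu

first_byte_hex() { od -An -tx1 -N1 "$1" | tr -d ' \n'; }

# cert_kind FILE [PKCS12_PASSWORD]
# Prints one of: pem:<LABEL>, der:x509, der:pkcs7, der:pkey, der:pkcs12,
# der:unknown (a SEQUENCE no loader accepted) or notasn1.
# PKCS#12 cannot be confirmed without its password (the MAC check fails),
# so without the second argument a PKCS#12 file reports der:unknown.
cert_kind() {
    f=$1; pw=${2:-}
    case $(first_byte_hex "$f") in
        2d) # '-' : PEM armour on the first line
            label=$(grep -m1 '^-----BEGIN ' "$f" | sed 's/^-----BEGIN //; s/-----$//')
            echo "pem:${label:-unknown}"; return 0 ;;
        30) ;;
        *)  echo notasn1; return 0 ;;
    esac
    if openssl x509 -inform DER -in "$f" -noout 2>/dev/null; then echo der:x509
    elif openssl pkcs7 -inform DER -in "$f" -noout 2>/dev/null; then echo der:pkcs7
    elif openssl pkey -inform DER -in "$f" -noout 2>/dev/null; then echo der:pkey
    elif openssl pkcs12 -in "$f" -noout -passin "pass:$pw" 2>/dev/null; then echo der:pkcs12
    else echo der:unknown
    fi
}

# --- constructed sample files, one per container type ---
WORK=$(mktemp -d)
cd "$WORK"
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=sample" \
    -keyout key.pem -out cert.pem >/dev/null 2>&1
# The PEM -> DER conversion from the OpenLDAP post above.
openssl x509 -inform PEM -in cert.pem -outform DER -out cert.der
openssl pkey -in key.pem -outform DER -out key.der
openssl crl2pkcs7 -nocrl -certfile cert.pem -outform DER -out chain.p7b
openssl pkcs12 -export -in cert.pem -inkey key.pem -passout pass:constructed \
    -out bundle.p12
printf 'not a certificate\n' > junk.txt
```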
RE: openssl smime ability to create a multi-attachment message?
Hey Steve,

When I create a mime message with mutt then pass it to openssl, the mime message created in mutt contains date, to, from, and subject... but isn't s/mime supposed to contain that? If I create a mime message with all the header information, then sign that mime message with S/MIME with all the header information, will this cause a problem on some systems? Or should it be ok?! Maybe there is an easier way to generate S/MIME messages with attachments?!

Thanks.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of [EMAIL PROTECTED]
Sent: Wednesday, March 30, 2005 5:26 AM
To: openssl-users@openssl.org
Subject: Re: openssl smime ability to create a multi-attachment message?

> On Tue, Mar 29, 2005, Chevalier, Victor T. wrote:
>
> > I am using mpack to create the mime message; it looks like openssl is putting S/MIME around the entire MIME message as if it were text... [snip]
>
> The first part of a multipart/signed message is the data to be signed, the second the signature itself. So that's perfectly normal: if it appended a text/plain content type in the first part that would be wrong.
>
> Steve.
RE: openssl smime ability to create a multi-attachment message?
Does openssl support taking a mime message and doing this? Or is there something else I will need to convert a mime message to smime?

Thank you,
Victor

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of [EMAIL PROTECTED]
Sent: Monday, March 28, 2005 6:22 PM
To: openssl-users@openssl.org
Subject: Re: openssl smime ability to create a multi-attachment message?

> On Mon, Mar 28, 2005, Chevalier, Victor T. wrote:
>
> > Is it possible to have the command line of openssl create an smime message containing file(s)? [snip]
>
> You have to create the MIME message in the appropriate format and send that to the smime command. This is however an area where many S/MIME clients have difficulties.
>
> Steve.
RE: openssl smime ability to create a multi-attachment message?
I am using mpack to create the mime message; it looks like openssl is putting S/MIME around the entire MIME message as if it were text... used this command:

    openssl smime -sign -inkey private/mykey.pem -signer mycert.pem -in mimemessage -out new.mail

Maybe the syntax is wrong? Or is it supposed to be like:

    MIME-Version: 1.0
    Content-Type: ...

    This is an S/MIME signed message

    ---4DF5902840938
    MIME MESSAGE HERE
    ---4DF5902840938
    Content-Type: application/x-pkcs7-signature...

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of [EMAIL PROTECTED]
Sent: Tuesday, March 29, 2005 11:04 AM
To: openssl-users@openssl.org
Subject: Re: openssl smime ability to create a multi-attachment message?

> On Tue, Mar 29, 2005, Chevalier, Victor T. wrote:
>
> > Does openssl support taking a mime message and doing this? Or is there something else I will need to convert a mime message to smime?
>
> The input to the smime command is expected to be in MIME format unless you specify -text, in which case it adds text/plain headers. However, OpenSSL only does EOL=CRLF translation on the whole MIME document by default. If that is inappropriate you have to supply a canonical MIME document and turn off translation with the -binary option.
>
> Steve.
openssl smime ability to create a multi-attachment message?
Is it possible to have the command line of openssl create an smime message containing file(s)?

Example. Sample e-mail:

    Hey here are some files.
    -Attachments:
    doc1.doc
    doc2.doc

Is there a command line way to create the SMIME format for this? If not, is there code built into openssl to handle this? Or has someone already run into this and has sample code?

Thank you.
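An added shell example, not code from anyone in this thread: it builds the multipart/mixed message with an attachment that the smime command expects, signs it as in this thread, and then verifies it the way the PKCS7_verify call in the "PKCS7_TEXT with PKCS7_NOVERIFY | PKCS7_NOSIGS" thread at the top of the page tried to, with and without the text flag; the message text, boundary and file names are constructed.

```shell
#!/bin/sh
# Added example, not code from the thread: build a multipart/mixed MIME
# message with an attachment, sign it with "openssl smime -sign", then
# verify with -noverify (PKCS7_NOVERIFY) with and without -text (PKCS7_TEXT).
# Message text, boundary and file names are constructed for this demo.
set -eu
WORK=$(mktemp -d)
cd "$WORK"

# Self-signed signer certificate (constructed, no CA involved).
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Signer" \
    -keyout signer.key -out signer.pem >/dev/null 2>&1

# The MIME entity a tool like mpack or mutt would build: one text part and
# one base64 attachment. This is the input the smime command expects.
printf 'contents of doc1\n' > doc1.txt
ATT=$(openssl base64 -A -in doc1.txt)
cat > mimemessage <<EOF
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="constructed-boundary"

--constructed-boundary
Content-Type: text/plain

Hey here are some files.
--constructed-boundary
Content-Type: application/octet-stream; name="doc1.txt"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="doc1.txt"

$ATT
--constructed-boundary--
EOF

# Sign: the whole entity becomes the first part of multipart/signed and the
# PKCS#7 signature the second part, the layout Steve describes. Line endings
# are canonicalised to CRLF unless -binary is given, which is where the ^M
# seen after verification on Unix comes from.
openssl smime -sign -in mimemessage -signer signer.pem -inkey signer.key \
    -out new.mail

# Verify without checking the signer's chain. With no -text flag the signed
# content is written out verbatim, MIME headers included.
verify_plain() {
    openssl smime -verify -noverify -in new.mail -out verified.eml 2>/dev/null
}

# Same, but with -text: OpenSSL then insists the signed content is
# text/plain and strips those headers; a multipart/mixed body is rejected
# with "invalid mime type", the error quoted at the top of the page.
verify_text() {
    openssl smime -verify -noverify -text -in new.mail \
        -out verified_text.eml 2>/dev/null
}
```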
1 Main CA and a subordinate CA 1-Many...how can I sign one ca with another ca...
I am trying to create a hierarchy for my CAs... however, when I have two separate CAs created similarly:

On box 1, Main CA:

    openssl req -newkey rsa:2048 -days 4380 \
        -out cacert.pem -outform PEM -config openssl.cnf

On box 2, Subordinate CA:

    openssl req -newkey rsa:2048 -days 2190 \
        -out cacert.pem -outform PEM -config openssl.cnf

The configuration files are almost identical. openssl.cnf:

    [ ca ]
    default_ca              = CA_PROFILE

    [ CA_PROFILE ]
    dir                     = .
    certificate             = $dir/cacert.pem
    database                = $dir/index.txt
    new_certs_dir           = $dir/certs
    private_key             = $dir/private/cakey.pem
    serial                  = $dir/serial
    default_crl_days        = 7
    default_days            = 4380
    default_md              = sha1
    policy                  = CA_PROFILE_Policy
    x509_extensions         = certificate_extensions

    [ CA_PROFILE_Policy ]
    commonName              = supplied
    stateOrProvinceName     = optional
    countryName             = match
    emailAddress            = optional
    organizationName        = match
    organizationalUnitName  = supplied

    [ certificate_extensions ]
    basicConstraints        = CA:false
    subjectKeyIdentifier    = hash

    [ req ]
    default_bits            = 2048
    default_keyfile         = ./private/cakey.pem
    default_md              = sha1
    default_days            = 4380
    prompt                  = no
    distinguished_name      = root_ca_DN
    x509_extensions         = root_ca_ext

    [ root_ca_DN ]
    commonName              = MainCA
    organizationName        = Software
    organizationalUnitName  = Branch
    countryName             = US

    [ root_ca_ext ]
    basicConstraints        = CA:true
    subjectKeyIdentifier    = hash
    authorityKeyIdentifier  = keyid:always,issuer:always

I try to sign the subordinate CA with the main CA like this, on box 1 in the main CA directory:

    openssl ca -in box2/SubCA/cacert.pem -config openssl.cnf

I get an error something along the lines of "Expecting: CERTIFICATE REQUEST". Any clues?

Thanx!
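An added shell example, not code from anyone on this page, of the hierarchy this post is after: a self-signed main CA signing a subordinate CA's certificate request, the subordinate issuing an end-entity certificate, and verification done the way the "TLSv1 - Certificate Chain" thread above needs it; the ext.cnf sections, subject names and file names are constructed and stand in for the posted openssl.cnf.

```shell
#!/bin/sh
# Added example, not code from either thread: a Main CA signing a
# subordinate CA's certificate request, the subordinate signing an
# end-entity certificate, and verification done the way the TLSv1
# certificate chain thread needs it. The ext.cnf sections, subject names
# and file names are constructed for this demo (they replace the posted
# openssl.cnf); everything is built in a temp dir.
set -eu
WORK=$(mktemp -d)
cd "$WORK"

# Extensions applied at signing time: CA:true for the two CAs, CA:false for
# the end-entity, as in the posted root_ca_ext / certificate_extensions.
cat > ext.cnf <<'EOF'
[ ca_cert ]
basicConstraints = critical,CA:true
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[ end_entity ]
basicConstraints = CA:false
subjectKeyIdentifier = hash
EOF

# Every participant starts from a CSR; only the Main CA self-signs its own.
new_csr() {  # new_csr NAME CN  -> NAME.key, NAME.csr
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$1.key" -out "$1.csr" >/dev/null 2>&1
}

# sign_with ISSUER_CERT ISSUER_KEY EXT_SECTION CSR OUT
# Handing this a certificate instead of a CSR fails with
# "Expecting: CERTIFICATE REQUEST", the error from the CA post.
sign_with() {
    openssl x509 -req -days 30 -in "$4" -CA "$1" -CAkey "$2" -CAcreateserial \
        -extfile ext.cnf -extensions "$3" -out "$5" 2>/dev/null
}

# Box 1: Main CA (self-signed from its own CSR, with CA extensions).
new_csr root MainCA
openssl x509 -req -days 30 -in root.csr -signkey root.key \
    -extfile ext.cnf -extensions ca_cert -out root.pem 2>/dev/null

# Box 2: subordinate CA sends its CSR to box 1, which issues spca.pem.
new_csr spca SubCA
sign_with root.pem root.key ca_cert spca.csr spca.pem

# The server certificate from the chain thread, issued by the subordinate.
new_csr server opensslServer
sign_with spca.pem spca.key end_entity server.csr server.pem

# Verify as a peer with only the root as trust anchor. Without the
# intermediate the leaf's issuer cannot be found ("unable to get local
# issuer certificate" at depth 0); supplying spca.pem as untrusted input
# lets the chain build. Returns 0 only when openssl reports OK.
verify_server() {  # verify_server [extra "openssl verify" options]
    openssl verify -CAfile root.pem "$@" server.pem 2>&1 | grep -q ': OK$'
}
```

The same requirement applies to the s_server/s_client setup in the chain thread: the verifying side has to be given spca.pem, either sent by the peer in its chain (for example with -chainCAfile, available since OpenSSL 1.0.2) or found through a correctly hashed -CApath.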
Possible to have multiple organizational units in openssl.cnf?
Is it possible to have multiple organizational units in openssl.cnf? I am trying to define more than one OU, not sure how.

Thanks.
I have an x509 certificate, how can I sign email with it? What is the command?
I have an x509 certificate, how can I sign email with it? What is the command?
x509.h and x509v3.h
Can someone please tell me how x509.h and x509v3.h or point me to the right page... google is not giving very good results... Thank you.