Re: [openssl-users] Generating CSR based on an x25519 public key
On Mon, Oct 23, 2017 at 6:47 PM, Kyle Hamilton wrote:
> Out of curiosity, what are the algorithm identifiers for X25519 and Ed25519?

The ones I am aware of are available in http://tools.ietf.org/html/draft-josefsson-pkix-newcurves.

Jeff

--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Re: [openssl-users] Generating CSR based on an x25519 public key
Out of curiosity, what are the algorithm identifiers for X25519 and Ed25519?

-Kyle H

On Mon, Oct 23, 2017 at 3:24 PM, Jakob Bohm wrote:
> On 21/10/2017 15:38, Codarren Velvindron wrote:
>> https://tls13.crypto.mozilla.org is using : The connection to this site is
>> encrypted and authenticated using a strong protocol (TLS 1.3), a strong key
>> exchange (X25519), and a strong cipher (AES_128_GCM).
>>
>> Using openssl standard tools is it possible to generate a CSR through
>> Ed25519 ?
>
> If you look further into this test page, at least with my
> browser, it uses x25519 with a regular RSA certificate from
> Let's encrypt. I don't know if they use a different
> certificate with other browsers based on checking some TLS
> extensions etc.
>
> The x25519 public key has no certificate, it is randomly
> generated for each connection and signed with the RSA key
> from the certificate.
>
> Enjoy
>
> Jakob
Re: [openssl-users] Generating CSR based on an x25519 public key
On 21/10/2017 15:38, Codarren Velvindron wrote:
> https://tls13.crypto.mozilla.org is using : The connection to this site is
> encrypted and authenticated using a strong protocol (TLS 1.3), a strong key
> exchange (X25519), and a strong cipher (AES_128_GCM).
>
> Using openssl standard tools is it possible to generate a CSR through
> Ed25519 ?

If you look further into this test page, at least with my browser, it uses x25519 with a regular RSA certificate from Let's encrypt. I don't know if they use a different certificate with other browsers based on checking some TLS extensions etc.

The x25519 public key has no certificate, it is randomly generated for each connection and signed with the RSA key from the certificate.

Enjoy

Jakob

--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
Re: [openssl-users] Generating CSR based on an x25519 public key
They are NOT using a 25519 certificate; it says “key exchange”

From: Codarren Velvindron <devild...@gmail.com>
Date: Saturday, October 21, 2017 at 9:38 AM
To: Rich Salz <rs...@akamai.com>, openssl-users <openssl-users@openssl.org>
Subject: Re: [openssl-users] Generating CSR based on an x25519 public key

> https://tls13.crypto.mozilla.org is using : The connection to this site is
> encrypted and authenticated using a strong protocol (TLS 1.3), a strong key
> exchange (X25519), and a strong cipher (AES_128_GCM).
>
> Using openssl standard tools is it possible to generate a CSR through
> Ed25519 ?
Re: [openssl-users] Generating CSR based on an x25519 public key
On Sat, Oct 21, 2017 at 9:38 AM, Codarren Velvindron wrote:
> https://tls13.crypto.mozilla.org is using : The connection to this site is
> encrypted and authenticated using a strong protocol (TLS 1.3), a strong key
> exchange (X25519), and a strong cipher (AES_128_GCM).

That's what Rich said: "X25519 is a key-exchange-only algorithm". The shared secret that drops out of the x25519 key exchange is used to key AES128/GCM (some hand waving).

> Using openssl standard tools is it possible to generate a CSR through
> Ed25519 ?

This is a different application. ed25519 is signing, not key exchange. I'm not sure how to do it because I've never needed it. But keep in mind Rich said: "OpenSSL doesn’t fully support Ed25519".

Jeff
Re: [openssl-users] Generating CSR based on an x25519 public key
https://tls13.crypto.mozilla.org is using : The connection to this site is encrypted and authenticated using a strong protocol (TLS 1.3), a strong key exchange (X25519), and a strong cipher (AES_128_GCM).

Using openssl standard tools is it possible to generate a CSR through Ed25519 ?
Re: [openssl-users] Generating CSR based on an x25519 public key
> How would we be able to achieve this? I have read somewhere on a 2016 mail in the archives that it is an "encrypt-only" algorithm and that is not possible.

X25519 is a key-exchange-only algorithm. Ed25519 is a signing algorithm. Unlike classic RSA, the signing and the key exchange are two different operations (well, technically RSA doesn’t have key exchange). Both are defined by IETF RFCs. OpenSSL doesn’t fully support Ed25519.

> But I have found many sites on let's encrypt already using this.

Are you sure? Please post a key. Ed25519 is quite different from EdDSA or ECDSA or DSA, which typically use a P-256 curve.
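The distinction Rich draws above (X25519 does key agreement only, Ed25519 signs) can be checked directly, because a CSR is self-signed by the requesting key. The script below is an added example, not code from any poster in this thread; it assumes an `openssl` binary of version 1.1.1 or later (the thread dates from 2017, when Ed25519 support was still incomplete), and the subject names it uses are constructed.

```shell
#!/bin/sh
# Added example, not from the thread: an Ed25519 key can sign a CSR, an X25519 key
# cannot, because X25519 has no signature operation at all. Assumes OpenSSL 1.1.1+.
set -eu

# Generate a key of the given algorithm and try to build a self-signed CSR with it.
# Prints csr-ok, csr-bad-signature or csr-refused; the exit status is always 0 so
# callers compare the printed verdict rather than the status.
csr_with_algorithm() {
    alg=$1
    dir=$(mktemp -d)
    # Constructed subject, e.g. /CN=ed25519.example.test
    cn=$(printf '%s' "$alg" | tr 'A-Z' 'a-z').example.test
    openssl genpkey -algorithm "$alg" -out "$dir/key.pem" 2>/dev/null

    if openssl req -new -key "$dir/key.pem" -subj "/CN=$cn" -out "$dir/req.csr" 2>/dev/null; then
        # The CSR carries a signature made with the requester's private key;
        # -verify checks it against the public key embedded in the request.
        if openssl req -in "$dir/req.csr" -noout -verify >/dev/null 2>&1; then
            echo csr-ok
        else
            echo csr-bad-signature
        fi
    else
        # req fails at the signing step: X25519 keys only do key agreement.
        echo csr-refused
    fi
    rm -rf "$dir"
}

printf 'ED25519: %s\n' "$(csr_with_algorithm ED25519)"   # csr-ok
printf 'X25519:  %s\n' "$(csr_with_algorithm X25519)"    # csr-refused
```

The same split shows up in TLS: the X25519 share seen on the Mozilla test page is ephemeral and never appears in a certificate, while a certificate (and therefore a CSR) needs a key that can sign.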
[openssl-users] Generating CSR based on an x25519 public key
Errata: I meant private key
[openssl-users] Generating CSR based on an x25519 public key
Hello,

How would we be able to achieve this? I have read somewhere on a 2016 mail in the archives that it is an "encrypt-only" algorithm and that is not possible.

But I have found many sites on let's encrypt already using this.

Does anyone know how to do this?

Thanks,
Codarren
OpenSSL crashes generating CSR -- help!
I need to generate a CSR, but OpenSSL always crashes. What am I doing wrong?

c:\GnuWin32\bin> openssl genrsa -out switchvox.key 2048
c:\GnuWin32\bin> openssl req -new -key switchvox.key -out switchvox.csr -config ..\share\openssl.cnf

OpenSSL prompts me for the city, state, etc. I fill everything in, it runs for a few seconds, then crashes, every time.

Is there some other way to do this?

Thanks!
RE: OpenSSL crashes generating CSR -- help!
> From: owner-openssl-us...@openssl.org On Behalf Of Jesse Keller
> Sent: Tuesday, 03 May, 2011 09:17
>
> I need to generate a CSR, but OpenSSL always crashes. What am I doing wrong?
>
> c:\GnuWin32\bin> openssl genrsa -out switchvox.key 2048
> c:\GnuWin32\bin> openssl req -new -key switchvox.key -out switchvox.csr -config ..\share\openssl.cnf

What you posted looks fine, and even if you did something wrong OpenSSL should never just crash, it should give an error message.

Do we assume this is the build at http://gnuwin32.sourceforge.net/packages/openssl.htm described as 0.9.8h (but perhaps patched because it adds -1)?

1. 0.9.8h is pretty old. Checking a few nearby things at random, this whole project appears pretty out of date. (It should still work, but won't include recent features -- and recent security fixes.) Current OpenSSL builds for Windows (but mainly using VC++, not mingw, if that matters to you) are available free at http://www.slproweb.com/products/Win32OpenSSL.html . Or you can build from source given suitable tools.

2. Their -src package is 5 times larger than official source??

3. If I install just the -bin package on my scratch system (XP SP3) it runs, does not crash, and creates a valid CSR.

4. What Windows are you on, and what exactly do you see? Do you get a fault code? address or EIP? registers? stack? Anything from Dr. Watson? In the event log? Do you have a debugger available? If you run the problem command under a debugger what does it say?

__
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org
Re: Problem generating csr
The rpm manager will only update if you install through rpm. 1.5 gb sounds absurd for a csr. Perhaps dump the beginning of it to see if a particular field is incorrect.

[EMAIL PROTECTED] wrote on 09/11/2008 02:34:04 PM:
> I am running Red Hat Enterprise 5.2 with OpenSSL 0.9.8h. The version of OpenSSL available for download from Red Hat Network was out of date so I downloaded OpenSSL 0.9.8h from openssl.org and did a ./configure, make, make install. Now, if I do a openssl version, it displays the correct version, 0.9.8h. However, the rpm manager still shows the old version.
>
> My problem is when I generate a csr, the csr file is over 1.5 GB. Needless to say I think my OpenSSL configuration is screwed up. By the way I am a noobie if you haven’t already guessed.
>
> Help is greatly appreciated.
>
> Dave
Problem generating csr
I am running Red Hat Enterprise 5.2 with OpenSSL 0.9.8h. The version of OpenSSL available for download from Red Hat Network was out of date so I downloaded OpenSSL 0.9.8h from openssl.org and did a ./configure, make, make install. Now, if I do a openssl version, it displays the correct version, 0.9.8h. However, the rpm manager still shows the old version.

My problem is when I generate a csr, the csr file is over 1.5 GB. Needless to say I think my OpenSSL configuration is screwed up. By the way I am a noobie if you haven't already guessed.

Help is greatly appreciated.

Dave
Re: Problem generating csr
On Thu, Sep 11, 2008, Fink, David wrote:
> My problem is when I generate a csr, the csr file is over 1.5 GB. Needless to say I think my OpenSSL configuration is screwed up. By the way I am a noobie if you haven't already guessed.

There is a bug in 0.9.8h which affects certificate request generation. This will be fixed in the next release which will be real soon now...

Alternatively try a recent snapshot such as:

ftp://ftp.openssl.org/snapshot/openssl-0.9.8-stable-SNAP-20080911.tar.gz

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Homepage: http://www.drh-consultancy.demon.co.uk
Re: generating CSR
thanks it is working fine now.

cheers
Rami

On Thu, Feb 21, 2008 at 6:17 PM, [EMAIL PROTECTED] wrote:
> Hello,
>
> > I want to get the CSR file to purchase an ssl certificate for securing SMTP on Sendmail, OS=Redhat ES5
> >
> > I ran the following:
> >
> > 1. to generate the private key:
> >    openssl genrsa -des3 -out server.key 1024
> >    then i inserted my passphrase
> >
> > 2. to generate CSR:
> >    openssl req -key server.key -out server.csr
> >    after i enter my passphrase the system hangs, i need to press Ctrl-C to get back to the system and the CSR is not generated.
> >
> > any ideas?
> >
> > Important: i run this on Fedora 8/openssl 0.9.8b-17 and it works fine! my system is Redhat enterprise linux 5/openssl 0.9.8b-8
>
> Add -new option to openssl req ... command.
>
> Best regards,
> --
> Marek Marcola [EMAIL PROTECTED]

--
Best Regards,
Eng. Rami Ahmad
generating CSR
Hi,

I want to get the CSR file to purchase an ssl certificate for securing SMTP on Sendmail, OS=Redhat ES5

I ran the following:

1. to generate the private key:
   openssl genrsa -des3 -out server.key 1024
   then i inserted my passphrase

2. to generate CSR:
   openssl req -key server.key -out server.csr
   after i enter my passphrase the system hangs, i need to press Ctrl-C to get back to the system and the CSR is not generated.

any ideas?

Important: i run this on Fedora 8/openssl 0.9.8b-17 and it works fine! my system is Redhat enterprise linux 5/openssl 0.9.8b-8

--
Best Regards,
Eng. Rami Ahmad
Re: generating CSR
Hello,

> I want to get the CSR file to purchase an ssl certificate for securing SMTP on Sendmail, OS=Redhat ES5
>
> I ran the following:
>
> 1. to generate the private key:
>    openssl genrsa -des3 -out server.key 1024
>    then i inserted my passphrase
>
> 2. to generate CSR:
>    openssl req -key server.key -out server.csr
>    after i enter my passphrase the system hangs, i need to press Ctrl-C to get back to the system and the CSR is not generated.
>
> any ideas?
>
> Important: i run this on Fedora 8/openssl 0.9.8b-17 and it works fine! my system is Redhat enterprise linux 5/openssl 0.9.8b-8

Add -new option to openssl req ... command.

Best regards,
--
Marek Marcola [EMAIL PROTECTED]
Re: Re: generating CSR for smartcard certificate
Thanks for the concise answer, although I had hoped for something more reassuring...

Unfortunately, implementing a PKCS#11 interface to our card/applet, as well as writing an ENGINE or a Windows CSP for it, are all tasks a little out of our time frame for the project. And the problem seems a typical one.

Regards,
Vladimir Slepnev
Re: Re: generating CSR for smartcard certificate
On Sun, Nov 16, 2003, Слепнев Владимир wrote:
> Thanks for the concise answer, although I had hoped for something more reassuring...
>
> Unfortunately, implementing a PKCS#11 interface to our card/applet, as well as writing an ENGINE or a Windows CSP for it, are all tasks a little out of our time frame for the project. And the problem seems a typical one.

Well CSP/PKCS#11 or an ENGINE would be the proper solution. Writing an ENGINE is much easier than CSP/PKCS#11.

However there are other solutions which can be handled more quickly and come under the heading of quick and dirty and I'll deny all knowledge of these :-)

Some programming is needed to handle this, you can't handle it with the command line utilities.

If you need a valid CSR then you could create one using the normal OpenSSL utilities then edit it with a short C program to replace the public key and resign it with the corrected digest. You'd work out the new digest with ASN1_item_digest() sign it and place it in the signature field.

A dirtier technique is to not even bother with the signature and hack the OpenSSL utilities so they don't check the signature any more on a CSR. Doing things that way means you don't need any smart card operations and you just set the public key to the correct value.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://drh-consultancy.demon.co.uk
generating csr using public key?
Can it be done? thanks
Problem generating CSR.
Hiya,

I'm using ssl0.9.5a on Solaris 8. I want to create a RSA private key for my Apache server (will be Triple-DES encrypted and PEM formatted):

But, when I ran the command :

./openssl genrsa -rand -des3 -out server.key 1024

I have the following error :

0 semi-random bytes loaded
Generating RSA private key, 1024 bit long modulus
363:error:24064064:random number generator:SSLEAY_RAND_BYTES:PRNG not seeded:md_rand.c:538:
363:error:04069003:rsa routines:RSA_generate_key:BN lib:rsa_gen.c:182:

What am I doing wrong ?

Thanks
___
Julio Cesar de Melhado e Lima
Software Engineer
CIT - software enabling the e-world
http://www.cit.com.br
Phone: +55 19 3737.4538 Fax: +55 19 3737.4501 Mobile: +55 19 9111.7282 Pager: www.tess.com.br/infotess
Re: Problem generating CSR.
You need to have a source for the -rand flag. My solution was to use egd and create a file of sufficient length full of random data. then the command line was:

openssl genrsa -rand file w/random data -des3 1024 server.key

or

openssl genrsa -rand file w/random data -des3 -out server.key 1024

Hope that helps.

Travis Theune

* Julio Cesar de Melhado e Lima ([EMAIL PROTECTED]) [000906 13:43]:
> Hiya,
>
> I'm using ssl0.9.5a on Solaris 8. I want to create a RSA private key for my Apache server (will be Triple-DES encrypted and PEM formatted):
>
> But, when I ran the command :
>
> ./openssl genrsa -rand -des3 -out server.key 1024
>
> I have the following error :
>
> 0 semi-random bytes loaded
> Generating RSA private key, 1024 bit long modulus
> 363:error:24064064:random number generator:SSLEAY_RAND_BYTES:PRNG not seeded:md_rand.c:538:
> 363:error:04069003:rsa routines:RSA_generate_key:BN lib:rsa_gen.c:182:
>
> What am I doing wrong ?
>
> Thanks
Re: Problem generating CSR.
Julio Cesar de Melhado e Lima [EMAIL PROTECTED] writes:
> Hiya,
>
> I'm using ssl0.9.5a on Solaris 8. I want to create a RSA private key for my Apache server (will be Triple-DES encrypted and PEM formatted):
>
> But, when I ran the command :
>
> ./openssl genrsa -rand -des3 -out server.key 1024
>
> I have the following error :
>
> 0 semi-random bytes loaded
> Generating RSA private key, 1024 bit long modulus
> 363:error:24064064:random number generator:SSLEAY_RAND_BYTES:PRNG not seeded:md_rand.c:538:
> 363:error:04069003:rsa routines:RSA_generate_key:BN lib:rsa_gen.c:182:

There may well be problems with the lack of /dev/random on a Solaris box but doesn't the `-rand' option take a file name(s) parameter something like:

./openssl genrsa -rand /tmp/rand1:/tmp/rand2 -des3 -out server.key 1024
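Both replies above make the same point: `-rand` takes a file name, so in the failing command `-des3` was consumed as the seed file (hence "0 semi-random bytes loaded"). The script below is an added example, not code from any poster; it serves this thread and the earlier "generating CSR" thread, where the missing `-new` made `openssl req` wait for a request on stdin. It assumes a current OpenSSL (1.1.x or 3.x, where `-rand` still accepts a `:`-separated list of files) and uses `/dev/urandom` as the seed source; on the poster's Solaris 8 box the seed file would have come from EGD or collected entropy instead. Paths and subject are constructed.

```shell
#!/bin/sh
# Added example, not from either thread: seed RSA key generation from a file with
# -rand, then build the CSR with "req -new". Assumes OpenSSL 1.1.x/3.x on PATH.
set -eu

# Write a seed file of the requested size from /dev/urandom (stand-in for EGD).
# Returns 0 when the file really has that many bytes.
make_seed_file() {
    path=$1; size=$2
    dd if=/dev/urandom of="$path" bs=1 count="$size" 2>/dev/null
    [ "$(wc -c <"$path" | tr -d ' ')" -eq "$size" ]
}

# Generate a 2048-bit RSA key seeded from the given file, then a CSR for it.
# Prints "ok" when the CSR's self-signature verifies, "fail" otherwise.
seeded_key_and_csr() {
    seed=$1
    dir=$(mktemp -d)
    # The option is "-rand <file[:file...]>", never a bare "-rand": written without a
    # file name, the next word on the command line becomes the (missing) seed file.
    openssl genrsa -rand "$seed" -out "$dir/server.key" 2048 2>/dev/null
    # Without -new, "openssl req -key ... -out ..." reads an *existing* request from
    # stdin and looks hung; -new tells it to build a fresh request (Marek's fix).
    openssl req -new -key "$dir/server.key" -subj "/CN=mail.example.test" \
        -out "$dir/server.csr" 2>/dev/null
    if openssl req -in "$dir/server.csr" -noout -verify >/dev/null 2>&1; then
        echo ok
    else
        echo fail
    fi
    rm -rf "$dir"
}

seed=$(mktemp)
make_seed_file "$seed" 1024
seeded_key_and_csr "$seed"   # ok
rm -f "$seed"
```

On a system with a working kernel RNG the `-rand` file is merely mixed into the pool, so the command succeeds with or without it; the seed file matters only where, as on the poster's Solaris 8, the library has no entropy source of its own.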
Re: Generating CSR for Netscape Certificate Server based CA (fwd)
Hello,

On 29 Jan 00, at 19:48, Merton Campbell Crockett wrote:
> To date, I have not been able to generate a CSR that is acceptable to the Netscape Certificate Server. All requests are rejected with a "bad DER encoding" error.

I had the same error message from Navigator with a certificate that included an underscore in the CN.

greetings

Nico
--
Nicolás Aragón [EMAIL PROTECTED]
Departamento de Industria y Servicios
Software AG España
Re: Generating CSR for Netscape Certificate Server based CA (fwd)
Nicolas Aragon wrote:
> Hello,
>
> On 29 Jan 00, at 19:48, Merton Campbell Crockett wrote:
> > To date, I have not been able to generate a CSR that is acceptable to the Netscape Certificate Server. All requests are rejected with a "bad DER encoding" error.
>
> I had the same error message from Navigator with a certificate that included an underscore in the CN.

Yes that's another potential problem. You should keep to the PrintableString character set[1] (except in emailAddress) if at all possible. Netscape has problems with some characters but this is hard to track down: I've known '' give trouble.

Anything before the latest snapshot of OpenSSL also got the type of string wrong in anything other than commonName if characters other than the PrintableString set got used.

[1] PrintableString character set:
A, B, ..., Z
a, b, ..., z
0, 1, ..., 9
(space) ' ( ) + , - . / : = ?

Steve.
--
Dr Stephen N. Henson. http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED]
Senior crypto engineer, Celo Communications: http://www.celocom.com/
Core developer of the OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED]
PGP key: via homepage.
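A practical way to apply Steve's advice is to check each RDN value against the PrintableString set before the CSR is built, and then to look at which ASN.1 string type `openssl` actually emitted. The script below is an added example, not code from this thread; it assumes OpenSSL 1.1.1 or 3.x on PATH and uses `string_mask = default` in a constructed minimal config, because the modern default (`utf8only`) would encode everything as UTF8String and hide the type selection the thread is about. The subjects are constructed.

```shell
#!/bin/sh
# Added example, not from the thread: validate DN values against the PrintableString
# set and report the string type openssl chooses per RDN. Assumes OpenSSL 1.1.1+/3.x.
set -eu

# Return 0 if every character of $1 is in the PrintableString set:
# A-Z a-z 0-9 space ' ( ) + , - . / : = ?
is_printable_string() {
    if LC_ALL=C printf '%s' "$1" | LC_ALL=C grep -q "[^A-Za-z0-9 '()+,./:=?-]"; then
        return 1
    fi
    return 0
}

# Check every RDN value in an openssl-style subject ("/C=US/O=.../CN=...").
# emailAddress is exempt: it is always encoded as IA5String, so '@' and '_' are legal there.
check_subject_dn() {
    rc=0
    old_ifs=$IFS
    IFS=/
    set -f                      # no globbing while the subject is word-split on '/'
    for rdn in ${1#/}; do
        attr=${rdn%%=*}
        value=${rdn#*=}
        if [ "$attr" != emailAddress ] && ! is_printable_string "$value"; then
            printf 'non-PrintableString character in %s=%s\n' "$attr" "$value" >&2
            rc=1
        fi
    done
    set +f
    IFS=$old_ifs
    return $rc
}

# Build a CSR for the subject under string_mask=default and print the string type
# openssl chose for each RDN value, one per line, in subject order.
subject_string_types() {
    dir=$(mktemp -d)
    # Constructed minimal config; a distinguished_name section is required even with -subj.
    cat >"$dir/req.cnf" <<'EOF'
[req]
string_mask = default
distinguished_name = req_dn

[req_dn]
commonName = Common Name
EOF
    openssl req -new -newkey rsa:2048 -nodes -keyout "$dir/key.pem" -config "$dir/req.cnf" \
        -subj "$1" -out "$dir/req.csr" 2>/dev/null
    # asn1parse lines look like:  "   41:d=4  hl=2 l=  16 prim: PRINTABLESTRING   :www.example.test"
    # Field 3 (split on ':') is the type; "BIT STRING" and "OBJECT" lines do not match.
    openssl asn1parse -in "$dir/req.csr" |
        awk -F: '$3 ~ /^ *(PRINTABLE|T61|IA5|BMP|UTF8)STRING *$/ { gsub(/ /, "", $3); print $3 }'
    rm -rf "$dir"
}

check_subject_dn '/C=US/O=Example Corp/emailAddress=admin@example.test/CN=www.example.test'
check_subject_dn '/C=US/CN=bad_name' || echo 'underscore in CN rejected'
subject_string_types '/CN=www.example.test/emailAddress=admin@example.test'   # PRINTABLESTRING, IA5STRING
subject_string_types '/CN=bad_name'                                          # T61STRING
```

The underscore case reproduces the thread's failure mode: with `string_mask = default` the CN falls back to T61String, which is exactly the kind of "wrong string type" that a strict DER consumer such as the Netscape server rejected. Validating the subject first avoids ever producing that request.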