Re: [openssl-users] Generating CSR based on an x25519 public key

2017-10-24 Thread Jeffrey Walton
On Mon, Oct 23, 2017 at 6:47 PM, Kyle Hamilton wrote:
> Out of curiosity, what are the algorithm identifiers for X25519 and Ed25519?

The ones I am aware of are available in
http://tools.ietf.org/html/draft-josefsson-pkix-newcurves.

Jeff
-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users


Re: [openssl-users] Generating CSR based on an x25519 public key

2017-10-23 Thread Kyle Hamilton
Out of curiosity, what are the algorithm identifiers for X25519 and Ed25519?

-Kyle H

On Mon, Oct 23, 2017 at 3:24 PM, Jakob Bohm wrote:
> On 21/10/2017 15:38, Codarren Velvindron wrote:
>>
>> https://tls13.crypto.mozilla.org is using : The connection to this site is
>> encrypted and authenticated using a strong protocol (TLS 1.3), a strong key
>> exchange (X25519), and a strong cipher (AES_128_GCM).
>>
>> Using openssl standard tools is it possible to generate a CSR through
>> Ed25519 ?
>>
>
>
> If you look further into this test page, at least with my
> browser, it uses x25519 with a regular RSA certificate from
> Let's encrypt.  I don't know if they use a different
> certificate with other browsers based on checking some TLS
> extensions etc.
>
> The x25519 public key has no certificate, it is randomly
> generated for each connection and signed with the RSA key
> from the certificate.
>
>
> Enjoy
>
> Jakob
> --
> Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
> Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
> This public discussion message is non-binding and may contain errors.
> WiseMo - Remote Service Management for PCs, Phones and Embedded
>


Re: [openssl-users] Generating CSR based on an x25519 public key

2017-10-23 Thread Jakob Bohm

On 21/10/2017 15:38, Codarren Velvindron wrote:
> https://tls13.crypto.mozilla.org is using : The connection to this site is
> encrypted and authenticated using a strong protocol (TLS 1.3), a strong key
> exchange (X25519), and a strong cipher (AES_128_GCM).
>
> Using openssl standard tools is it possible to generate a CSR through
> Ed25519 ?

If you look further into this test page, at least with my
browser, it uses x25519 with a regular RSA certificate from
Let's encrypt.  I don't know if they use a different
certificate with other browsers based on checking some TLS
extensions etc.

The x25519 public key has no certificate, it is randomly
generated for each connection and signed with the RSA key
from the certificate.


Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded


Re: [openssl-users] Generating CSR based on an x25519 public key

2017-10-21 Thread Salz, Rich via openssl-users
They are NOT using a 25519 certificate; it says “key exchange”

From: Codarren Velvindron <devild...@gmail.com>
Date: Saturday, October 21, 2017 at 9:38 AM
To: Rich Salz <rs...@akamai.com>, openssl-users <openssl-users@openssl.org>
Subject: Re: [openssl-users] Generating CSR based on an x25519 public key

https://tls13.crypto.mozilla.org is using : The connection to this site is
encrypted and authenticated using a strong protocol (TLS 1.3), a strong key
exchange (X25519), and a strong cipher (AES_128_GCM).

Using openssl standard tools is it possible to generate a CSR through Ed25519 ?




Re: [openssl-users] Generating CSR based on an x25519 public key

2017-10-21 Thread Jeffrey Walton
On Sat, Oct 21, 2017 at 9:38 AM, Codarren Velvindron wrote:
> https://tls13.crypto.mozilla.org is using : The connection to this site is
> encrypted and authenticated using a strong protocol (TLS 1.3), a strong key
> exchange (X25519), and a strong cipher (AES_128_GCM).

That's what Rich said: "X25519 is a key-exchange-only algorithm". The
shared secret that drops out of the x25519 key exchange is used to key
AES128/GCM (some hand waving).

> Using openssl standard tools is it possible to generate a CSR through
> Ed25519 ?

This is a different application. ed25519 is signing, not key exchange.

I'm not sure how to do it because I've never needed it. But keep in
mind Rich said: "OpenSSL doesn’t fully support Ed25519".

Jeff


Re: [openssl-users] Generating CSR based on an x25519 public key

2017-10-21 Thread Codarren Velvindron
https://tls13.crypto.mozilla.org is using : The connection to this site is
encrypted and authenticated using a strong protocol (TLS 1.3), a strong key
exchange (X25519), and a strong cipher (AES_128_GCM).

Using openssl standard tools is it possible to generate a CSR through
Ed25519 ?


Re: [openssl-users] Generating CSR based on an x25519 public key

2017-10-21 Thread Salz, Rich via openssl-users
> How would we be able to achieve this? I have read somewhere on a 2016
> mail in the archives that it is an "encrypt-only" algorithm  and that is not
> possible.

X25519 is a key-exchange-only algorithm.  Ed25519 is a signing algorithm.
Unlike classic RSA, the signing and the key exchange are two different
operations (well, technically RSA doesn’t have key exchange).  Both are defined
by IETF RFCs.  OpenSSL doesn’t fully support Ed25519.

> But I have found many sites on let's encrypt already using this.

Are you sure?  Please post a key.  Ed25519 is quite different from EdDSA or
ECDSA or DSA, which typically use a P-256 curve.



[openssl-users] Generating CSR based on an x25519 public key

2017-10-21 Thread Codarren Velvindron
Errata: I meant private key


[openssl-users] Generating CSR based on an x25519 public key

2017-10-21 Thread Codarren Velvindron
Hello,

How would we be able to achieve this? I have read somewhere on a 2016 mail
in the archives that it is an "encrypt-only" algorithm  and that is not
possible.

But I have found many sites on let's encrypt already using this.

Does anyone know how to do this?

Thanks,
Codarren


OpenSSL crashes generating CSR -- help!

2011-05-03 Thread Jesse Keller
I need to generate a CSR, but OpenSSL always crashes. What am I doing wrong?

c:\GnuWin32\bin>openssl genrsa -out switchvox.key 2048

c:\GnuWin32\bin>openssl req -new -key switchvox.key -out switchvox.csr -config ..\share\openssl.cnf

OpenSSL prompts me for the city, state, etc.

I fill everything in, it runs for a few seconds, then crashes, every time.

Is there some other way to do this?

Thanks!


RE: OpenSSL crashes generating CSR -- help!

2011-05-03 Thread Dave Thompson
   From: owner-openssl-us...@openssl.org On Behalf Of Jesse Keller
   Sent: Tuesday, 03 May, 2011 09:17

   I need to generate a CSR, but OpenSSL always crashes. What am I doing wrong?
   c:\GnuWin32\bin>openssl genrsa -out switchvox.key 2048
   c:\GnuWin32\bin>openssl req -new -key switchvox.key -out switchvox.csr -config ..\share\openssl.cnf

What you posted looks fine, and even if you did something wrong 
OpenSSL should never just crash, it should give an error message.

Do we assume this is the build at 
http://gnuwin32.sourceforge.net/packages/openssl.htm 
described as 0.9.8h (but perhaps patched because it adds -1)?

1. 0.9.8h is pretty old. Checking a few nearby things 
at random, this whole project appears pretty out of date.
(It should still work, but won't include recent features 
-- and recent security fixes.)

Current OpenSSL builds for Windows (but mainly using VC++, 
not mingw, if that matters to you) are available free at 
http://www.slproweb.com/products/Win32OpenSSL.html .
Or you can build from source given suitable tools.

2. Their -src package is 5 times larger than official source??

3. If I install just the -bin package on my scratch system 
(XP SP3) it runs, does not crash, and creates a valid CSR.

4. What Windows are you on, and what exactly do you see?
Do you get a fault code? address or EIP? registers? stack? 
Anything from Dr. Watson? In the event log?
Do you have a debugger available? If you run the problem 
command under a debugger what does it say?



______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org


Re: Problem generating csr

2008-09-12 Thread Kenneth Goldman
The rpm manager will only update if you install through rpm.

1.5 gb sounds absurd for a csr.  Perhaps dump the beginning of
it to see if a particular field is incorrect.

[EMAIL PROTECTED] wrote on 09/11/2008 02:34:04 PM:

> I am running Red Hat Enterprise 5.2 with OpenSSL 0.9.8h.  The
> version of OpenSSL available for download from Red Hat Network was
> out of date so I downloaded OpenSSL 0.9.8h from openssl.org and did
> a ./configure, make, make install.  Now, if I do a openssl version,
> it displays the correct version, 0.9.8h.  However, the rpm manager
> still shows the old version.
>
> My problem is when I generate a csr, the csr file is over 1.5 GB.
> Needless to say I think my OpenSSL configuration is screwed up.  By
> the way I am a noobie if you haven’t already guessed.
>
> Help is greatly appreciated.
>
> Dave

Problem generating csr

2008-09-11 Thread Fink, David
I am running Red Hat Enterprise 5.2 with OpenSSL 0.9.8h.  The version of
OpenSSL available for download from Red Hat Network was out of date so I
downloaded OpenSSL 0.9.8h from openssl.org and did a ./configure, make,
make install.  Now, if I do a openssl version, it displays the correct
version, 0.9.8h.  However, the rpm manager still shows the old version.

My problem is when I generate a csr, the csr file is over 1.5 GB.
Needless to say I think my OpenSSL configuration is screwed up.  By the
way I am a noobie if you haven't already guessed.

Help is greatly appreciated.

Dave



Re: Problem generating csr

2008-09-11 Thread Dr. Stephen Henson
On Thu, Sep 11, 2008, Fink, David wrote:

> My problem is when I generate a csr, the csr file is over 1.5 GB.
> Needless to say I think my OpenSSL configuration is screwed up.  By the
> way I am a noobie if you haven't already guessed.

There is a bug in 0.9.8h which affects certificate request generation.

This will be fixed in the next release which will be real soon now...

Alternatively try a recent snapshot such as:

ftp://ftp.openssl.org/snapshot/openssl-0.9.8-stable-SNAP-20080911.tar.gz

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Homepage: http://www.drh-consultancy.demon.co.uk


Re: generating CSR

2008-02-22 Thread Rami Ahmad
thanks it is working fine now.

cheers
Rami

On Thu, Feb 21, 2008 at 6:17 PM, [EMAIL PROTECTED] wrote:

> Hello,
> > I want to get the CSR file to purchase an ssl certificate for securing
> > SMTP on Sendmail,
> > OS=Redhat ES5 I ran the following:
> >
> > 1. to generate the private key: openssl genrsa -des3 -out server.key 1024
> > then I inserted my passphrase
> >
> > 2. to generate CSR:  openssl req -key server.key -out server.csr
> >
> > after I enter my passphrase the system hangs on, I need to press Ctrl-C
> > to back to the system and the CSR is not generated. any ideas?
> > Important: I run this on Fedora 8/openssl 0.9.8b-17 and it works fine!
> > my system is Redhat enterprise linux 5/openssl 0.9.8b-8
> Add -new option to openssl req ... command.
>
> Best regards,
> --
> Marek Marcola [EMAIL PROTECTED]

Best Regards,
Eng. Rami Ahmad


generating CSR

2008-02-21 Thread Rami Ahmad
Hi,

I want to get the CSR file to purchase an ssl certificate for securing SMTP
on Sendmail, OS=Redhat ES5 I ran the following:

1. to generate the private key: openssl genrsa -des3 -out server.key 1024
then I inserted my passphrase

2. to generate CSR:  openssl req -key server.key -out server.csr

after I enter my passphrase the system hangs on, I need to press Ctrl-C to
back to the system and the CSR is not generated. any ideas?
Important: I run this on Fedora 8/openssl 0.9.8b-17 and it works fine!
my system is Redhat enterprise linux 5/openssl 0.9.8b-8



-- 


Best Regards,
Eng. Rami Ahmad


Re: generating CSR

2008-02-21 Thread Marek . Marcola
Hello,
> I want to get the CSR file to purchase an ssl certificate for securing
> SMTP on Sendmail,
> OS=Redhat ES5 I ran the following:
>
> 1. to generate the private key: openssl genrsa -des3 -out server.key 1024
> then I inserted my passphrase
>
> 2. to generate CSR:  openssl req -key server.key -out server.csr
>
> after I enter my passphrase the system hangs on, I need to press Ctrl-C
> to back to the system and the CSR is not generated. any ideas?
> Important: I run this on Fedora 8/openssl 0.9.8b-17 and it works fine!
> my system is Redhat enterprise linux 5/openssl 0.9.8b-8
Add -new option to openssl req ... command.

Best regards,
--
Marek Marcola [EMAIL PROTECTED]



Re: Re: generating CSR for smartcard certificate

2003-11-16 Thread
Thanks for the concise answer, although I had hoped for something more 
reassuring... Unfortunately, implementing a PKCS#11 interface to our 
card/applet, as well as writing an ENGINE or a Windows CSP for it, are 
all tasks a little out of our time frame for the project. And the 
problem seems a typical one, it seems.

Regards,
Vladimir Slepnev


Re: Re: generating CSR for smartcard certificate

2003-11-16 Thread Dr. Stephen Henson
On Sun, Nov 16, 2003, Слепнев Владимир wrote:

> Thanks for the concise answer, although I had hoped for something more
> reassuring... Unfortunately, implementing a PKCS#11 interface to our
> card/applet, as well as writing an ENGINE or a Windows CSP for it, are
> all tasks a little out of our time frame for the project. And the
> problem seems a typical one, it seems.

Well CSP/PKCS#11 or an ENGINE would be the proper solution. Writing an
ENGINE is much easier than CSP/PKCS#11.

However there are other solutions which can be handled more quickly and come
under the heading of quick and dirty and I'll deny all knowledge of these

:-)

Some programming is needed to handle this, you can't handle it with the
command line utilities.

If you need a valid CSR then you could create one using the normal OpenSSL
utilities then edit it with a short C program to replace the public key and
resign it with the corrected digest. You'd work out the new digest with
ASN1_item_digest() sign it and place it in the signature field.

A dirtier technique is to not even bother with the signature and hack the
OpenSSL utilities so they don't check the signature any more on a CSR. Doing
things that way means you don't need any smart card operations and you just
set the public key to the correct value.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://drh-consultancy.demon.co.uk


generating csr using public key?

2001-04-30 Thread Sabyasachi Gupta

Can it be done?
thanks



Problem generating CSR.

2000-09-06 Thread Julio Cesar de Melhado e Lima


Hiya,

I'm using ssl0.9.5a on Solaris 8.
I want to create a RSA private key for my Apache server (will be Triple-DES encrypted
and PEM formatted):
But, when I ran the command  :

./openssl genrsa -rand -des3 -out server.key 1024

I have the following error :

0 semi-random bytes loaded
Generating RSA private key, 1024 bit long modulus
363:error:24064064:random number generator:SSLEAY_RAND_BYTES:PRNG not
seeded:md_rand.c:538:
363:error:04069003:rsa routines:RSA_generate_key:BN lib:rsa_gen.c:182:

What am I doing wrong ?

Thanks

___
Julio Cesar de Melhado e Lima
Software Engineer
CIT - software enabling the e-world
http://www.cit.com.br
Phone: +55 19 3737.4538
Fax: +55 19 3737.4501
Mobile: +55 19 9111.7282
Pager: www.tess.com.br/infotess





Re: Problem generating CSR.

2000-09-06 Thread Travis Theune

You need to have a source for the -rand flag.
My solution was to use egd and create a file of sufficient length full of
random data.

then the command line was:
openssl genrsa -rand <file w/random data> -des3 1024 > server.key
or
openssl genrsa -rand <file w/random data> -des3 -out server.key 1024

Hope that helps.

Travis Theune

* Julio Cesar de Melhado e Lima ([EMAIL PROTECTED]) [000906 13:43]:
>
> Hiya,
>
> I'm using ssl0.9.5a on Solaris 8.
> I want to create a RSA private key for my Apache server (will be Triple-DES encrypted
> and PEM formatted):
> But, when I ran the command  :
>
> ./openssl genrsa -rand -des3 -out server.key 1024
>
> I have the following error :
>
> 0 semi-random bytes loaded
> Generating RSA private key, 1024 bit long modulus
> 363:error:24064064:random number generator:SSLEAY_RAND_BYTES:PRNG not
> seeded:md_rand.c:538:
> 363:error:04069003:rsa routines:RSA_generate_key:BN lib:rsa_gen.c:182:
>
> What am I doing wrong ?
>
> Thanks



Re: Problem generating CSR.

2000-09-06 Thread Alan E. Derhaag

Julio Cesar de Melhado e Lima [EMAIL PROTECTED] writes:

> Hiya,
>
> I'm using ssl0.9.5a on Solaris 8.
> I want to create a RSA private key for my Apache server (will be Triple-DES encrypted
> and PEM formatted):
> But, when I ran the command  :
>
> ./openssl genrsa -rand -des3 -out server.key 1024
>
> I have the following error :
>
> 0 semi-random bytes loaded
> Generating RSA private key, 1024 bit long modulus
> 363:error:24064064:random number generator:SSLEAY_RAND_BYTES:PRNG not
> seeded:md_rand.c:538:
> 363:error:04069003:rsa routines:RSA_generate_key:BN lib:rsa_gen.c:182:

There may well be problems with the lack of /dev/random on a Solaris
box but doesn't the `-rand' option take a file name(s) parameter
something like: 

 ./openssl genrsa -rand /tmp/rand1:/tmp/rand2 -des3 -out server.key 1024




Re: Generating CSR for Netscape Certificate Server based CA (fwd)

2000-01-31 Thread Nicolas Aragon

Hello,

On 29 Jan 00, at 19:48, Merton Campbell Crockett wrote:

> To date, I have not been able to generate a CSR that is acceptable to the
> Netscape Certificate Server.  All requests are rejected with a "bad DER
> encoding" error.

I had the same error message from Navigator with a certificate that
included an underscore in the CN.

greetings

  Nico

--
Nicolás Aragón
[EMAIL PROTECTED]
Departamento de Industria y Servicios
Software AG España



Re: Generating CSR for Netscape Certificate Server based CA (fwd)

2000-01-31 Thread Dr Stephen Henson

Nicolas Aragon wrote:
>
> Hello,
>
> On 29 Jan 00, at 19:48, Merton Campbell Crockett wrote:
>
> > To date, I have not been able to generate a CSR that is acceptable to the
> > Netscape Certificate Server.  All requests are rejected with a "bad DER
> > encoding" error.
>
> I had the same error message from Navigator with a certificate that
> included an underscore in the CN.

Yes that's another potential problem. You should keep to the
PrintableString character set[1] (except in emailAddress) if at all
possible. Netscape has problems with some characters but this is hard to
track down: I've known '' give trouble.

Anything before the latest snapshot of OpenSSL also got the type of
string wrong in anything other than commonName if characters other than
the PrintableString set got used.

[1] PrintableString character set:

A, B, ..., Z
a, b, ..., z
0, 1, ..., 9
(space) ' ( ) + , - . / : = ?

Steve.
-- 
Dr Stephen N. Henson.   http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED] 
Senior crypto engineer, Celo Communications: http://www.celocom.com/
Core developer of the   OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED] PGP key: via homepage.
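
As an added illustration of the PrintableString advice in the message above (not code from the thread or from OpenSSL): a Python check that flags subject fields containing characters outside the listed set and shows which ASN.1 string tag each value would need. The sample subject, the function names and the UTF8String fallback are this example's assumptions.

```python
import string

# PrintableString alphabet exactly as listed in the message above.
PRINTABLE = set(string.ascii_letters + string.digits + " '()+,-./:=?")

# ASN.1 universal tags: UTF8String, PrintableString, IA5String.
TAG_UTF8, TAG_PRINTABLE, TAG_IA5 = 0x0C, 0x13, 0x16


def parse_subject(subject):
    """Split an OpenSSL-style '/C=ES/CN=host' subject into (field, value) pairs.

    Simplification: an escaped '/' inside a value is not supported.
    """
    pairs = []
    for part in subject.strip("/").split("/"):
        field, sep, value = part.partition("=")
        if not sep or not field or not value:
            raise ValueError("malformed subject component: %r" % part)
        pairs.append((field, value))
    return pairs


def outside_printable(value):
    """Return the distinct characters of value that PrintableString cannot hold."""
    bad = []
    for ch in value:
        if ch not in PRINTABLE and ch not in bad:
            bad.append(ch)
    return bad


def der_length(n):
    """DER definite length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def encode_value(field, value):
    """DER-encode one attribute value, picking the string type from its content."""
    if field == "emailAddress":
        tag, raw = TAG_IA5, value.encode("ascii")    # PKCS#9 emailAddress is IA5String
    elif not outside_printable(value):
        tag, raw = TAG_PRINTABLE, value.encode("ascii")
    else:
        tag, raw = TAG_UTF8, value.encode("utf-8")   # assumed fallback type
    return bytes([tag]) + der_length(len(raw)) + raw


def audit_subject(subject):
    """Report (field, offending characters) for fields that leave PrintableString."""
    findings = []
    for field, value in parse_subject(subject):
        bad = outside_printable(value)
        if bad and field != "emailAddress":
            findings.append((field, bad))
    return findings


# Constructed sample subject (not from the thread): underscore in the CN.
SAMPLE = "/C=ES/O=Example Org/CN=mail_gw.example.com/emailAddress=pki_admin@example.com"

if __name__ == "__main__":
    for field, bad in audit_subject(SAMPLE):
        print("%s: characters outside PrintableString: %s" % (field, " ".join(bad)))
    for field, value in parse_subject(SAMPLE):
        print(field, encode_value(field, value).hex())
```

Running the audit on a planned subject before calling `openssl req` shows which field would force a string type other than PrintableString, the condition both replies tie to the "bad DER encoding" rejection.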

