Re: SecureLink private key

2000-08-16 Thread Dr S N Henson
Charles Walker wrote: One of my colleagues is currently at a customer who has a product called SecureLink, by OpenMarket. I don't know too much about this product, except that it talks SSL. It has a database which contains a private key, a public key, and the certificate. We have been

Re: pkcs12 in ie

2000-08-16 Thread Dr S N Henson
Arnaud De Timmerman wrote: Dear all, Is there a way to automagically import a pkcs12 file in IE (4 5) ? There probably is because many bits of MS software do this. However MS won't document the API at this time so the best you can do is to convert a PKCS#12 file to a form MS CryptoAPI

Re: generating self-signed certificate for Netscape Enterprise Server

2000-08-24 Thread Dr S N Henson
[EMAIL PROTECTED] wrote: Sorry, this is long. I would like to generate a self-signed Certificate for internal testing purposes. I've downloaded OpenSSL 0.9.5a and have played a bit with the utilities. Netscape Enterprise (Suitespot) Server provides the means to generate key-pairs, and

Re: generating self-signed certificate for Netscape Enterprise Server

2000-08-24 Thread Dr S N Henson
[EMAIL PROTECTED] wrote: The problem is Netscape's alias-key.db and alias-cert.db file format. Using Netscape utilities, you generate the key pair. The admin server has a link that will generate the CSR. You can cut and paste the CSR and submit it to a CA. When I tried to run it through

Re: using rsa functions from libcrypto

2000-08-25 Thread Dr S N Henson
Martin Lohner wrote: Hi, I used CA.pl to generate a CA and signed a certificate for myself. (Default openssl.cnf; OpenSSL 0.9.5 28 Feb 2000) After importing the cert to Netscape I send a signed message to myself using the mutt email client. First question - maybe this one is for the

Re: Generate a cert with certenr3.dll

2000-08-30 Thread Dr S N Henson
Rosario Riccio wrote: I use ActiveX certenr3.dll (version 4.70.0.1150): it seems that key generation procedure is OK, but when I try to sign the certificate request in my Perl script with Simple answer, don't use certenr3.dll. It's broken and has nasty security holes. Use Xenroll.dll

Re: Why IE can't use my certificate?

2000-08-30 Thread Dr S N Henson
xiaohudong wrote: Hello, Ahha, so many answers, thanks everyone. Now the problem seems more clear: the acceptable CA list sent by IIS is empty. But I still don't know why this happens. My platform is Win2000 Professional + IIS5.0, I think I have set up everything. I think that the CTL

Re: Generating PKCS7 files, but not PEM encoded.

2000-09-05 Thread Dr S N Henson
Kishore Gummadidala wrote: Dear all, I have a question which I hope someone can help me with. So here goes.. I am trying to sign code, and package it in a PKCS7 file. The sample program in crypto/pkcs7 namely sign.c and verify.c have served my purpose quite well. Many thanks. Now

Re: bad certificate request

2000-09-05 Thread Dr S N Henson
Martin Szotkowski wrote: SET OF should be sorted but the request is not sorted, or not sorted correctly. where is defined order? Each SET OF component should be in lexical order, it is in the DER encoding rules. If you check the SET OF stuff using dumpasn1 you get: 335 31

Re: How to use the private key password callback?

2000-09-06 Thread Dr S N Henson
Randall Ward wrote: Thanks for such a fast reply. I think that I'm still missing something about the parameters to PEM_read_PrivateKey and the callback. Based on what I learned from a posting from a few days ago, I am calling PEM_read_PrivateKey(fp, x, cb, u) where the parameters are:

Re: Bad certificate request.

2000-09-06 Thread Dr S N Henson
David Ahrens wrote: Hi, I'm using openssl to generate a certificate request. When I try to build the subject name from a given DN, there are problems with the DER encoding. I've attached a code fragment and the resulting PEM encoded certificate request. Not sure why you've

Re: looking for dgst command example for DSS signing

2000-09-06 Thread Dr S N Henson
Michael Sierchio wrote: The man page at www.openssl.org seems to imply that this supports signing, but this fails: openssl dgst -dss1 -sign privkey.pem test.txt unknown option '-sign' Is there an example of using the openssl app to create DSS1 signatures? Thanks.

Re: authorityInfoAccess

2000-09-08 Thread Dr S N Henson
Richard Browne wrote: Is it possible to use openssl to add authorityInfoAccess extensions when signing a certificate? If so... how? Yes, syntax is: authorityInfoAccess= OID1;type, OID2;type where 'type' has the same syntax as subjectAltName for example authorityInfoAccess =

Re: PKCS#12 private keys

2000-09-08 Thread Dr S N Henson
Marco Donati wrote: I wrote the following simple code to read a private key that's inside a PKCS12 object: [stuff deleted] the PKCS12_parse always fail reporting PKCS12_F_PKCS12_PARSE,PKCS12_R_MAC_VERIFY_FAILURE. Stepping inside it I've seen that PKCS12_verify_mac fails reporting

Re: Non-passphrased private keys

2000-09-08 Thread Dr S N Henson
Oleg Amiton wrote: Salam! Some time ago I've testing application, signing and verifying signature on files. It works OK when I used for signing the test certificate, included in the OpenSSL distribution (apps/server.pem). Private key was read by

Re: Certificate Chains and purpose

2000-09-08 Thread Dr S N Henson
[EMAIL PROTECTED] wrote: All, I would like to get OpenSSL to trust a CA which doesn't have a root cert, basically an intermediate CA.. With a browser you can define a list of intermediate trusted CA so that you don't need the root cert which signed the intermediate cert.. I would like

Re: X509_verify_cert() wierdness

2000-09-08 Thread Dr S N Henson
Nicolas Roumiantzeff wrote: Hi all, I have a problem with an SSL server that uses a self-signed certificate. Using the standard callback function to check the certificate chain I get the X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT error and if I simply ignore this specific error then any

Re: Using openssl to generate keys for IIS

2000-09-10 Thread Dr S N Henson
Some people have reported success by converting the key to NET format: openssl rsa -in prkey.pem -outform NET -out key.net The latest snapshot of OpenSSL also has an -sgckey flag which is needed on some versions of IIS which use a modified algorithm. Steve. -- Dr Stephen N. Henson.

Re: X509_sign and X509_verify

2000-09-10 Thread Dr S N Henson
Julien Guisset wrote: Hi I am trying to use Certificates for a personal application. I have some problems with X509_sign() and X509_verify(). I am trying to sign a client CA with : X509_sign(certif, SERVER_private_key, EVP_md5())); and then verify it with X509_verify(certif,

Re: invalid CA certificate error in server cert verification.

2000-09-13 Thread Dr S N Henson
"Kane, Brandon (NJAOST)" wrote: I'm trying to verify a server certificate, as part of a cert chain. One of the CA certs, a verisign intermediate cert, fails in the verify process. I'm getting a "invalid CA certificate" error in the callback function. What's strange is that if I call:

Re: problems installing new verisign certificate

2000-09-13 Thread Dr S N Henson
Martha Greenberg wrote: I was able to convert the certificate with openssl pkcs7, and I installed the first part of it. However, now when I view the page in netscape, I get the message: safetymarket.safetydirector.com is a site that uses encryption to protect transmitted information.

Re: Security Library...

2000-09-13 Thread Dr S N Henson
. What version of Netscape are you using BTW and does your certificate include BMPStrings? Dr S N Henson wrote: This is one of the symptoms of a corrupted key and certificate database. Back up any personal certificates, rename cert7.db and key3.db in your profile directory, reload personal

Re: content and data present

2000-09-14 Thread Dr S N Henson
Sean Walker wrote: I'm working with some data generated by a program that I have no control over. I am trying to verify a pkcs7 signature generated by it. Could someone take a look at the data I have and tell me what utilities I should use to accomplish this? I've never had to deal with

Re: Verify signature of a multipart message

2000-09-18 Thread Dr S N Henson
Angus Lee wrote: = Original Message From [EMAIL PROTECTED] = I could use OpenSSL to decrypt this signed and encrypted message. Then when I verify the digital signature, OpenSSL told me that 'content and data present'. Is there anything wrong with my code? Can you send me a

Re: Verify signature of a multipart message

2000-09-18 Thread Dr S N Henson
Angus Lee wrote: b4dec.txt is the original signed and encrypted message, while afterdec.txt is what I got after decryption. cityuca.pem is the CA certificate of the signer. OK. I've included a work around to the dev version of OpenSSL. It will be in OpenSSL 0.9.6. If you want to fix this

Re: Verify signature of a multipart message

2000-09-18 Thread Dr S N Henson
Angus Lee wrote: = Original Message From [EMAIL PROTECTED] = Ugh. I checked OpenSSL (Netscape?) 4.73 too and it does the same. The cause is that Netscape isn't properly excluding the content. It is including a zero length content. This is a recent addition to Netscape and is a bug.

Re: howto: set extensions for root certificate

2000-09-19 Thread Dr S N Henson
Markus Wagner wrote: Hi, when signing new certificates with openssl ca one can use the -config option to specify which CA and options to use. But when creating a self signed root certificate there is no such option. There is an equivalent option. The normal way to create a self signed

Re: converting raw signature to PKCS#7 format

2000-09-19 Thread Dr S N Henson
Marco Donati wrote: The usual way to do this kind of thing is to write your own RSA_METHOD to hand over the signing operation (which will probably be RSA_private_encrypt() ) to the smart card, then place the result in an EVP_PKEY structure. What this ultimately does it calls

Re: CryptoAPI and OpenSSL compatibility

2000-09-22 Thread Dr S N Henson
Dicky Liu wrote: Hi, all, Currently, we have an existing system running on Windows NT using Microsoft's cryptoAPI which has been working okay for us. We now want to be able to connect to this system from a UNIX platform to transfer, sign, and validate data. For the UNIX platform, we

Re: How can I create a x509v3 certificate signed by the root??

2000-09-24 Thread Dr S N Henson
Zhang Jianyu wrote: Then, I wanted to create the sub-keyscertificates signed by the root key and certificate. The commands I used are as follow: openssl req -new -nodes -keyout mykey.pem -out myrequest.csr -days 365 openssl x509 -in myrequest.csr -out mycert.crt -req -CA root.crt -CAkey

Re: How can I create a x509v3 certificate signed by the root??

2000-09-24 Thread Dr S N Henson
Zhang Jianyu wrote: Dr S N Henson wrote: Check out the -extfile and the -extensions options in the x509 manual page. You'll normally set those to point to the config file and either the end user extension section "usr_cert" for a normal end user certificate or "v3_ca

Re: no shard cipher

2000-09-24 Thread Dr S N Henson
"Bill G." wrote: Hello List, I am trying to write a simple SSL server in C but keep getting a "no shared cipher" error. I'm fairly certain the key and certificates are OK because they work with openssl s_server. I have been playing with this code for several days and am at a loss to

Re: Private Keys and PKCS#12

2000-09-25 Thread Dr S N Henson
Marco Donati wrote: PKCS#12 files under OpenSSL are intended to have a key and a matching certificate. AFAIK the same is true of Windows and Netscape import/export routines. yes, but what if you still have to request it to a CA... What do you want a private key alone in PKCS#12

Re: Private keys and PKCS#12

2000-09-26 Thread Dr S N Henson
Marco Donati wrote: I've solved my problem and I'd like to thank everybody who wrote me. I modified my low level sequence (the code I posted) to build a pkcs12 bundle with one bag, keeping "shrouded" private key, so i used PKCS12_MAKE_SHKEYBAG/PKCS12_pack_p7data INSTEAD of

Re: creating pkcs#8 certificates..

2000-09-26 Thread Dr S N Henson
Shashank wrote: Hi, I tried to create pkcs#8 certs, but on the very first step when I type Well you'll have a problem there. There's no such thing as a "pkcs#8 certificate". PKCS#8 is a private key format. D:\certsbash CA.sh -newca CA certificate filename (or enter to create)

Re: Example usage of RC2 and DESCBC Please?

2000-09-27 Thread Dr S N Henson
Matthew Cross wrote: I can't find enough documentation regarding the setup of RC2 and DES. RC4 seems straight forward enough. Could someone post the 15 lines of code that I need? If you are using the EVP interface then usage is identical except the IV isn't used with RC4. Use of the low

Re: How to use OpenSSL -- _simple_ code examples

2000-09-27 Thread Dr S N Henson
secret wrote: Are there any simple code examples for using OpenSSL? There is a examples directory, but I can't get those to compile, and the readme says to not expect them to compile. The documentation seems very confusing to me, a sample client server that establish a simple SSL

Re: Symmetric Cipher Usage Please Help

2000-09-27 Thread Dr S N Henson
Matthew Cross wrote: I've read the docs. I've seen the source. I still don't totally understand. I'm trying to be a good doobie and use the High-level EVP_ functions for my RC4, RC2, and DES calls. But what about setting up the key? If I'm doing password based stuff do I need to

Re: domainComponent in Distinguished Name?

2000-09-29 Thread Dr S N Henson
Aram Khalili wrote: Hello, I'm trying to include domain information into an X.509 cert Distinguished name. RFC2247 outlines Using Domains in LDAP/X.500 Distinguished Names. I've tried to include domainComponent, DC and dc in the configuration file under the [ req_distinguished_name ]

Re: more enc probs

2000-09-29 Thread Dr S N Henson
Lee Melville wrote: Hi, Here's my problem, the following code encrypts a file (I think it does anyhow), the test file that I use starts off as 22 bytes, the encrypted version is 24 (I am not sure this is relevant). Anyhow the problem is when I come to decrypt the file using the openssl

Re: Browser's signature function

2000-10-05 Thread Dr S N Henson
tangquan wrote: You can verify your signature using openssl/crypto/pkcs7/verify.c. According to my experience, Netscape makes a standard pkcs7 digital signature and encodes it in base64 format. You can but that's not advisable. With OpenSSL 0.9.6 you should use the 'smime' application.

Re: Certificate usage (how IE determines)

2000-10-05 Thread Dr S N Henson
Paulius Bulotas wrote: Hello, when I create server certificate, install it into apache, when viewing certificate from IE, it shows every possible usage, but in my openssl.cnf is only keyUsage=nonRepudiation [for test purposes]. What am I doing wrong and how to do it correctly ;) The

Re: followup to problem I posted

2000-10-05 Thread Dr S N Henson
George Staikos wrote: The problem only seems to be reproducible on Redhat 7.0 so far, but I haven't had enough people test it yet. Basically, RSA/Verisign signed certificates all are determined to be expired by the X509 verification code. Thawte certificates work fine. Also if I print

Re: Key Usage Extension

2000-10-05 Thread Dr S N Henson
Frank Balluffi wrote: I am confused about how to check a key usage extension. I see that ca_check "calls" ku_reject, which uses the X509 ex_flags element. Is it necessary to use the ku_reject method or is it possible to call d2i_ASN1_BIT_STRING (to decode the KeyUsage BIT STRING) and then

Re: pkcs12 into IE5.5, stubborn priv keys

2000-10-05 Thread Dr S N Henson
admin wrote: Hi, I import my pkcs12 personal certificate (openssl generated) into IE5.5. It takes it without a problem and puts everything in its place: CA cert, personal cert, private key. The problem is that once I set up the initial security level on the private key (low, medium,

Re: Header size, again... Programmers nightmare

2000-10-09 Thread Dr S N Henson
Carsten Rhod Gregersen wrote: IBM still tell me that the connection is dropped because the header size don't match the packets. This of course could also be a IBM ssl-stack problem, but they deny that.. (off course) Can you get some more info on the precise cause? That is what header

Re: invalid CA certificate error in server cert verification on OpenSSL 0.95a

2000-10-11 Thread Dr S N Henson
Ramkumar Venketaramani wrote: Hi, I am trying to verify a server cert that is signed by a Intermediate CA (like Verisign International Server CA) but am getting a "Invalid Certificate" error. I understand from the mailing list that this is a known issue and there is a fix for

Re: Header size, again... Programmers nightmare

2000-10-15 Thread Dr S N Henson
Carsten Rhod Gregersen wrote: Hi, Formerly I posted a report concerning connection test with client authorisation against a IBM payment gateway. You requested that I tried with the openssl program again but with debug turned on. I've done that and now I'm experiencing every

Re: Move from Netscape to Openssl

2000-10-17 Thread Dr S N Henson
Ricardo Stella wrote: So with the CA's server's private key and cert (converted in pem format) I would be able to use them as the CA for openssl, therefore issue certs based on this ? Thanks... Yes that should be possible. Steve. -- Dr Stephen N. Henson.

Re: Having a problem with BIO_base64 in OpenSSL 0.9.6

2000-10-17 Thread Dr S N Henson
[EMAIL PROTECTED] wrote: Hello, Specifically, I create a new BIO_s_mem. Write to it with either BIO_puts or BIO_write. Then do a BIO_push(b64bio, mbio). Then BIO_read(b64bio, mybuf, len). It returns -1. When I ask if I should retry it says yes, but there is no output on the second call

Re: Test CA structure

2000-10-17 Thread Dr S N Henson
[EMAIL PROTECTED] wrote: Hi, I've created a CA cert/key for testing but I want to be able to test a longer cert chain. Does any one know what should be in the config file if I want to create a CA cert req which I would sign with the root CA cert. I have tried: basicConstraints=CA:TRUE

Re: Problem with configuring #rounds for RC5 in 0.9.6

2000-10-19 Thread Dr S N Henson
Iain Betson wrote: Hi, I think I've found a problem which prevents the number of rounds of the RC5 cipher being configured when using the EVP cipher wrapper functions with OpenSSL 0.9.6. The default number of rounds for the EVP_rc5_32_12_16_cbc cipher is 12. To change this to 16, one

Re: PKCS#7 signed text...how to get it

2000-10-19 Thread Dr S N Henson
moved to openssl-users "Hellan,Kim KHE" wrote: I have succeeded in loading a MIME file by using the following commands: snip BIO* bioIndata; PKCS7* p7 = SMIME_read_PKCS7(spBio, bioIndata); I am able to extract signers certificate, but how do I extract the signed text? I have

Re: Base64 encode.

2000-10-20 Thread Dr S N Henson
Carles Xavier Munyoz Baldó wrote: Hi, I have a C program that uses the openssl library. I need to encode a string in base64. Is there any function in the openssl library to do that ? What is its syntax ? Well one documented way is to use a base64 BIO. Check out the BIO_f_base64()

Re: SV: PKCS#7 signed text...how to get it

2000-10-20 Thread Dr S N Henson
"Hellan,Kim KHE" wrote: However, I had hoped that this functionality (verify/getText) could be separated. I am fully aware that in a "real" system it doesn't make sense to extract the text without doing a verify. But in a test environment, it would be nice to be able to extract the text

Re: why PKCS12_parse() returns 0?

2000-10-23 Thread Dr S N Henson
Pietro wrote: Hello everybody, I have a problem using PKCS12_parse that returns 0, meaning something goes wrong. I am using MS VisualC++ 6.0 on a Windows2000 (Intel) machine. I'm writing a simple application just to understand some the libeay library calls, but I can't figure out what's

Re: Blowfish with different compilers

2000-10-26 Thread Dr S N Henson
Bill Klein wrote: Hi all, I'm having what seems to be a strange problem. I have code to encrypt some text using blowfish, and corresponding code to decrypt it. This works on compiler A: I can encrypt some text, and then decrypt the encrypted data correctly. This also works on compiler B:

Re: certificate chaos...

2000-10-27 Thread Dr S N Henson
Michael Dingler wrote: You need to do... openssl pkcs12 -in xxx.p12 -clcerts -out xxx.pem to only extract client certificates and possibly openssl pkcs12 -in xxx.p12 -cacerts -nokeys -out cas.pem to extract CA certificates. Oh thanks, that did it. With just the client

Re: Making client certificates with SPKAC without using ca

2000-10-31 Thread Dr S N Henson
Robert Olson wrote: I'd like to create client certificates requested from Netscape without using 'openssl ca' (I have my own mechanisms for keeping track of stuff that ca does). I can't seem to create a cert request that doesn't have a new private/public key pair. This is what I've tried

Re: help needed with extended keyUsage v3 attrib.

2000-11-02 Thread Dr S N Henson
Corrado Derenale wrote: Hi, anyone know how to sign a X.509 cert with the attribute: extended keyUsage set to TLS Web server authentication with the CA command? Read the extension documentation in doc/openssl.txt and the ca manual page, then edit your config file

Re: SV: Signed text for PKCS7_sign()

2000-11-03 Thread Dr S N Henson
"Hellan,Kim KHE" wrote: Well. If I set "flags = PKCS7_BINARY" then SMIME_crlf_copy() in PKCS7_sign() will not add the "plain/text" text headers. This seems to work, but I'm not sure if that is the right way to do it? If you look at apps/smime.c the option -text is documented

Re: Multi signature order

2000-11-03 Thread Dr S N Henson
Marco Donati wrote: Something strange happens if I build a multi signature PKCS7. If I add a wrong signature (certificate and key not aligned), when I try to verify the wrong signature is the LAST. e.g.: sign with cert 1, key 1 sign with cert A, key B (wrong signature) sign with

Re: Get a private key from a pkcs12 file

2000-11-03 Thread Dr S N Henson
David VERGIN wrote: Hi, I'm trying to get a privatekey from a PKCS12 file. I found an interesting example with the sources of OpenSSL in DEMO\PKCS12\pkread.c I'm working under windows NT4 pack 5 with Visual C++, and I'm having some trouble having the example work. At the line p12

Re: Understanding Key Exchange

2000-11-03 Thread Dr S N Henson
Matt Walsh wrote: Hi All (esp SSL protocol experts). Please help me to understand something! In short What triggers the key exchange during an SSL transaction? [SKE example deleted] Well your example is probably related to US export versions of browsers. The old export

Re: Understanding Key Exchange

2000-11-03 Thread Dr S N Henson
Nagaraj Bagepalli wrote: Matt Walsh wrote: Hi All (esp SSL protocol experts). Please help me to understand something! In short What triggers the key exchange during an SSL transaction? [SKE example deleted] Well your example is probably related to

Re: Self Signed Company CA Root --signs-- Project CA --signs-Server and Client certs

2000-11-06 Thread Dr S N Henson
[EMAIL PROTECTED] wrote: I'm having a bitch of a time getting client verification to work. I've got the root CA cert, project CA cert, and server and client certs (keys with passphrase removed) all in pem encoded format. I've done the following. 1.Created a new mod_ssl instance

Re: Get a private key from a pkcs12 file

2000-11-07 Thread Dr S N Henson
David VERGIN wrote: Unfortunately not. I just have to get it out from a PKCS12 file to load it into some hardware. I haven't been able to get the crypto library to work right. I didn't find how to do it with baltimore tools. Using the openssl tool: openssl pkcs12 -in file.p12 -out

Re: Get a private key from a pkcs12 file

2000-11-07 Thread Dr S N Henson
Peter Sylvester wrote: maybe you can get some inspiration from the following code. The code is not memory leak free. typedef struct TIAX_st { PKCS12 * p12 ; EVP_PKEY * pkey ; ... } TIAX ; int TIAX_login(TIAX * a,char * pass, int passlen) { STACK *asafes,

Re: accessing certificate from memory

2000-11-13 Thread Dr S N Henson
Stig Venaas wrote: Hi I've figured how to read certificates from a file using PEM_read_X509() but how can I access certificates already in memory? I guess I could borrow code from the internals of PEM_ASN1_read_bio(), but I'm hoping for a better way, not depending on too many low level

Re: IE 56k errors

2000-11-14 Thread Dr S N Henson
Eric Rescorla wrote: "Dave Stafford" [EMAIL PROTECTED] writes: IE. 56k browsers can not read our ssl (Global 128) websites (I wish we could get rid of these buggy IE browsers). Searching the web I found that versions of openssl 0.9.5a and higher have this problem. Has anyone

Re: how can I use PKCS#8 in open-ssl?

2000-11-19 Thread Dr S N Henson
I will use an private keys which encoding is PKCS#8. Used open-ssl version is 0.95a ... Is the usage below valid? if invalid, let me get the write usage please.. FILE* fp; EVP_PKEY* pkey; char keyfile[] = "user1.pem"; fp = fopen (keyfile, "r");

Re: SSL Certificate Installation Problem

2000-11-20 Thread Dr S N Henson
"Visionary Website Creations, Inc." wrote: At 09:50 PM 11/17/00 +, you wrote: "Visionary Website Creations, Inc." wrote: Hi, I chatted via IRC with a Thawte tech for about 3 hours. Unfortunately, we're stumped. Here's the problem: I generated a csr for probrasive.com

Re: SSL Certificate Installation Problem

2000-11-20 Thread Dr S N Henson
"Visionary Website Creations, Inc." wrote: What does this alleged certificate look like? Can you read it with openssl x509 -in cert.pem or does it give a similar error? Can you include the certificate file? It doesn't contain anything confidential and it may be packaged in an unusual

Re: SSL Certificate Installation Problem

2000-11-20 Thread Dr S N Henson
"Visionary Website Creations, Inc." wrote: At 07:54 PM 11/20/00 +, you wrote: Hmmm seems OK to me too. Is that the only certificate in the file? I suppose it is possible that some other certificate it attempts to read in somewhere is corrupt: check the trusted file or directory to see

Re: OpenSSL, IIS, and OFX Keys

2000-11-24 Thread Dr S N Henson
"Tipton, Michael" wrote: I am using OpenSLL to extract the private keys from my IIS Key Backup files. I am able to accomplish this fine except for certain servers we have. These servers keys/certs are marked as OFX (Financial Exchange). These are a special type of key/cert that you have to

Re: OpenSSL, IIS, and OFX Keys

2000-11-24 Thread Dr S N Henson
"Tipton, Michael" wrote: Thank you, I'll give it a try.. I'm using 0.9.5 right now.. when I tried to compile 0.9.6 I get.. The symlink function is unimplemented at ./util/mklink.pl line 53. make: *** [links] Error 255 I've banged my head on it some but if anyone knows the fix..

Re: S/MIME with MUA's.

2000-11-27 Thread Dr S N Henson
Bruce Stephens wrote: Dr S N Henson [EMAIL PROTECTED] writes: [...] There's a function X509_get1_email() which will retrieve a list of email addresses both from the subject name and subjectAltName extensions and arrange them in a STACK. From then its trivial to just compare each

Re: SSL Certificate Installation Problem

2000-11-29 Thread Dr S N Henson
"Visionary Website Creations, Inc." wrote: At 11:07 PM 11/20/00 +, you wrote: There should be either a load of trusted certificates in a single file or a directory containing them. If you are using client authentication then it may try to read the whole lot in. If one is corrupt then

Re: Does -des3 do RSA

2000-11-29 Thread Dr S N Henson
Osama Al-Dosary wrote: Hello, I'd like to encrypt a message. But I want the encryption to be Public-key. Does this do the trick? "openssl smime -encrypt -in signedFile.msg \ -out encryptedFile.msg \ -des3 recipientCert.pem" I was figuring

Re: Porblem installing PKCS#7 (user cert + CA cert) into Netscape 4.7

2000-11-30 Thread Dr S N Henson
Ma'rt Laak wrote: Hello! Preface: I can successfully create and install client certificate into netscape from SPKAC request: openssl ca -config X -spkac X -out client.crt -days X and sending it back to browser with header: Content-Type: application/x-x509-user-cert Question:

Re: RSA read and write to and from file

2000-11-30 Thread Dr S N Henson
[EMAIL PROTECTED] wrote: Hi, I am having a problem with the RSA functions of the openssl package. I want to generate an RSA key pair. Write them to disk and use them later (this all in linux/AIX) I managed to generate a keypair. But then the problem starts. I can't find any functions

Re: how to add x509v3 extension

2000-12-01 Thread Dr S N Henson
Kikuyo Nagamatsu wrote: Hi all, I am a very beginner of OpenSSL. I want to add one of x509v3 extensions (AuthorityInfoAccess) to a certificate, but I can't. How can I know the way to add extensions? Is there some document? Or,if there is someone who did it, can you show me the way?

Re: how to add x509v3 extension

2000-12-02 Thread Dr S N Henson
Kikuyo Nagamatsu wrote: Thank you for your rapid reply, I'm going to read the openssl.txt very well. (really to say, I could not understand that meaning well..I'm sorry.) When I made a self-certificate using following command, openssl req -x509 -newkey rsa:1024 -keyout

Re: Error: ) expected when complie x509.h

2000-12-02 Thread Dr S N Henson
Zhang Jianyu wrote: I was meeting some error when I used openssl API to develop some application by C++ Builder 5 on Windows 2000. I wanted to call the PEM_write_RSAPrivateKey function in order to save a rsa private key of RSA structure format as a PEM file -- it should include pem.h in my

Re: Extra : read and write RSA keys, help

2000-12-02 Thread Dr S N Henson
Geoff Thorpe wrote: Hi there, I think I follow your question. An RSA private key implicitly contains the public key already[1]. So if you have generated a key-pair and saved them to disk - you're already most of the way there. If you don't still have the private key in memory, load the

Re: Does -des3 do RSA

2000-12-04 Thread Dr S N Henson
Osama Al-Dosary wrote: Thank you for the reply. But can an attacker decrypt the output without the corresponding private key? Realistically, no. They need the private key to decrypt the 3DES key and they need the 3DES key to decrypt the encrypted content. Steve. -- Dr Stephen N.

Re: Java can't read an unmodified OpenSSL X.509 certificate?

2000-12-04 Thread Dr S N Henson
Mark Swanson wrote: Hello, I've generated DSA and RSA certificates with openssl-0.9.6 and JDK1.3 can't seem to read them. No matter what I do I get this: ./certTest Exception in thread "main" java.security.spec.InvalidKeySpecException: Inappropriate key specification: invalid key

Re: Still got problems initialising cert in DLL

2000-12-05 Thread Dr S N Henson
Colin Chalmers wrote: Hi, Since there was no response on the earlier posting here's a second chance perhaps explaining the problem better. The code at the bottom works for me when used within the same program however when I pass the (vtrCertStatus) structure to a DLL, although I can

Re: ARGH: Help me PLEASE :(

2000-12-07 Thread Dr S N Henson
[EMAIL PROTECTED] wrote: Hi, I hope somebody will help me. For the last two weeks i am trying to write RSA keys to disk. I want two files, one with the private Key and one with the Public key (this one is distributed). For some unknown reason nothing I have tried will work. I tried to

Re: error: bad get asn1 object call

2000-12-08 Thread Dr S N Henson
Frank Koenig wrote: hi I have to develop a client program over SSL. Yesterday I have downloaded the openSSL-engine-0.9.6. Build and install OpenSSL == okay. ./config == okay make == okay make test == okay make install== okay - Have a look to my (concentrated) source:

Re: keys generated by xenroll.dll...

2000-12-08 Thread Dr S N Henson
SCH wrote: Another question is, I can't import the keys and certificates (they are packed into one p12 file) that were generated by outside program (based on openssl) into my IE as "mypersonalcertificate", what is the reason? Must I generate keys from IE if I want to use them for

Re: ADH + certs on same SSLCTX ??

2000-12-08 Thread Dr S N Henson
Gregory Nicholls wrote: Hiya, Quick one for those in the know. Can I use both verified certificates and anon-DH sessions with the same SSLCTX ???. I'm guessing that I have to check the cipher whilst in the callback function and give the green light if it's an anon-DH cipher.

Re: Two questions...

2000-12-08 Thread Dr S N Henson
Duncan Taylor wrote: My first question: HOW do I parse out a recipient's .pfx cert or .p12 cert to pem format? I have scoured the documentation High and Low and find NOTHING but examples of "since I have MY .pem we'll use that for the signer and reciep.." or how to parse one's pkcs12

Re: Creating a certificate request

2000-12-08 Thread Dr S N Henson
"Kalligonis, Tim" wrote: I am using Apache 1.3 on Windows2000 Advanced server. Trying to do: Create a certificate request. Problem: When I try to create the *.csr file OpenSSL can not find the OpenSSL.cnf file because it is looking in the /usr/local/SSL directory which does not exist

Re: Creating a certificate request

2000-12-08 Thread Dr S N Henson
"Kalligonis, Tim" wrote: I actually just found some information about the -config option. Using the -config option I was able to create the csr file but it was not accepted by the certificate authority Thawte. This is the error I am receiving: The actual error given was: We accept

Re: secure channel w/o authentication or certs

2000-12-08 Thread Dr S N Henson
Rachit Siamwalla wrote: Hi, i'm trying to set up an encrypted channel between client / server but without authentication or certificates. From searching through the mailing list archives, i've seen other people have done it successfully before. I tried working from the relatively simple

Re: keys generated by xenroll.dll...

2000-12-09 Thread Dr S N Henson
SCH wrote: I have use the "certmgr - s my" and found 3 certs of mine, but when I tried to connect a ssl URL which ask for client-cert, the pop-up dialog showed no certs for me to choose! where are those "my certs"? BTW, all "my certs" are imported from .p12 file. When a server asks for

Re: bad mac decode?

2000-12-13 Thread Dr S N Henson
Louis LeBlanc wrote: Dr S N Henson wrote: What command did you use to produce that message? Were you attempting to connect to a remote server, if its is on the internet its address would help. There are several possible causes of that message such as as connecting to a server

Re: string too long / problems making Certificate Request

2000-12-15 Thread Dr S N Henson
Andreas Schuldei wrote: I am not on this list, please cc: me. I try to generate several certificates automatically. I avoid typing in the info for the Certificate Request by a trick I found in the archives. This is a part of my shell script:

Re: string too long / problems making Certificate Request

2000-12-16 Thread Dr S N Henson
Andreas Schuldei wrote: I am not on this list, please cc: me. * Dr S N Henson ([EMAIL PROTECTED]) [001216 05:11]: The problem is that the shell is attempting to expand $ENV with the result show that you end up with ::CERT_COUNTRY in the config file. This came to my mind just before I
