> Reply-to: openssl-users@openssl.org
> X-Sender: Victor Duchovni <[EMAIL PROTECTED]>
>
> On Tue, Apr 08, 2008 at 08:43:51PM -0400, Big BDI wrote:
>
> > Is something wrong with my certificates (pasted below)? I generated
> > them with ECCcertgen.sh bundled with openssl... Apache does not
> > generate any errors. One of my test keypairs is pasted below (I used a
> > secp521r1 curve, but I didn't change the comments. They still indicate
> > secp160r1 or something like that).
>
> The cert does not have basicConstraints or keyUsage bits. It is an X509
> cert, not an X509v3 cert. Otherwise it looks fine.
>
> Try this pair of CA cert/key and Server cert/key. Don't worry (for me),
> they are fresh random keys not used anywhere. Identically built certs
> work with TLS in pre-release Postfix 2.6. If these work better, perhaps
> the extensions are relevant. If so, you just need to craft a suitable
> extension section in the "conf" file. These use secp256r1 (aka
> prime256v1).
Thank you for your suggestion, I was successful in getting Firefox to connect with the addition of v3 extensions. In order to get it working, ECCcertgen.sh and openssl.cnf were modified. In openssl.cnf, the [v3_ca] section of the file was copied and renamed to [v3_server] and modified slightly. Some of the fields may not belong, adjust them to your liking:

Added to openssl.cnf:

    [ v3_server ]
    subjectKeyIdentifier=hash
    authorityKeyIdentifier=keyid:always,issuer:always
    basicConstraints = critical,CA:false
    keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment, dataEncipherment
    nsCertType = server
    issuerAltName=issuer:copy

Added to ECCcertgen.sh:

- Make sure it points to your preferred openssl.cnf, openssl locations, and output dir locations.
- Edit the curve type, file names, O, OU, CN settings to your liking.

Add "-extensions v3_server \" to the server signing section -->

    $OPENSSL_CMD x509 -req -days $DAYS \
        -extfile $OPENSSL_DIR/apps/openssl.cnf \
        -extensions v3_server \
        -in $CERTS_DIR/$TEST_SERVER_FILE.req.pem \
        -CA $CERTS_DIR/$TEST_CA_FILE.cert.pem \
        -CAkey $KEYS_DIR/$TEST_CA_FILE.key.pem \
        -out $CERTS_DIR/$TEST_SERVER_FILE.cert.pem -CAcreateserial

Add it to the client signing section as well -->

    $OPENSSL_CMD x509 -req -days $DAYS \
        -extfile $OPENSSL_DIR/apps/openssl.cnf \
        -extensions v3_server \
        -in $CERTS_DIR/$TEST_CLIENT_FILE.req.pem \
        -CA $CERTS_DIR/$TEST_CA_FILE.cert.pem \
        -CAkey $KEYS_DIR/$TEST_CA_FILE.key.pem \
        -out $CERTS_DIR/$TEST_CLIENT_FILE.cert.pem -CAcreateserial

After generating the new certs, Apache was running, finally! Thank you very much for your help.

I had one last question: will ECC support be added to mod_ssl in the future?

Thanks again

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
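Added here as a worked example (not from the thread nor from ECCcertgen.sh): a POSIX sh script that assumes openssl on PATH, generates a prime256v1 CA and a server cert signed with a v3_server section in the same shape as above, and then checks that the result really is an X509v3 cert with CA:FALSE and a keyUsage set, which is what the v1 cert in the thread lacked. It keeps only digitalSignature in keyUsage, since RFC 5480 forbids keyEncipherment and dataEncipherment for EC keys, and adds a subjectAltName, which browsers now require in place of the CN; the output directory, subjects and host name are constructed.

```shell
#!/bin/sh
# Added example, not from the thread; assumes openssl on PATH, names constructed.
set -eu
# Minimal openssl.cnf with CA and server sections. Versus the thread's section
# this drops nsCertType/issuerAltName and the keyEncipherment/dataEncipherment
# bits (RFC 5480 forbids them for EC keys) and adds the SAN browsers now need.
write_cnf() {
  cat > "$1" <<'EOF'
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ v3_ca ]
subjectKeyIdentifier = hash
basicConstraints = critical, CA:true
[ v3_server ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
basicConstraints = critical, CA:false
keyUsage = critical, digitalSignature
subjectAltName = DNS:www.example.test
EOF
}
# Generate a prime256v1 (secp256r1) CA plus a CA-signed server cert under $1.
make_ec_certs() {
  dir=$1; mkdir -p "$dir"; write_cnf "$dir/openssl.cnf"
  openssl ecparam -name prime256v1 -genkey -noout -out "$dir/ca.key.pem"
  openssl req -new -x509 -sha256 -days 365 -key "$dir/ca.key.pem" \
    -config "$dir/openssl.cnf" -extensions v3_ca \
    -subj "/O=Example/CN=Example Test CA" -out "$dir/ca.cert.pem"
  openssl ecparam -name prime256v1 -genkey -noout -out "$dir/server.key.pem"
  openssl req -new -key "$dir/server.key.pem" -config "$dir/openssl.cnf" \
    -subj "/O=Example/CN=www.example.test" -out "$dir/server.req.pem"
  # -extfile/-extensions is the step that turns the v1 cert into an X509v3 one.
  openssl x509 -req -sha256 -days 365 -in "$dir/server.req.pem" \
    -extfile "$dir/openssl.cnf" -extensions v3_server \
    -CA "$dir/ca.cert.pem" -CAkey "$dir/ca.key.pem" -CAcreateserial \
    -out "$dir/server.cert.pem" 2>/dev/null
}
# Succeed only if $1 is an X509v3 cert carrying CA:FALSE and a keyUsage.
check_v3_server() {
  text=$(openssl x509 -in "$1" -noout -text)
  case $text in *"Version: 3"*) ;; *) return 1 ;; esac
  case $text in *"CA:FALSE"*) ;; *) return 1 ;; esac
  case $text in *"Key Usage"*) return 0 ;; *) return 1 ;; esac
}
# Usage: OUT_DIR=./certs sh thisfile.sh (only defines functions when unset).
if [ -n "${OUT_DIR:-}" ]; then
  make_ec_certs "$OUT_DIR" && check_v3_server "$OUT_DIR/server.cert.pem" &&
    openssl verify -CAfile "$OUT_DIR/ca.cert.pem" "$OUT_DIR/server.cert.pem"
fi
```

The same check_v3_server test applied to the CA cert fails (it is CA:TRUE), so it doubles as a guard against accidentally deploying the CA cert as the server cert.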