lich wrote:
Charles B Cranston wrote:
[...]
but perhaps you could name some Windows log file or something.
We're way past this in Unix now because many Unix systems have
the /dev/random or /dev/urandom devices - and if these are present
OpenSSL doesn't need the RANDFILE.
Not that I'
doing this on a Win2K server (not by my own choice).
Jody Harvey
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Charles B
Cranston
Sent: Wednesday, February 23, 2005 10:11 AM
To: openssl-users@openssl.org
Subject: Re: CONF_load_bio:missing equal sign
From man req (which is available at www.openssl.org)
RANDFILE
This specifies a filename in which random number seed information
is placed and read from, or an EGD socket (see RAND_egd(3)). It is used
for private key generation.
===
On Unix I've used something as simple as
(date; du) >randomf
AH, that's the problem. Those are not commands for OpenSSL,
those are commands for the Apache daemon and go in your
apache httpd.conf file.
Harvey, Jody wrote:
Here is line 28 thru 30 of my ssl.conf
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
#SSLRandomSeed startup file:/dev/random
Sigh. The diagnostic is clearly pointing at line 28 of the ssl.conf
file - do you think you could post (some context around) line 28 of
your ssl.conf file?
Harvey, Jody wrote:
I am currently setting up Open SSL on a Windows 2k system. I have followed
instructions as closely as possible. My problem
Erik Norgaard wrote:
pair (n,e) and the private key can be represented either as a pair
(n,d) or in its Chinese Remainder Theorem form (CRT). The latter should
be faster, but only applies for keys with more than two prime factors.
Oh, I see, you use CRT to designate the key with the added speedup
Erik Norgaard wrote:
Charles B Cranston wrote:
Doing it the hard way requires roughly 1.5 times key length
number of modular multiplies (assuming about half the bits are
ones and half zeroes) so if the shortcutted public key operation
takes 17 units of time the non-shortcutted private key
coding a session key for the real
data this increase is minimal, but for the kind of embedded
computation you're thinking of this can be a real gotcha.
Erik Norgaard wrote:
Charles B Cranston wrote:
You should factor in the RSA speedups in your space estimates.
Typically a public exponent of 2
Here's a crazy idea:
The computer talking to the Java card rolls a random session key.
In the first operation transfer a private key into the device,
encrypted by the session key.
In the second operation transfer the data to be encrypted and
the session key. The Java card can decrypt the private k
You should factor in the RSA speedups in your space estimates.
Typically a public exponent of 2^16+1 is used so you need not
pass this separately for a public key. However, the speedup
for the private key operation involves all those other fields
in a private key, which expands the space requireme
I've always used the -days option to set the end date,
and never really needed to set the start date - if the
start date is in the future you can sequester the
certificate until that date arrives (modulo distribution
issues). I think I use -days 400 for a one-year cert
(one year, one month grace,
There are very good reasons NOT to allow extraction of a private
key from a crypto device. Investigate the vendor's provisions for
either backing up or cloning a device. It is possible that the
device will export its private key under some kind of protection
(like encryption with some "master key
One could read in openssl.txt (in the doc directory of the OpenSSL
source distribution):
===
Extended Key Usage.
This extensions consists of a list of usages.
These can either be object short names of the dotted numerical form of OIDs.
While any OID can be used only certain values make sense. In pa
For example, the public key operation of RSA, which is done at the
client (encoding the session key in the server's public key) is very
highly optimized by using 0x10001 (1001) as the public
exponent; this requires only 16 multiplies and one add. But the
server must decrypt the session
If I understand you correctly the time at the server only starts
getting bigger proportional to the transfer size when the size
of the transfer exceeds some critical value? This is indicative
of a fixed portion and a variable portion of the observation,
with the fixed portion dominating when the v
David Schwartz wrote:
2) Streams of entangled particles can generate shared
secrets where none previously existed.
No, not really, since the scheme described on page 80 of the Jan 2005
Scientific American looks vulnerable to a man-in-the-middle attack.
In that case, it generates two shared secret
David Schwartz wrote:
Do you agree that:
1) If there exists a shared secret, quantum encryption can provide
protection, now and in the future, against MITM attacks or passive
interception.
I believe so, now that I've read your description.
2) Streams of entangled particles can gen
Sorry about all the confusion Dave, the scheme described on
page 80 of the January 2005 Scientific American is a key
distribution scheme that, at least as far as I can tell from
a quick re-read, IS vulnerable to a man-in-the-middle attack.
Perhaps there is some defense that was simplified out of th
David: have had another read of your message of 1/4 and realize
I was talking about something different than what you were
talking about, hence my confusion. Cannot put my hands on my
copy of that Scientific American article, but what you describe
at the end of your article seems much stronger tha
Strangely enough, there actually MIGHT be a good reason to use
Quantum Encryption. It's a very subtle point, which I will try
to explain succinctly below, but unless you're actually interested
you might want to hit the delete key now.
1. Perfect Forward Security
I hate to invoke "Perfect Forward S
David Schwartz wrote:
I can split the second case into two parts:
If there IS a key AND there are NO quantum computers then
the key provides adequate protection
No, it doesn't; future advances in computation *will* make any given key
insecure eventually. Your communications today *will* be known
Well, I think I agree with everything David said, and given
his assumptions I believe he is correct. However, it appears
that he did NOT carefully read what I had posted. He is
assuming the existence of "the key" (see his first interjection)
while my argument was in two parts:
If there is NO key
Having much the same results on my googling -- there is some
mention of a PKIPath extension, but I did see a reference to
an X509_4thEditionDraftV7.pdf which contains dates roughly
similar to the ones Richard quotes. There was a reference
to RFC3281 which talks about attribute certificates,
but the
DER is short for ASN.1 Distinguished Encoding Rules. The actual
format of certificates and things are standardized by X.500 but
these documents are expensive, so the Internet RFC people have
reprinted the information in a series of documents. Take a look
at ftp://www.ietf.org/rfc/rfc3280.txt pa
CRLs are signed by the CA certificate whose subsidiary certificates
are mentioned (or not) in the CRL. So a CRL is verified just like
any other signed document. You need any certificates in the chain,
which may or may not be supplied along with the CRL, see PKCS#7
format and/or the
openssl crl2pk
One suggestion is to use a signed email (S/MIME) message to
a known robot at the CA that would do whatever is needed.
Zerg wrote:
Hi all.
It is needed to send from client to server the request for revoking or
holding the client's certificate.
My chief want that this request for revocation was sig
Quantum Cryptography vs the "man-in-the-middle" attack
The recent availability of commercial products for quantum
cryptography has generated much press attention, however,
any putative value-add for these products escapes this
author. Given the traditional "man in the middle" attack
where Vladimir
What you may be missing is the "data padding" stuff, which makes
the encrypted payload somewhat longer than just what you pass off
to the encoding routine. IIRC it throws an 8-sided die and prepends
to the message either
01
02 02
03 03 03
...
08 08 08 08 08 08 08 08
also there may be some length f
Suso Banderas wrote:
Can anyone respond to this? At least to let me know that I am
thinking along the right track? Is there any expectation that the CA
should be using the subject from the CSR that the customer sends?
I think the "standard model" is that the CA rejects requests until
the clien
Jesse Hammons wrote:
So to clarify: If I generate a 65-bit key, will I be able to use that
65-bit key to sign any 64-bit value?
Yes, but a 65 bit key won't be very secure AT ALL, it will be
very easy to factor a modulus that small. Bottom line: asymmetrical
(public-key) encryption has a fairly lar
different threads. Is the OpenSSL stuff thread-safe?
MacDermid, Kenny wrote:
From: Charles B Cranston
MacDermid, Kenny wrote:
I'm looking to locally reverse engineer a network protocol
that's encrypted using ssl.
Another method would be to use a man-in-the-middle attack on
a third machi
Seems to me I saw an option to set the serial number from the
command line appear in openssl req but it might be recently
added (e.g., check to see if the version you are using is too
old to have it implemented!). I've been doing the write-even-
number-of-hex-digits-to-file since I started, so I
It's possible from what you describe that it was a
hanging alias, that is, a symbolic link pointing to
a file that does not actually exist. This looks like
a file initially but gets a "file does not exist"
when you try to actually use it...
Dan O'Brien wrote:
On Nov 22, 2004, at 1:41 PM, Dr. Steph
MacDermid, Kenny wrote:
I'm looking to locally reverse engineer a network protocol
> that's encrypted using ssl. The program runs under windows and
> is using ssl dll's. I'm currently trying to work out the easiest
solution, and am looking for suggestions.
I'm considering either trying to wrap the
I agree -- a lot of the advanced architectures I'm studying have
a "trust root" that is NOT self-signed, instead it is signed by
another certificate somewhere else. In a different verification
paradigm the certificate in question is NOT in fact a trust point
but instead is signed by a chain that l
I'm afraid that this is "just the way it works".
Starting from first principles, there's only a few ways a system
COULD be coded to work:
1. decrypt all messages as they are received, so the encryption
is only for when the message is actually being transmitted
2. decrypt all messages as they are
Could someone be so kind as to post examples of their
extfile or extensions section?
Here's an example of a shell script that generates an entire
PKI: root, two intermediates, and one SSL (server) end user.
This is one of about 35 of these I did trying to figure out
why the IBM HTTP Server and the
AFTER enough information has been presented by the
initiator for the responder to know which certificate the
initiator is going to expect.
Charles B Cranston wrote:
I think the complication is that he's going to have to use
the virtual hosts stuff so that the correct certificate can
be return
I think the complication is that he's going to have to use
the virtual hosts stuff so that the correct certificate can
be returned to each connection, and that this means he's
going to have to have two different IP addresses, since there
will be no way to determine WHICH certificate to send.
This i
You are seriously lost. Private keys and public keys (certificates) are
USED in performing RSA encryption, but they are not themselves encoded
and/or transmitted under RSA encryption. Yes, keys for private-key
encryption are sent under public key encryption, but
a key for private key encryption i
Ronan wrote:
is this list just not that active or do the people on it honestly not
know the answers??
Well, let's consider some OTHER hypotheses:
1. The question is so easy that everybody thinks someone else will
answer it. That is, the old hands say "oh, not AGAIN!!!" and are
just bone tir
a way out of this.
What I am trying to do is mutual authentication between a 802.1X
Supplicant and the FreeRADIUS Server using EAP-TLS. Most of the HOW-TOs
that I have read on the internet for carrying out this task mention that
ClientAuth/ServerAuth "Extended Key Usage" MUST b
You should probably read chapter 4 of RFC 3280
http://www.ietf.org/rfc/rfc3280
particularly 4.2.1.3 Key Usage and 4.2.1.13 Extended Key Usage
Also the text file openssl.txt in the doc directory of the
openssl distribution.
I don't use CA (I use x509 instead) so maybe that has something
to do with t
Richard Levitte - VMS Whacker wrote:
> In message <[EMAIL PROTECTED]> on Thu, 28 Oct 2004 18:10:35 +0800,
> 黄志军 <[EMAIL PROTECTED]> said:
> hzhijun> i execute the test.html in internet explorer and it return a
> hzhijun> correct index1.html page. But if i change the method from
> hzhijun> 'get'
Actually you might be confused a little. A CSR is nothing more than
a public key bundled with an identity (name). If you already have
a CSR you should not also need a public key.
If you mean the key to be the private key to a signing CA and the
CSR to be for an end-user certificate to be SIGNED b
The more randomness you put into the random number generator,
the better keys you will get. I've been known to use something
as simple as
(df; date) >RANDFILE
the theory being that it is hard to predict the exact amount
of free file space on (random date in the past) and that the
output of date is
The Doctor wrote:
Does anyone here know of such package that uses open source?
- Forwarded message from Customer ---
1. Form Content Security. (FormmailEncoder/Decoder)
As I understand it, on a secure website the content of a submitted form is
protected by SSL from the submitter to the serv
to use to set up the anonymous SSL
connection with OpenSSL or point me in the direction of some example code.
Thanks,
David
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Charles B Cranston
Sent: Thursday, October 21, 2004 10:04 PM
To: [EMAIL PROTECTED]
Su
Peter O Sigurdson wrote:
This is great information,
Can you point me to a HOWTO or other resource
> regarding importing SSL certs into IIS?
For the standard model, where you generate the CSR on
the server (so the private key stays in the server
the whole time) my standard reference is "IIS Securit
I don't think this is correct at all. I use OpenSSL to
generate certificates that are used on Microsoft IIS
servers and IBM HTTP servers and Novell eDirectory LDAP
servers and IBM Directory Server LDAP servers and all
sorts of servers. Now, the vendors may not make it EASY
to use non-proprietary
The .0, .1 etc suffix is from the way the Apache web server
(I guess its SSL module) tries to find certificates in a
directory. It hashes the subject name then looks for the
certificate under .0 then .1 etc so the digit
is used for collisions. I've never seen a .1 and we have
a BIG directory.
You
NO! They are NOT the same. Look at the first few bytes:
> From the public key:
> Modulus (1024 bit):
> 00:cb:aa:35:d5:df:19:39:84:81:36:10:02:84:c3:
^^ ^^ ^^
> From the private key:
> modulus:
> 00:a6:16:30:78:ca:2e:39:27:32:c9:36:c0:16:55:
^^ ^^ ^^
Nope, this key and cert do not match.
> Can people provide recommendations and other comments on
> which books to buy on PKI and IPsec
Some books I thought cost-effective, from easiest to hardest:
"Applied Cryptography: Protocols, Algorithms, and Source Code
in C" by Bruce Schneier 2nd ed (Wiley 1996)
758 pages of extremely readable r
Well, since you didn't like my earlier bridge drawing,
there's a more orthodox one below. As for notation:
I tend to do a lot of diagrammatic reasoning myself,
so I tend to invent notation as I go along. If there
is a preferred notation [1] I'd be glad to redo these
diagrams in that form.
Since a
So, this is perhaps the most simple "bridge" PKI arrangement:
+-+---++-+---+
|T| ||T| |
+-+---++-+---+
| P Root++
Just finished a cover-to-cover reading of Planning for PKI [1] and it
sure cleared up some things for me. Thanks to Richard Levitte for
recommending it.
It seems most of the cognitive dissonance I've been having with this
PKI stuff is due to the "PKI theoretics" being based upon a pair of
assumpti
Gerd Schering wrote:
Richard Levitte - VMS Whacker wrote:
In message <[EMAIL PROTECTED]> on Fri, 24 Sep 2004
11:29:23 +0200, Gerd Schering <[EMAIL PROTECTED]> said:
Schering> is it possible to use domain name components - as in ldap -
Schering> for the certificate dn, i.e. something like
Scherin
Joppe Bos wrote:
Hello everyone,
I am fairly new with openssl and am trying to write a function which can
make a public / private key pair with GMP (an open source big number
library). I am doing this to compare the running time with openssl. I have
a few questions regarding the openssl genrsa c
At the risk of seeming even more confused than usual...
There's a lot of theory out there about cross certification and
bridges etc, but as far as I can tell it is really all theory, and
will REMAIN theory until the various "relying parties", that is,
the standard web browsers, can properly process
Alok wrote:
David C. Partridge wrote:
Once generated, it is encrypted using the public key of the recipient and
included with the message.
but then if i do something like
DES(key=hispubkey(data=somerandom))
i can always decrypt if i know hispubkey.
NO! Look, Alok, it's painfully obvious that y
Jon Bendtsen wrote:
i can verify a certificate against a root certificate, with
openssl verify -CAfile root.ca rsacert.pem
but how do i know that the certificate i try to verify has not been
revoked?
At the risk of seeming to oversimplify a VERY complicated issue:
1. You have been downloading Ce
From RFC3280 section "4.2.1.13 Extended Key Usage"
If a certificate contains both a key usage extension and an extended
key usage extension, then both extensions MUST be processed
independently and the certificate MUST only be used for a purpose
consistent with both extensions. If ther
Why questions are particularly difficult to answer.
I guess the real answer is: because the programmer who wrote the
software in question decided to program it that way.
The "critical" bit was intended to be an aid to software upgrade:
Suppose you are trying to support a mix of old and new software
Perhaps one way to think of the IV is that it is part of the key.
That is, the IV and key are used to encrypt, and then the (same) IV
and the (same) key can decrypt. It's just that if the IV is sent
in clear text ("included in the structure...") then it is not secret.
One popular algorithm is to u
iting C code that
calls the library directly, or a Perl module to call the library
directly, instead of trying to shoe-horn the existing main programs???
Webmaster wrote:
Hello,
I also have a little question, with this method I can
also send the passphrase of the seckey of the CA??
The basic
If you're using Unix or another system that supports the
Environment variables, you can write a fixed openssl conf
file that references appropriate variables in appropriate
places. If you don't have Environment you can still write
a custom openssl conf file for each instance of signing.
Lule Chen
Ralph wrote:
Hello list members,
I'm trying to set up an Apache 2 based web server for multiple name
based virtual hosts. As it is not possible with mod_ssl to have a
separate SSL certificate file for each virtual host...
Actually, you can, but they have to have separate IP addresses.
(Requiring t
The code to "understand" the notAfter output is fairly
simple. You can use either Date::Parse or a kluge using
Date::Calc like this:
use Date::Calc(
qw"Decode_Month Add_Delta_YMDHMS Date_to_Time Date_to_Text Timezone"
);
print ($ed=),"\n"; # < This is the output from -enddate:
if ( ($m,$d,$
One danger with casting a structure as a string is that zero bytes
(which can happen due to "slack bits" in the structure) might be
interpreted as an end-of-string that would prematurely terminate
the data.
If you're going to process binary data, look for an API where you
specify both a pointer and
Technically this is true, as DER requires the determinate length
encoding options and disallows the indeterminate length ones...
Alicia da Conceicao wrote:
Hi Steve:
Its not ASN1 because the OpenSSL ASN1 code isn't fully streaming and to do so
would be a massive undertaking which has so far not at
There might not BE a definition of getc since it returns
an int and the default is to return an int. I searched
in /usr/include and /usr/include/sys on one of my Unix
machines and it was not explicitly defined...
What exactly is the problem you are running into with
doing IO on 128-255 characters?
om number that the machine is going to base
its security on...
Michal Hlavac wrote:
Charles B Cranston wrote:
You could split into two 16-character pieces and then
XOR the two pieces against each other.
hmmm... but result of substr(hmac, 0, 16) ^ substr(hmac, 16, 16) is not
human readable code...
Well, x509 specifies the representations of crypto objects
(like certificates and keys) as sequences of binary bytes [1].
DER [2] is just those binary bytes in a file, while PEM [3]
is a way to encode x509 as a sequence of printable characters.
So it is entirely possible for a file to be both PEM a
I think I understand how I was wrong, most of the stuff I
work with negotiates the secure connection immediately,
such as web on 443 (https) and ldaps (667?). I see that
if there was a required interaction before switching over
into secure mode (which is TLS rather than SSL?) that it
might not be s
You can generate your own certificates with OpenSSL, but you
need to either get your root certificate into every piece of
"verifying software" (browser), or else get all your users to
manually accept each certificate, which greatly reduces
security (because, with no way to know any better, they wil
The web does not use continuous connections. Typically for a
web app you do a POST request, passing in data items and getting
back the next in the process, but the SSL connection is
closed at that point, and another, different, connection is
opened the next time you push a button or otherwise int
Mark H. Wood wrote:
Um, feel free to point me elsewhere, but I'm having trouble visualizing
what's being discussed. I keep reading "branched certificate chain", but
what I understood from the description is like this:
Before:OurRoot ---> Level1 ---> EndUsers
After: IdenT
Rich Salz wrote:
I was envisioning something much simpler.
Existing applications that know about the "root" CA work without
configuration changes. New applications that need to know about the new
"larger" PKI just add the new root to their list of trust anchors. I
suppose that's really a bri
Actually, it might be as easy as changing the "name" of the root
and issuing a new L1 certificate. The branch happens when an
unmodified client (which still has the local root installed)
needs to decide who has signed the L1 certificate. Its two
choices are
1. the local root
2. the "missing link
Follow up to previous posting: I did try to do some experimentation
in the context of trying to design a clean transition from the root
we made in 1998 to the root I made in 2003. I did not have a great
deal of success because the browsers I was working with at the time
(Netscape 4.7x and IE 4 or
Rich Salz wrote:
At the risk of being immodest, you might find this column useful:
http://webservices.xml.com/pub/a/ws/2003/12/09/salz.html
This is a verbatim quote from the text at that URL:
> The root will sign the Level 1 CA and then be taken offline.
> Anyone who wants to validate any iden
Ron Croonenberg wrote:
I tried to get a certificate to work on Windows 2000 with IIS too.
I don't know if this is off topic, but how can I sign a certificate request,
created on a windows2000 server. I want to sign the request and create a
certificate on a linux machine running openssl then take th
Doing it via:
openssl rsa -in inca.key.pem -des3 -out outca.key.pem
would be preferable since the -des3 would trigger output
encryption, and you would be ASKED for the new pass phrase,
while using stdin it just gapes at you with no prompt.
I was (unsuccessfully) trying to remember the trigger for
What is the default encryption exponent used in RSA encryption by OpenSSL?
Is it e = 2^16 + 1 = 65537?
Anybody knows where can I find this default value in the source files?
It's actually the Public Exponent field in the certificate, so you would
find it in the code that makes new certificates.
Ce
OOPS, sorry, it is a C++ reserved word even though it is
not a C reserved word, and I guess it would be a Good Idea
for OpenSSL to be callable from C++ as it used to be...
Charles B Cranston wrote:
We cannot find "explicit" as a reserved word in a (fairly old)
ANSI C book. Is th
We cannot find "explicit" as a reserved word in a (fairly old)
ANSI C book. Is this the GNU compiler or a vendor compiler?
Could this be a vendor-specific extension? Is there a compiler
command line switch to remove vendor-specific extensions?
Would the GNU compiler work better anyway?
Just grab
With reference to Charles' comments, I still have the
> luxury of time before having to issue certs in anger.
With us it was not time, per se, if you notice the postings
for our CA we had our first signing party in February of
the year that our 5-year 1998 previous root expired in August.
So that'
I hadn't come across a hashed directory before and, having read the relevant
sections in the OpenSSL documentation (openssl -verify and x509 -hash), I
must admit it still doesn't make an awful lot of sense to me. I am working
on Windows so perhaps that is the cause of the problem (amongst many
othe
Dr. Stephen Henson wrote:
The [sic] look like the standard CRT components.
So:
a = iqmp
c = dmp1
f = dmq1
And, in fact, if you look at the PNG's in the posting,
"iqmp"  Inverse of Q mod P  a = Q^-1 mod P
"dmp1"  D mod prime 1       c = Ks mod (P-1)
"dmp2"  D mod prime 2
Pardon my ignorance, but I don't know the "canonical" variable name
assignments, so "a, c, and f" mean nothing to me. I did a simple
google and found this paper which describes Montgomery's method,
including a version in MIPS 64 assembly language.
Perhaps this will help you get better oriented:
h
However, still I don't see any reason why this function increments its
second argument ? And why to the first byte after the DER-encoded INTEGER
(it's out of preallocated memory) ?
The usual reason for building library routines that bump an output
pointer is to be able to use them in a chained fa
prefab wrote:
I had the same question for
subjectAltName=otherName:1.3.6.1.4.1.311.20.2.3;UTF8:(copy emailAddress)
In Windows the environment variable replacement only works if you set the
variable before calling openssl for signing the request:
set [EMAIL PROTECTED]
openssl x509 -req ...
Does any
I dunno, I'm only about halfway through the Vesperman CVS book,
but when I used google to find openca and tried to find the
openca/openscep stuff I found that the HEAD version had been
removed from the archive, and that the versions in .attic
(:-) were merely half-page stubs.
Maybe I was at the wro
:-)
If somebody else is actively working on this, please warn me off...
Jon Barber wrote:
Charles B Cranston wrote:
Sorry for my ignorance, could you post a reference to SCEP? What would
it take to manhandle a standard certificate into this format? Or is it
a lot more difficult than that?
SCEP is
Sorry for my ignorance, could you post a reference to SCEP? What would
it take to manhandle a standard certificate into this format? Or is it
a lot more difficult than that?
Jon Barber wrote:
[EMAIL PROTECTED] wrote:
I'm assuming you mean a Pix Firewall version 6.3.x. I don't think
there is a
w
stigate in my copious free time...
Charles B Cranston wrote:
I don't recall why this code uses a temp file for the serial
number instead of using another pipe.
# Make serial number as even-number-of-digits hex string and write file
my $hex = sprintf("%lX",$serial);# Co
Dr. Stephen Henson wrote:
> You should where possible use the command line switches
> rather than "expect" because the prompts of the various
> commands may change.
> You can generate requests via template configuration
> files and there are various ways to supply passphrases.
While I agree 100% w
Best I can tell from looking at the code, the failure is somewhere
in this block (which I have edited a bit for readability):
# Convert the signed cert to a pkcs12 certificate
# so Netscape and IE can import. (and clean up some files)
`rm -f "./temp/$input{'email'}.pem"`;
`cat
./temp/$in
Well, it might be easier to answer this question if we knew what
you were trying to install the certificate into. For the Apache
server the certificate and private key are placed into filesystem
files which are then named in the configuration files. The
installation instructions vary for other pr
Sreedhara M. Reddy wrote:
Hi,
Can someone guide me how to generate certificate and key
> pairs for client authentification in SSL applications.
First, are you really sure that this is what you want to do?
The problem with client certificates is that they tie the
client down to a specific workstat