It's not the server cert you need in the trusted certs store - it's the CA
root cert.
And you'll need any intermediate CA certs in the regular CA store
D.
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Stuart Halliday
Ok, so I put into the Trusted Root
This may seem a stupid question, but why do you want or need to do this?
You can generate an SS cert with a validity of (say 1 year) and just use it
without needing to generate a new one every time the system starts up. Is
there something special about the environment that I'm not aware of?
D.
Why would you want the private key to leave the token in clear anyway?
If you need to perform RSA private key ops, then ask the device to
sign/decrypt for you.
The CA3 FWIW will not even let you wrap a private key off under another key
as this HSM is intended for use as a CA's HSM.
If you need t
You don't want to specify the CA's private key as the argument for -CAfile,
you need to specify the CA certificate for that.
Also an indication of the errors you get would help ...
D.
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Samy Thiyagarajan
Sent
Why not encrypt the file using PKCS#7 enveloped or signed and enveloped
data. 3DES-CBC or AES for data encryption, key encryption using intended
recipient public key, authentication using RSA signer public key?
If you need non-expanding data encryption using symmetric cipher, look at
AES in CTR m
Strictly speaking 1.2.840.113549.1.5.13 is the OID for the "PBES2 encryption
scheme" from PKCS#5 V2.
Dave
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listope
I've not been there, but is it possible that this is a PKCS#12 bag?
Dave
>If you want to separate the signature key from the encryption key, you
should have 2 keys, and not one key with 2 certificates.
Totally agreed - the reason for using key separation is that encryption keys
will (typically) have a shorter life time than signing keys (at least for
certificate valid
Howsabout using openssl req ?
That does what you want I think you will find.
Dave
Probably a good thing - all these zip files have been virus infested and I
don't think they are related to this mailing list at all in fact.
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rajeev Aggarwal
Sent: 04 May 2005 11:47
To: openssl-users@openssl.
3.2 million certs! That's going to be "fun" when you get to certificate
rollover time!!!
What CA are you using (I guess not openssl ca for that volume).
Dave
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of ray v
Sent: 29 April 2005 05:00
To: openssl-users@
Also I'm surprised to see V3 cert with no KeyUsage section ...
It would also be more normal to use Extended Key Usage to say it is
good for SSL Server etc. rather than use the old Netscape Cert Type ...
Dave
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Beh
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Cert Type:
SSL Client, S/MIME
Netscape Comment:
OpenSSL Generated Certificate
is why it is failing. The server certificate needs:
X509v3 extensions:
2 CMS specification
On Tue, Apr 26, 2005, David C. Partridge wrote:
> Is there any expectation that openssl will be enhanced in the near future to
> support the current CMS specification which I think is RFC3852? If
> possible retaining support for the old PKCS#7 "Signed and Enveloped
Is there any expectation that openssl will be enhanced in the near future to
support the current CMS specification which I think is RFC3852? If
possible retaining support for the old PKCS#7 "Signed and Enveloped" message
format?
TIA
Dave
Current recommendation is to put in the subjectAltName
extension.
Dave
You can do this in the config file - I'll leave others to tell you how as
I'm a bit rusty on that stuff.
The reason I'm replying is that it is definitely not good form to mark
AlternateName extension as critical. Of course it is valid to do that, but
why should a relying application be FORCED to
Sounds like the client doesn't have a key set and certificate, or the
certificate for the CA that issued the client's cert isn't installed at your
web server.
Sounds to me like you're using openssl req rather than openssl ca
Dave
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Michael Weiner
Sent: 24 November 2004 14:12
To: [EMAIL PROTECTED]
Subject: serializing certificates
Is there a way to "force" a serial nu
I'm trying to build the html files for the docs from the pod files using
pod2html
The html files are getting built, but the links don't work between them and
I get lots of messages like:
C:\Perl\bin/pod2html.bat:
C:\openssl-0.9.7d\doc\ssl\SSL_CTX_set_ssl_version.pod:
cannot resolve L in paragrap
Richard Levitte said:
>Note that, as long as you only have applications that really know how
>to handle multiple verification paths, then you can throw all kinds of
>certificates at them without worrying. Unfortunately, that's not a
>reality yet.
Richard, is there any useful guidance you can po
Not at all, there's no man in the middle issue at all because the
certificates which are issued by a trusted TP guarantee the ownership of the
public key.
The logic goes like this:
You generate a random DES key known only to you. Let's call this KDE
You use this to encrypt the data. Let's call this
The "one shot" symmetric key is purely random.
No it's not a function of anyone's private or public key.
Once generated, it is encrypted using the public key of the recipient and
included with the message. If multiple recipients, the same key is used to
encrypt the data, and for each recipient i
Not correct.
You sign the message with YOUR private key. The signature is verified by
the recipient using your certificate which is issued by a CA.
If you are also enveloping, then the data is encrypted under a "one-shot"
symmetric key, and this symmetric key is then encrypted using the public
Anyone have any thoughts or an explanation for this???
Dave
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of David C. Partridge
Sent: 17 September 2004 15:15
To: Openssl-Users
Subject: Problem signing certificate OpenSSL 0.9.7d
C:\temp>openssl vers
06 GMT (750 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
unable to rename c:/openssl-0.9.7d/apps/demoCA/serial to
c:/openssl-.9.7d/apps/demoCA/serial.old
reason: File exists
Thanks
David C. Partridge
Te
3:47:04 2004 GMT
Not After : Bad time value
Certificate is to be certified until
Bad time value (36525 days)
Sign the certificate? [y/n]:n
CERTIFICATE WILL NOT BE CERTIFIED
Regards,
David C. Partridge
Technical Products Director
Primeur Security Services
Tel: +44 (0)1926 511058
Mobile: +4