Sincerely,
Giang Nguyen
> Date: Fri, 13 Mar 2009 00:22:56 +0100
> From: st...@openssl.org
> To: openssl-users@openssl.org
> Subject: Re: Can't recognize intermediate CA
>
> On Thu, Mar 12, 2009, Rene Hollan wrote:
>
>> I used openssl with the intermediate CA to sign a separate cert, which
>> had an AKID keyid but no issuer, and that chain recognizes fine.
>>
>> Could the problem be the fact that yahoo.pem has an AKID keyid AND
>> issuer? (one or the other is sufficient, but I could find nothing that
>> said th
> I used openssl with the intermediate CA to sign a separate cert, which
> had an AKID keyid but no issuer, and that chain recognizes fine.
>
> Could the problem be the fact that yahoo.pem has an AKID keyid AND
> issuer? (one or the other is sufficient, but I could find nothing that
> said that bo
serial numbers and the key id's. they looked ok to me. so at
this point, i don't have any ideas.
>
>
> -----Original Message-----
> From: owner-openssl-us...@openssl.org
> [mailto:owner-openssl-us...@openssl.org] On Behalf Of Giang Nguyen
> Sent: Thursday, March 12, 2009
the cacert has pathlen:1 in its "X509v3 Basic Constraints"
> Subject: Can't recognize intermediate CA
> Date: Thu, 12 Mar 2009 15:00:47 -0700
> From: rene.hol...@watchguard.com
> To: openssl-users@openssl.org
>
> I'm tearing my hair out trying to get an in
what do you mean "private certificate"? you mean the server wants to verify its
own certificate before accepting connections? or the client wants to verify its
own certificate before initiating connections? (i guess it doesn't matter
either way, though.)
assuming you have the CA certs and the
if you have a certificate in a X509 object, the x509.h header mentions the
function:
EVP_PKEY *X509_get_pubkey(X509 *x);
From: binome_...@hotmail.com
To: openssl-users@openssl.org
Subject: get public Key from a certificate
Date: Tue, 24 Feb 2009 10:29:42 +
hello
how can i get the publ
i think it's because your "my-cacert.pem" is not considered a CA: it has
"CA:FALSE"
arch [temp]$ openssl x509 -in my-cacert.pem
-----BEGIN CERTIFICATE-----
MIIC9jCCAl+gAwIBAgIBADANBgkqhkiG9w0BAQUFADB4MQswCQYDVQQGEwJDQTET
MBEGA1UECBMKU29tZS1TdGF0ZTEhMB8GA1UEChMYSW50ZXJuZXQgV2lkZ2l0cyBQ
dHkgTHRkMR
>> type regardless.
>>
>> This is specified in PKIX (currently RFC 5280); in order to maintain
>> standards-conformance OpenSSL cannot change this behavior. (Nor can
>> it even offer an option to change it, since its job is to maintain
>> security-system interoperabili
> > I was under the impression that openssl allows loading multiple CRLs
> > for the same issuer. But, this does not seem to be the case as is
> > proved by using "openssl verify".
> >
> > $ ls -l ./ca/
> > total 24
> > lrwxrwxrwx 1 pshah users 10 Jan 28 21:56 ba4bb3b6.0 ->
> > cacert.pem
you should try http://openssl.org/docs/crypto/RAND_add.html#
the "req" man page mentions:
-subj arg
sets subject name for new request or supersedes the subject name
when processing a request. The arg must be formatted as
/type0=value0/type1=value1/type2=..., characters
may be escaped by \ (backslash), no spaces are skipped
> I think Robin tested it, so yes it works... But you need the bugfixes
> he sent to the list...
>
> Robin: Am I right?
actually i referred to session resumptions with abbreviated handshakes.
i think the "bugs/patches" comment was in the context of renegotiations with
full handshakes.
"> Btw, d
> I think I will go for the hack that misuses re-negotiation as a kind of
> heartbeat, keep alive or echo request. I tried to avoid this hack at
> first because it is a computational burden. AFAIK re-negotiation means
> restarting from scratch which means that expensive public key operations
> hav
> then you can try X509_set_pubkey() (in x509.h) to obtain the "EVP_PKEY *"
> object
of course i meant X509_get_pubkey().
if you have the "X509 *" object (in your code), then you can try
X509_set_pubkey() (in x509.h) to obtain the "EVP_PKEY *" object, then you can
use the various PEM_write_..._RSAPublicKey() (in pem.h).
> This actually addresses both the questions. In the distant past some
> applications encoded certificate requests incorrectly and/or required an
> incorrect encoding. That is there to tolerate and/or generate such stuff.
thanks.
> Does the release of 0.9.8j also include the FIPS module support?
do you mean anything other than this?
http://www.mail-archive.com/openssl-users@openssl.org/msg55535.html
This is the first full release of OpenSSL that can link against the
validated FIPS module version 1.2
First, background (questions at the end):
Version 2 of the pkcs 9 spec at
http://www.rsa.com/rsalabs/node.asp?id=2131 (PDF:
ftp://ftp.rsasecurity.com/pub/pkcs/pkcs-9-v2/pkcs-9.pdf) says in
section 5.4.1:
"A challenge-password attribute must have a single attribute value."
At first I expected th
nils
>Frédéric Donnat wrote:
>
> Hi,
>
> Sorry for the mistake (nothing to deal with openssl.cnf file). I was just
> looking for ca.txt file.
>
> Is it normal behavior of openssl to be able to view a certificate without
> serial number using (without any error mentioned):
> openssl
sorry please ignore; this had been asked before:
http://www.mail-archive.com/openssl-users@openssl.org/msg41502.html
> From: [EMAIL PROTECTED]
> To: openssl-users@openssl.org
> Subject: signature failure when certificate contains no serial number (ie,
> not one that equals zero)?
> Date: Sat,
i was messing around with (self-signed) certificate creation/signing
and ran into this. the following two certificates are the same except
for the serial number: "with_serial" has a serial number that is zero,
and "no_serial" does not have any serial number.
the "with_serial" certificate verifies
22 matches