onder
JB> program).
JB>I would recommend to also implement traditional CRLs, since for
JB> smaller CAs
JB> it is a better solution for browsers and servers that support it.
JB> Enjoy
JB> Jakob
JB> --
JB> Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wis
MS> On Fri, Feb 13, 2015 at 11:33 AM, Sean Leonard
wrote:
>> Using the openssl pkcs12 -export command, is it possible to specify a
>> "-certpbe" value that does not do encryption? Perhaps you only want
>> integrity protection--you don't care whether the certificates are shrouded.
>> The PKCS #1
Gregory,
>> * - Windows indeed will not handle a .p12 cert+key with the PKCS5 v2 [i.e.
>> aes-256] encryption on it. It appears to only handle 3DES. [I didn't test
>> every possible PBE - just 3DES and AES256]
The Microsoft Windows operating system uses Cryptographic Service Provider
(CSP
Ok, so I know this isn't strictly an OpenSSL question, so I apologize - but I'd
guess someone here knows the answer, or can direct me to the correct resource.
[I've done a lot of searches, but no real luck.]
I'm trying to import both a private key and certificate generated with OpenSSL
into a W
JH> On 30/09/14 03:30, Michael Sierchio wrote:
>> There are many places where a PKI breaks - hash collisions are far
>> down the list. Most internal CA implementations offer no more
>> effective security or trust than just using self-signed certs - the
>> objective seeming to be to make browsers
[SNIP]
>> However this looks like the key is encrypted with 3DES, but I "exported" it
>> from the Cert+Key with "-aes256" - so I'm puzzled why I'd have a 3DES
>> encrypted p12.
DT> You thought you did but you didn't.
DT> The doc is a bit subtle, but the -$cipher option is listed under "PARSING"
Cert+Key with "-aes256" - so I'm puzzled why I'd have a 3DES encrypted
p12.
Help! :)
-Greg
So, hopefully this will be the last post in the thread. [fat chance, eh!?]
I've gone back and re-encrypted the private keys [thanks Dave, again!] and this
is the result from an asn1parse
openssl asn1parse http://www.sloop.net
---
ion with openssl req; that saves decrypting
it before encrypting it with your preferred cipher.
Michael Wojcik
Technology Specialist, Micro Focus
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org]
On Behalf Of Gregory Sloop
Sent: Tuesday, 09 September, 2014 01
elf - but perhaps
that trust is misplaced in this case.]
Again, glad for any follow-up advice - it's been an interesting thread - at
least for me.
-Greg
For the legacy formats (dashes-BEGIN PRIVATE RSA KEY or PRIVATE EC KEY)
just look on the DEK-Info: header line.
For PKCS#8 format
ck
cipher. They are going to attack the password or some other [weak] part in the
system.
Jeff
On Mon, Sep 8, 2014 at 4:00 PM, Gregory Sloop wrote:
Continuing top posting. [Which doesn't bother me nearly as much as it seems to
bother others... ]
Yes! That was a fantastic answer.
state-of-the-art
machines, they could probably break one of your keys in a couple of months.
That doesn't look like a plausible threat to me, unless you're protecting
something really valuable.
Disclaimer - I haven't double-checked any of those figures.
Does that help?
Micha
There is nothing special about cracking a certificate password versus any other
password. There is a lot of literature out there; a web search will easily
give you enough information to be depressed. I think your biggest faulty
assumption is that your users will pick truly random 10char passw
General question:
I've done a number of searches and can't find a lot about the subject. [I've
searched the list archives too...at least as best I could.]
In several cases, the most obvious being OpenVPN, I use client certificates
generated by openssl, with a pass-phrase [password]. This means
GS> So, I'm working with an EAP-TLS system running under freeradius.
GS> I've set up things to use a CRL [not OCSP] to revoke certificates and
GS> all works well.
GS> However, the parameter default_crl_days=XXX puzzles me.
GS> Through trial and error [mostly error] I know that if I don't
GS> rege
So, I'm working with an EAP-TLS system running under freeradius.
I've set up things to use a CRL [not OCSP] to revoke certificates and
all works well.
However, the parameter default_crl_days=XXX puzzles me.
Through trial and error [mostly error] I know that if I don't
regenerate the CTL every def