On 9/18/22 06:09, Philip Prindeville wrote:
On Sep 15, 2022, at 4:27 PM, Michael Wojcik via openssl-users
wrote:
You still haven't explained your threat model, or what mitigation
the application can take if this requirement is violated, or why
you think this is a "best practice".
The threat
On 3/10/22 14:06, edr dr wrote:
I would like to be able to automate the process of updating CRLs in
order to be able to keep the CRL validity time short.
Understandable.
At the same time, I do not want to store passwords used for
certificate creation in cleartext anywhere.
It's a pity that the
On 6/18/20 9:12 AM, Williams, Gareth wrote:
> I can successfully add a multi-value RDN to the Subject of a
> certificate request using the + format in the config file:
> [..]
> However, if I add a SAN to the request:
> [..]
> the resulting request has them as separate RDNs (as if the + is not
> not
HI!
Does anybody know an engine implementation which delegates private key
operations to a running key agent listening on a Unix domain socket?
Similar like ssh-agent or gpg-agent but available for applications using
OpenSSL API.
Ciao, Michael.
On 12/7/18 11:44 PM, Michael Wojcik wrote:
> Homograph attacks combined with phishing would be much cheaper and
> easier. Get a DV certificate from Let's Encrypt for anazom.com or
> amazom.com, or any of the Unicode homograph possibilities
> Part of the point of EV certificates was supposed to be ma
On 12/6/18 11:56 PM, Jakob Bohm via openssl-users wrote:
> Different levels of certainty is the point.
Which never worked well in practice, no matter how hard people tried to
clearly define levels of certainty.
Ciao, Michael.
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org
On 12/6/18 10:03 AM, Jakob Bohm via openssl-users wrote:
> On 05/12/2018 17:59, Viktor Dukhovni wrote:
>> IIRC Apple's Safari is ending support for EV, and some say that EV
>> has failed, and are not sorry to see it go.
>
> This is very bad for security. So far the only real failures have
> been:
Viktor Dukhovni wrote:
>> On Jan 19, 2018, at 10:09 PM, Frank Migge wrote:
>>
Object 04: X509v3 Extended Key Usage: TLS Web Server Authentication
>>
>> This is where I would check first.
>>
>> I am not fully sure, but believe that Extended Key Usage should *not* be
>> there.
>
> Indeed the
Colony.three via openssl-users wrote:
> I've set mine to test this comprehensively. (Apache and NginX) With
> Apache Firefox -ignores- server-prescribed ciphers and chooses an EC.
> NginX does properly prevail with the algo. Was this an accident, Apache?
I'd suggest to read the Apache httpd doc
Michael Richardson wrote:
>
> Jakob Bohm wrote:
> >> I wanted to know when we use engine instance for encryption/decryption
> >> operation, can it be done selectively?
>
> > Please beware that many TPM chips were recently discovered to contain a
> > broken RSA key generation algo
Tom Browder wrote:
> I plan to tidy my automation before the issue of new certs, but I wonder
> how critical it is to ensure unique certificate serial numbers given that
> the certs are only used for us. I'm not even sure I'll ever revoke any
> cert (they were issued to expire sometime in 2030).
>
Robert Moskowitz wrote:
> I am getting a SAN in the csr e.g.:
>
> Attributes:
> Requested Extensions:
> X509v3 Subject Alternative Name:
> IP Address:192.168.2.1
> [..]
> But I am not getting SAN in the cert. Perhaps I need something for SAN in the
> -e
Robert Moskowitz wrote:
> On 08/11/2017 02:47 PM, Dr. Stephen Henson wrote:
>> On Fri, Aug 11, 2017, Robert Moskowitz wrote:
>>
>>> I would want the 'openssl req' command to prompt for hwType and
>>> hsSerialNum. At least for now.
>>>
>> Note that you can't get the 'openssl req' command prompt for
Sanjaya Joshi wrote:
> I use openldap_2.3.39 to initiate secure LDAP connection (starttls) to
> external LDAP
> server. The used openssl version is 1.0.2k.
I'm not sure whether OpenSSL 1.0.2k is even usable with this ancient OpenLDAP
version.
Especially it was set to historic status by the OpenL
Walter H. wrote:
> On 31.10.2015 13:01, Michael Ströder wrote:
>> Walter H. wrote:
>>> On 30.10.2015 21:42, Michael Ströder wrote:
>>>> Walter H. wrote:
>>>>> On Thu, October 29, 2015 11:07, Jakob Bohm wrote:
>>>>>> She (Eve) would kn
Walter H. wrote:
> On 30.10.2015 21:42, Michael Ströder wrote:
>> Walter H. wrote:
>>> On Thu, October 29, 2015 11:07, Jakob Bohm wrote:
>>>> She (Eve) would know that the requesting party Alice
>>>> was talking to Bob at the very moment she sent Trent
>
Walter H. wrote:
> On 28.10.2015 16:44, Jakob Bohm wrote:
>> On 27/10/2015 21:21, Walter H. wrote:
>>> On 26.10.2015 21:42, rosect...@yahoo.com wrote:
Hi, I need some help on this call.
I am building an OCSP client following guide in openssl and compile the
code in Cygwin enviro
Walter H. wrote:
> On Thu, October 29, 2015 11:07, Jakob Bohm wrote:
>> She (Eve) would know that the requesting party Alice
>> was talking to Bob at the very moment she sent Trent
>> the OCSP *request* for Bob's certificate.
>>
>> [...] equivalent of having (almost complete) real time
>> copies of
Alexandre Arantes wrote:
one of them asked me why did I choose not to add the client hostname to the
Client Certificate, thus making it usable only by that specific client.
There are no standardized naming rules for client certs like the TLS server
hostname check implemented at the client side
Graham Leggett wrote:
> On 13 Apr 2014, at 2:04 PM, Michael Ströder wrote:
>> No, it does *not* answer the question.
>>
>> The question was: Who is currently using it?
>
> Just to clarify any possible confusion, whether or not a piece of software
> actively uses the
Graham Leggett wrote:
> On 13 Apr 2014, at 12:25 PM, Hanno Böck wrote:
>
>> I wasn't really sure where to ask this, but I think this list is
>> appropriate.
>>
>> While having read so much about heartbleed, one question stays
>> unanswered for me all the time:
>> What's the use of this heartbeat
Walter H. wrote:
> subjectKeyIdentifier=hash
>
> which parts of the certificate are included in generating this hash value?
http://tools.ietf.org/html/rfc5280#section-4.2.1.2
Ciao, Michael.
Mario Lombardo wrote:
> Hi *,
>
> this is just an idea. However it would increase the security of our crypto
> system in case a trusted CA has been compromised.
>
> The idea is to implement a DNS lookup of a host whenever a ssl connection is
> going to be established. The lookup may search the TX
Graham Leggett wrote:
> In a typical client certificate scenario, you might verify that a certificate
> chain is complete, not expired, and trusted by a root certificate. If you
> were to choose a way to authorize the certificate over and above the check
> that the cert is valid, you might store
Jakob Bohm wrote:
> On 1/7/2014 12:17 AM, Biondo, Brandon A. wrote:
>> I am using ‘ca’ not ‘x509’. It too ignores/discards extensions. Turning
>> on copy_extensions solved the issue though, thanks. I have some
>> follow-up questions:
>>
>> 1.If including SANs in CSRs is non-standard, what is the ac
Viktor Dukhovni wrote:
> On Sat, Dec 28, 2013 at 05:56:41PM +0100, Michael Ströder wrote:
>
>>> http://vdukhovni.github.io/ietf/draft-ietf-dane-smtp-with-dane-05.html#rfc.section.1.2
>>>
>>> This is why I am working to implement and standardize SMTP with DANE TLS.
>>
>> DANE itself does not help.
Viktor Dukhovni wrote:
> With SMTP, PKIX certificate verification is pointless without explicit
> per-destination configuration:
>
> http://vdukhovni.github.io/ietf/draft-ietf-dane-smtp-with-dane-05.html#rfc.section.1.2
>
> This is why I am working to implement and standardize SMTP with DANE TLS.
You should better ask OpenLDAP questions on the openldap-technical mailing list:
http://www.openldap.org/lists/
Ciao, Michael.
Robbie Mingfu Zhang wrote:
> Hi:
>
> If I set the "TLSVerifyClient demand" on openldap server side, then I'll got
> below error
>
> (set TLSVerifyClient as never/allo
Viktor Dukhovni wrote:
> On Mon, Sep 23, 2013 at 10:54:04AM -0400, Salz, Rich wrote:
>
>>> Another option is to use LDAP's "STARTTLS" support on port 389.
>>
>> It seems the config to require it is a bit obscure;
>> http://www.openldap.org/lists/openldap-technical/201202/msg00414.html
>> might be
Bin Lu wrote:
> If I use "-nameopt utf8" option, the output of the subject is empty even for
> ascii string subject DN. This does not seem to match what is said in the man
> page. A bug?
>
> Please try out with the attached certificate (removing the .txt ext).
Are the DN attributes with non-ASC
Mailing List SVR wrote:
On 20/07/2011 17:06, Dr. Stephen Henson wrote:
On Wed, Jul 20, 2011, Mailing List SVR wrote:
On 20/07/2011 08:44, Mailing List SVR wrote:
Hi,
openssl seems unable to verify the attached sod.pem, other pem
file works fine there is something strange with the
Eric S. Eberhard wrote:
or ... keep it simple and at least consider using stunnel.
I use stunnel myself in some situations. It's a great tool.
But bear in mind that the application then has no access to authentication
information of the SSL layer.
Ciao, Michael.
Bruce Stephens wrote:
> Bruce Stephens writes:
>
>> "Dr. Stephen Henson" writes:
>>
>> [...]
>>
>>> Is that unmodified OpenSSL 0.9.8o? If so that's peculiar I get the expected
>>> error here.
>>
>> No, it's Debian's 0.9.8o-2.
>
> Ah, my fault. Obvious in retrospect: Debian's openssl finds the
Bruce Stephens wrote:
> Erik Tkal writes:
>
>> Maybe that's a bug in OpenSSL 0.9.8o? The docs for verify say "It is
>> an error if the whole chain cannot be built up."
>
> Maybe, but I think it's just as reasonable to regard it as a bug in the
> docs.
>
> I think it's useful for verify to be a
Erik Tkal wrote:
> Your "rootcacert" is not a root cert, as it was issued by "C=US, ST=UT,
> L=Salt Lake City, O=The USERTRUST Network, OU=http://www.usertrust.com,
> CN=UTN-USERFirst-Client Authentication and Email". You need to append that
> cert as well to your CAfile.
Shouldn't it be possible
HI!
I'm feeling dumb since this simple command fails and I cannot see why:
$ openssl verify -CAfile rootcacert.pem subcacert.pem
subcacert.pem: C = DE, O = SCA Deutsche Post Com GmbH, CN = Signtrust CERT
Root CA 1:PN
error 2 at 1 depth lookup:unable to get issuer certificate
I've attached the ce
Michael Ströder wrote:
> man 1ssl verify says:
>
> "The third operation is to check the trust settings on the root CA. The root
> CA should be trusted for the supplied purpose. For compatibility with previous
> versions of SSLeay and OpenSSL a certificate with no trust setting
man 1ssl verify says:
"The third operation is to check the trust settings on the root CA. The root
CA should be trusted for the supplied purpose. For compatibility with previous
versions of SSLeay and OpenSSL a certificate with no trust settings is
considered to be valid for all purposes."
I wond
HI!
It's confusing that OpenSSL seems to output distinguished names in different
string representations.
While one can use command-line argument -nameopt to influence the output of
openssl x509 -issuer -subject this does not affect DN output of X.509v3
extensions and there's no such argument for
HI!
There is a difference when displaying the modulus with command-line tool.
Here's the relevant excerpt of the following command:
openssl x509 -noout -text -modulus -in cert.pem
[..]
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
John Nagle wrote:
>Normally, when a certificate is to be valid for more than one
> domain name, one name is in the "CN" field, and the others are in
> the "subjectAltName" extension.
>
>But look at the cert for "https://www.ipmirror.com/".
This might serve as an interesting example for
Rainer Giedat wrote:
> i have a hard time figuring out how i can print the cipher used to
> encrypt a smime encrypted mail.
openssl smime -in test.eml -pk7out|openssl asn1parse
Or with OpenSSL 1.0 in case S/MIME MUA sent CMS instead of PKCS#7:
openssl cms -in test.eml -cmsout -outform pem|openss
Carla Coutinho wrote:
> I'm trying to generate an OCSP request containing Issuer Name Hash and
> Issuer Key Hash calculated with hashing algorithm SHA256.
> I've already installed OpenSSL 1.0.0, which has the option '-sha256', but
> that doesn't seem to be working (the Hash Algorithm is always SHA1)
Luisç Nevesã wrote:
> I am trying to use mod_authz_ldap to query a X.509 certificate on a
> ldap directory
This is rather a LDAP-related question e.g. for the openldap-technical mailing
list if you're using OpenLDAP server or the more general list l...@umich.edu.
> in the directory, i have stored
the one to decide on
that but I want to propose that to my customer.
Ciao, Michael.
--
Michael Ströder Klauprechtstr. 11
Dipl.-Inform. D-76137 Karlsruhe, Germany
Tel.: +49 721 8304316
E-Mail:
shake kvc wrote:
>
> I want to be able to store CRLs in the openldap repository so that I can
> retrieve them using a LDAP client.
>
> Basically, the client would be given a LDAP URL as follows:
>
> ldap://xxx.yyy.com/CN=Challenger(1),CN=xxx,CN=C
> DP,CN=Public%20Key%20Services,CN=Services,CN=C
Dr. Stephen Henson wrote:
> On Tue, Mar 30, 2010, Michael Ströder wrote:
>> Someone sent me an encrypted S/MIME message which I could not decrypt in
>> Mozilla's Seamonkey. Trying to determine the cause for that I wanted to look
>> at the RecipientInfos structure with OpenSSL 0.9.8k shipped with ope
HI!
Someone sent me an encrypted S/MIME message which I could not decrypt in
Mozilla's Seamonkey. Trying to determine the cause for that I wanted to look
at the RecipientInfos structure with OpenSSL 0.9.8k shipped with openSUSE
Linux 11.2 and also tried with OpenSSL 1.0.0 (self-compiled).
But
HI!
Is there an API function in OpenSSL which extracts only the DER blob of
RecipientInfos from a CMS message (needed for encrypted S/MIME message). Or
has that to be done low-level with ASN.1 parser?
Ciao, Michael.
__
OpenSSL Pr
sandeep kiran p wrote:
> Ours is an LDAP directory enabled application where we use SSL/TLS to
> protect binds to the directory. Right now we are using OpenSSL 0.9.8g to
> do this. Our application depends on external directory servers for
> authentication which are not maintained by us. So it is on
Donny Dinh wrote:
>
> * ./openssl s_client -connect www.google.com:443 -state*
> [..]
> *6709:error:140943FC:SSL routines:SSL3_READ_BYTES:sslv3 alert bad record
> mac:s3_pkt.c:1057:SSL alert number 20*
> *6709:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake
> failure:s23_lib.c:188:*
>
>
Victor Duchovni wrote:
> On Thu, Nov 23, 2006 at 06:46:23PM -0300, Martín Coco wrote:
>
>>My main goal is to design a PKI for our server infrastructure (ldaps,
>>https, mail, vpn, etc.) The problem is that, for example, when reading
>>the mentioned book, all the examples are based on people, but n
Victor B. Wagner wrote:
> RFC 2511 defines ASN.1 syntax for putting multiple certificate request
> into one message:
> [..]
> Question is - how widespread is use of this syntax, is there any
> real-world CA which understand CertReqMessages sequence.
There are several PKI implementations which sup
Ronald Wiplinger wrote:
>
> At 09:13 AM 2001/8/20 +0200, you wrote:
>
> > The file you have sent was infected with a virus but InterScan
> > E-Mail VirusWall
> > could not clean it.
>
> I just wonder why this program send this info to the list and not
> to the person who sent the virus ;-)
B
StarTux wrote:
>
> [EMAIL PROTECTED] wrote:
>
> >We should be able to deal with this problem ourselves because it
> >affects us often enough.
Yes. :-(
> >Any suggestions how?
>
> Who has admin rights to the list? Anyone with admin rights should be
> able to nuke anyone off of the list quietly
haikel wrote:
>
> I need to develop an application that allows me to update, automaticaly,
> netscape and IE with new certificates and private keys.
IMHO this is not possible in general since the user's certificate
and key database is hopefully protected with his/her passphrase.
If you want to
[EMAIL PROTECTED] wrote:
> >Ng Pheng Siong wrote:
> >>
> >> Hi,
> >>
> >> I've gotten a few messages about M2Crypto not working on
> >> Linux (Red Hat
> >> 7.1, SuSe 7.1) because "undefined symbol: EVP_rc5_32_12_16_ofb".
> >>
> >> I understand the packaged OpenSSL on those platforms are versions o
Robert Hannemann wrote:
>
> I've generated a Certificate with DER encoding and add it to an LDAP
> Directory User Entry. When i search the LDAPentry with Netscape
> Addressbook, the Attributes of the Result looks good, but the
> Certificate is displayed as a binary string like :
>
> use
[EMAIL PROTECTED] wrote:
>
> I created a cert with the host name known as www.evilempire.com
> and netscape was quite happy to accept it and never reported that
> the URL I typed in does not match the name carried within the cert.
You're wrong. Even those old Netscape Navigator 4.0x certainly as
[EMAIL PROTECTED] wrote:
>
> Although
> I'm seeing that much speed improvement (using the "openssl speed" tests),
> I'm also seeing a significant drop in the amount of CPU utilisation.
> [..]
> Even if it were the case that you would get only 3x improvement on a 1Ghz
> P3, you would still have su
Maxime Dubois wrote:
>
> This solution was interesting but it seems that I need the private key of
> the user certificate to sign the request
Yes, my fault. Use the old cert request.
You should store them for auditing reasons anyway.
Ciao, Michael.
Maxime Dubois wrote:
>
> What I wanted to know is: How does a root CA say it does not trust anymore
> a sub-CA it has signed before?
By revoking the certificate of the sub CA.
Revoking means putting it into the root CA's CRL.
Ciao, Michael.
Maxime Dubois wrote:
>
> So I need to keep request files as I keep cert files...
Maybe you can also try to generate a new request from an expired
cert.
openssl x509 -x509toreq
> I think renewal is interesting because [...]
It's always a matter of your local policy.
Ciao, Michael.
Reiner Buehl wrote:
>
> There is a (not recommended) possibility for this: If all of your hosts
> belong to the same domain you could generate a so called "wildcard
> certificate".
> This is a certificate with a hostname like '*.mydomain.org'
AFAIK this does not work with M$ IE.
Ciao, Michael.
mariano Jesús wrote:
>
> Somebody Knows if it's possible to send attach files with smime.
Yes, it's possible. Note the MIME in S/MIME.
Ciao, Michael.
Marco Cunha wrote:
>
> we can't have our clients going around creating,
> signing & installing new certificates every once in a while so I was
> thinking about doing the following :
>
> Look into openssl.c and friends and figure out a way of making the server
> generate a CA cert and server cert
If we want to continue this thread I suggest to switch
to news:comp.dcom.vpn for not filling up openssl-users
with off-topic discussion.
Ciao, Michael.
Peter Stamfest wrote:
>
> * IPSec is hard to configure
But please give us a reason why you believe that the configuration
of "your solution" would be easier. Yes, it's somewhat more
complicated than starting setup.exe and just click a "Next" button
if it's meant to be really secure.
> The main
Peter Stamfest wrote:
>
> On Fri, 5 Jan 2001, Michael Ströder wrote:
>
> > SSL sits on top of a connection-oriented protocol like e.g. TCP or
> > PPP. Some VPN products use SSL over PPP over UDP. Did you mean that?
>
> What I have in mind is not SSL over UDP.
Of course since UDP is not a conn
> Alex Cosic wrote:
>
> JSSE java client
> [..]
> untrusted certificate chain.
1. Slightly off-topic here. Better ask in
news:comp.lang.java.security
2. Read the docs of Sun's keytool. keytool -import -alias "My CA"
...
Ciao, Michael.
Peter Stamfest wrote:
>
> Hello OpenSSL users,
> [..]
> * UDP based instead of TCP based (see below for reasons)
SSL sits on top of a connection-oriented protocol like e.g. TCP or
PPP. Some VPN products use SSL over PPP over UDP. Did you mean that?
But what's wrong with IPSec, S/WAN and http://
> Optik Marko wrote:
>
> Please can you send me links from German-sites for openSSL?
> English is too difficult for me.
You're lucky (Du hast Glück):
http://www.pca.dfn.de/dfnpca/certify/ssl/handbuch/
Ciao, Michael.
Dr S N Henson wrote:
>
> The email is always checked against the senders certificate: it is
> extracted from the signed email automatically so there is no need to
> download it manually.
Note: With Outlook (Express) you can turn off adding the sender's
certificate to the S/MIME signature to redu
Mahesh Anantharaman wrote:
>
> openssl smime -verify -noverify -nointern -nochain -in message.txt
> -certfile myfile.pem
Note that you normally MUST verify the validity of the sender's
certificate against a trusted root cert which you retrieved in a
secure way. Otherwise you have to make sure th
Ri Li wrote:
> I have some question about the SSL, when my office
> is using a Proxy server to go to the internet. Is the
> SSL encryption only encrypt between the Proxy Server to
> the Internet Web Server? or protect from user under
> proxy server to Internet Web Server??
If you configured your
Deepak wrote:
>
> I have a piece of Java (JSSE) code
BTW:
news:comp.lang.java.security is a more appropriate
forum for these kind of questions...
Ciao, Michael.
Deepak wrote:
>
> I have created a self signed server certificate on a local machine using
> OpenSSL. I want to connect to this machine using the same code but it gives
> an error "javax.net.ssl.SSLException: untrusted server cert chain". I want
> the code to trust this certificate.
You have to
Xiaohua Cheng wrote:
>
> So, now keytool can recognize the certificate your OpenSSL generates?
Yes. keytool of JDK 1.3, X509v3 server cert with some extensions.
> It always returns
> "unrecognized format" when I was trying to import certificate generated
> with OpenSSL into the keystore.
Try
Dr S N Henson wrote:
>
> making sure there's no summary info before BEGIN CERTIFICATE
> and seeing if you can find what format keytool wants.
Uuumpf! Yes, my fault (turning red): I did not remove the text
before BEGIN CERTIFICATE line. Sorry.
Ciao, Michael.
HI!
I'm currently trying to parse the X.509v3 certificate extensions
with the help of an ASN.1 parser module for Python. I'm somewhat
stuck into detail problems since I'm a total ASN.1 newbie. Maybe I
have misunderstood some concepts.
If I'm parsing the extensions do I have to use a-priori knowl
"Pablo J. Royo" wrote:
>
> I'm using this cert from Baltimore with openssl0.9.5a.
This question is for openssl-users not openssl-dev.
> I don't know why they generate PEM certs with 76 chars in each line,
> instead of 64 as everybody does.
Should be no problem. Depends on their base64 lib.
>
Eric Rescorla wrote:
>
> Technically, they're both correct.
This posting is sent to the list several times.
Can someone stop this please?
Ciao, Michael.
HI!
I read the mod_ssl-README about Server Gated Cryptography / Global
Server IDs. Well, that seems interesting to me. I created a server cert
for a Notes/Domino Server 4.61 with X.509v3 attributes msSGC and nsSGC
set. But the Domino Server seems not to accept the certificate. Does
somebody has e
"Rubinstein, Dmitry" wrote:
>
> will have any hits from 'mil' TLD.
> [..]
> I've got 1768 total hits for 3 months
> [..]
> Have many hits and good luck unveiling the NSA conspiracy!
> [..]
> BTW, the military guy must have found your site pretty dull, if there
> were no more hits... ;-)
(Sigh!)
Hi Mike,
yes, you are on the wrong mailing-list.
Mike Bartlett wrote:
>
> I was under the impression that OpenSSL was an SSL mod
> to Apache BASED ON SSLEAY and hence should have its own method or
> similar method to getca. Any idea where getca is - should I install
> something else?
No. OpenS
Gideon Serfontein wrote:
>
> I am having a problem signing a Microsoft IE certificate ,
> [..]
> If anyone can help me , or has gotten the Xenroll.dll to work , please
> let me know.
I can send you a gzipped tar-ball with a snapshot of pyCA
(http://sites.inka.de/ms/python/pyca/) which does inclu
HI!
Please, can we stop the off-topic discussion here?
We have enough to read all day.
Ciao, Michael.
Stefan Kelm wrote:
>
> Moin,
>
> > > However, at least the current browsers will not check a
> > > certificate's
> > > validity based on hours and minutes but based on days.
> >
> > M$ IE definitely checks hours and minutes.
>
> IE version? Service Pack version?
IE 4 something. I did not chec
"Salz, Rich" wrote:
>
> >type of certificate to publish in an LDAP directory for support of
> >S/MIME,
> >etc. Are there any strong feelings about X.509 vs. PKCS12 (or others)
> or
> >encoding types?
>
> I thought everyone used the DER representation of the X.509 certificate
> structure. (Tha
HI!
I'm currently having a hard time integrating support for MS Internet
Explorer 4+ into my poor man's CA package pyCA.
I managed to generate a certificate request and get the issued
certificate installed into IE with some small VBScript code.
But I have several questions:
1. MS IE accepts CA
Jan Meijer wrote:
>
> but I'd like to know (if it is possible) the
> fingerprint before certifying.
> It all has to do with the verification
> process we want to do before certifying a key.
>
> The process can be described as follows:
> [..]
> During 4 the verification of the identity is done fa
ssl wrote:
>
> On Mon, 30 Aug 1999, Michael Ströder wrote:
>
> > ssl wrote:
> > >
> > > below the cert info, you'll see the "Check Certificate Status" button,
> > > [..]
> > > By this method, the cert must have "nsR
tls wrote:
>
> Can any one provide pointers to correctly creating a Object Signing CA
> and Object Signing Certificate (netscape x509v3 extensions) to be
> able to sign java jars and applets for trusted api interaction under
> netscape 4.61?
Create CA certificate with nsCertType objCA and c
CASTELAIN Didier wrote:
>
> Is there a Certificate server in Freeware or for a trial period ?
Have a look at:
http://www.openssl.org/related/apps.html
Ciao, Michael.
Erwann ABALEA wrote:
>
> On Tue, 13 Jul 1999, Radovan Semancik wrote:
>
> > I have problem with OpenSSL generated certificates. MSIE 4 and MSIE 5
> > both say that this certificate has expired:
> [..]
> - the server/client certificate has a notAfterDate that falls AFTER the
>CA's one... It'
> Raul Gutierrez wrote:
>
> I am installing the pyCA package
> and when i run from the browser the
> ca-index.py script i get the following error:
>
> Internal Server Error
>
> When i saw the error log i saw the following:
> [..]
> Traceback (innermost last):
> File "/usr/local/apa
Lars Weber wrote:
>
> I have some (late) suggestions for the next OpenSSL-Release:
>
> 1) Fingerprint for requests
>
> This should calculate a unique fingerprint for the request and would
> make it possible to identify a request via this hash. I think this
> would be very helpful for CAs (well,
Phil Tracy wrote:
>
> At 04:33 AM 4/27/99 , you wrote:
> >I would like to announce a new beta release of pyca, a set of scripts
> >and CGI-BIN programs for setting up and running a certificate authority
> >using OpenSSL.
>
> Thanks for the contribution! It looks great so far. I'm just getting
HI!
I would like to announce a new beta release of pyca, a set of scripts
and CGI-BIN programs for setting up and running a certificate authority
using OpenSSL.
See
http://sites.inka.de/ms/python/pyca/
for further details. Unfortunately there's no real documentation
available up to now and t
HI!
I'm working on a CA framework which takes all parameters from
openssl.cnf. I want to write a (Python) script which does all of the CA
certificate stuff.
In order to generate a whole CA hierarchies (Root-CA signs other CA's)
there should be a parameter in the openssl.cnf which CA is signed by