Subject: Re: Request for a -noverify option for openssl ca
> Sandipan Gangopadhyay wrote:
> >
> > Hi.
> >
> > openssl ca performs a signature check on the CSR prior to issuing the
> [...]
> > the DN that needs to be expanded or modified or marked up by the CA.
> [...
Hi.
openssl ca performs a signature check on the CSR prior to issuing the
certificate. I could not find (I had posted on the list before) any way to
shut it off, and had to finally add a line to openssl ca to generate a
warning on signature verification failure rather than a fatal error.
Can we h
> robert> just say so. give it up to some other mini monopoly and lets
> robert> them compete and see who gets to the Valhalla first.
Give it up ? Mini monopoly ?
It's Open Source. It's free for anyone to take and 'reach Valhalla' !
Regards,
Sandipan
- Original Message -
From: "Richard
openssl req
-in pkcs10receivedfromclient.csr
-config configfilewithDN.cnf
-out pkcs10withNewDN.csr
is ignoring the DN in the config file.
The pkcs10receivedfromclient.csr has "DC=COM"
and configfilewithDN.cnf has
[ req ]
...
distinguished_name = req_distinguished_name
[ req_dis
I am using
./openssl ca -batch -config inxuser.cnf -out inxUser.crt -infiles inxUser.csr
to certify a CSR in inxUser.csr into inxUser.crt
Can I do something (say, inside the inxuser.cnf) to override (change) the CN
requested in the CSR while granting the certificate ?
Thanks,
Sandipan
[PS This
Message -
From: "Sandipan Gangopadhyay" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, March 28, 2001 12:57 PM
Subject: Re: XEnroll.AcceptPKCS7 returns error 0x80092004 on MS IE 5.5
> Does anyone know the address of the Microsoft CryptoAPI mailing list ?
Does anyone know the address of the Microsoft CryptoAPI mailing list ?
Unless I am mistaken, CEnroll matches the certificate PKCS7 with the request
(and related private key) before it accepts it. Like Greg says.
This is essential because PKCS7 does not carry the private key. By itself,
its conte
The documentation shows that the subj option to supersede the DN in the CSR
can be used in CRL mode.
1. Can I use it in the normal CSR => CRT certification mode ?
2. How do I specify this option ? Would [ CN=xxx,[EMAIL PROTECTED] ] do ?
Thanks,
Sandipan
Thanks for the pointer.
I had put the directory of the ssl.crt (crt store) in the
SSLCACertificatePath originally. Then, I also put the actual common Root CA
crt file name in the SSLCACertificateFile (when Oliver Bode suggested it). I
also looked at the handshake process as suggested by Dr Henson
I know this has more to do with IE idiosyncrasies, but I have the following
problem with my Client Certificate:
1. I have a client certificate (Digital ID) generated with Xenroll and
certified by an OpenSSL CA. I am able to use the private key and certificate
to sign emails.
2. I have an Apache-M
Greg,
When the client signs the handshake message hash with its private key, how
does the server (say, Apache/ModSSL) authenticate that encryption/signature
? Is the client's certificate also enclosed ? Asked for by the server ?
Needs to be stored on the server in advance ?
Regards,
Sandipan
--
entire DER encoded certificate.
You can calculate it using the 'openssl' utility via:
openssl dgst -sha1 -c < cert.der
_
Greg Stark
Ethentica, Inc.
[EMAIL PROTECTED]
_
- Original Message -
From: Sandipan
I used Xenroll and openssl to create a Digital ID
on a Windows System. This is working fine. I can
use it to sign emails.
My question is that when I view this certificate on
IE or OE, Windows shows the digital ID's SHA1 Thumbprint.
This obviously is a hash, but of what ? The public
key i
Do we need openssl 0.9.6 for the -batch option ?
Will it work with 0.9.4 ?
It gives -
-batch: No such file or directory
1549:error:02001002:system library:fopen:system lib:bss_file.c:244:fopen('-batch','r')
1549:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:246:
e requests.
#
# Modified by Sandipan Gangopadhyay 2000.02.14 for Privae Limited
# INXSERVER KEY CERTIFICATION CONFIGURATION FILE
RANDFILE= $ENV::HOME/.rnd
oid_file= $ENV::HOME/.oid
oid_section = new_oids
# To use this configuration file with the "-extfile
I want to use Xenroll to generate a keypair on a Windows system and submit
the public key over HTTPS POST to an ApacheServer/Mod_SSL with a CGI
invoking openssl ca for the signing. Thanks to Greg Stark's samples and the
MS Xenroll site, I have been able to start on this task.
I have a few questio
> - Begin Original Message -
> From: "Sandipan Gangopadhyay" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Tuesday, February 20, 2001 9:14 AM
> Subject: Xen
Back in 1997, there was a discussion with Dr Henson on the use of
Xenroll.dll with MSIE and (then SSLeay) OpenSSL.
http://remus.prakinf.tu-ilmenau.de/ssl-users/archive22/0040.html
Could someone tell me anything about the following two issues :
1. Xenroll uses ActiveX that is by default disabled
, February 16, 2001 11:18 PM
Subject: Re: New OID in openssl.cnf
> From: "Sandipan Gangopadhyay" <[EMAIL PROTECTED]>
>
> sandipan> I did :
> sandipan> [ new_oids ]
> sandipan> domainComponent=0.9.2342.19200300.100.1.25
>
> Did you understand tha
,
Sandipan
- Original Message -
From: "Richard Levitte - VMS Whacker" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
Sent: Friday, February 16, 2001 3:28 PM
Subject: Re: New OID in openssl.cnf
> From: "Sandipan Gangopadhyay" <
I need a new OID in the certificate. This OID is DC
The DC I want is the top level element in the Distinguished Name.
Ie. dc = cn, ou, o, dc
[ new_oids ]
# We can add new OIDs in here for use by 'ca' and 'req'.
# Add a simple OID like this:
# testoid1=1.2.3.4
# Or use config file substitution li
Cc: <[EMAIL PROTECTED]>
Sent: Wednesday, February 14, 2001 3:33 PM
Subject: Re: obtaining input from a file or from the command line
> From: "Sandipan Gangopadhyay" <[EMAIL PROTECTED]>
>
> sandipan> Thanks - you have saved me from grave error. I had assume
/openssl.html#. If your password is
badpass,
> then you can use openssl genrsa -des3 -out rca.key -passout pass:badpass
>
> _
> Greg Stark
> Ethentica, Inc.
> [EMAIL PROTECTED]
> _____
>
>
>
> - Origina
How could I ask it NOT to require a passphrase at all ?
Thanks,
Sandipan
- Original Message -
From: "Dr S N Henson" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, February 14, 2001 3:38 AM
Subject: Re: obtaining input from a file or from the command line
> Sean Conley wro
Q1. How do I have openssl pick up the Country,
Area, etc. details from a text file rather than from the console ? Eg, in the
following:
./openssl req -new -x509 -days 365 -key rca.key -out rca.crt
Q2. How do I have openssl not request a
passphrase while generating a key pair as in:
./o