Creating an array of values for generated certificates?

2007-03-23 Thread ray v
Hi All, I'm working on a PERL script that creates the key, then req, then gets cert signed then makes a p12 file using a randomly generated password etc. I have also written a PERL script that reads through directories looking for files with "BEGIN CERTIFICATE" and then calls x509 to convert the

Re: Reading server name extension

2007-03-07 Thread ray v
Not sure what you're trying to attempt but have you searched the list of subjectAltName? Also you may be able to configure your web server to handle the different CN names, again, depending on what you're trying to do. --- "Jan F. Schnellbaecher" <[EMAIL PROTECTED]> wrote: > Hello, > > can anybody e

Re: Exchange 2003 refuses imaps/pops connection after importing new openssl certs

2006-11-16 Thread ray v
= FALSE ProviderName = "Microsoft RSA SChannel Cryptographic Provider" ProviderType = 12 RequestType = PKCS10 KeyUsage = 0xa0 [EnhancedKeyUsageExtension] OID=1.3.6.1.5.5.7.3.1 --- ray v <[EMAIL PROTECTED]> wrote: > Hi Team! All!

Exchange 2003 refuses imaps/pops connection after importing new openssl certs

2006-11-15 Thread ray v
Hi Team! All! I'm just googled to death and need help on this one. Server 2003 Exchange 2003 Latest patches...all of them.. Last year I generated cert requests with the certutil -new myserver.inf myservers.req When generating the certificate I use extendedKeyUsage = 1.3.6.1.5.5.7.3.1 for Serv

change/convert 512 bit long modulus to 2048 on private key?

2006-05-19 Thread ray v
Can this be done without having to make a new private key? Or am I just barking up the wrong tree?

Re: Changing existing certificates from 512 bits to 2048 bits

2006-05-17 Thread ray v
Alicia, Thank you for getting back to me I need to take the Root CA certificate/private key and change the modulus from 512 bit to 2048 bit. I assume that I have to make a new Root CA Certificate request and then sign it with the old one? The problem that I have is newer devices are not allowin

Changing existing certificates from 512 bits to 2048 bits

2006-05-17 Thread ray v
I know this is a noob question but I have inherited an existing CA based on openssl. I need to change some existing certificates from 512 bit to 2048 bit. I have the private keys and was wondering if the proper approach was to renew the certificate and modify them there? Or is this not possible? Po

Root CA key bit length too small - How do I change this?

2006-05-17 Thread ray v
This is probably a real noob question but I've no idea where to start looking. I've inherited an openssl based CA. The ROOT CA certificate is 512 bits long. RSA Public Key: (512 bit) Modulus (512 bit): What is the best way to change this? I thought maybe renewal might be the best r

Re: Getting Cisco 3kvpn to accept openssl signed certs - anyone done it?

2005-06-01 Thread ray v
Ok finally had time to work on this project again and solve the problem. To fix the problem I upgraded from vpn3000-4.1.5.B-k9.bin to vpn3000-4.1.7.E-k9.bin --- ray v <[EMAIL PROTECTED]> wrote: > Yes, first thing I did was install the CA root > certificate and the sub CA certi

Re: Getting Cisco 3kvpn to accept openssl signed certs - anyone done it?

2005-05-23 Thread ray v
> Have you installed the CA cert on the cisco? > > David Gianndrea > Senior Network Engineer > Comsquared Systems, Inc. > > Email: [EMAIL PROTECTED] > Web: www.comsquared.com > > > ray v wrote: > > Has anyone been able to get a certificate signed >

Getting Cisco 3kvpn to accept openssl signed certs - anyone done it?

2005-05-17 Thread ray v
Has anyone been able to get a certificate signed by openssl CA to accept the identity certificate? 1. Gen manual pkcs10 req on 3kvpn 2. Sign 3kvpn req and make cert 3. install cert through cut and paste or file transfer error message Error installing SSL certificate: Incomplete chain. I verifi

Re: Cisco concentrator not accept certificate from openssl

2005-05-12 Thread ray v
eater than 2048 This includes the CA > > > > ray v <[EMAIL PROTECTED]> > Sent by: [EMAIL PROTECTED] > 05/12/2005 01:16 AM > Please respond to > openssl-users@openssl.org > > > To > openssl-users@openssl.org > cc > > Subject > Cisco concent

Cisco concentrator not accept certificate from openssl

2005-05-11 Thread ray v
Hi All, Hi Steve! Does anyone have documentation on how to get a concentrator to accept certificate signed by openssl? Cisco VPN 3030 4.x On the concentrator I have installed both my Root CA certificate and the Sub CA I used to sign request for internal devices. Next I generate a manual request

Re: CPU horsepower needed to run openssl

2005-04-28 Thread ray v
I don't know if this will help but here are some stats from our humble little server. Hardware: 2 3gig xeon cpu's 2 gig ram 70 gig hardware raid 1 Linux AS 3 We can generate 1 certificate(1024 bits key length) at .02 seconds per certificate. It would probably be faster if we didn't create the p

Re: Openssl CA for windows nt 2003, any docs on this out there?

2005-03-01 Thread ray v
Thanks for the help all! As far as I can tell you can not use the certificate snap-in to create a certificate request for a third-party CA. If you try it will fail claiming that it can not contact the CA server. If you install the CA management tool and then try to make a request the certificate

Re: Openssl CA for windows nt 2003, any docs on this out there?

2005-03-01 Thread ray v
penssl certificate on LDAPS or has an idea why the server can't find the private I would be appreciative. thanks group! --- Rafeeq Ahmed <[EMAIL PROTECTED]> wrote: > Hi ray > > check this > http://www.madboa.com/geek/openssl/ > > regards > Rafeeq > > On

Rebuilding the index.txt file?

2005-02-28 Thread ray v
Is there any way to rebuild the index.txt file? Basically this file hasn't been properly maintained in the past. As I understand it, this file is critical for processes like CRLs and since I'm going way beyond simple certificate issuer. I would like to fix this file before moving on. Any suggestio

Openssl CA for windows nt 2003, any docs on this out there?

2005-02-28 Thread ray v
I'm trying to get our domain controllers to make use of certificates generated by our openssl based CA. Is there documentation out there on how to make this work correctly? Any pointers would be appreciated! Requirements for making third-party certificates work http://support.microsoft.com/default

Re: modifying Certificate purposes

2005-02-22 Thread ray v
RL signing CA : No Any Purpose : Yes Any Purpose CA : Yes OCSP helper : Yes OCSP helper CA : No --- ray v <[EMAIL PROTECTED]> wrote: > Let me see if I understand what you're saying? > > I need to generate another CA certificate that has > only > ssl client set yes? > >

Re: modifying Certificate purposes

2005-02-22 Thread ray v
ds almost everything except CA ability which is turned off by basicConstraints. So if what is written above is true then how do you remove types? I'm sure that I don't have all the facts here, but there are a bit confusing.. --- Michael Weiner <[EMAIL PROTECTED]> w

Re: modifying Certificate purposes

2005-02-22 Thread ray v
s but we also want to restrict the purpose field to just "ssl client". We don't want to include ssl server, netscape*, objsign, or e-mail. ... just ssl client. There must be a way to do this during CSR signing but I'm just not sure what to look for? --- Michael Weiner <[EMA

modifying Certificate purposes

2005-02-22 Thread ray v
Hello all! I'm looking for ways to turn off and on features in the "Certificate purposes" area of a certificate. I've read over extfile and extension plus looked at basicConstraints. I'm unclear by the documentation written for openssl, x509, ca, etc., just how to do this. Can someone please point

Adding custom extensions (x509_extension) to your certificate

2004-11-12 Thread ray v
Hi all! I'm writing this up to help those that may wish to insert their own values into the extension section of a certificate for use on internal applications. I do not know yet what the outcome will be when using these extensions with mainstream compliant applications. In the beginning I didn't

Re: Can you add to the DN after the certificate request is made?

2004-11-12 Thread ray v
Ok I can get x509 to accept the extension now, something like this extensions = extend [extend] #basicConstraints = critical,CA:true 1.3.6.1.4.1..1002 = DER:06:09:2B:06:01:04:01:D6:1F:87:6A openssl x509 -in test.crt -text -noout X509v3 extensions: 1.3.6.1.4.1..1002:

Re: Can you add to the DN after the certificate request is made?

2004-11-10 Thread ray v
> making a custom extension that would carry the same > information you're trying to add to the DN? > > Also check the most updated documentation on the > options > for OpenSSL command line tools -- seems to me I saw > some > new options pop up for modifying the DN in

Re: Can you add to the DN after the certificate request is made?

2004-11-10 Thread ray v
a way to do this with out patching openssl's code? If yes, what would be your suggestion? --- "Dr. Stephen Henson" <[EMAIL PROTECTED]> wrote: > On Wed, Nov 10, 2004, ray v wrote: > > > I wish to add something like > > > > 1.3.6.1.4.1..1 to th

Can you add to the DN after the certificate request is made?

2004-11-10 Thread ray v
I wish to add something like 1.3.6.1.4.1..1 to the Distinguished name something like... CN=Me,O=FOO,OU=Bar,1.3.6.1.4.1..1=stuff What's the best way to do this when you need to specify the -extfile option? Or is it really necessary to use the -extfile ?

Re: examples of -extfile file -extensions section

2004-11-10 Thread ray v
Below is my test extfiles, could you please tell me what I'm doing wrong? First attempt: extensions = extend [extend] pid = 1.3.6.1.4.1..1002 12130:error:2207C082:X509 V3 routines:DO_EXT_CONF:unknown extension name:v3_conf.c:123: 12130:error:2206B080:X509 V3 routines:X509V3_EXT_conf:error

Re: examples of -extfile file -extensions section

2004-11-10 Thread ray v
Thanks Charles! This completely clears things up for me. AWESOME! --- Charles B Cranston <[EMAIL PROTECTED]> wrote: > > Could someone be so kind as to post examples of > their > > extfile or extensions section? > > Here's an example of a shell script that generates > an entire > PKI: root, two

examples of -extfile file -extensions section

2004-11-09 Thread ray v
Could someone be so kind as to post examples of their extfile or extensions section? thanks in advance!

Re: oid_section questions please help!

2004-11-09 Thread ray v
ECTED]> wrote: > On Tue, Nov 09, 2004, ray v wrote: > > > Thanks Dr. Henson > > > > Ok this might be a sad indicator about my skill > > regarding this matter. Autoconfig is? > > > > Its a mechanism where compliant OpenSSL applications > can load v

Re: oid_section questions please help!

2004-11-09 Thread ray v
Thanks Dr. Henson The link you sent was the one I used to base my current configuration on. It's inevitable but I have a few more questions below. --- "Dr. Stephen Henson" <[EMAIL PROTECTED]> wrote: > On Tue, Nov 09, 2004, ray v wrote: > > > Hi All! > > >

oid_section questions please help!

2004-11-09 Thread ray v
Hi All! I created an OID section but I'm a little confused with how to use it. My example... oid_section = my_oids [my_oids] value1 = 1.3.6.1.4.1..1 value2 = 1.3.6.1.4.1..2 value3 = 1.3.6.1.4.1..3 If I specify the -config sample.cnf when creating the key, request and ce

I have OIDs, I have extension, x509 only sees OIDS

2004-11-08 Thread ray v
Ok second day to experiment with OIDs. I found our company registered OIDs. I use them like so.. oid_section = company_oids [company_oids] val1 = 1.3.6.1.4.1.9.50 val2 = 1.3.6.1.4.1.9.51 val3 = 1.3.6.1.4.1.9.52 So when I make certificates everything goes well no errors. However when

questions about custom extensions?

2004-11-08 Thread ray v
Hi All, I've searched/read through much of the openssl-users group and documents provided by openssl.org. I'm still fuzzy about how to accomplish my task, maybe someone can help out. First off I'm not a coder, I can hack some, if it's very simple stuff. I wish to add three custom fields for tracki