Hi All,
I'm working on a PERL script that creates the key,
then req, then gets cert signed then makes a p12 file
using a randomly generated password etc.
I have also writting a PERL script that reads through
directories looking for files with "BEGIN CERTIFICATE"
and then calls x509 to convert the
Not sure what your trying to attempt but have you
search the list of subjectAltName? Also you may be
able to configure your web server to handle the
different CN names, again, depending on what your
trying to do.
--- "Jan F. Schnellbaecher" <[EMAIL PROTECTED]>
wrote:
> Hello,
>
> can anybody e
= FALSE
ProviderName = "Microsoft RSA SChannel Cryptographic
Provider"
ProviderType = 12
RequestType = PKCS10
KeyUsage = 0xa0
[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.1
--- ray v <[EMAIL PROTECTED]> wrote:
> Hi Team! All!
Hi Team! All!
I'm just googled to death and need help on this one.
Server 2003
Exchange 2003
Latest patches...all of them..
Last year I generated cert requests with the
certutil -new myserver.inf myservers.req
When generating the certificate I use extendedKeyUsage
= 1.3.6.1.5.5.7.3.1 for Serv
Can this be done with out having to make a new private
key? Or am I just barking up the wrong tree?
__
Do You Yahoo!?
Tired of spam? Yahoo! Mail has the best spam protection around
http://mail.yahoo.com
Alicia,
Thank you for getting back to me
I need to take the Root CA certificate/private key and
change the modulus from 512 bit to 2048 bit. I assume
that I have to make a new Root CA Certificate request
and then sign it with the old one?
The problem that I have is newer devices are not
allowin
I know this is a noob question but I have inherited an
existing CA based on openssl. I need to change some
existing certificates from 512 bit to 2048 bit. I have
the private keys and was wondering if the proper
approach was to renew the certificate and modify them
there? Or is this not possible? Po
This is probably a real noob question but I've no idea
where to start looking. I've inherited an openssl
based CA. The ROOT CA certificate is 512 bits long.
RSA Public Key: (512 bit)
Modulus (512 bit):
The is the best way to change this? I thought maybe
renewal might be the best r
Ok finally had time to work on this project again and
solve the problem.
To fix the problem I upgraded from
vpn3000-4.1.5.B-k9.bin to vpn3000-4.1.7.E-k9.bin
--- ray v <[EMAIL PROTECTED]> wrote:
> Yes, first thing I did was install the CA root
> certificate and the sub CA certi
> Have you installed the CA cert on the cisco?
>
> David Gianndrea
> Senior Network Engineer
> Comsquared Systems, Inc.
>
> Email: [EMAIL PROTECTED]
> Web: www.comsquared.com
>
>
> ray v wrote:
> > Has anyone been able to get a certificate signed
>
Has anyone been able to get a certificate signed by
openssl CA to accept the identity certificate?
1. Gen manual pkcs10 req on 3kvpn
2. Sign 3kvpn req and make cert
3. install cert through cut and paste or file transfer
error message
Error installing SSL certificate: Incomplete chain.
I verifi
eater than 2048 This includes the CA
>
>
>
> ray v <[EMAIL PROTECTED]>
> Sent by: [EMAIL PROTECTED]
> 05/12/2005 01:16 AM
> Please respond to
> openssl-users@openssl.org
>
>
> To
> openssl-users@openssl.org
> cc
>
> Subject
> Cisco concent
Hi All, Hi Steve!
Does anyone have documentation on how to get a
concentrator to accept certificate signed by openssl?
Cisco VPN 3030 4.x
On the concentrator I have install both my Root CA
certificate and the Sub CA I used to sign request for
internal devices. Next I generate a manual request
I don't know if this will help but here are some stats
from our humble little server.
Hardware:
2 3gig xeon cpu's
2 gig ram
70 gig hardware raid 1
Linux AS 3
We can generate 1 certificate(1024 bits key length) at
.02 seconds per certificate. It would probably be
faster if we didn't create the p
Thanks for the help all!
As far as I can tell you can not use the certificate
snap-in to create a certificate request for a
third-party CA. If you try it will fail claiming that
it can not contact the CA server.
If you install the CA management tool and then try to
make a request the certificate
penssl certificate on LDAPS or has an idea why the
server can't find the private I would be appreciative.
thanks group!
--- Rafeeq Ahmed <[EMAIL PROTECTED]> wrote:
> Hi ray
>
> check this
> http://www.madboa.com/geek/openssl/
>
> regards
> Rafeeq
>
> On
Is there anyway to rebuild the index.txt file?
Basically this file hasn't been properly maintained in
the past. As I understand it, this file is critical
for processes like CRLs and since I'm going way beyond
simple certificate issuer. I would like to fix this
file before moving on.
Any suggestio
I'm trying to get our domain controllers to make use
of certificates generated by our openssl based CA. Is
there documentation out there on how to make this work
correctly? Any pointers would be appreciated!
Requirements for making third-party certificates work
http://support.microsoft.com/default
RL signing CA : No
Any Purpose : Yes
Any Purpose CA : Yes
OCSP helper : Yes
OCSP helper CA : No
--- ray v <[EMAIL PROTECTED]> wrote:
> Let me see if I understand what your saying?
>
> I need to generate another CA certificate the has
> only
> ssl client set yes?
>
>
ds almost everything accept CA ability which is
turned off by basicConstriants. So if what is written
above is true then how to you remove types?
I'm sure that I don't have all the facts here, but
there are a bit confusing..
--- Michael Weiner <[EMAIL PROTECTED]> w
s but we also want to restrict the purpose
field to just "ssl client". We don't want to include
ssl server, netscape*, objsign, or e-mail. ... just
ssl client.
There must be a way to do this during CSR signing but
I'm just not sure what to look for?
--- Michael Weiner <[EMA
Hello all!
I'm looking for ways to turn off and on features in
the "Certificate purposes" are of a certificate. I've
read over extfile and extension plus looked at
basicContraints.
I'm unclear by the documentation written for openssl,
x509, ca, etc., just how to do this. Can someone
please point
Hi all!
I'm writting this up to help those that my wish to
insert thier own values into the extension section of
a certificate for use on internal applications. I do
not know yet what the outcome will be when using these
extension with main stream compliant applications.
In the begining I didn't
Ok I can get x509 to accept the extension now,
something like this
extensions = extend
[extend]
#basicConstraints = critical,CA:true
1.3.6.1.4.1..1002 =
DER:06:09:2B:06:01:04:01:D6:1F:87:6A
openssl x509 -in test.crt -text -noout
X509v3 extensions:
1.3.6.1.4.1..1002:
> making a custom extension that would carry the same
> information you're trying to add to the DN?
>
> Also check the most updated documentation on the
> options
> for OpenSSL command line tools -- seems to me I saw
> some
> new options pop up for modifying the DN in
a way to do this with out patching
openssl's code?
If yes, what would be your suggestion?
--- "Dr. Stephen Henson" <[EMAIL PROTECTED]> wrote:
> On Wed, Nov 10, 2004, ray v wrote:
>
> > I wish to add something like
> >
> > 1.3.6.1.4.1..1 to th
I wish to add something like
1.3.6.1.4.1..1 to the Distinguished name
something like...
CN=Me,O=FOO,OU=Bar,1.3.6.1.4.1..1=stuff
What's the best way to do this when you need to
specify the -extfile option? Or is it really necessary
to use the -extfile ?
Below is my test extfiles, could you please tell me
what I'm doing wrong?
First attempt:
extensions = extend
[extend]
pid = 1.3.6.1.4.1..1002
12130:error:2207C082:X509 V3
routines:DO_EXT_CONF:unknown extension
name:v3_conf.c:123:
12130:error:2206B080:X509 V3
routines:X509V3_EXT_conf:error
Thank Charles! This completely clears things up for
me.
AWESOME!
--- Charles B Cranston <[EMAIL PROTECTED]> wrote:
> > Could someone be so kind as to post examples of
> their
> > extfile or extensions section?
>
> Here's an example of a shell script that generates
> an entire
> PKI: root, two
Could someone be so kind as to post examples of their
extfile or extensions section?
thanks in advance!
__
Do you Yahoo!?
Check out the new Yahoo! Front Page.
www.yahoo.com
___
ECTED]> wrote:
> On Tue, Nov 09, 2004, ray v wrote:
>
> > Thanks Dr. Henson
> >
> > Ok this might be a sad indicator about my skill
> > regarding this matter. Autoconfig is?
> >
>
> Its a mechanism where compliant OpenSSL applications
> can load v
Thanks Dr. Henson
The link you sent was the one I used to base my
current configuration on. Its enivitable but I have a
few more questions below.
--- "Dr. Stephen Henson" <[EMAIL PROTECTED]> wrote:
> On Tue, Nov 09, 2004, ray v wrote:
>
> > Hi All!
> >
>
Hi All!
I created an OID section but I'm a little confused
with how to use it. My example...
oid_section = my_oids
[my_oids]
value1 = 1.3.6.1.4.1..1
value2 = 1.3.6.1.4.1..2
value3 = 1.3.6.1.4.1..3
If I specify the -config sample.cnf when creating the
key, request and ce
Ok second day to experiment with OIDs. I found our
company regiester OIDs. I use them like so..
oid_section = company_oids
[company_oids]
val1 = 1.3.6.1.4.1.9.50
val2 = 1.3.6.1.4.1.9.51
val3 = 1.3.6.1.4.1.9.52
So when I make certificates everything goes well no
errors. However when
Hi All,
I've searched/read through much of the openssl-users
group and documents provided by openssl.org. I'm still
fuzzy about how to accomplish my task, maybe someone
can help out.
First of I'm not a coder, I can hack some, if its very
simple stuff.
I wish to add three custom fields for tracki
35 matches
Mail list logo