On Sat, Feb 14, 2015, Benny Baumann wrote:
>
> I want to encode a new CRL's (X509_CRL_new), currently invalid,
> Signing algorithm (i2d_X509_ALGOR( crl->signing_alg, ... ) ) and
> restore that with "d2i_X509_ALGOR( &crl->signing_alg, ...)"
> afterwards.
Hi,
I am trying to encode deltas between CRLs directly in ASN1 (DER), which
works quite fine. Thereby I stumbled across a problem with encoding
X509_ALGORS to ASN1:
I want to encode a new CRL's (X509_CRL_new), currently invalid, Signing
algorithm (i2d_X509_ALGOR
>
>
> On 11/15/2011 1:52 PM, Olivier Sessink wrote:
>>
>> Hi all,
>>
>> on various sources on the internet I found that it is possible to
>> concatenate two X509 CRL's together.
>>
>> cat file1.pem file2.pem > combined.pem
>>
The concatenation of two digitally signed CRLs is not a valid digitally signed CRL. Some
applications may happen to have code to explicitly support this hack, but that ability
could actually be a security hole as an enemy could concatenate an outdated and a current
alternative is OCSP.
-Original Message-
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org]
On behalf of Jakob Bohm
Sent: Tuesday, 15 November 2011 14:07
To: openssl-users@openssl.org
Subject: Re: concatenate two CRL's
The concatenation of two digi
ossible to
concatenate two X509 CRL's together.
cat file1.pem file2.pem > combined.pem
However, if I run
openssl crl -in combined.pem -text -noout
I see only the revoked certificates from file1.pem
Is this not supported? Should I use a different command? Is this a bug?
Thanks for
Hi all,
on various sources on the internet I found that it is possible to
concatenate two X509 CRL's together.
cat file1.pem file2.pem > combined.pem
However, if I run
openssl crl -in combined.pem -text -noout
I see only the revoked certificates from file1.pem
Is this not supported?
Hi,
The certificate you got from the CA probably has a URL distribution point set
in it.
You didn't say what kind of cert you got (client or server?), or what is using
the cert (browser? or server?), but, for example, if it's a client cert, and
you're using it (for example) in a browser, then
Hi,
I have a CA-signed certificate chain and whenever the SSL
handshake is going on I see 'UnparseableException' related to CRL
URL's. This particular URL seems to point to the CA's LDAP. What
exactly is going on here ? The handshake succeeds but I am trying to
understand if this is an aut
On Fri, Sep 22, 2006, [EMAIL PROTECTED] wrote:
>
> Hi Team,
>
> How do I get the next update time of CRL in no. of seconds?
>
> The API X509_CRL_get_nextUpdate(crl) returns a value in a different
> format (ASN1_TIME). How do I convert that API's return value in to
> "seconds"? My aim is to obta
tely
in no. of hours (the CRL will be updated after this many hours). So I am
converting that time in to seconds. Is it right?
Are there
any APIs available to get the CRL's next update time in seconds?
Could somebody
throw some light on the same?
With best regards,
-Su
Hi
Team,
How can I get the
next update time of CRL in no. of seconds?
The API
X509_CRL_get_nextUpdate(crl) returns a value in a different format. How do I
convert that API's return value in to "seconds"? My aim is to obtain the next
CRL update time in seconds. How to achieve that?
C
getting the base CRL's CDP. Please have a look at the code
mentioned below.
MY DOUBT: How to extract the delta crl's cdp? Can I use the
"NID_delta_crl" in the following API to extract the delta crl location
information?
pnt = X509_get_ext_d2i(x, NID_delta_crl, NULL, NULL);
Appreciate
On Thu, Nov 10, 2005, david kine wrote:
> Okay, I solved this problem in a very unexpected way.
>
> First of all, I was using s_server incorrectly. I
> neglected to add -CAfile. Doing so caused my
> application to get the error "23: certificate revoked"
> as expected.
>
> However, accessing se
Okay, I solved this problem in a very unexpected way.
First of all, I was using s_server incorrectly. I
neglected to add -CAfile. Doing so caused my
application to get the error "23: certificate revoked"
as expected.
However, accessing servers which were NOT revoked
still produced the error "3:
On Thu, Nov 10, 2005, david kine wrote:
> I tried your suggestion to set only
> X509_V_FLAG_CRL_CHECK, but unfortunately it did not
> help. Attempting to connect to ANY secure server
> still causes the same "unable to get certificate CRL"
> error.
>
> I know that the CRL is loaded successfully,
I tried your suggestion to set only
X509_V_FLAG_CRL_CHECK, but unfortunately it did not
help. Attempting to connect to ANY secure server
still causes the same "unable to get certificate CRL"
error.
I know that the CRL is loaded successfully, because I
can later extract it from the SSL_CTX and pri
On Wed, Nov 09, 2005, david kine wrote:
> I have a secure client application that loads a pkcs12
> file containing client cert, client key, and trusted
> root CA's. It works perfectly, connecting only to
> servers signed by the trusted CA's.
>
> However, when I load a single CRL file, then all
>
I have a secure client application that loads a pkcs12
file containing client cert, client key, and trusted
root CA's. It works perfectly, connecting only to
servers signed by the trusted CA's.
However, when I load a single CRL file, then all
connections fail:
"unable to get certificate CRL"
"SS
Very clever, thanks for the tips.
-David
--- "Dr. Stephen Henson" <[EMAIL PROTECTED]> wrote:
> On Wed, Nov 09, 2005, david kine wrote:
>
> > I've switched over to a Linux system running OpenSSL
> > 0.9.7a Feb 19 2003, and copied the CA.pl from Solaris,
> > now everything works fine.
> >
>
On Wed, Nov 09, 2005, david kine wrote:
> I've switched over to a Linux system running OpenSSL
> 0.9.7a Feb 19 2003, and copied the CA.pl from Solaris,
> now everything works fine.
>
> Going back to my original question, I need to create a
> root CA, then create a server CA (signed with the root
I've switched over to a Linux system running OpenSSL
0.9.7a Feb 19 2003, and copied the CA.pl from Solaris,
now everything works fine.
Going back to my original question, I need to create a
root CA, then create a server CA (signed with the root
CA), then create a server certificate (signed with th
On Wed, Nov 09, 2005, david kine wrote:
> I'm attempting to use CA.pl on a Solaris 10 Sparc
> system. OpenSSL is provided on the distribution CD's
> (OpenSSL 0.9.7d 17 Mar 2004). I use the following
> commands:
>
> 1. CA.pl -newca
> 2. CA.pl -newreq
> 3. CA.pl -signreq {problems at this
I'm attempting to use CA.pl on a Solaris 10 Sparc
system. OpenSSL is provided on the distribution CD's
(OpenSSL 0.9.7d 17 Mar 2004). I use the following
commands:
1. CA.pl -newca
2. CA.pl -newreq
3. CA.pl -signreq {problems at this step}
During the signreq, the program cannot open the C
On Tue, Nov 08, 2005, david kine wrote:
> In the book "Network Security with OpenSSL" on pages
> 124-125 is a list of OpenSSL commands to create a root
> CA, and a server CA signed with the root CA.
>
> My question is, how would I use the openssl CA command
> to revoke the server CA certificate b
In the book "Network Security with OpenSSL" on pages
124-125 is a list of OpenSSL commands to create a root
CA, and a server CA signed with the root CA.
My question is, how would I use the openssl CA command
to revoke the server CA certificate by the root CA,
and generate a CRL?
I have tried "o
pointed to a certain CDP to reduce CRL's size, CRL's are separated by
> the Issuing Distribution Point extension.
>
Does that follow any particular standard and are the CRLs publically
available?
> I am sorry but I didn't quite understand from your answer if there is an
I am not familiar with the term "IDP partitioning" (does IDP stands for
"Issuing Distribution Point"?).
The partitioning is not by reason codes. Every X certificates are
pointed to a certain CDP to reduce the CRL's size; CRLs are separated by
the Issuing Distribution
ave a problem working with CA's that publishes partitioned CRL's.
>
>
> For the verification process I am adding the CRL's into an X509_STORE
> and in this store every CRL is identified by it's issuer, when working
> with partitioned CRL's there would be a
Hello,
I am using openssl (version 0.9.7) to support PKI
authentication to my product, and I would like to implement revocation support. I
have successfully implemented support for a CA that publishes a full CRL, but I have
a problem working with CAs that publish partitioned CRLs.
th. Is openldap suitable for serving up CRL's of
this size and bigger? Is there anyone doing this successfully?
There is no problem with CRLs that size, indeed we successfully use OpenLDAP
with CRLs which are 50MB+ in size...
--
Best Regards,
M
Title: experiences with CRL's Ldap
Hi,
We recently ran into a problem where our Linux based openldap server couldn't handle the CRL requests (webservers failed, that host the "primary" CRL). Our CRL is about 2 MB at the moment and growing a couple of kilobytes ever
Title: experiences with "CRL's" in OpenLdap
Hi,
We recently ran into a problem where our Linux based openldap server couldn't handle the CRL requests. Our CRL is about 2 MB at the moment and growing a couple of kilobytes every month. The CRL's are downloaded over
I'm trying to import a CRL generated by a commercial CA into Apache
(build 1.3.12 OpenSSL 0.9.4) but have run into a problem. When I try to
access the site with a certificate that's in my CRL I am allowed
access. If I create my own certificates and CRL using Microsoft
Certificate Server, everyth
erifyClient require
SSLVerifyDepth 1
SSLRequire ( %{SSL_CIPHER} !~ m/^(EXP|NULL)-/ and %{SSL_CLIENT_S_DN_O} eq
"Rabbits R Us Technical Consulting" and %{SSL_CLIENT_S_DN_OU} in
{"Documents", "Tech", "Dev"} )
EOF---
Hazel
Michael Harvey wrote:
1. First, use "openssl ca" to generate a CRL.
2. Make sure that your web server supports CRL check. If it does, add
the CRL file path to the web conf file.
Hazel
Michael Harvey wrote:
> I Need Help with setting up CRL's
> I run a small www site for a special group
> I