I think the error messages are pretty clear in these cases. Trying to
set a hash with (standardized) EdDSA is not going to go well for you.
Have you tried this very nice walkthrough?
https://tools.ietf.org/html/draft-moskowitz-eddsa-pki-00
BBB
On Thu, Jun 6, 2019 at 9:47 AM Sowmya P wrote:
>
>
Hi,
Have query regarding generation of X25519 and X448 certificate chain
Below is the script which I used to generate certificate chain of ECDSA
type.
https://github.com/raja-ashok/sample_certificates/blob/master/ECC_Prime256_Certs/gen_ecc_cert.sh
Now for generating EdDSA certificate chain I am
On 08/14/2017 07:16 AM, Michael Ströder wrote:
Robert Moskowitz wrote:
I am getting a SAN in the csr e.g.:
Attributes:
Requested Extensions:
X509v3 Subject Alternative Name:
IP Address:192.168.2.1
[..]
But I am not getting SAN in the cert. Perh
Robert Moskowitz wrote:
> I am getting a SAN in the csr e.g.:
>
> Attributes:
> Requested Extensions:
> X509v3 Subject Alternative Name:
> IP Address:192.168.2.1
> [..]
> But I am not getting SAN in the cert. Perhaps I need something for SAN in the
> -e
I am getting a SAN in the csr e.g.:
Attributes:
Requested Extensions:
X509v3 Subject Alternative Name:
IP Address:192.168.2.1
this is with the following in the config:
[ req ]
# Options for the `req` tool (`man req`).
default_bits= 2048
distin
Robert Moskowitz wrote:
> On 08/11/2017 02:47 PM, Dr. Stephen Henson wrote:
>> On Fri, Aug 11, 2017, Robert Moskowitz wrote:
>>
>>> I would want the 'openssl req' command to prompt for hwType and
>>> hsSerialNum. At least for now.
>>>
>> Note that you can't get the 'openssl req' command prompt for
On 08/11/2017 02:39 PM, Dr. Stephen Henson wrote:
On Fri, Aug 11, 2017, Robert Moskowitz wrote:
Frustrated...
On 08/11/2017 11:14 AM, Salz, Rich via openssl-users wrote:
My challenge comes to subjectAltName and its subfield
hardwareModuleName
per RFC 4108. I guess I am not 'getting' the s
On 08/11/2017 02:47 PM, Dr. Stephen Henson wrote:
On Fri, Aug 11, 2017, Robert Moskowitz wrote:
I would want the 'openssl req' command to prompt for hwType and
hsSerialNum. At least for now.
Note that you can't get the 'openssl req' command prompt for this but you can
generate the extensio
On Fri, Aug 11, 2017, Robert Moskowitz wrote:
>
> I would want the 'openssl req' command to prompt for hwType and
> hsSerialNum. At least for now.
>
Note that you can't get the 'openssl req' command prompt for this but you can
generate the extension in an appropriate syntax: see my other messa
On Fri, Aug 11, 2017, Robert Moskowitz wrote:
> Frustrated...
>
> On 08/11/2017 11:14 AM, Salz, Rich via openssl-users wrote:
> >>My challenge comes to subjectAltName and its subfield
> >>hardwareModuleName
> >>per RFC 4108. I guess I am not 'getting' the subjectAltName section of
> >>'man x509
Frustrated...
On 08/11/2017 11:14 AM, Salz, Rich via openssl-users wrote:
My challenge comes to subjectAltName and its subfield
hardwareModuleName
per RFC 4108. I guess I am not 'getting' the subjectAltName section of
'man x509v3_config'.
Not all forms of SAN names are supported. If you look
Why thank you, Viktor. Let's see if I can get this right from RFC4108
On 08/11/2017 12:47 PM, Viktor Dukhovni wrote:
On Fri, Aug 11, 2017 at 03:29:25PM +, Salz, Rich via openssl-users wrote:
In the certificate extensions section you do something like:
subjectAltName = dns:www.exam
On Fri, Aug 11, 2017 at 03:29:25PM +, Salz, Rich via openssl-users wrote:
> In the certificate extensions section you do something like:
> subjectAltName = dns:www.example.com, IP:127.0.0.1
> and so on. The "pki.tgz"
>
> > And further it seems you are saying there is no support for HMN
Sigh. Well let's see what I can get done on this by the next
IEEE802/IETF week pair.
On 08/11/2017 11:56 AM, Salz, Rich wrote:
What is the procedure to get it added. RFC 4108 has been around for a while,
as has 802.1AR-2009.
Simplest way is to (get someone to) write the code and make a githu
> What is the procedure to get it added. RFC 4108 has been around for a while,
> as has 802.1AR-2009.
Simplest way is to (get someone to) write the code and make a github pull
requests.
Next way is to post a patch.
Next way is to open an issue and hope someone gets around to it.
> Though I a
On 08/11/2017 11:29 AM, Salz, Rich wrote:
Given these supported names, what goes into the config file to create a SAN
without having to specify it on the command line?
In the certificate extensions section you do something like:
subjectAltName = dns:www.example.com, IP:127.0.0.1
and so
> Given these supported names, what goes into the config file to create a SAN
> without having to specify it on the command line?
In the certificate extensions section you do something like:
subjectAltName = dns:www.example.com, IP:127.0.0.1
and so on. The "pki.tgz"
> And further it seem
Thanks for the response, Rich.
On 08/11/2017 11:14 AM, Salz, Rich via openssl-users wrote:
My challenge comes to subjectAltName and its subfield
hardwareModuleName
per RFC 4108. I guess I am not 'getting' the subjectAltName section of
'man x509v3_config'.
Not all forms of SAN names are suppor
> My challenge comes to subjectAltName and its subfield
> hardwareModuleName
> per RFC 4108. I guess I am not 'getting' the subjectAltName section of
> 'man x509v3_config'.
Not all forms of SAN names are supported. If you look in
include/openssl/x509v3.h you see the following:
# define GEN_OTH
Now that I can build a generic PKI with EDDSA, the next step is to add
creation of 802.1AR iDevID certificates. I am using the current draft,
sec 8, 802.1ARce-d2-2, but for this purpose it is essentially the same
(but clearer written) as sec 7, 802.1AR-2009.
I start with making the following
On Sat, Nov 17, 2012 at 10:56 PM, wrote:
> On 16-11-2012 19:57, Jeffrey Walton wrote:
>>
>> Hi Jacob,
>> On Fri, Nov 16, 2012 at 1:22 PM, Jakob Bohm wrote:
>>>
>>> On 11/16/2012 3:36 AM, Jeffrey Walton wrote:
...
Headless servers, entropy starvation, and rollbacks are a concern in
On 16-11-2012 19:57, Jeffrey Walton wrote:
Hi Jacob,
On Fri, Nov 16, 2012 at 1:22 PM, Jakob Bohm wrote:
On 11/16/2012 3:36 AM, Jeffrey Walton wrote:
...
Headless servers, entropy starvation, and rollbacks are a concern in
modern environments. OpenSSL and other entropy gathers, such as EDG,
don
Hi Jacob,
On Fri, Nov 16, 2012 at 1:22 PM, Jakob Bohm wrote:
> On 11/16/2012 3:36 AM, Jeffrey Walton wrote:
>>
>> ...
>>
>> Headless servers, entropy starvation, and rollbacks are a concern in
>> modern environments. OpenSSL and other entropy gathers, such as EDG,
>> don't account for the latter.
On 11/16/2012 3:36 AM, Jeffrey Walton wrote:
...
Headless servers, entropy starvation, and rollbacks are a concern in
modern environments. OpenSSL and other entropy gathers, such as EDG,
don't account for the latter. It's best to take the bull by the horns
and do it yourself. At minimum, you need t
On Fri, Nov 16, 2012 at 9:17 AM, Graham Leggett wrote:
> On 16 Nov 2012, at 4:36 AM, Jeffrey Walton wrote:
>
>> On Thu, Nov 15, 2012 at 10:41 AM, Jeffrey Walton wrote:
>>> On Thu, Nov 15, 2012 at 6:03 AM, Pravesh Rai wrote:
CryptGenRandom(hCryptProv, SEED_SIZE, buf); // On Windows
On 16 Nov 2012, at 4:36 AM, Jeffrey Walton wrote:
> On Thu, Nov 15, 2012 at 10:41 AM, Jeffrey Walton wrote:
>> On Thu, Nov 15, 2012 at 6:03 AM, Pravesh Rai wrote:
>>>
>>> CryptGenRandom(hCryptProv, SEED_SIZE, buf); // On Windows OS
>>> apr_generate_random_bytes(buf, SEED_SIZE); // On
On Thu, Nov 15, 2012 at 10:41 AM, Jeffrey Walton wrote:
> On Thu, Nov 15, 2012 at 6:03 AM, Pravesh Rai wrote:
>>
>> CryptGenRandom(hCryptProv, SEED_SIZE, buf); // On Windows OS
>> apr_generate_random_bytes(buf, SEED_SIZE); // On Linux OS
>>
Speaking of poor documentation.
I looked a
> From: Jeffrey Walton [mailto:noloa...@gmail.com]
>
> On Thu, Nov 15, 2012 at 6:03 AM, Pravesh Rai
> wrote:
> >...
> > #define SEED_SIZE 128
> >...
> > //RAND_seed(buf, SEED_SIZE);
> > RAND_add(buf, SEED_SIZE, (20/100) * SEED_SIZE);
> >
> > k = RAND_status();
> >
> > }
> I'm not sure 20% e
On Thu, Nov 15, 2012 at 6:03 AM, Pravesh Rai wrote:
> Hi,
>
> At one place, we are using following logic for generating self-signed
> certificate:
>
> #define SEED_SIZE 128
>
> k = RAND_status();
> while(k == 0)
> {
> // custom logic for getting random numbers from system variables
> ...
>
> Crypt
>From: owner-openssl-us...@openssl.org On Behalf Of Mithun Kumar
>Sent: Wednesday, 11 April, 2012 03:16
>Thanks Dave could you please elaborate below lines too
Meta-answers: you can read the instructions for any OpenSSL
utility on Unix with man (here man req and man x509)
(you may need
Thanks Dave could you please elaborate below lines too
$(OPENSSL) req -newkey rsa:1024 -sha1 -keyout rootkey.pem -out rootreq.pem
-config root.cnf
$(OPENSSL) x509 -req -in rootreq.pem -sha1 -extfile root.cnf -extensions
certificate_extensions -signkey rootkey.pem -out rootcert.pem
$(CAT) rootcert
> From: owner-openssl-us...@openssl.org On Behalf Of Mithun Kumar
> Sent: Monday, 09 April, 2012 01:54
> I am newbie to OpenSSL. I am trying to understand how certificates
> are generated. I downloaded the samples and started understanding
> the "Makefile" that came wit
hi,
The third command will just concatenate the key and certificate in one
file. You can open server.pem and verify.
Regards,
Akash
On Mon, Apr 9, 2012 at 11:23 AM, Mithun Kumar wrote:
> I am newbie to OpenSSL. I am trying to understand how certificates are
> generated. I downloaded the sample
* AngelWarrior wrote on Wed, May 20, 2009 at 15:18 -0500:
> "I dont need to know with whom I am contacting but after
> contact my messages should be private."
If you sent your message to just anybody, how can it be private?
oki,
Steffen
--[ End of message ]--
* Scott Gifford wrote on Wed, May 20, 2009 at 21:52 -0400:
> AngelWarrior writes:
>
> > but this still requires a CA kind of certificate right.I dont
> > know if the client will be have a CA certificate to
> > authenticate it.If I am wrong please explain me how it can be
> > done.
>
> Regular SS
AngelWarrior wrote:
> but this still requires a CA kind of certificate right.
> I dont know if the client will be have a CA certificate
> to authenticate it.If I am wrong please explain me how
> it can be done.
The usual solution (as used on secure web pages, for credit card orders, and
so on) i
AngelWarrior writes:
> but this still requires a CA kind of certificate right.I dont know if the
> client will be have a CA certificate to authenticate it.If I am wrong please
> explain me how it can be done.
Regular SSL only requires a certificate on the server. Encrypted Web
browsing with htt
AngelWarrior wrote:
> Thank you for replying.
> I am thinking of this design.Is this feasible.My design approach
> is mainly based on
> "I dont need to know with whom I am contacting but after contact
> my messages should be private."
I don't think this is a coherent approach unless you layer som
On Wed, May 20, 2009 at 03:18:34PM -0500, AngelWarrior wrote:
> Thank you for replying.
> I am thinking of this design.Is this feasible.My design approach is mainly
> based on
> "I dont need to know with whom I am contacting but after contact my messages
> should be private."
For pseudonymous sec
Thank you for replying.
I am thinking of this design. Is this feasible? My design approach is mainly
based on
"I don't need to know with whom I am contacting but after contact my messages
should be private."
client(My own application)
Server (My own application)
1.(client)create a normal socket and
> AngelWarrior writes:
>
> > but this still requires a CA kind of certificate right.
> > I dont know if the client will be have a CA certificate
> > to authenticate it.If I am wrong please explain me how
> > it can be done.
>
> The server must have or know something that an attacker does not
> ha
AngelWarrior writes:
> but this still requires a CA kind of certificate right.
> I dont know if the client will be have a CA certificate
> to authenticate it.If I am wrong please explain me how
> it can be done.
The server must have or know something that an attacker does not have or
know. Othe
But this still requires a CA kind of certificate, right? I don't know if the
client will have a CA certificate to authenticate it. If I am wrong, please
explain to me how it can be done.
On Wed, May 20, 2009 at 2:47 PM, Scott Gifford wrote:
> AngelWarrior writes:
>
> > I need some Info.I have a clien
forgot to say at step 7 and 8 agreed upon encryption algorithm
On Wed, May 20, 2009 at 3:18 PM, AngelWarrior
wrote:
> Thank you for replying.
> I am thinking of this design.Is this feasible.My design approach is mainly
> based on
> "I dont need to know with whom I am contacting but after contact
AngelWarrior writes:
> I need some Info.I have a client and server application which
> requires a secure medium for the transferring of data between each
> other. Currently I am using openssl to achieve this using private
> and public key certificates with RSA encryption. I don't want to
> ship t
On Wed, May 20, 2009 at 02:37:58PM -0500, AngelWarrior wrote:
> I need some Info.I have a client and server application which requires a
> secure medium for the transferring of data between each other. Currently I
> am using openssl to achieve this using private and public key certificates
> with
Hi,
I need some info. I have a client and server application which requires a
secure medium for the transferring of data between each other. Currently I
am using openssl to achieve this using private and public key certificates
with RSA encryption. I don't want to ship the certificate with each eve
Thanks, David, that's exactly what I needed. I already found some examples,
but these are very clear as steps to create the cert.
One more question, though: how do you convert an RSA public key from an
(uint8_t *) type to the RSA type defined in OpenSSL (or to EVP_PKEY). I have
been googling on th
Kyle,
2008/8/19 Kyle Hamilton <[EMAIL PROTECTED]>
> What you're saying is this:
>
> 1) You know who the principal is (and therefore the CN to stick into
> your certificate), due to your pre-existing protocol.
> 2) You know what the public key is, also due to your pre-existing protocol.
> 3) You'v
> The only thing that I need is to certify the public key of
> the client by the server, therefore the common name and
> related infos are not used and have no meaning in this
> context. Moreover, the certification chain is local/private,
> so it does not involve interactions with external (public
What you're saying is this:
1) You know who the principal is (and therefore the CN to stick into
your certificate), due to your pre-existing protocol.
2) You know what the public key is, also due to your pre-existing protocol.
3) You've already verified the proof of possession of the private key
(
Silviu VLASCEANU wrote:
Hello,
I am developing an application which also has some CA functions. The
application knows the public key, KpC, of a client which has a priori
proven to this app the possession of KpC through an out-of-band mean.
Therefore, when the application "calls" the CA functi
Thanks for your answer, David. Let me explain some more of my problem.
The reason for not wanting to make a "usual" CSR is that my client is not
able to send the CSR to the server (CA) app. In fact, I am extending an
existing communication protocol, where I keep the already defined message
types a
Silviu Vlasceanu wrote:
> To reformulate,
> Is there a way to generate a certificate without a proof of possession?
> Thanks.
Absolutely. Just stuff all the fields that you want into the certificate and
sign it. Simply take the fields from wherever you have them rather than from
the CSR.
Yo
To reformulate,
Is there a way to generate a certificate without a proof of possession?
Thanks.
2008/8/18 Silviu VLASCEANU <[EMAIL PROTECTED]>
> Hello,
>
> I am developing an application which also has some CA functions. The
> application knows the public key, KpC, of a client which has a prior
Silviu Vlascaenu wrote:
> I am developing an application which also has some CA functions.
> The application knows the public key, KpC, of a client which has
> a priori proven to this app the possession of KpC through an
> out-of-band mean. Therefore, when the application "calls" the CA
> functio
Hello,
I am developing an application which also has some CA functions. The
application knows the public key, KpC, of a client which has a priori proven
to this app the possession of KpC through an out-of-band mean. Therefore,
when the application "calls" the CA functionality to generate the clien
On Fri, Sep 28, 2007 at 08:37:12PM +0530, Urjit Gokhale wrote:
> > > > considered as proposition to discussion. Real, secure programming
> should
> > > > be based on existing, well checked protocols (which is possible in
> this
> > > > case).
> > >
> > > The OP was going to embed his CA's private
> > > considered as proposition to discussion. Real, secure programming
should
> > > be based on existing, well checked protocols (which is possible in
this
> > > case).
> >
> > The OP was going to embed his CA's private key in his installer.
>
> The OP was not thinking clearly about key management
Hello,
> > > Now you *are* saying that if you just use something to validate the
> > > certificate, you are safe.
> > >
> > > You and I are in violent agreement, you just don't see it. You
> > > also suggest
> > > setting up an SSL connection that provides everything except
> > > MITM detection.
>
On Thu, Sep 27, 2007 at 11:38:39AM -0700, David Schwartz wrote:
> > considered as proposition to discussion. Real, secure programming should
> > be based on existing, well checked protocols (which is possible in this
> > case).
>
> The OP was going to embed his CA's private key in his installer.
> Hello,
> > Now you *are* saying that if you just use something to validate the
> > certificate, you are safe.
> >
> > You and I are in violent agreement, you just don't see it. You
> > also suggest
> > setting up an SSL connection that provides everything except
> > MITM detection.
> > You then
On Wed, Sep 26, 2007 at 04:28:15PM -0700, David Schwartz wrote:
>
> Victor Duchovni wrote:
>
> > Use a self-signed cert and a trusted source of peer<->cert or cert
> > fingerprint mappings. The public CA is just one mapping function.
>
> Well then you're going to have to argue with yourself
Hello,
> Now you *are* saying that if you just use something to validate the
> certificate, you are safe.
>
> You and I are in violent agreement, you just don't see it. You also suggest
> setting up an SSL connection that provides everything except MITM detection.
> You then take something from th
Victor Duchovni wrote:
> Use a self-signed cert and a trusted source of peer<->cert or cert
> fingerprint mappings. The public CA is just one mapping function.
Well then you're going to have to argue with yourself since you said not to
do this two posts ago:
>>>Actually not the certificate,
On Wed, Sep 26, 2007 at 03:58:08PM -0700, David Schwartz wrote:
> I am not enough of an expert to comment for sure on this, but it seems that
> there would be no harm in using the certificate for this purpose. A MITM
> cannot create an SSL session that uses the same certificate as the real
> serve
> On Wed, Sep 26, 2007 at 11:03:21AM +0200, Steffen DETTMER wrote:
>
> > > > So your point is that some property from the original
> > > > certificate (lets say some hash or so) could be included in
> > > > the extra authentication to detect a MITM (or whatever faked)
> > > > certificate? In that
On Wed, Sep 26, 2007 at 11:03:21AM +0200, Steffen DETTMER wrote:
> > > So your point is that some property from the original
> > > certificate (lets say some hash or so) could be included in
> > > the extra authentication to detect a MITM (or whatever faked)
> > > certificate? In that case, SSL w
* David Schwartz wrote on Tue, Sep 25, 2007 at 14:47 -0700:
[...]
> > I'm not sure if I understand "...including these...". If, for
> > instance, each side (and only them) share a secret 3DES key and
> > use it for some challenge-response-authentication inside a SSL
> > tunnel then I would assume
> > In this second step of verification, you can exchange public keys,
> > certificates, challenges, responses, and so on. Each side can
> > verify what it
> > is talking to on the other side by whatever mechanism you want.
> Ahh, yes, ok. But the result would not be SSL but
> something-SSL-based
* Victor Duchovni wrote on Tue, Sep 25, 2007 at 11:40 -0400:
> On Tue, Sep 25, 2007 at 05:20:28PM +0200, Steffen DETTMER wrote:
> > creating a new TLS (version) standard/RFC
>
> Approximately correct, not a new TLS standard, the existing TLS 1.1 is
> likely sufficient, rather a new standard cipher-
On Tue, Sep 25, 2007 at 05:20:28PM +0200, Steffen DETTMER wrote:
> > GSSAPI uses Kerberos-5 KDCs for key management.
>
> Ahh, you mean creating a new TLS (version) standard/RFC, that is
> using GSSAPI and is to be used e.g. inside large organizations
> that already have some GSSAPI available (beca
* Victor Duchovni wrote on Tue, Sep 25, 2007 at 09:27 -0400:
> On Tue, Sep 25, 2007 at 11:58:45AM +0200, Steffen DETTMER wrote:
> > > I would like to see GSSAPI support in TLS (so would Microsoft
> > > and a few others). This addresses key management, without
> > > requiring secondary protocols, an
On Tue, Sep 25, 2007 at 11:58:45AM +0200, Steffen DETTMER wrote:
> > No, the challenge is key management. TLS is just fine.
>
> What do you mean, `TLS is just fine'?
TLS is a sound protocol, the problem is not the protocol, the problem
is key management.
> Doesn't it depend on the requirements
* Victor Duchovni wrote on Mon, Sep 24, 2007 at 21:05 -0400:
> > Whatever you want to call it. The point is, if the client
> > can't validate the self-signed cert, you need some other way
> > to make sure the server and client have opposite ends of the
> > *same* SSL connection, rather than ends of
* David Schwartz wrote on Mon, Sep 24, 2007 at 07:42 -0700:
> > Storing some fingerprint of a certificate or public key locally
> > in some trusted place (such as a local file system) seems to be
> > quite secure (should be the same level as having a CAs root
> > certificate in a file), however, I'
On Mon, Sep 24, 2007 at 03:01:56PM -0700, David Schwartz wrote:
>
> > SSL works just fine to prevent MITM with self-signed certs, provided
> > the client has prior knowledge of the self-signed cert.
>
> Right, but what if they don't?
Create a key management system that makes it so, or deploy a
> SSL works just fine to prevent MITM with self-signed certs, provided
> the client has prior knowledge of the self-signed cert.
Right, but what if they don't?
> It can then
> check for the right public key, or the right certificate fingerprint
> (more convenient via the OpenSSL API than extract
Hello,
> > Basically, in this case you can use the original SSL authentication to
> > bootstrap a separate MITM detection step. I strongly recommend doing this in
> > a custom application if you use SSL in a way that prevents its normal MITM
> > detection from being effective.
>
> I strongly
On Mon, Sep 24, 2007 at 12:31:15PM -0700, David Schwartz wrote:
> > Hello David,
> > I would like to learn more on MITM in this particular scenario. I
> > used to believe that if a server is using a signed certificate,
> > the MITM is not possible (Is it possible with techniques like DNS
> > poiso
> Hello David,
> I would like to learn more on MITM in this particular scenario. I
> used to believe that if a server is using a signed certificate,
> the MITM is not possible (Is it possible with techniques like DNS
> poisoning?). Looks like I missed something important. Could you
> point me to t
>> Storing some fingerprint of a certificate or public key locally
>> in some trusted place (such as a local file system) seems to be
>> quite secure (should be the same level as having a CAs root
>> certificate in a file), however, I'm not sure if this works with
>> OpenSSL which seems to expect t
> Storing some fingerprint of a certificate or public key locally
> in some trusted place (such as a local file system) seems to be
> quite secure (should be the same level as having a CAs root
> certificate in a file), however, I'm not sure if this works with
> OpenSSL which seems to expect to be
* David Schwartz wrote on Sun, Sep 23, 2007 at 22:51 -0700:
> > Here is my understanding about a real CA.
> > A real CA would be an agency or like, which would have the infrastructure
> > required to sign certificate requests (say openssl toolkit, its own key
> > pair, its own root certificate etc)
> 4. If I have to generate a unique certificate for every server, myself, I
> would have to burn so many different CDs. In addition to that, I will have
> to maintain almost a complete CA system.
> 5. This is doable, when the number of customers is small, say 5 -
> 10. But I
> do
lient) to the customers, I burn
them on a CD and ship them.
4. If I have to generate a unique certificate for every server, myself, I
would have to burn so many different CDs. In addition to that, I will have
to maintain almost a complete CA system.
5. This is doable, when the number of custo
> I doubt if self signed certificate will be a good idea, as
> against a signed
> certificate.
> With the approach I am proposing, the server installer itself works like a
> CA.
> Only an authorized person will have access to this installer (say
> admin) and
> can generate a signed certificate.
I
> > For now, my purpose is not to establish and identity of a server with
the
> > certificate. I plan to use a signed certificate, so that the client can
be
> > sure
> > that the server indeed holds the private key associated with the
> > public key
> > provided by the server in its certificate.
>
> For now, my purpose is not to establish and identity of a server with the
> certificate. I plan to use a signed certificate, so that the client can be
> sure
> that the server indeed holds the private key associated with the
> public key
> provided by the server in its certificate.
You have a n
o what's the point of the entire exercise?!
For the requirement of certificate generation on the fly
(during installation) following is the scenario:
A] I have a client - server application that I would be shipping to
different customers.
The admin at every customer will install the client an
On Wed, Sep 19, 2007 at 08:01:28AM -0700, David Schwartz wrote:
>
> > So could someone guide me with the best practices used in such scenarios?
> > Is there a way to securely embed the private key in the installers / CA
> > certificate?
>
> I guess I'm confused. What purpose would a certificate
> So could someone guide me with the best practices used in such scenarios?
> Is there a way to securely embed the private key in the installers / CA
> certificate?
I guess I'm confused. What purpose would a certificate serve if anyone can
generate one that serves any purpose?
If I can generate
Hello everyone,
I have a server application that will use Openssl to communicate with its
clients over SSL secured channel.
This server requires a unique signed server certificate.
I plan to use my personal CA to issue these server certificates.
Now for the ease of deployment, I plan to create s
OpenSSL's command-line tool does not. The underlying library can
handle it, though, if you write your own certificate-generation routine.
-Kyle H
Hi,
Does using openssl we can generate multiple certificate concurrently.
I was experimenting on one of my application which require a
Hi,
Does using openssl we can generate multiple certificate concurrently.
I was experimenting on one of my application which require around 50
certificates to be generated in 1 sec.
Please let me know does open ssl handles the multiple certificate
requests simultaneously.
Regards,
A Kataoka
Hello everybody,
I'm trying to create openssl for generating multiple certificate generation,
simultaneously.
But the error I'm having during this process is that "some other process is
using serial file". Is there any means by which I can perform the simultaneous
crt generation b
p going if an error,
like a bad request, occurs.
Regards,
Simon McMahon
"Sowjanya Malika" <[EMAIL PROTECTED]>
12/13/2006 10:40 PM
To
Simon McMahon/Australia/Contr/[EMAIL PROTECTED]
cc
Subject
Re: ocsp responder certificate generation documentation( reg)
Hi,
hope Ia
eight and works so it is worth the effort! You can certainly learn a
lot about OCSP responder from using this one.
Regards,
Simon McMahon
"Sowjanya Malika" <[EMAIL PROTECTED]>
12/06/2006 10:21 PM
To
Simon McMahon/Australia/Contr/[EMAIL PROTECTED]
cc
Subject
ocsp responder c
Hello Mr. Ringaby,
Thanks for the reply.
> My guess is that the script code somehow got messed
> up when
> you copied it from the site, or maybe the script for
> some
> reason contains hidden characters.
I think you are right Sir because I copied the script
from the site on a windows machine and
On Tue, Jan 11, 2005, Servie Platon wrote:
> Hello Dr. Henson,
>
> And thank you again for this advice.
>
> --- "Dr. Stephen Henson" <[EMAIL PROTECTED]> wrote:
>
> > I suggest you ignore that script: and use the CA.pl
> > script and the appropriate
> > documentation instead.
>
> As suggested b