On 22/03/18 03:34, Norm Green wrote:
> How does one specify the CRL to the SSL_CTX when setting up a
> connection? I would expect there to be something similar to
> SSL_CTX_use_certificate(), such as:
>
> int SSL_CTX_use_crl(SSL_CTX *ctx, X509_CRL *crl)
X509_STORE_load_locations() ?
It appears t
How does one specify the CRL to the SSL_CTX when setting up a
connection? I would expect there to be something similar to
SSL_CTX_use_certificate(), such as:
int SSL_CTX_use_crl(SSL_CTX *ctx, X509_CRL *crl)
but can find nothing like that.
Norm Green
is this line which is responsible for asking client
certificate:
##
clientca=/root/sslCA/cacert.pem capath=/root/sslCA
##
/root/sslCA/cacert.pem is CA certificate.
I also created a crl.pem in /root/sslCA/crls/ for certificate revocation.
The situation is as follows:
If a
rver.
> In squid.conf file there is this line which is responsible for asking
> client certificate:
>
> ##
> clientca=/root/sslCA/cacert.pem capath=/root/sslCA
> ##
>
> /root/sslCA/cacert.pem is CA certificate.
>
> I also created a crl.pem in /root/sslCA/crls/ for certi
Hi,
How do I check in my code, if a certificate is revoked or not?
From what I googled:
The x509 certificate contains set of CRL distribution points, ie set of urls.
We need to download the crl list.
Crl list contains serial numbers of certificates revoked and the date in which
they were revok
Dear OpenSSL support team
Could you please answer my questions:
1. What process occurs when we revoke the certificate with the command: openssl
ca -revoke
2. Why does the openssl software allow one Certification Authority (CA) to revoke
a certificate signed by another CA?
Thank you in advance
Best re
essage -
From: "John Doe"
To: openssl-users@openssl.org
Sent: Wednesday, November 4, 2009 10:27:32 AM GMT -05:00 US/Canada Eastern
Subject: Certificate Revocation Lists and Apache...
Hi,
I need a little help with Certificate Revocation Lists.
I did setup client certificates f
Hi,
I need a little help with Certificate Revocation Lists.
I did setup client certificates filtering with apache and it seems to work fine
so far (used a tutorial on http://www.adone.info/?p=4, down right now).
I have a "CA" that is signing a "CA SSL".
Then, the "CA SS
Hello everybody,
please help me in solving this issue.
thanks in advance.
warm regards
piyush
piyush tewari <[EMAIL PROTECTED]> wrote:
Hello,
I want to revoke my certificate by specifying CRLfile in the stunnel.conf.
the commands that I'm using are:-
1. for generating t
Hello,
I want to revoke my certificate by specifying CRLfile in the stunnel.conf.
the commands that I'm using are:-
1. for generating the CRL file
openssl ca -gencrl -keyfile ca_key -cert ca_crt -out my_crl.pem
2. for revoking the certificates
openssl ca -revoke bad_crt_file -keyfile
Sorry to prolong this thread, but does the function X509_CRL_verify()
actually check to see if the CRL has expired? If not what function
performs this verification? I'm confused as to the actual mechanics of
using the default_crl_days in code.
-David Brock-
Ber
Jorey Bump wrote:
[...]
OK, if someone acquired your CA's key you're deep in the dirt,
regardless whether you use CRLs or not, since the evil one can build
his/her own CRLs with the signature of your CA. ;)
But only with the passphrase of the CA private key, correct?
Yes, correct, the bad
Jorey Bump wrote:
Bernhard Froehlich wrote:
The idea behind a CRL is to have the possibility to publicly revoke a
certificate before it expires (so setting default_crl_days equal to
default days is not very sensible, you should just work without a CRL
in such a case).
Is this as simple as
Bernhard Froehlich wrote:
Jorey Bump wrote:
Is this as simple as commenting out default_crl_days? I've noticed
that a certificate with a longer default_days will be treated as
expired when default_crl_days is reached. Yet, I don't see the CRL
period in the signed certificate when I view it w
Bernhard Froehlich wrote:
The idea behind a CRL is to have the possibility to publicly revoke a
certificate before it expires (so setting default_crl_days equal to
default days is not very sensible, you should just work without a CRL in
such a case).
Is this as simple as commenting out defau
Jorey Bump wrote:
I'm nearly complete in setting up my own CA, but I'm not sure how to
manage Certificate Revocation Lists (CRL). I noticed that related
settings such as *RevocationUrl are commented out in the default
openssl.cnf. Should I fill these in and post my CRL, or should I
I'm nearly complete in setting up my own CA, but I'm not sure how to
manage Certificate Revocation Lists (CRL). I noticed that related
settings such as *RevocationUrl are commented out in the default
openssl.cnf. Should I fill these in and post my CRL, or should I just
make defaul
was signed with client's
certificate and then it would be checked for signature and processed
properly on server's side.
I know that there is no certificate revocation request in OpenSSL.
Is there the possibility of usage standard features such as CSR,CRL
instead of not existing CRR?
ide.
I know that there is no certificate revocation request in OpenSSL.
Is there the possibility of usage standard features such as CSR,CRL
instead of not existing CRR?
Any suggestion ?
That did the trick. Thanks a lot!
On Fri, 2004-05-14 at 12:52, Olaf Gellert wrote:
> Aaron Smith wrote:
> > We have been using OpenSSL to generate certificates for various
> > applications here with a home grown CA (created using openssl ca). We
> > recently started upgrading our servers fro
Aaron Smith wrote:
> We have been using OpenSSL to generate certificates for various
> applications here with a home grown CA (created using openssl ca). We
> recently started upgrading our servers from Redhat 7.3 to RHEL 3.0. The
> machine that used to house the CA directories used openssl
We have been using OpenSSL to generate certificates for various
applications here with a home grown CA (created using openssl ca). We
recently started upgrading our servers from Redhat 7.3 to RHEL 3.0. The
machine that used to house the CA directories used openssl version
0.9.6b (RedHat R
Hi Guys,
Here's one for you. When you create the root certificate
with openssl it is given a serial number of 0. Every other
root signed certificate (peer certs) is given a serial
number of 0X where X is the next certificate number e.g.
01.
The certificates signed by root can be revoked and
up
to see corresponding RFCs.
Hope can be of help.
Hazel
> hello all,
>
> I have read a few literatures, but still I can't figure out what
> certificate revocation list (CRL) is all about?
> Is there anybody who can give me an explanation, or show me good stuffs
> t
Mario Fabiano wrote:
> Try to see the matter from a different point of view.
Ok.
> Suppose that your CA is a big organisation which is supported by a large
> number of RA responsible to approve certificate requests from end users.
> The approval is made only against a face to face identity proo
Andrew Cooke wrote:
> Do you see what I mean? Your decision to ask the user for a password
> makes sense when the utilities are used alone, but when they are used as
> part of a larger script it adds an extra request for a password that is
> a nuisance. That is what I meant about using the scri
Massimiliano Pala wrote:
> Andrew Cooke wrote:
[...]
> > If people want to use the utility routines as a "library" to build their
> > own CA scripts, then it would be better, for example, to provide a
> > separate routine that checks that they know the CA password. In that
> > way the person wr
Andrew Cooke wrote:
> My comment is an observation, rather than an argument for changing: You
> are imposing a security model on users that a malicious party can
> circumvent by changing the code. This isn't really acceptable as part
> of a library (which may be assembled by others for a variet
Massimiliano Pala wrote:
> Mario Fabiano wrote:
> > openssl ca -revoke asks for the CA key protection password, but the CA
> > key should be needed only to issue the CRL that must be signed.
> NO. As the CA, from now on will consider the certificate REVOKED and in
> every CRL issued will mark it
Mario Fabiano wrote:
>
> I have just a remark and a question:
>
> openssl ca -revoke does not give back a return code, which should be very
> useful when you invoke the command from a script.
Sure, if no one is going to patch this I can do it (as I wrote this part!)
it should not take long.
> op
Neill [SMTP:[EMAIL PROTECTED]]
Sent: Tuesday, December 14, 1999 5:14 AM
To: [EMAIL PROTECTED]
Subject: Certificate Revocation
Has anyone implemented certificate revocation yet? We need to implement
it on our servers, I was going to write a back end script to compare the
users certifica
Andrew Cooke wrote:
[...]
> PS OpenSSL seems better than SSLeay (even more comments in the code!) -
> thank-you to everyone who has contributed.
I just realised that could be read two ways, one of which only makes
sense as sarcasm - I meant "more comments in the code, even"... :-)
PS OpenSSL seems better than SSLeay (even more comments in the code!) -
thank-you to everyone who has contributed.
Patrick O'Neill wrote:
>
> Has anyone implemented certificate revocation yet? We need to implement
> it on our servers, I was going to write a back end scrip
Has anyone implemented certificate revocation yet? We need to implement
it on our servers, I was going to write a back end script to compare the
users certificate to the index.txt database and see if it exists. If
this is not the correct way, or someone has already written a similar
program, I
34 matches