Hello,
Can s_client be used to send additional certificates (i.e. certificates that
are not part of the chain for the current connection)
I am trying to do the following (pseudocode):
s_client -key myclient.key -cert myclient.cer -verifyCAfile expectedserverCA
-connect server:port
On Wed, Oct 20, 2021 at 3:26 PM Vishal Sinha <vishals1...@gmail.com> wrote:
Hi
We are using openssl 1.1.1c version on our client and server.
Client and Server are doing EAP-TLS authentication using
certificates which are more than 4k in size (using 1
I'm also a bit confused at how this became the limiting factor for the
application
in question.
https://datatracker.ietf.org/doc/html/draft-ietf-emu-eaptlscert-08 has some
discussion of how large certificates can cause issues for EAP (as well as some
guidance to EAP deployments as to h
Hi
We are using openssl 1.1.1c version on our client and server. Client
and Server are doing EAP-TLS authentication using certificates which
are more than 4k in size (using 1 root CA and 2 intermediate CAs).
We noticed that the server is not able to handle it gracefully due
>
> We are using openssl 1.1.1c version on our client and server. Client and
> Server are doing EAP-TLS authentication using certificates which are more
> than 4k in size (using 1 root CA and 2 intermediate CAs). We noticed that
> the server is not able to handle it gracefully due to ins
On 20/10/2021 10:56, Vishal Sinha wrote:
We are using openssl 1.1.1c version on our client and server. Client and
Server are doing EAP-TLS authentication using certificates which are
more than 4k in size (using 1 root CA and 2 intermediate CAs). We
noticed that the server is not able to
Hi
We are using openssl 1.1.1c version on our client and server. Client and
Server are doing EAP-TLS authentication using certificates which are more
than 4k in size (using 1 root CA and 2 intermediate CAs). We noticed that
the server is not able to handle it gracefully due to insufficient buffer
Did you ever get to the root of this?
-Philip
> On Oct 30, 2018, at 5:52 PM, Pietu Pohjalainen wrote:
>
> Dear all,
>
> I have been trying to verify hardware attestation certificates originating
> from different Android phones with the OpenSSL tool. There seems to
On 14/07/2021 13:31, Matt Caswell wrote:
>
>
> On 13/07/2021 19:44, Christian Schmidt wrote:
>> Hello all,
>>
>> I am currently trying to build both client and server of an application
>> that uses TLS 1.3 and mutual authentication using certificates. The
>
On 13/07/2021 19:44, Christian Schmidt wrote:
Hello all,
I am currently trying to build both client and server of an application
that uses TLS 1.3 and mutual authentication using certificates. The
application works so far - I can establish connections, certificates are
verified, data is
Hello all,
I am currently trying to build both client and server of an application
that uses TLS 1.3 and mutual authentication using certificates. The
application works so far - I can establish connections, certificates are
verified, data is successfully transmitted, etc.
However, I have an
print all certs.
David
On 7 April 2021 04:58:38 CEST, Nan Xiao wrote:
> Hi Viktor,
>
> > By "a file" you clearly mean a "PEM file" with one or more certificates
> enclosed in "-BEGIN ...".."-END ..." delimiters.
>
> Ye
Hi Viktor,
> By "a file" you clearly mean a "PEM file" with one or more certificates
enclosed in "-BEGIN ...".."-END ..." delimiters.
Yes, this is what I mean.
> openssl crl2pkcs7 -nocrl -certfile somefile.pem |
openssl pkcs7 -prin
On Wed, Apr 07, 2021 at 10:14:42AM +0800, Nan Xiao wrote:
> Greetings from me! By default openssl-x509 can only dump one
> certificate from the file:
By "a file" you clearly mean a "PEM file" with one or more certificates
enclosed in "-BEGIN ...".."
.html), and
can't find a method to dump all certificates.
Could anyone give some clues in dumping all certificates from a file?
Thanks very much in advance!
Best Regards
Nan Xiao
On Thursday, 21 January 2021 13:05:21 CET, David von Oheimb wrote:
I'd welcome support for CBOR(-encoded) certificates since they can save
a lot of space
for both the data itself and the code handling it, which may be vital
for IoT scenarios, for instance.
It looks like the standardizati
> I'd welcome support for CBOR(-encoded) certificates since they can save a lot
> of space
> for both the data itself and the code handling it, which may be vital for IoT
> scenarios, for instance.
> It looks like the standardization of their definition got pretty far al
Uri:
>
> Unfortunately, there's no ASN.1 -> CBOR codec generator, AFAIK, which is why
> I'm asking here.
Nope, and if there were, it would not generate the same result as the
compression routines that Ben referenced.
Russ
I'd welcome support for CBOR(-encoded) certificates since they can save
a lot of space
for both the data itself and the code handling it, which may be vital
for IoT scenarios, for instance.
It looks like the standardization of their definition got pretty far
already.
Although it is cert
e:
> I meant not "CBOR protocol" (which, in all likelihood, doesn't and
shouldn't exist) but CBOR encoding of X.509 certificates (which, hopefully,
does exist).
>
> At least, I'm looking for a tool that would convert between these two
encodings (DE
" (which, in all likelihood, doesn't and shouldn't
> exist) but CBOR encoding of X.509 certificates (which, hopefully, does
> exist).
>
> At least, I'm looking for a tool that would convert between these two
> encodings (DER and CBOR) for specific objects (
I meant not "CBOR protocol" (which, in all likelihood, doesn't and shouldn't
exist) but CBOR encoding of X.509 certificates (which, hopefully, does exist).
At least, I'm looking for a tool that would convert between these two encodings
(DER and CBOR) for specific
k in progress.
-Ben
From: Blumenthal, Uri - 0553 - MITLL
Sent: Wednesday, January 20, 2021 4:22 PM
To: openssl-users
Subject: Parsing and generating CBOR certificates?
I need to work with CBOR-encoded certificates. Is there any way to use OpenSSL
to parse and/or ge
I need to work with CBOR-encoded certificates. Is there any way to use OpenSSL
to parse and/or generate certs in CBOR encoding?
Thanks
Regards,
Uri
12:21 PM, Richard Simard
> wrote:
>
> I would like to know if among you, if anyone would have a good example in
> order to integrate a Certificates Transparency list into my certificates.
>
> Thank you!
> Richard Simard
>
I would like to know if among you, if anyone would have a good example in order
to integrate a Certificates Transparency list into my certificates.
Thank you!
Richard Simard
Oh my, I figured it out after digging through the OpenSSL source code.
My CA certificate and the client certificate both had the same common
name, so they were clobbering each other.
Changing the name of the CA certificate solved the problem.
On Sun, 15 Nov 2020 at 14:10, Samuel Williams
wrote:
Hello
I generate a CA (self signed), and then generate a certificate from
that CA, which should be used by a HTTP/2 client and server during
testing.
This code was working as recently as 12 months ago, but it seems like
something has stopped it from verifying correctly.
Here is how the CA is gen
but I'm not sure if that's even technically
possible. A workaround might be for us to expose some API to set it -
but exposing such internal details is also quite horrible.
>
>
>> One possibility that springs to mind (which is also an ugly hack) is to
>> defer the val
use something ...
}
Please note that replacing "if" with "while" in mycallback() would make
the compiled code identical with myengine() but would not solve the
problem: Instead of the failed assertion, the callback would get into an
infinite loop...
The callback _relies_
lback execution, fetch the intermediate certificates,
> and then complete validation before happily returning to the
> SSL_connect() caller. Life is easy when you can use threads or block
> thousands of concurrent transactions!
I suspect this is the way most people do it.
> Wh
Hello,
TLDR: How can we pause the SSL_connect() progress and return to its
caller after the origin certificate is fetched/decrypted, but before
OpenSSL starts validating it (so that we can fetch the missing
intermediate certificates without threads or blocking I/O)?
ASYNC_pause_job() does not
> The second certificate seems garbaged at the 4th RDN of the
> issuerName.
> The Base64 edition might have added or deleted some characters.
Sorry, looks like my manual word wrapping lost a character:
-BEGIN CERTIFICATE-
MIIHbDCCBVSgAwIBAgIIO7L2MrGOOTMwDQYJKoZIhvcNAQELBQAwgYAxCzAJBgNV
On 2020-06-25 13:25, Hubert Kario wrote:
On Thursday, 25 June 2020 12:15:00 CEST, Angus Robertson - Magenta
Systems Ltd wrote:
A client is having problems reading Polish Centum issued personal
certificates with OpenSSL 1.1.1, which read OK with 1.1.0 and earlier,
mostly.
Using PEM_read_bio_X509
original certificates supplied by the end user
had unwrapped base64 blocks, lines 2,500 long. I wrapped them for
email.
If I try the asn1parse command on the wrapped certificates, they now
attempt to parse, the OK is fine, the bad one now gives an error
message from asn1parse
More information, the original certificates supplied by the end user
had unwrapped base64 blocks, lines 2,500 long. I wrapped them for
email.
If I try the asn1parse command on the wrapped certificates, they now
attempt to parse, the OK is fine, the bad one now gives an error
message from
On Thursday, 25 June 2020 12:15:00 CEST, Angus Robertson - Magenta Systems
Ltd wrote:
A client is having problems reading Polish Centum issued personal
certificates with OpenSSL 1.1.1, which read OK with 1.1.0 and earlier,
mostly.
Using PEM_read_bio_X509 with some of these certificates says
A client is having problems reading Polish Centum issued personal
certificates with OpenSSL 1.1.1, which read OK with 1.1.0 and earlier,
mostly.
Using PEM_read_bio_X509 with some of these certificates says
error::lib(0):func(0):reason(0), while the X509 command line
tool says 'unab
Subject: Enabling SSL Virtual Hosts on Apache Web Server and Installing Free
SSL Certificates on CentOS Web Panel Web Hosting Control Panel
Author: Mr. Turritopsis Dohrnii Teo En Ming, Singapore
Date: 1st Mar 2020, Sunday
EXTREMELY DETAILED INSTRUCTIONS OF TEO EN MING'S
On Fri, Feb 7, 2020 at 4:02 PM Michael Wojcik
wrote:
>
> > From: Michael Leone [mailto:tur...@mike-leone.com]
> > Sent: Friday, February 07, 2020 13:13
> >
> > I've got it almost all figured out, except how to get a subjectAltName
> > automatically populated by the CN of the requestor. My requests
> From: Michael Leone [mailto:tur...@mike-leone.com]
> Sent: Friday, February 07, 2020 13:13
>
> I've got it almost all figured out, except how to get a subjectAltName
> automatically populated by the CN of the requestor. My requests aren't
> asking for a SAN, but Chrome isn't happy without one, so
On Fri, Feb 7, 2020 at 3:08 PM Michael Wojcik
wrote:
>
> > From: Michael Leone [mailto:tur...@mike-leone.com]
> > Sent: Friday, February 07, 2020 11:55
> >
> > How is it that this works for everyone else, and not me? :-)
>
> It doesn't.
>
> I just reviewed this whole note stream, and realized you're
> From: Michael Leone [mailto:tur...@mike-leone.com]
> Sent: Friday, February 07, 2020 11:55
>
> How is it that this works for everyone else, and not me? :-)
It doesn't.
I just reviewed this whole note stream, and realized you're using "openssl req"
to create the certificate, rather than "openssl c
On Fri, Feb 7, 2020 at 1:46 PM Michael Leone wrote:
>
> On Fri, Feb 7, 2020 at 12:35 PM Michael Wojcik
> wrote:
> > Or copied using the copy_extensions option, as noted in the discussion of
> > that issue.
> >
> > In the OpenSSL configuration file used by "openssl ca", in the CA section
> > (th
On Fri, Feb 7, 2020 at 12:35 PM Michael Wojcik
wrote:
> Or copied using the copy_extensions option, as noted in the discussion of
> that issue.
>
> In the OpenSSL configuration file used by "openssl ca", in the CA section
> (that is, the section named by the default_ca option, or in the section
onably recent version of OpenSSL.
So:
1. Make sure your threat model allows copying extensions from CSRs to
certificates.
2. Make sure your CA configuration has "copy_extensions=copy" (or possibly
copyall, though use cases justifying that are less common).
3. Make sure the CSRs you're
I think the mismatch is that CSR extensions are not carried over; they have to
be added at signing time.
See https://github.com/openssl/openssl/issues/10458
On Fri, Feb 7, 2020 at 11:02 AM Sergio NNX wrote:
>
> This is the basics of OpenSSL!
>
> You would like to add extensions to a CSR or the problem arises when signing
> it?
Yes, when I sign, I get no extensions that are requested in the CSR.
Nor are any added, when I sign (requested or not).
> >
]" or perhaps "[ server_cert ]".
>
> > Nope, no key extensions in the generated cert, even when passing
> > "-extensions user_cert" on the CLI.
>
> > I'll keep plugging away, I guess.
>
> What's in the [user_cert] stanza?
This:
From: openssl-users on behalf of Michael
Leone
Sent: Saturday, 8 February 2020 2:01 AM
To: openssl-users@openssl.org
Subject: Re: Problems adding specific extensions to signed certificates
On Thu, Feb 6, 2020 at 5:45 PM Viktor Dukhovni
wrote:
>
> On Thu, F
> certificate. But I don't want to have to use an addon file, I want to
> > add parameters to all signed certificates.
>
> The documentation of x509(1) which you're using with "-req" as a
> mini-CA, states explicitly:
>
>-extfile filename
>
On Fri, Feb 7, 2020 at 8:54 AM Michael Leone wrote:
> Thanks, tho, I did learn a thing or two. I see from this example
>
> openssl req -config $cfgdir/openssl-root.cnf $passin \
> -set_serial 0x$(openssl rand -hex $sn)\
> -keyform $format -outform $format\
> -key $rootca/private/ca.
ficate. But I don't want to have to use an addon file, I want to
> > add parameters to all signed certificates.
>
> The documentation of x509(1) which you're using with "-req" as a
> mini-CA, states explicitly:
>
>-extfile filename
>
parameters to all signed certificates.
The documentation of x509(1) which you're using with "-req" as a
mini-CA, states explicitly:
-extfile filename
File containing certificate extensions to use. If not specified
then no extensions are added to the
.
Oh, I can add extensions by signing and using the -extfile option, and
specifying a file with the specific options I want to give the
certificate. But I don't want to have to use an addon file, I want to
add parameters to all signed certificates.
keyUsage=digitalSignature,keyEn
Viktor Dukhovni wrote:
> On Tue, Jun 25, 2019 at 10:38:50AM -0400, Michael Richardson wrote:
>> openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 \
>> -nodes -subj "/CN=${ULA_HOSTNAME}" \
>> -keyout ${KEY_NAME}.key -out ${KEY_NAME}.csr -outform DER \
>> -reqex
> affected this? Made it work before. My impression is that 1.0.x did *not*
> support ECDSA certificates, yet it seemed to generate CSRs, just does not
> put in the
> right OIDs in the public parts such that it is recognized by others.
> ***
OpenSSL 1.0.2 has reasonably complete ECDS
t think about the version that there)
***
My question is: is there some build options that I can't see that might have
affected this? Made it work before. My impression is that 1.0.x did *not*
support ECDSA certificates, yet it seemed to generate CSRs, just does not put
in the
right
root:root, chmod 400. And ideally your Root CA files should not be
hosted on your web server, otherwise a server compromise also
compromises your root authority.
https://redmine.lighttpd.net/projects/1/wiki/docs_ssl
Permissions
Be careful to keep your .pem file private! Lighttpd reads all pemfiles
Hi - I created a question on Super User about questions on file permissions and
what the file permissions should be on created files. See link here:
https://superuser.com/questions/1368747/file-permissions-for-openssl-created-files-for-https-web-server-lighttpd
Could someone comment on what file
Dear all,
I have been trying to verify hardware attestation certificates originating
from different Android phones with the OpenSSL tool. There seems to be not
too much information about how are these supposed to work. With OpenSSL I'm
getting mixed results.
Android developer spe
> On Sep 22, 2018, at 8:28 AM, Carsten wrote:
>
> I can sign certificate requests successfully, BUT
> if the request contains SAN attributes (subjectalternatenames) they are
> ignored -not visible in the signed certificate.
>
> I found many examples how to create a SAN-Certificate using t
Hi list,
this is about setting up a certificate authority to sign incoming
(foreign) certificate requests.
I have installed
/var/caintermed # openssl version -a
OpenSSL 1.1.2-dev xx XXX
built on: Fri Sep 21 10:19:51 2018 UTC
platform: linux-armv4
opti
nything you want to pass to
SSL_CTX_set_client_CA_list(3)
See the docs. Some clients (IIRC Java's TLS stack) don't send any
client certificates unless the server solicits a certificate from
a matching CA, and leaving the list empty may not work for such
clients.
--
Viktor.
> > On Sep 11, 2018, at 2:09 AM, Armen Babikyan
> wrote:
> >
> > I have a question regarding openssl and verification of client
> certificates. Is there a way to have an openssl-enabled server ask for a
> client certificate, and when it receives one it can't veri
> On Sep 11, 2018, at 2:09 AM, Armen Babikyan wrote:
>
> I have a question regarding openssl and verification of client certificates.
> Is there a way to have an openssl-enabled server ask for a client
> certificate, and when it receives one it can't verify, rather
Hello,
I have a question regarding openssl and verification of client
certificates. Is there a way to have an openssl-enabled server ask for a
client certificate, and when it receives one it can't verify, rather than
immediately terminating the handshake, it would allow the connection, but
Hi,
On 13 October 2017 at 12:03, lists wrote:
> On 10/10/2017 05:40 PM, Jorge Novo wrote:
>
> As most of us know, the Google Chrome Navigator ask about Subject
> Alternative Name instead the Common Name.
>
> I want to distribute a little *openssl.cnf* file for creation the CSR
> files with my
On 10/10/2017 05:40 PM, Jorge Novo wrote:
Hi everyone,
As most of us know, the Google Chrome Navigator ask about Subject
Alternative Name instead the Common Name.
I want to distribute a little /openssl.cnf/ file for creation the CSR
files with my specific values and establish the Subject A
Hi everyone,
As most of us know, the Google Chrome Navigator ask about Subject
Alternative Name instead the Common Name.
I want to distribute a little *openssl.cnf* file for creation the CSR files
with my specific values and establish the Subject Alternative Name = Common
Name. I want to ask ab
/legacy-settings
allows the reading of Md5 Client certificates (which are still being
installed in "not released yet" phones)
I am almost concerned this is being done intentionally to meet some
security downgrade requirement. I the more reason to only use this cert
to bootstrap yo
Hi
thanks for all the comments and suggestions, especially the ones I could
understand
centos 7
yum upgrade
openssl version gives:
OpenSSL 1.0.2k-fips 26 Jan 2017
it looks like
echo 'LegacySigningMDs md5' >> /etc/pki/tls/legacy-settings
allows the reading of Md5 Cli
> From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf
> Of Jeffrey Walton
> Sent: Wednesday, September 27, 2017 13:15
> To: OpenSSL Users
> Subject: Re: [openssl-users] Hardware client certificates moving to Centos 7
>
> >
> > Heck, MD4 and MDC
On 09/27/2017 10:10 PM, Michael Wojcik wrote:
> On Behalf Of Jochen Bern
> Sent: Wednesday, September 27, 2017 06:51
>> I don't know offhand which OpenSSL versions did away with MD5, but you
>> *can* install an 0.9.8e (+ RHEL/CentOS backported security patches)
>> straight off CentOS 7 repos
>
> U
has GOST, MD4,
> MD5, MDC2, RIPEMD-60, SHA, SHA1, SHA-2 (all standard lengths), and
> Whirlpool.
>
> Some of those algorithms may still be needed for some use cases. For
> example, Apple still ships (or used to ship until recently) some
> certificates that use MD2. They were present
iguration, I believe. I'm looking at 1.0.2j here and it has GOST, MD4,
> MD5, MDC2, RIPEMD-60, SHA, SHA1, SHA-2 (all standard lengths), and Whirlpool.
Some of those algorithms may still be needed for some use cases. For
example, Apple still ships (or used to ship until recently) some
certifica
rs@openssl.org
> > Subject: Re: [openssl-users] Hardware client certificates moving to
> Centos 7
> >
> > I don't know offhand which OpenSSL versions did away with MD5, but you
> > *can* install an 0.9.8e (+ RHEL/CentOS backported security patches)
> > straight o
> From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf
> Of Jochen Bern
> Sent: Wednesday, September 27, 2017 06:51
> To: openssl-users@openssl.org
> Subject: Re: [openssl-users] Hardware client certificates moving to Centos 7
>
> I don't know offh
On 09/27/2017 02:07 PM, Stuart Marsden wrote:
> Is there a way I can install a version of openssl on a dedicated standalone
> Centos 7 server which will support these phones?
> That would be preferable to me than having to leave Centos 6 servers just
> for this
I don't know offhand which OpenSSL
On 09/27/2017 08:07 AM, Stuart Marsden wrote:
Hi
I think I know what you are going to say - MD5?
Lots of problems with that cert. If you have some connection with the
vendor, have them read IEEE 802.1AR-2009 standard for Device Identity
credentials. You will be supporting this phone diff
Hi
I think I know what you are going to say - MD5?
I ran openssl s_server -verify , then ran the x509 command as you suggested
using the captured client certificate
This phone model has only just gone into production, and I am using a "preview
version" of the hardware
Is there a way I can in
On 09/26/2017 08:04 PM, Kyle Hamilton wrote:
openssl x509 -noout -text -in clientcertificate.pem
You may need to extract the client certificate from wireshark, but you
could also get it from openssl s_server.
Specifically, that error message is suggesting that there's a message
digest encoded
openssl x509 -noout -text -in clientcertificate.pem
You may need to extract the client certificate from wireshark, but you
could also get it from openssl s_server.
Specifically, that error message is suggesting that there's a message
digest encoded into the certificate which is unknown to the tru
On 09/26/2017 11:26 AM, Stuart Marsden wrote:
Hi
I have Centos/Apache servers for securely provisioning IP phones using hardware
client certificates embedded in the phones.
for this test I have allowed all protocols and ciphers
on Centos 6 this works fine, the rpms are:
openssl098e-0.9.8e
Sorry how can I tell ?
I can run a wireshark if necessary
thanks
> On 26 Sep 2017, at 16:36, Wouter Verhelst wrote:
>
> On 26-09-17 17:26, Stuart Marsden wrote:
>> [ssl:info] [pid 1611] SSL Library Error: error:0D0C50A1:asn1 encoding
>> routines:ASN1_item_verify:unknown message digest algori
On 26-09-17 17:26, Stuart Marsden wrote:
> [ssl:info] [pid 1611] SSL Library Error: error:0D0C50A1:asn1 encoding
> routines:ASN1_item_verify:unknown message digest algorithm
So which message digest algorithm is the client trying to use?
--
Wouter Verhelst
Hi
I have Centos/Apache servers for securely provisioning IP phones using hardware
client certificates embedded in the phones.
for this test I have allowed all protocols and ciphers
on Centos 6 this works fine, the rpms are:
openssl098e-0.9.8e-20.el6.centos.1.x86_64
openssl-1.0.1e-57.el6
I'm creating X509 certificate requests and certificates in code, trying
to add X509v3 Subject Alternative Name, with 1.1.0f.
But if I add a list of four domains, ie:
www1.mydomain
www2.mydomain
www3.mydomain
www4.mydomain
The certificate seems to ignore some and repeat others:
X
DN, but does not place matching distinct subject key identifiers
> in the certificates it issues, then OpenSSL will not correctly handle
> multiple candidate issuers that differ in the public key, but provide
> no hints in the issued certificates which issuer to use.
>
> I'm not fami
On 9/20/2017 2:25 PM, Viktor Dukhovni wrote:
>> On Sep 20, 2017, at 12:33 PM, Jordan Brown
>> wrote:
>>
>> Q: Does OpenSSL's trust-list verification support trusting multiple
>> certificates with the same subject name and overlapping validity periods?
> On Sep 20, 2017, at 12:33 PM, Jordan Brown
> wrote:
>
> Q: Does OpenSSL's trust-list verification support trusting multiple
> certificates with the same subject name and overlapping validity periods?
>
> In more detail:
>
> We have customers who issue r
On 9/20/2017 10:28 AM, Walter H. via openssl-users wrote:
> On 20.09.2017 18:33, Jordan Brown wrote:
>>
>> Q: Does OpenSSL's trust-list verification support trusting multiple
>> certificates with the same subject name and overlapping validity periods?
>>
> do
On 20.09.2017 18:33, Jordan Brown wrote:
Q: Does OpenSSL's trust-list verification support trusting multiple
certificates with the same subject name and overlapping validity periods?
do these replacement certificates have the same serial number and the
same private key?
Q: Does OpenSSL's trust-list verification support trusting multiple
certificates with the same subject name and overlapping validity periods?
In more detail:
We have customers who issue replacement certificates with the same
subject name and different validity periods. We'd like to
On 09/13/2017 09:31 AM, Michael Richardson wrote:
Robert Moskowitz wrote:
> The devices never test out the lifetime of their certs. That is up to
Exactly...
(Do you think about the MacGyver/StarTrek/A-Team/Leverage/MissionImpossible
plot line that goes along with each engineering decisio
> Le 13 sept. 2017 à 17:08, Michael Wojcik a
> écrit :
>
>> From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf
>> Of Michael Richardson
>> Sent: Wednesday, September 13, 2017 09:32
>>
>> I suspect that the value: literal value 1231235959Z will simply come to
>> mean "
certificates, the best you can do is put a
very large value in the notAfter field. Some software may have issues around
32bit representation of classic Unix time_t and therefore have problems with
times greater than 2038; OpenSSL does not have those problems.
The OpenSSL command-line tools do not
> From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf
> Of Michael Richardson
> Sent: Wednesday, September 13, 2017 09:32
>
> I suspect that the value: literal value 1231235959Z will simply come to
> mean "the end of time", even after the year 10,000. It has a well known
>
An X509v3 certificate has “notBefore” and “notAfter” fields. If either of
those is not present, then it is not an X509v3 certificate. The time marked by
those fields is the validity period.
If you want “never expires” X509v3 certificates, the best you can do is put a
very large value in the
Robert Moskowitz wrote:
> The devices never test out the lifetime of their certs. That is up to
Exactly...
(Do you think about the MacGyver/StarTrek/A-Team/Leverage/MissionImpossible
plot line that goes along with each engineering decision?...)
> validating servers. And the iDevID is no