> From: edr
> Sent: Friday, 11 March, 2022 03:59
>
> On 10.03.2022 20:27, Michael Wojcik wrote:
> > Personally, I'd be leery of using openssl ca for anything other than
> dev/test purposes, in which case frequent CRL generation seems unlikely to
> be a requirement.
also CAs failed to generate the certs and CRLs correctly. :-/
>
That is a very good point you are making - thank you for this input.
On 10.03.2022 20:27, Michael Wojcik wrote:
> Personally, I'd be leery of using openssl ca for anything other than dev/test
> purposes, in which ca
ally, I'd be leery of using openssl ca for anything other than dev/test
purposes, in which case frequent CRL generation seems unlikely to be a
requirement. AIUI, openssl ca isn't really intended for production use.
> It's a pity that there is not something like an OpenSSL key age
On 3/10/22 14:06, edr dr wrote:
I would like to be able to automate the process of updating CRLs in
order to be able to keep the CRL validity time short.
Understandable.
At the same time, I do not want to store passwords used for
certificate creation in cleartext anywhere.
It's a pity that the
Dear all,
I am building a private PKI using the openssl "ca" functionality.
My setup includes a root CA that issues intermediate certificates and
intermediate CAs issuing endpoint certificates.
I would like to be able to automate the process of updating CRLs in order to be
able to ke
Hi Michael,
On 28/04/2020 15:21, Michael Wojcik wrote:
From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf Of
tincanteksup
Sent: Tuesday, April 28, 2020 07:02
[tct@arch-hyv-live-64 pki]$ openssl ca -verbose -config safessl-easyrsa.cnf
-keyfile private/ca.key -cert
> From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf Of
> tincanteksup
> Sent: Tuesday, April 28, 2020 07:02
> [tct@arch-hyv-live-64 pki]$ openssl ca -verbose -config safessl-easyrsa.cnf
> -keyfile private/ca.key -cert ca.crt -status $serial_number
>
>
Greetings openssl users,
I'm a long time lurker..
I am trying to use 'openssl ca' command to verify the status of a
certificate
by serial number only. I can successfully complete this task, however, the
'openssl ca' command always returns an error on completion.
I m
ins: a more verbose error message would have made the
problem with the setup much clearer!
regards,
Erich
On Wed, 4 Dec 2019, Erich Eckner wrote:
Hi,
I'm trying to sign a csr by running
`CA=signing-ca openssl ca -verbose -config /etc/simple-pki/ca-ssl.conf -name
signing_ca
Hi,
I'm trying to sign a csr by running
`CA=signing-ca openssl ca -verbose -config /etc/simple-pki/ca-ssl.conf -name
signing_ca -in /tmp/tmp.Qz3EoKa0S4/fileserver-lo.ddns.eckner.net.csr -out
/tmp/tmp.Qz3EoKa0S4/fileserver-lo.ddns.eckner.ne
> used as I showed.
> >
> > -key has a different meaning for openssl ca than for openssl req, so
> > my PIN was my -key argument. It got my keyfile from the openssl conf
> > file.
>
> And this is precisely why you're not an idiot. We're not consistent
> betw
In message
on Tue, 16 Oct 2018 10:34:31 +0200, Peter Magnusson
said:
> Sorry, I am an idiot =)
No you're not.
> Problem resolved, user error. -key was the problem and should not be
> used as I showed.
>
> -key has a different meaning for openssl ca than for openssl req
Sorry, I am an idiot =)
Problem resolved, user error. -key was the problem and should not be
used as I showed.
-key has a different meaning for openssl ca than for openssl req, so
my PIN was my -key argument. It got my keyfile from the openssl conf
file.
On Tue, Oct 16, 2018 at 10:23 AM Richard
I'm curious about this error line from the 'openssl ca' output:
> 140735853761408:error:28078064:UI routines:UI_set_result_ex:result too
> large:crypto/ui/ui_lib.c:910:You must type in 4 to 32 characters
It should be interesting to try and figure out what pass phrased wa
'm trying to understand how to make "openssl ca" prompt for a PKCS#11
> login pin. Version is openssl-1.1.1.
>
> openssl req works as I would expect, prompting for PIN:
>
> YUBIHSM_PKCS11_CONF=yubihsm2-pkcs11.conf \
> local-build/bin/openssl \
> req -config yubi
Hi,
I'm trying to understand how to make "openssl ca" prompt for a PKCS#11
login pin. Version is openssl-1.1.1.
openssl req works as I would expect, prompting for PIN:
YUBIHSM_PKCS11_CONF=yubihsm2-pkcs11.conf \
local-build/bin/openssl \
req -config yubihsm2-openssl.conf -new \
-outform in the following is invalid:
openssl ca -outform $format -config $cadir/openssl-root.cnf -extensions
v3_intermediate_ca\
-keyform $format -days 3650 -notext -md sha256 \
-in $dir/csr/intermediate.csr.$format -out
$dir/certs/intermediate.cert.$format
where format=der
On 08/21/2017 01:41 PM, Jeffrey Walton wrote:
openssl req -outform $format -config $cadir/openssl-root.cnf -set_serial
0x$(openssl rand -hex $sn)\
-inform $format -key private/ca.key.$format -subj "$DN"\
-new -x509 -days 7300 -sha256 -extensions v3_ca -out
certs/ca.cert.$format
u
> openssl req -outform $format -config $cadir/openssl-root.cnf -set_serial
> 0x$(openssl rand -hex $sn)\
> -inform $format -key private/ca.key.$format -subj "$DN"\
> -new -x509 -days 7300 -sha256 -extensions v3_ca -out
> certs/ca.cert.$format
>
> unable to load Private Key
> 14049243077
format=der
openssl pkey -inform $format -in private/ca.key.$format -text -noout
Private-Key: (256 bit)
priv:
48:b3:4e:c5:0a:0c:af:78:b9:a2:d4:b8:7e:18:78:
f2:39:9c:77:51:a3:1c:6f:df:31:20:e3:e4:9a:52:
3d:06
pub:
04:ce:ff:5d:d4:c7:b6:9c:c2:31:d9:38:fe:2b:9c:
70:3a:fd:22:6d:97:
Jakob Bohm wrote:
> On 1/7/2014 12:17 AM, Biondo, Brandon A. wrote:
>> I am using ‘ca’ not ‘x509’. It too ignores/discards extensions. Turning
>> on copy_extensions solved the issue though, thanks. I have some
>> follow-up questions:
>>
>> 1.If including SANs in CSRs is non-standard, what is the ac
Brandon A.
Sent: Monday, January 06, 2014 18:18
To: openssl-users@openssl.org
Subject: RE: OpenSSL CA and signing certs with SANs
I am using 'ca' not 'x509'. It too ignores/discards extensions. Turning on
copy_extensions solved the issue though, thanks. I have some follow-up
q
those specific SANs, as well as any other
unusual extensions.
*From:*owner-openssl-us...@openssl.org
[mailto:owner-openssl-us...@openssl.org] *On Behalf Of *Dave Thompson
*Sent:* Monday, January 06, 2014 5:38 PM
*To:* openssl-users@openssl.org
*Subject:* RE: OpenSSL CA and signing certs with SANs
You might want to ask the CAcert folks what they do. I generate certs
thru them with SANs all the time.
--
Harlan Stenn
http://networktimefoundation.org - be a member!
__
OpenSSL Project http://
icate?
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org]
On Behalf Of Dave Thompson
Sent: Monday, January 06, 2014 5:38 PM
To: openssl-users@openssl.org
Subject: RE: OpenSSL CA and signing certs with SANs
It is debatable whether putting SAN in the request is really '
On Mon, Jan 06, 2014 at 09:16:16PM +, Biondo, Brandon A. wrote:
> I am having trouble tracking down information regarding how you
> reconfigure an OpenSSL CA to handle SANs in requests. When you use
> an OpenSSL CA to sign this type of request, the certificate is made
> without i
'?
The latter is IME much more common.
From: owner-openssl-us...@openssl.org
[mailto:owner-openssl-us...@openssl.org] On Behalf Of Biondo, Brandon A.
Sent: Monday, January 06, 2014 16:16
To: openssl-users@openssl.org
Subject: OpenSSL CA and signing certs with SANs
Hello,
Forgive
Hello,
Forgive me if I breach etiquette. This is my first post to this list in quite a
while.
I am having trouble tracking down information regarding how you reconfigure an
OpenSSL CA to handle SANs in requests. There is a wealth of information on how
to configure OpenSSL to form a proper
On 28 Oct 2013, at 11:56, redpath wrote:
> I would like to know why the openssl CA command to revoke a cert
> (myfiletorevoke)
> needs the CA cert other than the cert I want to revoke.
>
> openssl ca -revoke myfiletorevoke -keyfile cakey -cert cacert -passin
> pass:CApas
On 28.10.2013, at 11:56, redpath wrote:
> I would like to know why the openssl CA command to revoke a cert
> (myfiletorevoke)
> needs the CA cert other than the cert I want to revoke.
This is to prove the authority of the operator.
> openssl ca -revoke myfiletorevoke -keyfile
I would like to know why the openssl CA command to revoke a cert
(myfiletorevoke)
needs the CA cert other than the cert I want to revoke.
openssl ca -revoke myfiletorevoke -keyfile cakey -cert cacert -passin
pass:CApass -config myconfig
I noticed that the command does not modify the cert I
.
Ensuring only one program at a time uses the "openssl ca" files is your job,
it is not part of the sample code.
The easiest way is to *copy* for any OCSP responder you run, and to do all
the other operations only when you (as the CA administrator) want to, one
command (or script) at a
used to secure store keys, but of course I need something to
manage expiration of keys
auto-magically.
On 19.07.2013, at 22:33, redpath wrote:
> The command
>
> openssl ca -revoke ./demoCA/newcerts/1008.pem -config myconfig.cnf -passin
> pass:password
>
> seems to just update a database, the 1008.pem is not touched.
> Can someone tell me what this command really does for
The command
openssl ca -revoke ./demoCA/newcerts/1008.pem -config myconfig.cnf -passin
pass:password
seems to just update a database, the 1008.pem is not touched.
Can someone tell me what this command really does for revocation.
Also why keep a list of revoked certs, just delete them and if not
All ,
What would the default_ca section look like while using LunaCA3 HSM for
storing CA private key. Openssl looks for certificate and private_key on disk -
how do i make openssl ca routine aware of private keys on the HSM ( LunaCA3 )
Thanks.
- Simon Charles -
>From: owner-openssl-us...@openssl.org On Behalf Of James Burton
>Sent: Tuesday, 18 September, 2012 15:15
>Can you tell me what I am doing wrong? I am building a Windows application
>(.exe)
>and I got this error:
>ign>cl.exe sign.c
>Microsoft (R) C/C++ Optimizing Compiler Version 17.00.50727.1 for
Hello
Can you tell me what I am doing wrong? I am building a Windows application (.exe)
and I got this error:
ign>cl.exe sign.c
Microsoft (R) C/C++ Optimizing Compiler Version 17.00.50727.1 for x64
Copyright (C) Microsoft Corporation. All rights reserved.
sign.c
Microsoft (R) Incremen
> From: owner-openssl-us...@openssl.org On Behalf Of Pica Pica Contact
> Sent: Monday, 30 July, 2012 13:47
> Look at this example:
> This certificate was signed by "openssl ca" without changing subject,
> and "openssl req" did not use BMPString and UCS-2
On Sun, Jul 29, 2012, Dave Thompson wrote:
>
> Note that X.509 certs (and ASN.1 generally) don't actually support
> UTF8. They support several 1-byte codes (some now obsolete), BMPString
> which is 2-byte UCS-2, and UniversalString which is 4-byte UCS-4.
> I believe OpenSSL selects the smallest
signed by "openssl ca" without changing subject,
and "openssl req" did not use BMPString and UCS-2 in this case. CN string
contains Georgian letters but numbers are in ASCII so it is UTF-8 in fact.
So why "openssl ca" decides to use BMPString format? Looks like 1-
...
>
> Subject:
> CN=#003300300030003000300023044204350441044210e210d410e110e24e2d56fd
> ...skipped...
>
That apparently is dumping the UCS-2 bytes. Compare to above.
> There are no such problems in "openssl req", I can set UTF8
> strings with numbers in
My application uses X.509 certificates with commonName field set to following
format:
number#UserName,
for example
12345#JohnSmith
Everything is ok when UserName is in ascii, but when I sign new certificates
using this command, for example:
openssl ca -config ca_config.txt -subj "
Hi Folks,
what is the difference between the ca options
-key mypassword
and
-passin pass:mypassword ?
Is there any difference at all (or any guideline which to use when)?
Thanks in advance ...
client side certificates with:
> openssl ca -passin pass:$ROOTCAPASS -batch -config openssl.cnf
> -days 365 -keyfile private/root-ca-key.pem -cert root-ca-crt.pem -in
> person/$1/$1-req.pem -out person/$1/$1-crt.pem
>
> Only to find out that email address was getting stripped out
Is there a doc somewhere that explains the differences between ca and x509 ?
I was signing client side certificates with:
openssl ca -passin pass:$ROOTCAPASS -batch -config openssl.cnf
-days 365 -keyfile private/root-ca-key.pem -cert root-ca-crt.pem -in
person/$1/$1-req.pem -out person/$1
Hi Steve,
> -Original Message-
> From: Dr. Stephen Henson
>
> On Wed, Aug 11, 2010, Eisenacher, Patrick wrote:
>
> > Hi,
> >
> > I can make openssl's ca tool issue certificates with the
> subject's dname encoded as UTF8String for requests with UTF-8
> encoded subject dnames. However, when
On Wed, Aug 11, 2010, Eisenacher, Patrick wrote:
> Hi,
>
> I can make openssl's ca tool issue certificates with the subject's dname
> encoded as UTF8String for requests with UTF-8 encoded subject dnames.
> However, when I change the subject via the -subj commandline option, I can't
> seem to g
Hi,
I can make openssl's ca tool issue certificates with the subject's dname
encoded as UTF8String for requests with UTF-8 encoded subject dnames. However,
when I change the subject via the -subj commandline option, I can't seem to get
a certificate with a UTF-8 encoded subject dname.
Here's w
No...
I may have been unclear: I was referring to the '-infiles' switch to the
openssl ca command, as referenced in the docs. This switch exists, ostensibly,
to sign multiple CSRs as a batch.
My point was only that, despite the stated constraint:
' if present this sho
er, wait. Lemme check something.
-inform PEM -in [filename].csr -days 1095 -out [filename].crt -config
../openssl.cnf
-Kyle H
On Sun, Apr 25, 2010 at 6:26 PM, Lou Picciano wrote:
> We've run into an interesting - apparently new? - behavior of the openssl ca
> command:
> I beli
The switch is -infile, not -infiles.
-Kyle H
On Sun, Apr 25, 2010 at 6:26 PM, Lou Picciano wrote:
> We've run into an interesting - apparently new? - behavior of the openssl ca
> command:
> I believe we've used the following command in the past (pre 1.0.0). (Don't
We've run into an interesting - apparently new? - behavior of the openssl ca
command:
I believe we've used the following command in the past (pre 1.0.0). (Don't know
why we were still using the -infiles option with a single input file -
something vestigial, no doubt; Nonet
ay for the type of certificate
> generated?
>
> What does your CA Certificate look like?
>
> If you want help setting up a CA that "just works" for most of these
> different
> kinds of certificates, you can grab our OpenSSL CA Setup guide
> (http://www.caril
n grab our OpenSSL CA Setup guide
(http://www.carillon.ca/library/openssl_testca_howto_1.2.pdf) - it's for the
more complex environment of CertiPath/US Federal Bridge interoperability, but
it gives you a good idea of what is required for the various profiles of
certificates to have them work
Hi Anton,
I don't know if my article can help you, but you can find what I wrote
here about OpenSSL CA and Thunderbird (I am sorry for my poor English)
here: http://www.homeworks.it/Html/OpenSSL_PKI_Articolo_Eng.html#InstEMailCert
Bye,
Alex
Anton Xuereb wrote:
Hi,
I'm
n grab our OpenSSL CA Setup guide
(http://www.carillon.ca/library/openssl_testca_howto_1.2.pdf) - it's for the
more complex environment of CertiPath/US Federal Bridge interoperability, but
it gives you a good idea of what is required for the various profiles of
certificates to have them work
nssl req -config openssl.my.cnf -new -x509 -extensions v3_ca -keyout
>> private/myca.key -out certs/myca.crt -days 1825
>>
>> I converted the request from DER to PEM format using:
>>
>> openssl req -in datareq.p10 -inform der -out datareq.csr
>>
>> In order t
509 -extensions v3_ca
-keyout private/myca.key -out certs/myca.crt -days 1825
I converted the request from DER to PEM format using:
openssl req -in datareq.p10 -inform der -out datareq.csr
In order to sign the request:
# openssl ca -config openssl.my.cnf -policy policy_anything -in
datareq.csr
req -in datareq.p10 -inform der -out datareq.csr
In order to sign the request:
# openssl ca -config openssl.my.cnf -policy policy_anything -in datareq.csr
I'm at a loss at the moment so any help would be appreciated.
Thanks ,
Anton
(I'm running nightly tests of openssl builds on
several dozens of platforms for few years now, and these tests each time
requests dozen of certificates from central test CA each run), you can
forget about more efficient backend than txtdb functions, used by
openssl ca if number of the
On 2009.10.19 at 13:35:32 -0700, John R Pierce wrote:
> Matthias Güntert wrote:
>> hello guys
>>
>> is anyone working on a replacement for the text based ca database? It
>> seems the database functions are defined in apps/ca.c and apps/apps.h,
>> at least for version 0.9.8k. wouldn't it be nice if
Matthias Güntert wrote:
hello guys
is anyone working on a replacement for the text based ca database? It
seems the database functions are defined in apps/ca.c and apps/apps.h,
at least for version 0.9.8k. wouldn't it be nice if we had something to
store the data in a relational db?
why? ther
hello guys
is anyone working on a replacement for the text based ca database? It
seems the database functions are defined in apps/ca.c and apps/apps.h,
at least for version 0.9.8k. wouldn't it be nice if we had something to
store the data in a relational db? is there something already out google
c
Thanks Bear, that did the trick!
On Mon, 18 Feb 2008, Bear Giles wrote:
Have you checked the conf file for the openssl ca? I haven't looked at it in
a long time, but I think you can specify whether an element is required or
optional
Have you checked the conf file for the openssl ca? I haven't looked at
it in a long time, but I think you can specify whether an element is
required or optional in it.
Bear
Josh wrote:
Howdy Folks,
I am trying to pretend to be a CA with OpenSSL. I have done this
before and gene
Howdy Folks,
I am trying to pretend to be a CA with OpenSSL. I have done this before and
generated certificates to use with private keys on Apache and IMAPs. However,
this time around, I need to pretend to be a CA that signs Tomcat certificates.
There is a minor problem. When I generate a
Hi everybody,
I'm using the openssl ca app to sign certificate requests. Often, I use
-subj to override the Subject supplied in the CSR. I have recently
encountered the following problem:
When combining -subj with -utf8 and I supply a UTF-8 String to -subj, like
this:
openssl ca -utf
2:32 PM
To: openssl-users@openssl.org
Subject: Custom CA vs Openssl CA
Are there any major advantages to using a third party packaged CA over
openssl's CA? The CA from openssl seems more than adequate for most
uses. A
concern I am hearing is developing an interface to openssl CA would be
Are there any major advantages to using a third party packaged CA over
openssl's CA? The CA from openssl seems more than adequate for most uses. A
concern I am hearing is developing an interface to openssl CA would be time
consuming and might have security issues. Is this a valid conce
hield HSM through CHIL
engine.
openssl ca command takes some arguments like:
$ openssl ca xxx xxx -engine chil -passin env:pwd
in the previous line the source of the password is the
environmental variable pwd.
i could see that in ca command source
openssl-0.9.7e/src/app/apps.c there are a c
te snap-in for the system. Then on the
openssl CA I created a key then request then signed
the request with the CA's key then created a PKCS12
file from the newly created server key and signed
certificate.
I carried the pkcs12 file over to the server and
imported it with the certificate snap-in f
Ray,
I've enabled LDAPS on AD before, but only using MS Certificate Services
configured as an Enterprise CA, so I haven't tried this myself, but
here's an article that might be useful:
http://support.microsoft.com/?id=321051
Jim
A very important adjunct to step 4 is getting the
private key associated with the certificate into
the server. If step 1 is done ON THE SERVER
COMPUTER and it is not reinitialized in the meantime
etc etc then in step 4 the association between the
certificate and key should be recognized. However,
Thanks for your input Rafeeq
Ok so maybe I should clarify the situation a bit
more. I have the official openssl O'Reilly book so I
didn't really need help using the openssl command
line. I have an ongoing and viable CA and have been
issuing certificates for authentication for some time
now.
My
On Mon, Feb 28, 2005, ray v wrote:
> I'm trying to get our domain controllers to make use
> of certificates generated by our openssl based CA. Is
> there documentation out there on how to make this work
> correctly? Any pointers would be appreciated!
>
> Requirements for making third-party certif
I'm trying to get our domain controllers to make use
of certificates generated by our openssl based CA. Is
there documentation out there on how to make this work
correctly? Any pointers would be appreciated!
Requirements for making third-party certificates work
http://support.microsoft.com/default
Thanks Doc. Worked a treat ;-)
regards
Andrew
On 10 Dec 2004, at 23:00, Dr. Stephen Henson wrote:
On Fri, Dec 10, 2004, Andrew M wrote:
hi,
I have just downloaded openssl ver 0.9.7e (OS X) and tried to initiate
the command to sign a cert:
openssl ca -config openssl.cnf -in unit-tests -server.csr
On Fri, Dec 10, 2004, Andrew M wrote:
> hi,
> I have just downloaded openssl ver 0.9.7e (OS X) and tried to initiate
> the command to sign a cert:
>
> openssl ca -config openssl.cnf -in unit-tests -server.csr -out
> unit-tests-server.pem
>
> On further investigation
what is the output of this command:
$ openssl version
./allan
Andrew M wrote:
hi,
I have just downloaded openssl ver 0.9.7e (OS X) and tried to initiate
the command to sign a cert:
openssl ca -config openssl.cnf -in unit-tests -server.csr -out
unit-tests-server.pem
On further investigation I
hi,
I have just downloaded openssl ver 0.9.7e (OS X) and tried to initiate
the command to sign a cert:
openssl ca -config openssl.cnf -in unit-tests -server.csr -out
unit-tests-server.pem
On further investigation I find that none of the required
folders/files/keystore exist which are required
* Dr. Stephen Henson <[EMAIL PROTECTED]> [041122 00:48]:
> Firstly you should note that nsCertType is largely obsolete now, the
> standard way to do things is with the extended key usage extension
> instead.
Can you recommend a good source to learn more about what must, should,
may be in certs? I
ail
>
> and that for a mail server client:
>
> nsCertType = server, email
>
> without using a different config file.
>
> Can I do this by overriding the default settings from the config file
> if I would pass the switch "client, email" or "server, emai
different config file.
Can I do this by overriding the default settings from the config file
if I would pass the switch "client, email" or "server, email" when I
call openssl?
In pseudocode:
# openssl ca -config ${conf} -days ${client_ttl} \
-policy policy_anything \
-ou
On Wed, 2003-12-17 at 05:02, Jon Barber wrote:
> Probably your best bet is OpenSCEP : http://openscep.othello.ch/ Having
> said that, openca looks very promising and has SCEP support in the CVS
> tree at the moment. OpenSCEP is quite lightweight & specific, whereas
> OpenCA is trying to be a ful
Does OpenSSL CA support/have CGI script?
If so, where is the location of cgi-bin script of OpenSSL CA.
Thank You.
Regards,
Sanborne
I dunno, I'm only about halfway through the Vesperman CVS book,
but when I used google to find openca and tried to find the
openca/openscep stuff I found that the HEAD version had been
removed from the archive, and that the versions in .attic
(:-) were merely half-page stubs.
Maybe I was at the wro
Peter Sylvester wrote:
Besides this, the protocol description itself demonstrates a very
interesting knowledge of HTTP. :-(
The hard coded URL cgi-bin/pkiclient.exe is not the worst part.
Which Cisco themselves seem to ignore. You can give an optional path to
the URL on the PIX, although it
Charles B Cranston wrote:
So, am I right that OpenSSL has the means to make these PKCS7 files
and the only new code development would be a network program to open
connections and send and receive the appropriate stuff?
Yes. The hardest part (and it isn't that hard) is assembling /
disassembling
> The projects I looked at that have SCEP are openca, ejbca and openscep.
> I also looked at Sun Certificate Server (now discontinued) and ended up
> using Microsoft Certificate Services on Win2000. RSA Keon CA supports
> SCEP, but I'm not rich enough to buy it.
>
I just remember that one pr
So, am I right that OpenSSL has the means to make these PKCS7 files
and the only new code development would be a network program to open
connections and send and receive the appropriate stuff?
I wonder if some of the code could be cribbed from some of those
projects. Are any of them open source :-)
Charles B Cranston wrote:
Sorry for my ignorance, could you post a reference to SCEP? What would
it take to manhandle a standard certificate into this format? Or is it
a lot more difficult than that?
SCEP is a standard proposed by Cisco (Simple Certificate Enrollment
Protocol) see http://www.ci
You are right, I am using PIX Firewall version 6.3.x.
If there's no way I can import a certificate to the pix firewall, do you know how can
I sign the pix certificate using OpenSSL CA with the Set Up I have.
It seems that the pix firewall can't communicate with the CA server.
When
Sorry for my ignorance, could you post a reference to SCEP? What would
it take to manhandle a standard certificate into this format? Or is it
a lot more difficult than that?
Jon Barber wrote:
[EMAIL PROTECTED] wrote:
I'm assuming you mean a Pix Firewall version 6.3.x. I don't think
there is a
w
[EMAIL PROTECTED] wrote:
I'm assuming you mean a Pix Firewall version 6.3.x. I don't think there is a
way to get a certificate onto a Pix, as the "ca" commands can only create
certificates.
The only way to get a cert is via SCEP. There are only a handful of CAs
that support SCEP, and no open
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> Sent: 16 December 2003 14:34
> To: [EMAIL PROTECTED]
> Subject: Sign PIX certificate using OpenSSL CA
>
>
> I would like to sign a certificate created by pix firewall
> using OpenSSL C
I would like to sign a certificate created by pix firewall using OpenSSL CA server.
My current set up is: the OpenSSL CA server is
Network 1-- Router -- PIX Firewall Network 2
(CA server) VPN tunnel
I have established VPN tunnel between
I have noticed that when signing SPKAC vs. a PKCS10 request, the
resulting -out is in a different format.
For example:
"openssl ca -in request.spkac -spkac -out cert1.file" results in a DER
file where
"openssl ca -in request.pkcs10 -out cert2.file" results in a PKCS
Dr. Stephen Henson wrote:
Try upper case: CN, DC etc.
Thanks, that did the trick.
Mike
Title: Segmentation fault after each use of openssl
ca
AIX 5, openssl version OpenSSL 0.9.7 31 Dec
2002
If i use for example
openssl ca -policy
policy_anything -out newcert.pem -infiles new.pem
(...)
1 out of 1 certificate requests certified,
commit? [y/n]y
Write out database with 1 new
1 - 100 of 141 matches