From: openssl-users [openssl-users-boun...@openssl.org] on behalf of Dmitry
Belyavsky [beld...@gmail.com]
Sent: Tuesday, March 19, 2019 21:09
To: openssl-users@openssl.org
Subject: Re: Howto prevent cycles in engine invocation ?
Hello Andreas,
I used smth like
===
RSA_METHOD my_rsa_meth
Hello Andreas,
I used smth like
===
RSA_METHOD my_rsa_method = {
"My RSA method",
0, /* pub_enc */
0, /* pub_dec */
0, /* priv_enc */
my_priv_dec, /* priv_dec */
0, /* rsa_mod_e
If you create a self-signed certificate, the signature algorithm will obviously
be that of the public key of the certificate. If you use an EC key, you can
only end up with an ecdsa-with* signature. If you want sha1WithRSAEncryption,
you need to create an RSA key. Or have your EC-certificate signed
On Thu, 4 Aug 2011, Dave Thompson wrote:
From: owner-openssl-us...@openssl.org On Behalf Of Alan Buxey
Sent: Thursday, 04 August, 2011 03:54
Thank you! But now I'm spending my time with another issue
with this: I
cannot create certificate longer than I month:
The server certificate was
> From: owner-openssl-us...@openssl.org On Behalf Of Alan Buxey
> Sent: Thursday, 04 August, 2011 03:54
> > Thank you! But now I'm spending my time with another issue
> with this: I
> > cannot create certificate longer than I month:
> > The server certificate was created by command:
> > ope
When you are creating a CA and issuing certificate you are building a PKI
(Public Key Infrastructure). In operating a PKI, you might want to
consider crafting a certification policy, specifying the process for
managing the lifecycle of your certificates, securing the CA's private key,
securing th
On Thu, 4 Aug 2011, Bernhard Fröhlich wrote:
On 04.08.2011 08:23, Tomas Macek wrote:
We have some web servers and I want to create self signed certificates for
them.
What do I want:
- I want to create my own certification authority keys and certificate,
that will be imported to all web b
On 04.08.2011 08:23, Tomas Macek wrote:
We have some web servers and I want to create self signed certificates
for them.
What do I want:
- I want to create my own certification authority keys and
certificate, that will be imported to all web browsers of our employees
- I want to create certi
On Thu, 4 Aug 2011, Alan Buxey wrote:
Hi,
Thank you! But now I'm spending my time with another issue with this: I
cannot create certificate longer than I month:
This is my CA certificate validity:
...
Not Before: Aug 3 10:07:14 2011 GMT
Not After : Aug 2 1
Hi,
> Thank you! But now I'm spending my time with another issue with this: I
> cannot create certificate longer than I month:
>
> This is my CA certificate validity:
> ...
> Not Before: Aug 3 10:07:14 2011 GMT
> Not After : Aug 2 10:07:14 2012 GMT
> ...
>
Thank you! But now I'm spending my time with another issue with this: I
cannot create certificate longer than I month:
This is my CA certificate validity:
...
Not Before: Aug 3 10:07:14 2011 GMT
Not After : Aug 2 10:07:14 2012 GMT
...
This is my server'
Everything seems to be fine, only for new installations it is recommended to use at least 2048 bit key and, at least some time ago, openssl used to default to MD5 for certificate signatures, check, if it is not the case.
Quoting Tomas Macek: We have some web servers and I want to create self signe
Hi There:
If you're looking for a cookbook, and want a fairly comprehensive explanation
of how all of the moving parts work:
http://www.carillon.ca/library/openssl_testca_howto_1.2.pdf
Have fun.
Patrick.
On August 19, 2009 07:18:39 am deblarinteln wrote:
> Hi Goetz, *,
>
> > There is the ma
Hi Goetz, *,
> There is the man page x509v3_config.
> It should contain the info you need.
> A hint: x509v3_config describes data found in the openssl.cnf file.
> So this data is used on creating a certificate / CSR...
well I have created a certificate with all necessary data. At least I think
deblarinteln wrote:
| Hi Goetz,
Hello deblarinteln,
| | It is called subjectAltName extension.
|
| would you mind telling me how and where I have to define the AltName(s) ?
There is the man page x509v3_config.
It should contain the info you need.
A
Hi Serge,
| Use a wildcard domain for your CN
| Unless each domain had a separate IP
| You need to specify *.mydaomin.tld as the CN
so, my CN entry should look like this, if I get you right:
*.mydomain.tld
and the subdomains would get then kinda automatically the certificate or will
I have to
Hi Goetz,
| It is called subjectAltName extension.
would you mind telling me how and where I have to define the AltName(s) ?
And still, how will I get my *.pem certificate converted into a .cer
certificate?
Thanks a lot
Niels
On 08/12/2009 09:50 AM, Goetz Babin-Ebell wrote:
deblarinteln wrote:
| Hi,
|
| well I have to create a certificate for our main domain as well as
for some
| subdomains.
|
| The structure will look pretty much like this:
|
| mydomain.tld
| mail.myd
Emerson Saito wrote:
| Is needed one certificate for each domain or subdomain.
| Uses like *.mydomain.tld is not recommended.
???
What do you want to say ?
If you have one system that serves several addresses
(like mydomain.tdl, mail.mydomain.tdl, ow
Is needed one certificate for each domain or subdomain.
Uses like *.mydomain.tld is not recommended.
2009/8/12 Goetz Babin-Ebell
> deblarinteln wrote:
> | Hi,
> |
> | well I have to create a certificate for our main domain as well as for
> some
deblarinteln wrote:
| Hi,
|
| well I have to create a certificate for our main domain as well as for some
| subdomains.
|
| The structure will look pretty much like this:
|
| mydomain.tld
| mail.mydomain.tld
| owa.mydomain.tld
It is called subjectAl
Hi,
>
> well I have to create a certificate for our main domain as well as for some
> subdomains.
Use a wildcard domain for your CN
Unless each domain had a separate IP
You need to specify *.mydaomin.tld as the CN
HTH
Regards,
Serge Fonville
Has anyone of you an idea how to get that done, so t
Thanks a lot!!!
> Date: Wed, 20 Feb 2008 09:18:18 +0100
> From: [EMAIL PROTECTED]
> To: openssl-users@openssl.org
> Subject: Re: Howto asume yes by default when generate a certificate..
>
> Francisco Javier wrote:
> > Hello, I am trying to generate a certificate using an
Francisco Javier wrote:
Hello, I am trying to generate a certificate using an external
application, but I need to automatically answer YES to the question
Sign the certificate? [y/n]:
exec("openssl ca -out certificados_usuarios/ALL/ALL_cert.pem -passin
pass:mipass -days 365 -infiles c
Thanks for this. I also found the Openssl perl module useful
(http://search.cpan.org/dist/Crypt-OpenSSL-RSA/RSA.pm) as it has a
function new_key_from_parameters which uses the rsa components to
generate a key.
Dr. Stephen Henson wrote:
On Wed, Apr 11, 2007, Iain Pople wrote:
Hi,
I am tryin
On Wed, Apr 11, 2007, Iain Pople wrote:
> Hi,
>
> I am trying to replace a legacy system with openssl. The legacy system
> used RSA keys but stored them in its own format. I can extract the RSA
> components but I'm not sure how to generate a PEM formatted RSA key.
> What is the easiest way to
Hello,
> I am trying to replace a legacy system with openssl. The legacy system
> used RSA keys but stored them in its own format. I can extract the RSA
> components but I'm not sure how to generate a PEM formatted RSA key.
> What is the easiest way to do this? Can the command line tools do it,
On Sat, Mar 17, 2007 at 05:08:06PM -0400, Greg Martin wrote:
> Try this:
> openssl x509 -in filename.pem -text -noout
>
> You should see an issuer: statement that talks about the CA.
>
Rather depends on what the OP meant by "verify", and what context
this is to be performed.
--
Viktor
Try this:
openssl x509 -in filename.pem -text -noout
You should see an issuer: statement that talks about the CA.
\\Greg
Jamie F. wrote:
Hi all,
I have a bit strange Q: i've created a self-signed certificate (first
i created a CA (root certificate) then created another certificate
from it l
John Mok wrote:
> As the number of PCs are many, it is too difficult, if not impossible,
> to install the self-signed certificates of both rootCA1 and rootCA2 as
> trusted root CAs on every PCs.
>
> Is there any better way that to cross-certify both rootCA1 and rootCA2,
> such that the machines wi
Note: forwarded message attached.
--- Begin Message ---
It works now! I have successfully sent an email using
smtp.gmail.com
as for auth login plain,
Serge wrote:
Wow! that was fast answer from this mailing list! Thanks a lot!
it works for the connection, I can say EHLO, and it answer, now, what
is the rest of sending an email using ssl/tls as gmail ask for
STARTTLS command which I send (I learned that by using telnet). But it
answer unrecong
Wow! that was fast answer from this mailing list! Thanks a lot!
it works for the connection, I can say EHLO, and it answer, now, what is the rest of sending an email using ssl/tls as gmail ask for STARTTLS command which I send (I learned that by using telnet). But it answer unrecognized command? S
Serge wrote:
So far, I have tried with ssl functions, then with BIO functions but
without success. I have search an answer or documents explaining how
to do that but not found.
Here's what I do with ssl:
SSL *ssl;
SSL_CTX *ctx;
void __fastcall TForm1::Button1Click(TObject *Sender)
{
char rep
On Wed, Dec 31, 2003, Christian Weber wrote:
> Dear OpenSSL user,
>
> does anybody have a hint how to add a signed attribute during signing
> with smime? Further: which OID should be taken to add an attribute like
> "signed on behalf of..." or "representing (a function)".
>
You need to use the lo
Hi,
I have written this patch to be used with a hardware Crypto PKCS#11
accelerator
which can store keys. It is used in my company in TrustWay SSL accelerator
and,
TrustWay Apache-SSL accelerator with the Bull PCI CC2000 HSM.
Our HSM doesn't require C_Login. I believe that call to C_Login is mandat
Please check www.tldp.org SSL Certificates HOWTO
Cheers.
On Mon, 2002-12-30 at 15:15, William Michael Grim wrote:
Hi there, I just signed up for openssl-users today because I was going to
ask a question but then think I figured out what I needed to figure out.
Anyway, I created a HO
To avoid this, you must:
1) remove the passphrase from the certificate
or
2) write a script to feed the passphrase at startup
This is in the FAQ: http://www.modssl.org/docs/2.8/ssl_faq.html#ToC31
rgds,
Owen Boyle
>-Original Message-
>From: fabien POILLIOT [mailto:fabien.POILLIOT@;orac
Check out the Securing and Optimizing Linux Guide on www.linuxdoc.org.
There are detailed description, needs minor correction, to generate your own
certificate.
Good luck for you.
Liguo (Leo)
Alexey S. Poluntchenko wrote:
> using openssl X509 api ?
> mb any examples exist ?
>
> thanks
There r no such a directory exists. I saw the selfsign.c in demos but it
throws an exception (access violation) in callback function when dumping to
console (PEM_write_X509 & X509_write_fp). whats the problem?
thanks in advance
> On Mon, Sep 23, 2002 at 03:19:29PM +0400, Alexey S. Poluntchenko w
On Mon, Sep 23, 2002 at 03:19:29PM +0400, Alexey S. Poluntchenko wrote:
> using openssl X509 api ?
> mb any examples exist ?
openssl-0.9.6g/demos/x509/*
regards
christian
>
> thanks
Francois Guerry wrote:
> I do not think that you can use every nCipher key with OpenSSL.
> You must build the key pair with a nCipher command (generatekey or keysafe)
> with the option "application" = embed (see nCipher documentation).
For OpenSSL Engine the application is hwcrhk...
> The priv
I do not think that you can use every nCipher key with OpenSSL.
You must build the key pair with a nCipher command (generatekey or keysafe)
with the option "application" = embed (see nCipher documentation).
The private key is stored in the HSM module, but you will have :
- a private key file which
If the private key is given away, the certificate is useless, and does not protect anything it signs.
As you seem very smart, how do you renew a certificate with openssl when you are a CA?
Cheers.
On 02 Nov 2001 09:33:19 -0800, Michael Sierchio wrote:
> > Franck Martin wrote:
> >
> > I ag
> Franck Martin wrote:
>
> I agree with you. I will make the modification. Yes the CA root certificate should
>be protected.
No, you still don't have a clue -- you don't protect a certificate, it's
essentially a public document. You protect the private key.
I agree with you. I will make the modification. Yes the CA root certificate should be protected.
However, if I use a certificate signed by the root CA, and I connect to the webserver, how do I install the root CA inside the browser without creating too much problem for the user so that the Cert
> Franck Martin wrote:
>
> I have just written a little HOWTO, to be able to handle certificates.
> I'm happy to receive comments and suggestions to improve it.
>
An alternative location for the OpenSSL configuration file can be
specified using the environment variable OPENSSL_CONF.
The comman
o:[EMAIL PROTECTED]]On Behalf Of Franck Martin
> Sent: Friday, November 02, 2001 5:13 AM
> To: '[EMAIL PROTECTED]'
> Subject: RE: HOWTO...
>
> Anybody, know how to write in docbook format on MS WinX? I don't want to
> install lyx with cygwin...
Umm. You wrote a Linux based HOWTO using MS Word?
Maybe check out http://www.linuxdoc.org/LDP/LDP-Author-Guide/ and get it
into a standard Linux format? I'm sure it would be more likely to be accepted.
-- Scott
On Fri, Nov 02, 2001 at 03:33:03PM +1200, Franck Martin wrote:
> I have just written
Hi Olaf et Al.
Use this command line with your settings.
It should work since in my LX box it works with Netscape/OutLook!
openssl pkcs12 -export -inkey hostKey.pem \
-in hostCert.pem -name "soggy" \
-certfile caCert.pem -caname "Root CA" \
On Thu, Oct 19, 2000 at 06:03:02PM +0200, Thomas Leyer wrote:
> I want to use this in kernel mode, so I think the
> exclusion of ssl2 should take place while I build the
> libs...
Try compiling with -DNO_SSL2. If this does not work out of the box,
send patches to openssl-dev.
I want to use this in kernel mode, so I think the
exclusion of ssl2 should take place while I build the
libs...
_unfortunately_ it's no compile time option, so I'm
scared of having to extract it manually :-(
bye
Thomas
On Thu, 19 Oct 2000, Barnes, Michael L. wrote:
> That is not a c
That is not a compile time option, but you can easily
specify either in your application or an existing one
(like modssl) to not use ssl2.
Mike
> -Original Message-
> From: Thomas Leyer [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, October 19, 2000 11:48 AM
> To: [EMAIL PROTECTED]
> Subje
Markus Wagner wrote:
>
> Hi,
>
> when signing new certificates with openssl ca one can use the -config
> option to specify which CA and options to use.
>
> But when creating a self signed root certificate there is no such
> option.
There is an equivalent option. The normal way to create a self
> -Original Message-
> From: Thomas Reinke [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, June 14, 2000 5:43 PM
> To: [EMAIL PROTECTED]
> Subject: Re: howto get IE & Netscape to accept CA?
>
>
>
> > >
> > > If the Root Cert is not there, o
> >
> > If the Root Cert is not there, or if no root authority is
> > claimed (as in the case of self-certify), the browser asks
> > you if you trust this site - three or four dialog boxes allow
> > you to say 'yes' for now, or 'yes' for any future sessions.
> > ONLY if you say 'yes' for a future
> If that's true, I'm going to delete IE and Netscape from all
> my systems and
> only use lynx, as at least this one do not support HTTPS (I think) :-)
>
You can find some documentation on this site ;)
http://www.ocf.berkeley.edu/~jeffwong/lynxstuff/SSL/index.html
Regards,
> Bern
> -Original Message-
> From: Gao Yuhang [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, June 13, 2000 4:12 PM
> To: [EMAIL PROTECTED]
> Subject: Re: howto get IE & Netscape to accept CA?
>
>
> Use the mime: application/x-x509-ca-cert
What do you mean? do yo
Use the mime: application/x-x509-ca-cert
Hazel
>
>
> Does anyone have the URL for how Netsape and/or MSIE validate or
> test then accept a CA for inclusion in their web browsers?
>
> I tried a lot of combinations on some search engines and hit a blank
> I am thinking about trying the phone an
I am trying to find the best way to let IE/Netscape to accept our CA,
But even the certificate can be embed to next version IE/Netscape, all
end-user that use our certificate must upgrade their browser too! It's
too hard. Maybe the best way is only to use default CA's certificate
like Verisign, T
Get mod_ssl from http://www.modssl.org and read the INSTALL file.
It explains it all.
Cheers
Paul
On Wed, 15 Mar 2000, [iso-8859-1] "C.Mejía (ECOFOR y Cía. Ltda.)" wrote:
> Hi!!:
> I like to know if there is some documentation like the HOWTO in order to
> install and run SSL in my Apache
Niklas Höglund wrote:
>
> On Tue, Aug 17, 1999 at 03:58:41PM +0200, Michael Portz wrote:
> > Niklas Höglund wrote:
> > >
> > > In case you haven't, try adding -ffunction-sections to the compiler
> > > switches. This can reduce executable size quite a bit.
> > >
> >
> > Ahem, which compiler are you
On Tue, Aug 17, 1999 at 03:58:41PM +0200, Michael Portz wrote:
> Niklas Höglund wrote:
> >
> > In case you haven't, try adding -ffunction-sections to the compiler
> > switches. This can reduce executable size quite a bit.
> >
>
> Ahem, which compiler are you referring to? GNU's suite doesn't know
Niklas Höglund wrote:
>
> On Fri, May 28, 1999 at 08:16:33AM +0200, Michael Portz wrote:
> > Michael Portz wrote:
> > I played around a bit more and the following turned out to work for me:
> >
> > ./config 386 no-bf no-cast no-dh no-dsa no-idea no-rc2 no-rc4 no-rc5 no-ssl2
>-DSSL_FORBID_ENULL
You might want to use ash, the latest versions support
line editing, tab completion etc.
Peter 'Luna' Altberg wrote:
>
...
>
> Well, maybe not. I also was playing with those same config switches
> yesterday, but it seems 'SSL-MZtelnet' has some problems compiling with
> OpenSSL (SSLeay goes fi
> From: Michael Portz [mailto:[EMAIL PROTECTED]]
> Sent: Friday, May 28, 1999 8:17 AM
[snip]
> I played around a bit more and the following turned out to
> work for me:
>
> ./config 386 no-bf no-cast no-dh no-dsa no-idea no-rc2
> no-rc4 no-rc5 no-ssl2 -DSSL_FORBID_ENULL
>
> Adding no-ripemd a
Michael Portz wrote:
>
> Peter 'Luna' Altberg wrote:
> >
> > Hi all,
> >
> > I'm making a single floppy Linux router/firewall. For now I'm running
> > the 'telnetd' from the GNU 'inetutil' package on it, but I'll rather be
> > using SSL-MZtelnet instead. Unfortunately, I don't have much space lef
Peter 'Luna' Altberg wrote:
>
> Hi all,
>
> I'm making a single floppy Linux router/firewall. For now I'm running
> the 'telnetd' from the GNU 'inetutil' package on it, but I'll rather be
> using SSL-MZtelnet instead. Unfortunately, I don't have much space left
> on the floppy now. Do anyone hav