Re: OpenSSL 3.0 FIPS module configuration file

2022-02-16 Thread Richard Dymond
On Tue, 15 Feb 2022 at 09:53, Tomas Mraz wrote: > Please note that there are two checksums in the configuration file. One > of them is the FIPS module checksum and the other is the checksum of > the configuration. You can copy the file across machines if it is > without the c

Re: OpenSSL 3.0 FIPS module configuration file

2022-02-15 Thread Tomas Mraz
Please note that there are two checksums in the configuration file. One of them is the FIPS module checksum and the other is the checksum of the configuration. You can copy the file across machines if it is without the configuration checksum - that means the selftest will be always run when the

Re: OpenSSL 3.0 FIPS module configuration file

2022-02-14 Thread Dr Paul Dale
stall process runs the self tests before generating the configuration file.  If the self tests fail, the module doesn't install.  Copying the configuration file across avoids the self tests and therefore isn't compliant. Pauli On 15/2/22 02:25, Richard Dymond wrote: Hi Probably a dum

Re: OpenSSL 3.0 FIPS module configuration file

2022-02-14 Thread Dr Paul Dale
h the FIPS standards.  I forget which standard it is but the self tests are mandated to be run on each device independently. The fipsinstall process runs the self tests before generating the configuration file.  If the self tests fail, the module doesn't install.  C

Re: OpenSSL 3.0 FIPS module configuration file

2022-02-14 Thread Thomas Dwyer III
ns the self tests before generating the > configuration file. If the self tests fail, the module doesn't install. > Copying the configuration file across avoids the self tests and therefore > isn't compliant. > > > Pauli > > > On 15/2/22 02:25, Richard Dymond wr

Re: OpenSSL 3.0 FIPS module configuration file

2022-02-14 Thread Ma Ar
standards.  I forget which standard it is but the self tests are mandated to be run on each device independently. The fipsinstall process runs the self tests before generating the configuration file.  If the self tests fail, the module doesn't install.  Copying the configuration file a

Re: OpenSSL 3.0 FIPS module configuration file

2022-02-14 Thread Dr Paul Dale
Yes, this has to do with the FIPS standards.  I forget which standard it is but the self tests are mandated to be run on each device independently. The fipsinstall process runs the self tests before generating the configuration file.  If the self tests fail, the module doesn't in

OpenSSL 3.0 FIPS module configuration file

2022-02-14 Thread Richard Dymond
Hi Probably a dumb question, but why must the FIPS module configuration file for OpenSSL 3.0 be generated on every machine that it is to be used on (i.e. must not be copied from one machine to another)? I just ran 'openssl fipsinstall' on two different machines with the same FIPS mod

[openssl-users] OpenSSL configuration file problems

2016-05-30 Thread danigrosu
Hi everyone. My intention is to modify the openssl.cnf file in order to add a new RSA ENGINE, dynamically. I have found the /etc/ssl/openssl.cnf file and after my modifications it looks like this: # # OpenSSL example configuration file

[openssl-users] Enable FIPS mode of OpenSSL by changing the configuration file, will it work for Python as well?

2015-09-16 Thread security veteran
Hi All: I tried to enable the FIPS mode by making the following changes in my openssl.cfg config file. After making the changes, I verified that I can no longer run the non FIPS approval algorithm such as MD5 by running openssl command, which is expected: openssl md5 123.txt However, I can sti

Re: openssl-user - UTF8 characters in configuration file

2013-03-18 Thread rasmussj
mussen IBM DataPower From: Viktor Dukhovni To: openssl-users@openssl.org, Date: 03/15/2013 12:06 PM Subject: Re: openssl-user - UTF8 characters in configuration file Sent by:owner-openssl-us...@openssl.org On Fri, Mar 15, 2013 at 09:44:13AM +0100, Zbyněk Krej

Re: openssl-user - UTF8 characters in configuration file

2013-03-15 Thread Viktor Dukhovni
On Fri, Mar 15, 2013 at 09:44:13AM +0100, Zbyněk Krejčík wrote: > I tried this some 2yrs ago what seemed to work (at least wins showed the > strings in cert correctly) > > in > [ req ] > ... > distinguished_name= req_distinguished_name > attributes= req_attributes > string_mask

RE: openssl-user - UTF8 characters in configuration file

2013-03-15 Thread Zbyněk Krejčík
-out utf8req.pem Date: Thu, 14 Mar 2013 15:35:42 -0400 Subject: RE: openssl-user - UTF8 characters in configuration file > Hi Rich! > > Glad to hear from you and hope all is well! > > Thanks for the tip, but I haven't cracked this nut yet. I've tried several > permuta

RE: openssl-user - UTF8 characters in configuration file

2013-03-14 Thread rasmussj
rking. Cheers John From: "Salz, Rich" To: "openssl-users@openssl.org" , Cc: "owner-openssl-us...@openssl.org" Date: 03/14/2013 12:53 PM Subject:RE: openssl-user - UTF8 characters in configuration file Sent by:owner-openssl-us...@ope

RE: openssl-user - UTF8 characters in configuration file

2013-03-14 Thread Salz, Rich
Hi John! Looking at apps/req.c, it seems you want to use the -utf8 flag (or put utf8: yes in your conf file [req] section) and not prefix the string with an identifier. -- Principal Security Engineer Akamai Technology Cambridge, MA

Re: openssl-user - UTF8 characters in configuration file

2013-03-14 Thread rasmussj
ser - UTF8 characters in configuration file Sent by:owner-openssl-us...@openssl.org Hello John, I had the same problem; the solution is just: UTF8String or UTF8 and not UTF8STRING Walter On 14.03.2013 17:06, rasmu...@us.ibm.com wrote: I'm using the following configuration file section i

Re: openssl-user - UTF8 characters in configuration file

2013-03-14 Thread Walter H.
Hello John, I had the same problem; the solution is just: UTF8String or UTF8 and not UTF8STRING Walter On 14.03.2013 17:06, rasmu...@us.ibm.com wrote: I'm using the following configuration file section in an attempt to create a CA with UTF8 characters in subject (and other) f

openssl-user - UTF8 characters in configuration file

2013-03-14 Thread rasmussj
I'm using the following configuration file section in an attempt to create a CA with UTF8 characters in subject (and other) fields. string_mask = utf8only prompt = no [ req ] default_bits= 2048 default_keyfile = /opt/rasmussjCa/private/cake

Re: How do I tell openssl where its configuration file is, without a commandline argument?

2012-11-29 Thread Ted Byers
On Wed, Nov 28, 2012 at 3:54 PM, Wim Lewis wrote: > > On 28 Nov 2012, at 12:31 PM, Ted Byers wrote: >> Is it possible to tell openssl where the configuration file is, e.g. >> by setting an environment variable, without passing a commandline >> argument? > > > If

Re: How do I tell openssl where its configuration file is, without a commandline argument?

2012-11-28 Thread Wim Lewis
On 28 Nov 2012, at 12:31 PM, Ted Byers wrote: > Is it possible to tell openssl where the configuration file is, e.g. > by setting an environment variable, without passing a commandline > argument? If I remember correctly, you can set the OPENSSL_CONF environment variable to the pa

How do I tell openssl where its configuration file is, without a commandline argument?

2012-11-28 Thread Ted Byers
The simpler variant of this question, vis how to tell openssl where the configuration file is, is a FAQ, and I have seen it countless times over the past few years, as a result of my searches using Google. However, my present situation is a bit different. I am developing perl programs that must

Re: Error signing certificates with my own CA... Configuration file?

2010-09-29 Thread Patrick Patterson
Hi Chris: Although it sounds a bit overkill for what you are looking for, as part of our "CertiPath Test CA using OpenSSL" Howto, a goodly portion of the various settings and possible configurations of the parameters are explained, and scripts are also provided for generation of a number of dif

Re: Error signing certificates with my own CA... Configuration file?

2010-09-28 Thread Chris Rider
Not discouraged at all (just short on time trying to meet a deadline). I'll check out TinyCA (and the like) in the meantime, but actually do hope to delve into the source and figure out those directives when I get some time. I do appreciate your time and attention!! On 09/28/2010 09:41 AM,

Re: Error signing certificates with my own CA... Configuration file?

2010-09-28 Thread Mark H. Wood
I don't want to discourage you from learning the details yourself, but you may want to look at some wrapper software that is already worked out and takes care of these things for you. For example, I usually find TinyCA adequate to my minuscule certificate-processing needs. Even if you decide not

Error signing certificates with my own CA... Configuration file?

2010-09-27 Thread Chris Rider
I've found the alternative to self-signing (namely signing with your own CA) to be a potentially great path for the web application that we develop; however I can't quite figure out how exactly to tweak the configuration file to get what I want. It is hard (impossible?) to find an

Re: OpenSSL, relative paths of configuration file

2010-04-07 Thread Thomas Steinbach
Hello Michael, [...] $HOME = . # [active directory, from which I call openssl] You better check that one - it may have been a typo here, but *nix systems __never__ specify the "current working directory" as the $HOME directory. *nix and nearly all other "single tree" file system OS have an

Re: OpenSSL, relative paths of configuration file

2010-04-05 Thread Michael S. Zick
On Sat April 3 2010, Thomas Steinbach wrote: > Hello, > > in the openssl.cnf file are three path settings which can be > set relative. But relative to what? > > My problem is, that I don't know and don't find > an answer from which point these relative paths are starting > > 1.) The active direct

OpenSSL, relative paths of configuration file

2010-04-05 Thread Thomas Steinbach
Hello, in the openssl.cnf file are three path settings which can be set relative. But relative to what? My problem is, that I don't know and don't find an answer from which point these relative paths are starting 1.) The active directory? 2.) The directory where openssl (executable) resides or 3

Re: Openssl Configuration File

2009-09-07 Thread Marcus Carey
In a command window type: set OPENSSL_CONF=c:\openssl\openssl.conf change "c:\openssl\openssl.conf" to the path of your configuration file. Or open up the control panel and open the system dialog. Click on the environment button and add new system variable. Reboot the computer and

Re: Openssl Configuration File

2009-09-06 Thread Dr. Stephen Henson
; into random state - done > Generating RSA private key, 1024 bit long modulus > ..++ > ..++ > e is 65537 (0x10001) > > although I have Windows, the Openssl seems to see linux > (/usr/local/ssl/openssl.cnf) > > I tried many ways in order to set the path of the conf file, but

Openssl Configuration File

2009-09-05 Thread Walid Nasri
Hello I installed OpenSSL on Windows I have Apache 2.2 WebServer I need to generate a certificate, in order to purchase certificate license from CA when I use the openssl generate command: openssl genrsa -out mykey.key 1024 I also tried: openssl genrsa -config openssl.cnf -out mykey.key 1024

Re: Configuration file for subjectAltName

2008-03-04 Thread Elia, Leonard F.
My Apologies. I was forwarding this to another email for archiving and I was sloppy with addressing before I hit send. Back to your program already in progress Lee Elia, Leonard F. wrote: On Tue, Sep 18, 2007 at 01:46:42PM -0500, Murphy, David F wrote: Exchange 2007 certificates and th

Re: Configuration file for subjectAltName

2008-03-04 Thread Elia, Leonard F.
there done this already? If so, would you please share the openssl.cnf that you used and the commands you executed to utilize the configuration file? Config file: [ req ] default_bits= 1024 default_md = sha1 default_keyfile = key.pem di

Re: Configuration file for subjectAltName

2007-09-19 Thread Victor Duchovni
On Wed, Sep 19, 2007 at 04:09:29PM -0500, Murphy, David F wrote: > From what I can tell the extensions are just not being added to my > certificate. > > I see no indication the extensions were added in the output of the > following command ... > > [EMAIL PROTECTED]:Active] ssl.crt # openssl x509

RE: Configuration file for subjectAltName

2007-09-19 Thread Murphy, David F
537 (0x10001) Signature Algorithm: sha1WithRSAEncryption ... Here is my configuration file. [ req ] default_bits= 1024 default_md = sha1 #default_keyfile = key1 distinguished_name = req_distinguished_name prompt = no string_m

RE: Configuration file for subjectAltName

2007-09-19 Thread Murphy, David F
= blah002.mysite.com <><><> Thanks, David -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Schwartz Sent: Wednesday, September 19, 2007 10:04 AM To: openssl-users@openssl.org Subject: RE: Configuration file for subjectAltName >

RE: Configuration file for subjectAltName

2007-09-19 Thread David Schwartz
> Once I purchase a trusted certificate, I was assuming both of these > warnings would be removed; I thought a SAN-certificate would allow me to > connect to the website using alternative names without getting the > "invalid or does not match" warning. > > Thanks, > > David What error are you get

RE: Configuration file for subjectAltName

2007-09-19 Thread Murphy, David F
PM To: openssl-users@openssl.org Subject: RE: Configuration file for subjectAltName > Below are my cnf file and the commands I tried. The key and the > crt were both created, however when I render the test website > using blah002.mysite.com I get a security warning message anyway. > I must h

RE: Configuration file for subjectAltName

2007-09-18 Thread David Schwartz
> Below are my cnf file and the commands I tried. The key and the > crt were both created, however when I render the test website > using blah002.mysite.com I get a security warning message anyway. > I must have done something wrong or left off a step ... It's not clear what you are trying to d

RE: Configuration file for subjectAltName

2007-09-18 Thread Murphy, David F
] [mailto:[EMAIL PROTECTED] On Behalf Of Victor Duchovni Sent: Tuesday, 18 September 2007 21:27 To: openssl-users@openssl.org Subject: Re: Configuration file for subjectAltName On Tue, Sep 18, 2007 at 09:17:23PM +0200, Buddy Butterfly wrote: > # subjectAltName = @alt_na

Re: Configuration file for subjectAltName

2007-09-18 Thread Victor Duchovni
On Tue, Sep 18, 2007 at 03:20:16PM -0500, Murphy, David F wrote: > Thanks Viktor and Buddy, > > Below is my cnf file and the commands I tried. The key and the > crt were both created, however when I render the test website using > blah002.mysite.com I get a security warning message anyway. I mu

RE: Configuration file for subjectAltName

2007-09-18 Thread Murphy, David F
- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Victor Duchovni Sent: Tuesday, 18 September 2007 21:27 To: openssl-users@openssl.org Subject: Re: Configuration file for subjectAltName On Tue, Sep 18, 2007 at 09:17:23PM +0200, Buddy Butterfly wrote: > # subjectAltN

AW: Configuration file for subjectAltName

2007-09-18 Thread Buddy Butterfly
: Configuration file for subjectAltName On Tue, Sep 18, 2007 at 09:17:23PM +0200, Buddy Butterfly wrote: > # subjectAltName = @alt_names > > should be uncommented :-) Did you read the comment above that line. > # Verisign managed PKI, does not yet support subjectAlt

Re: Configuration file for subjectAltName

2007-09-18 Thread Victor Duchovni
On Tue, Sep 18, 2007 at 09:17:23PM +0200, Buddy Butterfly wrote: > # subjectAltName = @alt_names > > should be uncommented :-) Did you read the comment above that line. > # Verisign managed PKI, does not yet support subjectAltName in CSRs, > # instead they prompt for these in t

AW: Configuration file for subjectAltName

2007-09-18 Thread Buddy Butterfly
# subjectAltName = @alt_names should be uncommented :-) -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Victor Duchovni Sent: Tuesday, 18 September 2007 21:06 To: openssl-users@openssl.org Subject: Re: Configuration file for

Re: Configuration file for subjectAltName

2007-09-18 Thread Victor Duchovni
.com > mysite.com > autodiscover.mysite.com > > Has anyone out there done this already? If so, would you please share > the openssl.cnf that you used and the commands you executed to utilize > the configuration file? Config file: [ req ] default_bits= 1024

Configuration file for subjectAltName

2007-09-18 Thread Murphy, David F
hat you used and the commands you executed to utilize the configuration file? Thanks, David Murphy

Re: Openssl Configuration file

2007-01-09 Thread Victor B. Wagner
> Try the same command. There are chances that it would return some non-existent path, like /usr/local/ssl, but, if so - it is that very place where your build of OpenSSL searches for its configuration file, unless environment or command line option -config said something else. If nothing there,

Re: Openssl Configuration file

2007-01-09 Thread Marek Marcola
Hello, > Thanks Marek...but I want the location in Windows ...WindowsXP. Do you > have any idea? When I execute "openssl ca" on windows in first line I have: Using configuration from C:\OpenSSL\bin\openssl.cnf When you use openssl binary some subcommands (such as ca) have -config option and you m

Re: Openssl Configuration file

2007-01-09 Thread Ramya Ram
Thanks Marek...but I want the location in Windows ...WindowsXP. Do you have any idea? - Ramya Marek Marcola <[EMAIL PROTECTED]> Sent by: [EMAIL PROTECTED] 01/09/2007 01:40 PM Please respond to openssl-users@openssl.org To openssl-users@openssl.org cc Subject Re: Openssl Configu

Re: Openssl Configuration file

2007-01-09 Thread Marek Marcola
Hello, > I am trying to locate the openssl.cnf file for a long time...I am using > Windows XP client and openssl is installed in it. > > Can anyone please help me find it? On UNIX: $ openssl version -d OPENSSLDIR: "/etc/pki/tls" and config file is: /etc/pki/tls/openssl.cnf Best regards, -- Ma

Openssl Configuration file

2007-01-08 Thread Ramya Ram
Hi I am trying to locate the openssl.cnf file for a long time...I am using Windows XP client and openssl is installed in it. Can anyone please help me find it? Thanks, Ramya

Re: configuration file

2006-07-20 Thread Dave Pawson
On 19/07/06, Basel Katt <[EMAIL PROTECTED]> wrote: Hi, In fact I had the same problem, where the validity duration should be 365 days according to the config file, but it is actually one month. Is this a bug then? The config file value for 'days' being ignored? regards -- Dave Pawson

AW: configuration file

2006-07-19 Thread Basel Katt
Hi, In fact I had the same problem, where the validity duration should be 365 days according to the config file, but it is actually one month. I couldn't figure out what's the problem but I used the command line, as you mentioned, to get the one year. Any explanation for this case will be appreci

configuration file

2006-07-19 Thread Dave Pawson
I have [ ca ] default_ca = exampleca [ exampleca ] dir = /temp/ca certificate = $dir/private/cacert.pem database = $dir/index.txt new_certs_dir= $dir/certs private_key = $dir/private/ca1key.pem serial = $dir/serial default_crl_days = 7 default_days

Configuration file error

2006-07-06 Thread Gerd Schering
Hi, I want to have no email address in the DN and so I used the email_in_dn configuration file directive, but when trying to sign a csr, I get the following error: Using configuration from /home/tc/Test-Server-CA.cnf DEBUG[load_index]: unique_subject = "no" Error Loading extensi

Re: configuration file seems to have priority over command line?

2005-03-09 Thread Joel
tried commenting out the CN and emailAddress lines in the > > configuration file, but now verifying gives me the following: > > > > The commonName field needed to be supplied and was missing And if I changed the common name to optional, there were no complaints, but t

RE: configuration file seems to have priority over command line?

2005-03-08 Thread Ted Mittelstaedt
openssl.org > Subject: configuration file seems to have priority over command line? > > > I have the following in the configuration file: > > [ req ] > {...} > prompt = no > {...} > [ req_distinguished_name ] > C =

configuration file seems to have priority over command line?

2005-03-08 Thread Joel
e -subj on the command line override the contents of the configuration file? -- Joel Rees <[EMAIL PROTECTED]> digitcom, inc. http://www.ddcom.co.jp

Need Documentation or Details about openssl configuration file

2004-01-29 Thread Kathiravan Velusamy
Hi, I need the detail documentation or helping material about openssl.cnf (Configuration file) which describe use of each directives in that file. Thanks in Advance Regards, Kathir

Re: Configuration file for a CRL

2003-07-03 Thread Dr. Stephen Henson
On Thu, Jul 03, 2003, Oliver Foden wrote: > What sections are needed in a .cnf file to work with > this command: > > ca -gencrl -config root.cnf -out CRLfile.pem > > I'm trying to create a CRL file to work with the code > included but keep getting this error: > > Using configuration from root.cn

Configuration file for a CRL

2003-07-03 Thread Oliver Foden
What sections are needed in a .cnf file to work with this command: ca -gencrl -config root.cnf -out CRLfile.pem I'm trying to create a CRL file to work with the code included but keep getting this error: Using configuration from root.cnf .//index.txt: No such file or directory unable to open './/

OpenLDAP configuration file for X.509 structure

2000-05-22 Thread Ivo MACHULDA
Dear Sir, can you send me any OpenLDAP configuration file for X.509 structure (for store client certificate)? Thank you very much Ivo MACHULDA

openSSL Configuration file correspondances

1999-03-03 Thread Colin McCormack
I'm toying with the idea of writing a more user-friendly CA management tool. In the process of analysing what's already there, I have had to deal with the cryptic interface between ca and req and the configuration file (variously ssleay.cnf) This file is only ever used by ca and re