Best,
David
On Tue, 2022-09-20 at 09:30 +, A Z wrote:
Dear OpenSSL Users and Programmers,
I tried running the following command in Windows 64 bit Home edition,
and got the error:
>openssl req -nodes -newkey rsa:4096 -keyout pkey.pem -x509 -out cert.pem -days
>36500 -subj -addext
>> creating a CSR first. From the doc, I came up with this command:
>> ```
>> openssl req -CA ca.crt -CAkey ca.key -key leaf.key -subj ‘/CN=leaf’ -out
>> leaf.crt
>> ```
>> However,
>> ```
>> openssl x509 -in leaf.crt -text -noout
On 27/01/2022 06:00, Glen Huang wrote:
Hi,
I’m trying to create a signed certificate from a CA certificate without
creating a CSR first. From the doc, I came up with this command:
```
openssl req -CA ca.crt -CAkey ca.key -key leaf.key -subj ‘/CN=leaf’ -out
leaf.crt
```
However
Hi,
I’m trying to create a signed certificate from a CA certificate without
creating a CSR first. From the doc, I came up with this command:
```
openssl req -CA ca.crt -CAkey ca.key -key leaf.key -subj ‘/CN=leaf’ -out
leaf.crt
```
However,
```
openssl x509 -in leaf.crt -text -noout
On 15/08/2019 00:33, Jordan Brown wrote:
On 8/14/2019 2:11 PM, Robert Moskowitz wrote:
[...]
commonName="/CN=IPv6::2001:24:28:24/64"
[...]
req: Hit end of string before finding the equals.
problems making Certificate Request
Some systems present distinguished names using slashes as separat
On 8/14/2019 2:11 PM, Robert Moskowitz wrote:
> [...]
> commonName="/CN=IPv6::2001:24:28:24/64"
> [...]
> req: Hit end of string before finding the equals.
> problems making Certificate Request
Some systems present distinguished names using slashes as separators. I
assume that that's what you
Developing saga on creating an intermediate CA cert with only CN and
said CN should be:
CN=IPv6::2001:24:28:24/64
Note that / in CN that seems to be a challenge.
commonName="/CN=IPv6::2001:24:28:24/64"
DN=$commonName
echo $DN
openssl req -config $cadir/openss
self using OpenSSL, it's up to you.
You must use 'ca' and configure correctly, not 'x509 -req'.)
> However, when I run a command like this, it does not seem to be
> considering the [client_ext] section but only what is under
> req_extensions. Can someone exp
run a command like this, it does not seem to be
considering the [client_ext] section but only what is under
req_extensions. Can someone explain ?
openssl req -new -newkey rsa:1024 -keyout clientcomp.key -nodes -out
clientcomp.csr -extensions client_ext -config ./openssl.cnf
//cat openssl.cnf
Le 28/04/2013 20:26, redpath a écrit :
When an x509 is created using the openssl command it creates a default serial
number if one not supplied
How is this serial number created (algorithm) in general.
A 64bits random number.
openssl req -x509 etcetera
The default serial number is quite
When an x509 is created using the openssl command it creates a default serial
number if one not supplied
How is this serial number created (algorithm) in general.
openssl req -x509 etcetera
The default serial number is quite long so just using time_t (long) to set
the serial number is not very
I managed to get this to work with a 2048 bit key by using the Aladdin
PKCS#11 library instead of the OpenSC one:
engine dynamic -pre SO_PATH:C:\WINDOWS\SYSTEM32\engine_pkcs11.dll -pre
ID:pkcs11 -pre LIST_ADD:1 -pre LOAD -pre
MODULE_PATH:C:\WINDOWS\SYSTEM32\eTPKCS11.dll
req -engine pkcs11 -new -ke
I'm trying to generate a PKCS#10 CSR using an Aladdin eToken Pro 64k
with a 2048 bit key.
I'm using Windows Vista 32bit, with the Aladdin PKI Client drivers
v5.1, OpenSC 0.12.0, and Win32 OpenSSL 1.0.0d.
I can generate the CSR with a 1024 bit key generated on board with no
problems. When I use a
"Dave Thompson" wrote in
message news:ee558ada74ef4896a656a182b39d9...@prinpay.com...
> > From: owner-openssl-us...@openssl.org On
Behalf Of Jamrock
> > Sent: Sunday, 30 May, 2010 06:35
>
> > In the past I have created my certificates as follows:
> > /etc/p
> From: owner-openssl-us...@openssl.org On Behalf Of Jamrock
> Sent: Sunday, 30 May, 2010 06:35
> In the past I have created my certificates as follows:
> /etc/pki/tls/misc/CA -newca
>
> openssl req -newkey rsa:2048 -nodes -keyout newreq.pem -out newreq.pem
>
> /e
In the past I have created my certificates as follows:
/etc/pki/tls/misc/CA -newca
openssl req -newkey rsa:2048 -nodes -keyout newreq.pem -out newreq.pem
/etc/pki/tls/misc/CA -sign
The /etc/pki/tls/misc/CA script has a -newreq option. $REQ -new -keyout
newkey.pem -out newreq.pem $DAYS.
This
&r2=140&p1=openssl/trunk/rand/md_rand
> .c&p2=/openssl/trunk/rand/md_rand.c
>
> does not affect the command line tool when called with
>
> openssl req -config $MY_CONFIG -noout -x509 -newkey rsa:$MY_KEY_LENGTH
> (in contrast to openssl genrsa)
> where in $CONFIG *no* R
md_rand.c&p2=/openssl/trunk/rand/md_rand.c
does not affect the command line tool when called with
openssl req -config $MY_CONFIG -noout -x509 -newkey rsa:$MY_KEY_LENGTH
(in contrast to openssl genrsa)
where in $CONFIG *no* RANDFILE is defined.
AFAIK the method in question is never called from
Hello,
I am developing a program, which uses openssl.
It batches the generation of Certificates/Private Key-Pairs.
Here an example of a (simple) console call:
openssl.exe req -days 3650 -new -keyout example.key -out example.csr -config
config.tmp
First question:
When using the option
I’m sorry to disturb you again,
but isn’t there anybody who knows the answer to my question? I'm thankful
for everything that could help me.
Best regards
domi
domi wrote:
>
> Hello,
>
> I have got a question concerning the command openssl req -newkey rsa:bits
> …. whic
Hello,
I have got a question concerning the command openssl req -newkey rsa:bits ….
which I use for creating a self-signed certificate for my small private CA.
Some time ago I used the command like this with OpenSSL 0.9.7g (on Suse
10.0):
openssl req –x509 –newkey rsa –out cacert.pem –outform
Bonjour,
Hodie pr. Kal. Mar. MMVI est, Mark H. Wood scripsit:
> I think that part of the difficulty here is the words used. Our
> experience in other areas is overwhelmingly in favor of "serial number"
> being a sample from a counter that starts at 0 or 1 and is incremented by
> 1 every time it's
I think that part of the difficulty here is the words used. Our
experience in other areas is overwhelmingly in favor of "serial number"
being a sample from a counter that starts at 0 or 1 and is incremented by
1 every time it's consulted. So we see a
On Sun, Feb 26, 2006, Dr. Stephen Henson wrote:
> On Sun, Feb 26, 2006, Erwann ABALEA wrote:
>
> > The CA has the possibility to change the name of the issued
> > certificate, by adding a random element (a kind of serial number), but
> > this isn't usually well perceived (the customer always asks
On Sun, Feb 26, 2006, Erwann ABALEA wrote:
> Bonjour,
>
> Hodie IV Kal. Mar. MMVI est, Dr. Stephen Henson scripsit:
> [... about serial numbers ...]
> > Some CAs choose consecutive values, other what look like random values of
> > hashes.
> >
> > One commercial reason for not using consecutive v
Bonjour,
Hodie IV Kal. Mar. MMVI est, Dr. Stephen Henson scripsit:
[... about serial numbers ...]
> Some CAs choose consecutive values, other what look like random values of
> hashes.
>
> One commercial reason for not using consecutive values is that competitors can
> work out how many certificat
On So, 26 Feb 2006, Dr. Stephen Henson wrote:
[example snipped]
> The fairly large random value for serial numbers is designed to avoid that
> situation but still allow the more knowledgeable user to override that.
>
> If you are sure the issuer name and serial number will be unique then you can
Bonjour,
Hodie IV Kal. Mar. MMVI est, Kyle Hamilton scripsit:
[...]
> Can you give me a pointer to the several standards that reflect and
> enforce the issuer name + serial number uniqueness? A more
The X.509 says it all.
From this standard, a CA is a name (not a key, really a name). That
allo
On Sun, Feb 26, 2006, Georg Lohrer wrote:
>
> As I have hopefully understood setting the serial number of a CA to a
> distinct number like 1 is good practice. From a technical point of view any
> number should as good as another as long as they are unique (as you mentioned
> in your post to Kyle)
On Sun, Feb 26, 2006, Kyle Hamilton wrote:
> On 2/25/06, Dr. Stephen Henson <[EMAIL PROTECTED]> wrote:
>
> >
> > It is the combination of issuer name + serial number which must be unique in
> > general: that's enforced by several standards.
> >
> > Certain pieces of software assumes that issuer n
On 2/25/06, Dr. Stephen Henson <[EMAIL PROTECTED]> wrote:
> On Sat, Feb 25, 2006, Kyle Hamilton wrote:
>
> > "serialNumber: A unique positive integer." At least I think.
> >
>
> The type of serialNumber that should be accepted doesn't place any limits on
> the sign.
>
> RFC3280 places restrictions
> let's see... you're talking about the authorityKeyIdentifier? I
> thought that that went up 2 steps up the tree and then gave a serial
> number of cert issued by that CA.
No, it identifies the key that is signing the actual cert (or CRL). A CA's
subject key identifier (SKI) gets populated as t
On Sat, Feb 25, 2006, Kyle Hamilton wrote:
> On 2/25/06, Dr. Stephen Henson <[EMAIL PROTECTED]> wrote:
> > It was introduced as a bug fix to stop OpenSSL producing invalid
> > certificates
> > under certain circumstances.
> >
> > A clarification indicated that zero was considered an invalid seria
On So, 26 Feb 2006, Dr. Stephen Henson wrote:
> On Sun, Feb 26, 2006, Georg Lohrer wrote:
>
> >
> > Even if I create an explicit serial-file it won't be used for the 'req'
> > command (tested with strace).
> >
> > Any ideas what I'm doing wrong? Or is the man-page wrong?
> >
>
> The manual pa
"? This suggests that the CA's serial number is imported into
the context of its own signatures' serial numbers, even when it's a
sub-CA?
> If you want to keep the previous behaviour when you use "openssl req -x509"
> you
> have to explicitly use the -set_ser
producing invalid certificates
under certain circumstances.
A clarification indicated that zero was considered an invalid serial number.
Issuing certificates with duplicate issuer and serial numbers is illegal and
can cause strange problems which are difficult to diagnose.
If you want to keep the
Is there a way to specify the old behavior? (I'm collecting as much
information as I can on current practice and putting it all together
-- the overloading of 'authorityKeyIdentifier' is only part of the
problem with current X.509 practice, and that overloading creates a
situation where software m
On Sun, Feb 26, 2006, Georg Lohrer wrote:
>
> Even if I create an explicit serial-file it won't be used for the 'req'
> command (tested with strace).
>
> Any ideas what I'm doing wrong? Or is the man-page wrong?
>
The manual page needs updating. It now uses a random serial number unless a
seri
Hi,
if I use the command:
$ /usr/local/bin/openssl req -x509 -new -days 30 -key ./cacert.key -out
./cacert.pem -outform PEM
to create a self-signed root-certificate the 'man req' page says:
-x509 this option outputs a self signed certificate instead of a
certificate reques
Hi,
I have relevant question in this regard
I have set the value of commonName_max = 5 in openssl.cnf
Generate self signed certificate using -subj option
# openssl req -x509 -out cacert.pem -new -keyout cakey.pem -subj /C=INN/ST=TamilNadu/L=CBE/O=test/CN=xx -nodes
Successful
Here the
On Wed, Nov 09, 2005, Ken Campbell wrote:
> I'm trying to get started with SSL. I've installed Win32OpenSSL-v0.9.8a
> on a Windows 2003 Server box with Apache 2.0.55 running. I've got as
> far as:
>
> openssl req -new -key myserver.key -out myserver.csr (where
I’m trying to get
started with SSL. I’ve installed Win32OpenSSL-v0.9.8a on a Windows 2003
Server box with Apache 2.0.55 running.
I’ve got as far as:
openssl req -new -key myserver.key -out myserver.csr (where myserver.key exists)
As soon as I get to the
following prompt things
Are there any downstream problems using a cert based
off of a ssh-keygen as opposed to an "openssl genrsa"?
For example:
ssh-keygen -trsa -b1024 -ftestid_rsa -N ""
openssl req -new -key testid_rsa -out
testid_rsa.csr
The above is what I'm currently using base
On Fri, Sep 27, 2002 at 05:42:56PM +0200, Mathieu Arnold wrote:
> I've been going through the list archive, and I can't find out how to
> script certificate creation.
> the ideal thing would be to be able to specify things like :
> openssl req -new -x509 -days 3650 -text
Hi
I've been going through the list archive, and I can't find out how to
script certificate creation.
the ideal thing would be to be able to specify things like :
openssl req -new -x509 -days 3650 -text -out cert.pem -keyout cert.pem
-passphrase "my stupid passphrase" -cou
ssue the following
> command:
>
> /usr/bin/openssl req -x509 -newkey rsa -out cacert.pem -outform PEM
> Using configuration from /home/jose/exampleca/openssl.cnf
> Generating a 1024 bit RSA private key
> .++
> .++
> writing new pr
Hi slim,
use the snapshots version of openssl.
Bye
Haikel MEJRI
National Digital Certification Agency
Slim CHTOUROU a écrit :
> hi
> could anybody tell me how can I find the openssl req -subj option which version
> should I use to make this option available I must use it f
hi
could anybody tell me how can I find the openssl req -subj option which version
should I use to make this option available I must use it for openca
regards
Dr S N Henson wrote:
> OpenSSL by default will assume the characters presented to it are
> IS08859-1 (Latin 1) strings. It stores these in the ASN1 string type
> known as a T61String: this isn't actually correct but Netscape and MSIE
> can do this too.
It would be correct if the real T61String e
Maxime Dubois wrote:
>
> Hi,
>
> Could someone tell me how the command openssl req deals with accents?
> When I run the command and enter as common name something like Stéphane, and
> then generate the certificate and the pkcs12 file to import it into IE, I
> get a strange
Hi,
Could someone tell me how the command openssl req deals with accents?
When I run the command and enter as common name something like Stéphane, and
then generate the certificate and the pkcs12 file to import it into IE, I
get a strange symbol instead of the é in the common name. ...
Regards
Hi there,
Is there anybody out there who could solve the "set serial number option" problem with
the "openssl req x059" command?
What I like to do is to create a self-signed root cert with a supplied serial number
(i.e. not the default 00).
Is the option provided in th
openssl req
-in pkcs10receivedfromclient.csr
-config configfilewithDN.cnf
-out pkcs10withNewDN.csr
is ignoring the DN in the config file.
The pkcs10receivedfromclient.csr has "DC=COM"
and configfilewithDN.cnf has
[ req ]
...
distinguished_name = req_distingu
On Wed, Mar 08, 2000 at 12:14:31PM +, Dr Stephen Henson wrote:
> OpenSSL 0.9.5 req was modified to specifically allow this and has
> several new config file options, the manual page has an example too.
Absolutely great - just installed and it worked as I wanted :-)
Thanks!
--
Cheers
Jason
Jason Haar wrote:
>
> I'm trying to automate the generation of certs, and I've found that "openssl
> req" under OpenSSL-0.9.4 doesn't like running non-interactively.
>
> There's no "-batch" mode option and if I try to do clever things with
I'm trying to automate the generation of certs, and I've found that "openssl
req" under OpenSSL-0.9.4 doesn't like running non-interactively.
There's no "-batch" mode option and if I try to do clever things with
redirecting stdin, it just doesn't wor
HI!
IMHO it would be very handy...
1. if one could use the command
openssl req -name [CA section]
to specify the CA definition for which the certificate request is
generated.
2. to have a parameter named "req" (similar to "policy") in a CA section
to specify a sect
57 matches