On Thu, Nov 27, 2014 at 02:58:01PM +0800, Jerry OELoo wrote:
> # Create CA
> openssl genrsa -out ca.key 4096
> openssl req -new -x509 -nodes -sha1 -days 1825 -key ca.key -out ca.crt
Don't forget "umask 077" or use a strong passphrase (no "nodes").
Otherwise, the key is generally world-readable.
On Tue, Nov 03, 2009, Adam Rosenstein wrote:
> I definitely get better results with the latest snapshot. However I still
> don't get my "0 depth lookup:certificate revoked" but instead get a "0 depth
> lookup:CRL path validation error"
>
> Looking at the differences between my application logic
essage-
> From: owner-openssl-us...@openssl.org [mailto:owner-openssl-
> us...@openssl.org] On Behalf Of Dr. Stephen Henson
> Sent: Saturday, October 31, 2009 6:54 AM
> To: openssl-users@openssl.org
> Subject: Re: your mail
>
> On Fri, Oct 30, 2009, Adam Rosenstein wrote:
On Fri, Oct 30, 2009, Adam Rosenstein wrote:
> > > Ahh, that explains it. Thanks for looking into it.
> > >
> > > The documentation on iCRLs was a little cryptic to me. It said that no
> > > lookup methods were used (?). Now you say the store is also not used.
> > How
> > > do I get the iCRL in
> > Ahh, that explains it. Thanks for looking into it.
> >
> > The documentation on iCRLs was a little cryptic to me. It said that no
> > lookup methods were used (?). Now you say the store is also not used.
> How
> > do I get the iCRL into the verification process? Also, does the current
> > 1
On Fri, Oct 30, 2009, Adam Rosenstein wrote:
> Ahh, that explains it. Thanks for looking into it.
>
> The documentation on iCRLs was a little cryptic to me. It said that no
> lookup methods were used (?). Now you say the store is also not used. How
> do I get the iCRL into the verification pr
Message-
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org]
On Behalf Of Dr. Stephen Henson
Sent: Thursday, October 29, 2009 3:42 PM
To: openssl-users@openssl.org
Subject: Re: your mail
On Mon, Oct 26, 2009, Adam Rosenstein wrote:
> You are correct, I made a paste erro
On Mon, Oct 26, 2009, Adam Rosenstein wrote:
> You are correct, I made a paste error in the mail. The certs were correct
> at the time I tested however (my test script just regenerates things each
> time and I pasted an old ee with a new root ca).
>
> I just tried openssl-SNAP-20091026.tar.gz an
-----Original Message-----
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org]
On Behalf Of Dr. Stephen Henson
Sent: Friday, October 23, 2009 5:09 PM
To: openssl-users@openssl.org
Subject: Re: your mail
On Fri, Oct 23, 2009, Dr. Stephen Henson wrote:
> On Wed, Oct
On Fri, Oct 23, 2009, Dr. Stephen Henson wrote:
> On Wed, Oct 21, 2009, Adam Rosenstein wrote:
>
> > I'm using v1.0.0 Beta 3.
> >
> >
>
> Hmm... there seems to be an SKID/AKID issue here:
>
There is also a bug in the verification code which means it was expecting to
find a CRL for the CRL si
On Wed, Oct 21, 2009, Adam Rosenstein wrote:
> I'm using v1.0.0 Beta 3.
>
>
Hmm... there seems to be an SKID/AKID issue here:
>
>
> ROOT (CA0)
>
> Version: 3 (0x2)
> Serial Number: 1 (0x1)
> Signature Algorithm: sha1WithRSAEncryption
> Is
I'm using v1.0.0 Beta 3.
My code is perl xs glue but it looks something like this:
purpose= X509_PURPOSE_MIN - 1;
cert_store = X509_STORE_new();
revokes= crl_stack;
X509_STORE_set_flags(cert_store, 0);
vpm= X509_VERIFY_PARAM_new();
X509_VERIFY_PARAM_set_flags(vpm,X
On Wed, Oct 21, 2009, Adam Rosenstein wrote:
> Hi, I'm trying to use indirect CRLs in my application. I cannot figure out
> how to get the CRL signer's cert to be verified though. I keep getting "CRL
> path validation error"
>
> I do something like this:
>
> cs_ctx = X509_STORE_CTX_new
* Liam Whalen wrote on Sun, Sep 30, 2007 at 23:07 -0400:
> How do I make sure that the ODBC username and password file is
> secure? Should I encrypt that file with a public key and hard
> code the private key into the server?
You mean, you want protect some local configuration file, because
you ex
On Sat, May 19, 2007, belguechi rima wrote:
> Hello;
>
> I have compiled the source code from the version OpenSSL 0.9.8e. Now I am
> trying to use the libraries generated in the following program portion :
>
>
> RSA *rsa=NULL;
> RSA *ConstructedRSA = NULL;
>
> unsigned ch
On Mon, Dec 04, 2006 at 12:14:59PM +0100, Olivier Mascia wrote:
> This will probably look like a dumb question, but anyway. Is there
> any provision and way, in SSL and/or HTTP, to establish a SSL link
> without trying to assert anything about the server identity?
TLS includes anonymous ciph
Dr. Stephen Henson wrote:
>
> The X509_ATTRIBUTE type uses an ASN1_TYPE structure to hold the attribute
> data. A SEQUENCE (and other structured types) is contained in an embedded
> ASN1_STRING structure whose contents are the complete encoding of the relevant
> type.
>
> So you pass V_ASN1_SEQUE
On Wed, Dec 14, 2005, Vadim Godunko wrote:
> Hello,
>
> I am trying to use X509_ATTRIBUTE in an X.509 attribute certificate, but I do
> not understand its usage. So, I use the X509_ATTRIBUTE_create function to create
> an attribute, but this works only for simple ASN.1 types (INTEGER, for
> example). Creatati
On Sat, Sep 04, 2004, Ganesh Godavari wrote:
> hello group
>
> I have generated client certificates using openssl. I installed
> certificates in the Microsoft Internet Explorer. I configured the Apache
> webserver to authenticate the client. When I install openssl client
> certificates, I can vie
Hello!
AFAIK this list is about openssl. Openssl is a library for SSL operations,
and some utilities. What you are interested in, is more related
to mod_ssl, and apache in general.
cheers,
m.
p.s. there's a good book from wrox, on how to write apache modules.
On Mon, May 03, 2004 at 08:36:02
I don't sign files in openssl (I sign on a Windows machine with CAPICOM); I use it
only to verify on a Linux machine.
I searched for an openssl command that returns the number of signers.
If it doesn't exist, I will extract a file of all certificates with smime and
then parse it to count the signers.
thanks
On Fri, Nov 14, 2003, [EMAIL PROTECTED] wrote:
> Does somebody know if openssl manages the "parallel multiple signature" or "the
> cosign"?
> thanks
>
For what exactly? It can be done in S/MIME but the low level API is needed to
parallel signature generation. The S/MIME verify code should automatical
On Tue, Oct 07, 2003, [EMAIL PROTECTED] wrote:
> Hello,
>
> I'm a new openssl user. I am able to sign and verify files with openssl.
> I have a problem: I don't know how to read information about the signer from a
> signed file.
If you are using the smime utility to do the signing then the -signer opti
> could someone tell me how to extract the certification path from an ordinary
> certificate (X509 certificate)
The certificate doesn't have a path, it just has the DN of its issuer.
You have to calculate the path yourself by getting the cert of
the issuer, following up the chain, and so on. (I.e
On Thu, Jan 02, 2003, Ed Harty wrote:
> Hi,
>
> I am generating a client cert for Apache using openssl with my own CA as
> follows:
>
> openssl genrsa -out client.key 1024
> openssl req -new -key client.key -out client.csr
> openssl x509 -req -days 365 -CA myCA.cert -CAkey myCA.key -CAcreateseri
On Fri, May 17, 2002 at 10:27:17PM +0200, Geert Van Muylem wrote:
> I want to create a p12 file which holds the secret key and the complete
> certificate chain:
> What is the "Standard CA store"?
>
> I've tried the following:
> openssl pkcs12 -chain -export -in gvm_cert.pem -inkey gvm_sk.pem -out
Gregory Stark wrote:
> Maybe you are confusing DN's with CN's. Phone home to find out
yes -- not used to this AZERTY keyboard.
__
OpenSSL Project http://www.openssl.org
User Support Mailing List
ome to find out :)
==
Greg Stark
[EMAIL PROTECTED]
==
- Original Message -
From: "Michael Sierchio" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, December 05, 2001 7:59 PM
Subject: Re: your mail
> Gregory Sta
Gregory Stark wrote:
>
> A certificate can have multiple common names; many applications support
> this. You need to be comfortable using the openssl configuration file
> syntax; here is a short snippet of one showing multiple common names:
What kind of certificate are you referring to? An X.50
, December 05, 2001 5:11 PM
Subject: Re: your mail
> On Wed, Dec 05, 2001 at 02:47:39PM -0500, Jason Hendriks wrote:
> > I needed an SSL certificate for my POP3-SSL server (ipopd), so I created
a self-signed certificate using the CA.pl tool and openssl. It works fine,
but my question is
On Wed, Dec 05, 2001 at 02:47:39PM -0500, Jason Hendriks wrote:
> I needed an SSL certificate for my POP3-SSL server (ipopd), so I created a
>self-signed certificate using the CA.pl tool and openssl. It works fine, but my
>question is since there are two domains for this machine's IP, how can I
Same here, using self signed. I think IE 5 fer the Mac be broken.
Especially so knowing yers is signed with verisign. Thanks for the confo!
On Mon, 29 Oct 2001 [EMAIL PROTECTED] wrote:
> I am very new to apache.
> With that said.
> I have set up a test key with Verisign and it works fine w
On Thu, Jul 19, 2001 at 01:38:17PM -0400, Sundaram, Mani wrote:
> I am in the process of porting OpenSSL to our platform that does not support
> Unix sockets and does not have a /dev/urandom entropy device.
> I am able to get the prngd daemon(to generate random numbers) to run on the
> localhost a
On Wed, Apr 25, 2001 at 06:05:47PM -, Judy Trent wrote:
> I'm new to openSSL and I have a question. I'm trying to use openSSL with
> visual basic. I want to create a small server/client program. I have been
> successful in calling some functions from visual basic, however, I ran into
> a p
IMHO you should tell your 3rd party to use SSH and you need to do a little "educating"
in your organisation.
On Wed, Nov 08, 2000 at 02:56:05PM +, Ian Diddams wrote:
>
> I've been tasked into investigating a link a 3rd party may be making to our
> servers shortly over SSL.
>
> I've downloa
From:
"raffa aste" <[EMAIL PROTECTED]>
There has been more than a little spam running through this list. Is
there some way we can block the hosts?
I'm thinking a link to orbs may be in order - or perhaps contact the relay
admin and / or the ISP that these jerks connect to.
I realise this migh
Hi,
On Tue, Jun 13, 2000 at 09:49:38PM -0700, Derek DeMoro wrote:
> Does anybody know how to make openSSL read certificates and keys created
> by IAIK?
> I think they might implement different OIDs. OpenSSL cannot seem to recognize
> my Iaik Private Key.
>
Are you using DSA keys? If so, I ha
Try Thawte.
On Wed, 2 Feb 2000, Gregory Stark wrote:
> Does anyone know of a commercial CA that will sign
> with DSA a certificate containing a DH public key?
> A similar question would be does there exist a commercial
> CA that will sign PGP DSA/ElGamal public keys?
> How about a CA that will s
> testing
>
> I should not be able to post to the list from this address, as it's not
> subscribed to the list.
I'm sure a million others have already told you, but it did work.
--
Joe Rhett Chief Technology Officer
[EMAIL PROTECTED]