A little help would be appreciated


A little help would be appreciated

Stuart Halliday
Hi folks,

I've entered the big complex world of Certificates and I need a little help.

I've got a Windows XP network and a Linux server.

We wish to use certs to sign electronic forms with MS Infopath 2003.

I've read up on how to make a CA cert using openssl and I can make on the
Linux Server the user certs for our employees and I put these on a secure
shared folder for them.

I have to make .p12 certs as Infopath needs a private key seemingly.

But after I import a user's cert into their MMC into the Personal store,
and look in the General tab, the user cert says its not trusted.
It says "This CA Root certficate is not trusted".


Ok, so I put into the Trusted Root CA store, the Server's cert.

Still the Personal cert says its not trusted.

So at this point I'm stuck.

I thought it would trust the user cert because it would look in the
Trusted Root CA store and see the Server's cert in there.

Can someone point out the 'obvious thing' I'm not seeing. :-)




If it helps, here is how I generated the certs.

1st, the CA.

openssl req -config openssl.cnf -new -x509 -keyout
ECS_CA/private/cakey.pem -out ECS_CA/cacert.pem -days 3650


Then I used the following commands to generate the users certs on the Server:

openssl req -new -key ECS_CA\private\cakey.pem -out stuarth.csr
openssl ca -policy policy_anything -out stuarth.cer -infiles stuarth.csr

Infopath needs a cert with a private key so the .p12 format is required.

openssl x509 -in stuarth.cer -out stuarth_certx509.pem
openssl pkcs12 -export -in stuarth_certx509.pem -inkey
ECS_CA\private\cakey.pem -out stuarth.p12

and it is stuarth.p12 which I import into mmc - Personal.

--  
Stuart Halliday
ECS Technology ltd
Registered in Scotland - #212513


______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]

RE: A little help would be appreciated

David C. Partridge
It's not the server cert you need in the trusted certs store - it's the CA
root cert.

And you'll need any intermediate CA certs in the regular CA store.

D.

-----Original Message-----
From: [hidden email]
[mailto:[hidden email]] On Behalf Of Stuart Halliday

Ok, so I put into the Trusted Root CA store, the Server's cert.



RE: A little help would be appreciated

Stuart Halliday
> Its not the server cert you need in the trusted certs store - it's the
> CA root cert.

Surely that's what I've got?

I created a CA cert I thought.
 



RE: A little help would be appreciated

Ambarish Mitra
See the certificate subject (owner) and issuer: for a CA, these 2 fields
will be the same. For a server cert, the issuer field will contain the DN of the
signing authority - this CA, or any intermediate CA.


-----Original Message-----
From: [hidden email]
[mailto:[hidden email]]On Behalf Of Stuart Halliday
Sent: Wednesday, March 08, 2006 5:06 PM
To: [hidden email]
Subject: RE: A little help would be appreciated


> Its not the server cert you need in the trusted certs store - it's the
> CA root cert.

Surely that's what I've got?

I created a CA cert I thought.




Re: A little help would be appreciated

Stuart Halliday
In reply to this post by Stuart Halliday
> When you create the user .P12 files, then include the CA certificate
> into it, i.e.
> use a certfile that contains the user cert and the self signed CA
> certificate.
> The p12 file contain thus the private key of a user, the user's X509
> certificate
> and the X509 certificate of the CA.

Thanks for that.
But how?

What openssl command merges 2 certificates?

I can't find one.




RE: A little help would be appreciated

Stuart Halliday
In reply to this post by Ambarish Mitra
> See the certificate subject (owner) and issuer: For a CA, these 2
> fields
> will be same. For server cert, the issuer field will contain the DN of
> the
> signing authority - this CA, or any intermediate CA.

Then I do have a CA type.

The 'Issued to' and 'Issued from' fields are the same,
i.e. 'MyServer Root Certificate Authority'.

This cert is in my Trusted Root CA store.

In my Personal store in MMC I have a cert which is labelled:

Issued by 'MyServer Root Certificate Authority' and Issued to 'Stuart
Halliday'.

So why doesn't it work?

I'm really confused.



Re: A little help would be appreciated

Brian Candler
In reply to this post by Stuart Halliday
On Wed, Mar 08, 2006 at 01:20:15PM +0000, Stuart Halliday wrote:

> > When you create the user .P12 files, then include the CA certificate
> > into it, i.e.
> > use a certfile that contains the user cert and the self signed CA
> > certificate.
> > The p12 file contain thus the private key of a user, the user's X509
> > certificate
> > and the X509 certificate of the CA.
>
> Thanks for that.
> But how?
>
> What openssl command merges 2 certfificates?
>
> I can't find one.

man pkcs12

Re: A little help would be appreciated

Dr. Stephen Henson
In reply to this post by Stuart Halliday
On Wed, Mar 08, 2006, Stuart Halliday wrote:

>
> If it helps, here is how I generated the certs.
>
> 1st, the CA.
>
> openssl req -config openssl.cnf -new -x509 -keyout
> ECS_CA/private/cakey.pem -out ECS_CA/cacert.pem -days 3650
>
>
> Then I used the following commands to generate the users certs on the Server:
>
> openssl req -new -key ECS_CA\private\cakey.pem -out stuarth.csr
> openssl ca -policy policy_anything -out stuarth.cer -infiles stuarth.csr
>
> Infopath needs a cert with a private key so the .p12 format is required.
>
> openssl x509 -in stuarth.cer -out stuarth_certx509.pem
> openssl pkcs12 -export -in stuarth_certx509.pem -inkey
> ECS_CA\private\cakey.pem -out stuarth.p12
>
> and it is stuarth.p12 which I import into mmc - Personal.
>

It looks like you are using the same key for the user certificates and the CA!

Instead of manually entering commands use the CA.pl script instead. That is
intended to just "do the right thing" when given some simple options. Don't
use the CA.pl in the release version of 0.9.8 though: pick a recent snapshot
or use 0.9.7.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
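A corrected version of the command sequence from the thread, as an added example that is not the list's or OpenSSL's own code: the user gets a key pair of their own, the CA signs the CSR, and `-certfile` puts the CA certificate into the .p12 (the "merge" asked about above), followed by the checks Ambarish and Stephen describe (subject equals issuer for the CA, user key differs from CA key, chain verifies). It assumes `openssl` on the PATH and uses `openssl x509 -req` in place of `openssl ca` so no CA directory layout is required; file names, DNs and the `demo` password are constructed.

```shell
#!/bin/sh
# Added demo, not from the thread: throwaway CA, a user cert signed with its
# OWN key, and a PKCS#12 that also carries the CA certificate. `openssl x509
# -req` stands in for `openssl ca` (no index.txt/serial needed); names are made up.

build_demo_pki() {
    dir=$1
    mkdir -p "$dir"
    # 1. Self-signed CA: subject and issuer are the same DN.
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
        -keyout "$dir/cakey.pem" -out "$dir/cacert.pem" \
        -subj "/CN=MyServer Root Certificate Authority" 2>/dev/null
    # 2. A separate key pair for the user; the thread's CSR reused cakey.pem here.
    openssl req -newkey rsa:2048 -nodes -keyout "$dir/stuarth.key" \
        -out "$dir/stuarth.csr" -subj "/CN=Stuart Halliday" 2>/dev/null
    # 3. The CA signs the user's CSR.
    openssl x509 -req -in "$dir/stuarth.csr" -CA "$dir/cacert.pem" \
        -CAkey "$dir/cakey.pem" -CAcreateserial -days 365 \
        -out "$dir/stuarth.cer" 2>/dev/null
    # 4. Bundle user key + user cert + CA cert. -certfile is the "merge"
    #    asked about in the thread; the CA cert travels inside the .p12.
    openssl pkcs12 -export -in "$dir/stuarth.cer" -inkey "$dir/stuarth.key" \
        -certfile "$dir/cacert.pem" -passout pass:demo \
        -out "$dir/stuarth.p12" 2>/dev/null
}

# Checks worth running before importing the .p12 anywhere.
# Does the user certificate chain to the CA certificate?
verify_chain() {
    openssl verify -CAfile "$1/cacert.pem" "$1/stuarth.cer" >/dev/null 2>&1
}
# Do the CA and the user really have different public keys?
keys_differ() {
    ca=$(openssl x509 -in "$1/cacert.pem" -pubkey -noout | openssl dgst -sha256)
    usr=$(openssl x509 -in "$1/stuarth.cer" -pubkey -noout | openssl dgst -sha256)
    [ "$ca" != "$usr" ]
}
# Is a certificate self-signed (subject DN equals issuer DN)?
is_self_signed() {
    s=$(openssl x509 -in "$1" -noout -subject)
    i=$(openssl x509 -in "$1" -noout -issuer)
    [ "${s#subject=}" = "${i#issuer=}" ]
}
# How many certificates does the PKCS#12 carry? Two means user cert + CA cert.
p12_cert_count() {
    openssl pkcs12 -in "$1/stuarth.p12" -passin pass:demo -nokeys 2>/dev/null |
        grep -c 'BEGIN CERTIFICATE'
}
```

Run `build_demo_pki ./demo && verify_chain ./demo && echo chain ok` to exercise it; `p12_cert_count ./demo` should print 2.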

RE: A little help would be appreciated

Randy Turner
In reply to this post by Stuart Halliday

Hi Stephen,

There have been a few email messages on the list recently concerning
negative attributes of 0.9.8, with recommendations of using 0.9.7.x
versions. Are we to assume that later versions of 0.9.7.x are really
preferred for creating robust solutions with OpenSSL, instead of
0.9.8-based versions? (at least for now). Let me know if I have
interpreted the email incorrectly.

Thanks!
Randy

-----Original Message-----
From: [hidden email]
[mailto:[hidden email]] On Behalf Of Dr. Stephen Henson
Sent: Wednesday, March 08, 2006 5:33 AM
To: [hidden email]
Subject: Re: A little help would be appreciated

On Wed, Mar 08, 2006, Stuart Halliday wrote:

>
> If it helps, here is how I generated the certs.
>
> 1st, the CA.
>
> openssl req -config openssl.cnf -new -x509 -keyout
> ECS_CA/private/cakey.pem -out ECS_CA/cacert.pem -days 3650
>
>
> Then I used the following commands to generate the users certs on the
Server:
>
> openssl req -new -key ECS_CA\private\cakey.pem -out stuarth.csr
> openssl ca -policy policy_anything -out stuarth.cer -infiles
stuarth.csr
>
> Infopath needs a cert with a private key so the .p12 format is
required.
>
> openssl x509 -in stuarth.cer -out stuarth_certx509.pem
> openssl pkcs12 -export -in stuarth_certx509.pem -inkey
> ECS_CA\private\cakey.pem -out stuarth.p12
>
> and it is stuarth.p12 which I import into mmc - Personal.
>

It looks like you are using the same key for the user certificates and
the CA!

Instead of manually entering commands use the CA.pl script instead. That
is
intended to just "do the right thing" when given some simple options.
Don't
use the CA.pl in the release version of 0.9.8 though: pick a recent
snapshot
or use 0.9.7.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk

Re: A little help would be appreciated

Stuart Halliday
In reply to this post by Dr. Stephen Henson

> It looks like you are using the same key for the user certificates and
> the CA!

Oops. Sorry, I typed in the wrong key in the example.

 
> Instead of manually entering commands use the CA.pl script instead.
> That is
> intended to just "do the right thing" when given some simple options.
> Don't
> use the CA.pl in the release version of 0.9.8 though: pick a recent
> snapshot or use 0.9.7.

I've downloaded
openssl-0.9.8-stable-SNAP-20060308.tar.gz
and only found a 'CA.pl.in' file.

There is no CA.pl file.

But judging by its version number inside, it's not been updated since 1998!

Have I got the wrong file?

--
Stuart Halliday
ECS Technology ltd
Registered in Scotland - #212513





Re: A little help would be appreciated

Dr. Stephen Henson
On Wed, Mar 08, 2006, Stuart Halliday wrote:

>
> > Instead of manually entering commands use the CA.pl script instead.
> > That is
> > intended to just "do the right thing" when given some simple options.
> > Don't
> > use the CA.pl in the release version of 0.9.8 though: pick a recent
> > snapshot or use 0.9.7.
>
> I've downloaded
> openssl-0.9.8-stable-SNAP-20060308.tar.gz
> and only found a 'CA.pl.in' file.
>
> There is no CA.pl file.
>
> But judging by its version number inside, its not been updated since 1998!
>
> Have I got the wrong file?
>

It isn't installed by default on Windows. Copy CA.pl.in from the snapshot to
somewhere convenient on your path.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk