ECC Self-Signed Certificate


ECC Self-Signed Certificate

Nabil Ghadiali

Can someone help me with the command to generate a self-signed certificate using openssl?

I have used the following steps and when I get a certificate and open up it says “the signature is invalid”. Am I missing something?

I have created an ECC key pair using the following:

openssl ecparam -out key.pem -name prime256v1 -genkey

I create the request using the following

openssl req -new -key key.pem -out req.pem

I create the self-signed certificate using the following

openssl req -x509 -in req.pem -days 365 -key key.pem

I cannot tell why the certificate that is generated doesn’t work. I am pasting the generated certificate as well

Thanks,

Nabil

Re: ECC Self-Signed Certificate

Victor Duchovni
On Wed, Feb 13, 2008 at 12:40:18AM -0500, Nabil Ghadiali wrote:

> Can someone help me with the command to generate a self-signed certificate
> using openssl?
>
>  
>
> I have used the following steps and when I get a certificate and open up it
> says "the signature is invalid". Am I missing something?

What does "open it up" mean? The self-signed EC cert you posted looks
fine.

$ openssl verify -CAfile foo.pem -purpose crlsign foo.pem
foo.pem: OK

$ openssl x509 -text -in foo.pem
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            d2:4e:d0:af:62:63:da:1b
        Signature Algorithm: ecdsa-with-SHA1
        Issuer: C=US, ST=Some-State, O=Internet Widgits Pty Ltd
        Validity
            Not Before: Feb 13 05:37:39 2008 GMT
            Not After : Feb 12 05:37:39 2009 GMT
        Subject: C=US, ST=Some-State, O=Internet Widgits Pty Ltd
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (256 bit)
                pub:
                    04:f3:26:32:97:d1:db:f9:e6:18:40:53:95:f7:67:
                    f7:ab:52:25:96:aa:58:d2:8e:dc:6d:d3:a5:e5:5d:
                    11:95:e7:73:f9:b3:24:df:5e:4f:b1:5e:55:49:66:
                    3e:a4:39:3c:c5:a4:74:f0:a3:62:35:94:23:aa:e5:
                    db:83:67:07:35
                ASN1 OID: prime256v1
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                E6:9B:18:14:7F:52:88:EB:C5:86:BE:B3:68:9E:BE:39:F3:A6:2B:E2
            X509v3 Authority Key Identifier:
                keyid:E6:9B:18:14:7F:52:88:EB:C5:86:BE:B3:68:9E:BE:39:F3:A6:2B:E2
                DirName:/C=US/ST=Some-State/O=Internet Widgits Pty Ltd
                serial:D2:4E:D0:AF:62:63:DA:1B

            X509v3 Basic Constraints:
                CA:TRUE
    Signature Algorithm: ecdsa-with-SHA1
        30:45:02:21:00:a7:58:a0:52:62:be:42:dd:53:83:6d:4c:c4:
        4f:dd:96:24:56:f5:f8:6b:76:ec:3f:cf:fa:0b:41:8c:6c:4b:
        85:02:20:24:00:ae:a7:fb:1b:37:cf:77:f6:3e:2e:47:22:ed:
        ba:21:0b:79:32:31:3a:07:2b:2f:32:0e:81:4f:8c:eb:b0

--
        Viktor.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]

RE: ECC Self-Signed Certificate

Nabil Ghadiali
I saved the base64 encoded text in a file with an extension ".cer" and then
double-clicked it. Microsoft recognizes it is a certificate and opens it up
in a certificate viewer.

Over here it says "The integrity of the certificate cannot be guaranteed.
The certificate may be corrupted or may have been altered"

Thanks,


Re: ECC Self-Signed Certificate

Patrick Patterson-3
On Wednesday 13 February 2008 09:58:08 Nabil Ghadiali wrote:
> I saved the base64 encoded text in a file with an extension ".cer" and then
> double-clicked it. Microsoft recognizes it is a certificate and opens it up
> in a certificate viewer.
>
> Over here it says "The integrity of the certificate cannot be guaranteed.
> The certificate may be corrupted or may have been altered"
>
Unless you are using Vista, Microsoft CAPI doesn't support ECC.

Have fun.

Patrick.


--
Patrick Patterson
President and Chief PKI Architect,
Carillon Information Security Inc.
http://www.carillon.ca

RE: ECC Self-Signed Certificate

Bill Colvin
In reply to this post by Nabil Ghadiali

Can you be more specific about what your problem is?  The cert appears to be a self-signed cert.

 

The command “openssl x509 -in test.pem -noout -text” generates:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            d2:4e:d0:af:62:63:da:1b
        Signature Algorithm: ecdsa-with-SHA1
        Issuer: C=US, ST=Some-State, O=Internet Widgits Pty Ltd
        Validity
            Not Before: Feb 13 05:37:39 2008 GMT
            Not After : Feb 12 05:37:39 2009 GMT
        Subject: C=US, ST=Some-State, O=Internet Widgits Pty Ltd
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
            EC Public Key:
                pub:
                    04:f3:26:32:97:d1:db:f9:e6:18:40:53:95:f7:67:
                    f7:ab:52:25:96:aa:58:d2:8e:dc:6d:d3:a5:e5:5d:
                    11:95:e7:73:f9:b3:24:df:5e:4f:b1:5e:55:49:66:
                    3e:a4:39:3c:c5:a4:74:f0:a3:62:35:94:23:aa:e5:
                    db:83:67:07:35
                ASN1 OID: prime256v1
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                E6:9B:18:14:7F:52:88:EB:C5:86:BE:B3:68:9E:BE:39:F3:A6:2B:E2
            X509v3 Authority Key Identifier:
                keyid:E6:9B:18:14:7F:52:88:EB:C5:86:BE:B3:68:9E:BE:39:F3:A6:2B:E2
                DirName:/C=US/ST=Some-State/O=Internet Widgits Pty Ltd
                serial:D2:4E:D0:AF:62:63:DA:1B

            X509v3 Basic Constraints:
                CA:TRUE
    Signature Algorithm: ecdsa-with-SHA1
        30:45:02:21:00:a7:58:a0:52:62:be:42:dd:53:83:6d:4c:c4:
        4f:dd:96:24:56:f5:f8:6b:76:ec:3f:cf:fa:0b:41:8c:6c:4b:
        85:02:20:24:00:ae:a7:fb:1b:37:cf:77:f6:3e:2e:47:22:ed:
        ba:21:0b:79:32:31:3a:07:2b:2f:32:0e:81:4f:8c:eb:b0

Bill



RE: ECC Self-Signed Certificate

Nabil Ghadiali
In reply to this post by Patrick Patterson-3
Ahh ok. That means that even if the signature is valid, it will show up like
that.

Thanks,


Re: ECC Self-Signed Certificate

Larry Bugbee-2

I've signed and consumed ECC certs just fine.  My only problem is that  
when I specify a hash algorithm like SHA-256, OpenSSL falls back to  
the default SHA-1 for self-signed certs only.




RE: ECC Self-Signed Certificate

Bill Colvin
I have noticed this as well.  I believe it operates correctly in the
0.9.9 snapshot.




Re: ECC Self-Signed Certificate

Larry Bugbee-2
> I have noticed this as well.  I believe it operates correctly in the
> 0.9.9 snapshot.

Indeed, the change log indicates a fix.  Thanks.  At the moment I'm  
unable to get a good build with the 3/10 SNAP.  ...a problem  
linking .dylib.
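
A current-OpenSSL rendering of the procedure discussed in this thread, added here as an example and not code from any of the posters. It generates a prime256v1 self-signed certificate with SHA-256 requested, then reads back from the certificate which digest was actually used (the SHA-1 fallback reported above) and confirms the self-signature with OpenSSL itself rather than a platform certificate viewer. The subject name, temporary directory and function names are assumptions, and a recent `openssl` binary is assumed on the PATH.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): EC self-signed certificate, then checks
# on what was actually signed. Subject, paths and function names are assumptions.
set -eu

# Generate a prime256v1 key and a self-signed certificate, asking for SHA-256.
make_ec_selfsigned() {   # $1 = output directory
    openssl ecparam -name prime256v1 -genkey -noout -out "$1/key.pem"
    openssl req -new -x509 -key "$1/key.pem" -sha256 -days 365 \
        -subj "/C=US/ST=Some-State/O=Example Org" -out "$1/cert.pem"
}

# First "Signature Algorithm:" line of the -text dump, e.g. ecdsa-with-SHA256.
sig_alg() {   # $1 = certificate file
    openssl x509 -in "$1" -noout -text |
        sed -n 's/^ *Signature Algorithm: *//p' | head -n 1
}

# Named curve of the subject public key, e.g. prime256v1.
curve_of() {   # $1 = certificate file
    openssl x509 -in "$1" -noout -text |
        sed -n 's/^ *ASN1 OID: *//p' | head -n 1
}

# Succeeds when the signature algorithm name carries a SHA-1 or MD5 digest.
digest_is_weak() {   # $1 = signature algorithm name
    case $1 in
        *SHA1*|*sha1*|*MD5*|*md5*) return 0 ;;
        *) return 1 ;;
    esac
}

# Report each check; return non-zero if any of them fails.
audit_cert() {   # $1 = certificate file, $2 = digest that was requested
    rc=0
    alg=$(sig_alg "$1")
    if digest_is_weak "$alg"; then
        echo "FAIL weak digest in signature: $alg"; rc=1
    fi
    case $alg in
        *"$2") echo "ok   signed with $alg" ;;
        *)     echo "FAIL asked for $2, certificate carries $alg"; rc=1 ;;
    esac
    # The certificate is its own trust anchor, as in the verify run above.
    if openssl verify -CAfile "$1" "$1" >/dev/null 2>&1; then
        echo "ok   self-signature verifies"
    else
        echo "FAIL self-signature does not verify"; rc=1
    fi
    return $rc
}

workdir=$(mktemp -d)
trap 'rm -rf "$workdir"' EXIT
make_ec_selfsigned "$workdir"
audit_cert "$workdir/cert.pem" SHA256
```

Run against the certificate posted in this thread, the digest check would flag `ecdsa-with-SHA1` while the self-signature check still passes.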

