Howto create a certificate for multiple domains?


Howto create a certificate for multiple domains?

deblarinteln
Hi,

well I have to create a certificate for our main domain as well as for some subdomains.

The structure will look pretty much like this:

mydomain.tld
mail.mydomain.tld
owa.mydomain.tld

...

Has anyone of you an idea how to get that done, so that the cert can finally be imported/installed on the exchange 2007 server? What I have found so far is that the Exchange server has to get a .cer file.

All your help is highly appreciated!

Thanks in advance
Niels

Re: Howto create a certificate for multiple domains?

Serge Fonville
Hi,
 
> well I have to create a certificate for our main domain as well as for some
> subdomains.

Use a wildcard domain for your CN
Unless each domain had a separate IP
You need to specify *.mydomain.tld as the CN
 
HTH
 
Regards,
 
Serge Fonville

> Has anyone of you an idea how to get that done, so that the cert can finally
> be imported/installed on the exchange 2007 server? What I have found so far
> is that the Exchange server has to get a .cer file.

To create a .cer from a certificate, google for openssl pem to cer
You would then get http://www.mail-archive.com/openssl-users@.../msg48437.html and the command would be:
openssl x509 -in mykey.pem -inform PEM -out mykey.der -outform DER
 
HTH.
 
Regards,
 
Serge Fonville

Re: Howto create a certificate for multiple domains?

Goetz Babin-Ebell
In reply to this post by deblarinteln
deblarinteln wrote:
| Hi,
|
| well I have to create a certificate for our main domain as well as for some
| subdomains.
|
| The structure will look pretty much like this:
|
| mydomain.tld
| mail.mydomain.tld
| owa.mydomain.tld

It is called subjectAltName extension.


Goetz

- --
DMCA: The greed of the few outweighs the freedom of the many
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]

Re: Howto create a certificate for multiple domains?

Emerson Saito
One certificate is needed for each domain or subdomain.
Using names like *.mydomain.tld is not recommended.


Re: Howto create a certificate for multiple domains?

Goetz Babin-Ebell
Emerson Saito wrote:
| One certificate is needed for each domain or subdomain.
| Using names like *.mydomain.tld is not recommended.

???
What do you want to say?

If you have one system that serves several addresses
(like mydomain.tld, mail.mydomain.tld, owa.mydomain.tld)
you use the subjectAltName extension.

Wildcard certificates (*.mydomain.tld) are AFAIK deprecated.

Goetz
- --
DMCA: The greed of the few outweighs the freedom of the many

Re: Howto create a certificate for multiple domains?

Crypto Sal
In reply to this post by Goetz Babin-Ebell
On 08/12/2009 09:50 AM, Goetz Babin-Ebell wrote:

> deblarinteln wrote:
> | Hi,
> |
> | well I have to create a certificate for our main domain as well as for some
> | subdomains.
> |
> | The structure will look pretty much like this:
> |
> | mydomain.tld
> | mail.mydomain.tld
> | owa.mydomain.tld
>
> It is called subjectAltName extension.
>
>
> Goetz
>
>
On 08/12/2009 03:15 AM, deblarinteln wrote:
 > Hi,
 >
 > well I have to create a certificate for our main domain as well as for some
 > subdomains.
 >
 > The structure will look pretty much like this:
 >
 > mydomain.tld
 > mail.mydomain.tld
 > owa.mydomain.tld
 >
 > ...
 >


http://sandbox.rulemaker.net/ngps/m2/howto.ca.html -- To be your own CA.


http://www.openssl.org/docs/apps/x509v3_config.html#Subject_Alternative_Name_ 
--- What Goetz was getting at.

  subjectAltName=DNS:mydomain.tld,DNS:mail.mydomain.tld,DNS:owa.mydomain.tld
...
So and so forth. (via OpenSSL)

I do believe that with Exchange 2007 you're able to use the
New-ExchangeCertificate cmdlet to create a SAN self-signed certificate,
if you want to go that route. Unless you're looking to be your own CA.

http://technet.microsoft.com/en-us/library/aa998327.aspx

 > Has anyone of you an idea how to get that done, so that the cert can finally
 > be imported/installed on the exchange 2007 server? What I have found so far
 > is that the Exchange server has to get a .cer file.
 >
 > All your help is highly appreciated!
 >
 > Thanks in advance
 > Niels


Exchange 2007 will accept either a PKCS7(CER, usually) file -or- a PEM
encoded CRT file.

Re: Howto create a certificate for multiple domains?

deblarinteln
In reply to this post by Goetz Babin-Ebell
Hi Goetz,

Goetz Babin-Ebell wrote:

| It is called subjectAltName extension.

would you mind telling me how and where I have to define the AltName(s) ?

And still, how will I get my *.pem certificate converted into a .cer certificate?

Thanks a lot
Niels

Re: Howto create a certificate for multiple domains?

deblarinteln
In reply to this post by Serge Fonville
Hi Serge,

Serge Fonville wrote:

| Use a wildcard domain for your CN
| Unless each domain had a separate IP
| You need to specify *.mydomain.tld as the CN

so, my CN entry should look like this, if I get you right:

*.mydomain.tld

and the subdomains would then kinda automatically get the certificate, or will I have to configure them somehow?

Thanks a lot
Niels

Re: Howto create a certificate for multiple domains?

Goetz Babin-Ebell
In reply to this post by deblarinteln
deblarinteln wrote:
| Hi Goetz,
Hello deblarinteln,

| | It is called subjectAltName extension.
|
| would you mind telling me how and where I have to define the AltName(s) ?

There is the man page x509v3_config.
It should contain the info you need.
A hint: x509v3_config describes data found in the openssl.cnf file.
So this data is used on creating a certificate / CSR...

| And still, how will I get my *.pem certificate converted into a .cer
| certificate?

I think .cer is just DER encoded data.
The OpenSSL subcommand x509 has an option to save a certificate
in DER format.


I admit I'm somewhat vague.
This is on purpose, because in the range of
shooting-yourself-in-the-foot openssl and cryptography
is a very big cannon.
It is essential to have at least some basic understanding about what you
do.
Giving you a cookbook will not give you this understanding.

Goetz

- --
DMCA: The greed of the few outweighs the freedom of the many

Re: Howto create a certificate for multiple domains?

deblarinteln
Hi Goetz, *,

> There is the man page x509v3_config.
> It should contain the info you need.
> A hint: x509v3_config describes data found in the openssl.cnf file.
> So this data is used on creating a certificate / CSR...

well I have created a certificate with all necessary data. At least I think I've done it right. And yes, as you said, crypto isn't a thing to deal with, if you haven't got at least a minor understanding of what one is doing. Well, I think that I do have at least a minor understanding, but on the other hand I'm not that far, that I know how to deal with some sorts of jobs I need to do. Just as like as the one I'm still working on. A certificate for some subdomains and the main domain. All domains should have the same certificate.

C:\ssl>dir
 Datenträger in Laufwerk C: ist System
 Volumeseriennummer: F8B1-B3F8

 Verzeichnis von C:\ssl

19.08.2009  12:47    <DIR>          .
19.08.2009  12:47    <DIR>          ..
19.08.2009  10:01             1.024 .rnd
19.08.2009  10:02             1.407 cacert.pem
19.08.2009  10:02               963 cakey.pem
19.08.2009  12:55             2.013 cert.p12
21.07.2009  09:32    <DIR>          certs
21.07.2009  09:32                 0 database.txt
19.08.2009  10:06               963 key.pem
21.07.2009  09:32    <DIR>          keys
19.08.2009  10:09               822 req.pem
21.07.2009  09:32    <DIR>          requests
21.07.2009  09:32                 0 serial.txt
               8 Datei(en),          7.192 Bytes
               5 Verzeichnis(se), 493.483.315.200 Bytes frei

C:\ssl>openssl x509 -text -in cacert.pem
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            ab:49:2d:9c:cd:b2:e2:b5
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=DE, ST=Niedersachsen, L=somewhre, O=xxxxx GmbH, OU=Administration, CN=somename/emailAddress=someone@mydomain.tld
        Validity
            Not Before: Aug 19 08:02:58 2009 GMT
            Not After : Aug 18 08:02:58 2012 GMT
        Subject: C=DE, ST=Niedersachsen, L=somewhere, O=xxxxx GmbH, OU=Administration, CN=somename/emailAddress=info@mydomain.tld
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                    00:d6:03:54:4b:b4:13:e8:cd:97:49:6f:ae:11:c4:
                    2b:04:ec:b2:b1:06:4b:8f:71:ba:85:fa:10:14:6d:
                    88:be:7f:37:53:15:3b:39:4e:26:9d:02:ba:3c:bd:
                    6e:3e:db:33:a0:19:f0:b2:cf:ef:42:30:03:7d:9a:
                    2b:04:85:af:3e:03:51:d3:2b:f6:af:56:38:38:93:
                    e4:8a:2d:1f:ed:86:53:a8:33:9a:06:6e:cf:c6:ec:
                    6c:37:d7:90:d6:19:02:69:6f:93:0d:d7:d8:6d:11:
                    96:1b:d2:16:51:09:2a:f5:f3:c3:3a:19:ce:bc:ef:
                    26:b2:77:33:03:a9:eb:6c:31
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                A8:75:05:9B:F0:02:C7:F5:0E:99:34:97:3D:25:E0:01:9E:29:AA:10
            X509v3 Authority Key Identifier:
                keyid:A8:75:05:9B:F0:02:C7:F5:0E:99:34:97:3D:25:E0:01:9E:29:AA:10
                DirName:/C=DE/ST=Niedersachsen/L=Rinteln/O=xxxxx GmbH/OU=Administration/CN=somename/emailAddress=info@mydomain.tld
                serial:AB:49:2D:9C:CD:B2:E2:B5

            X509v3 Basic Constraints:
                CA:TRUE
    Signature Algorithm: sha1WithRSAEncryption
        2e:2f:33:0c:4a:88:df:88:d2:6c:23:93:a7:41:d9:12:14:f4:
        7f:8e:10:a0:d5:d5:d4:7e:d2:d1:02:d3:37:9e:19:b3:e6:48:
        7e:3e:f2:90:8b:3c:b2:d2:e6:90:eb:4d:a3:3d:4f:30:d9:a7:
        12:98:06:6d:02:62:c3:83:41:60:d4:3c:c6:97:03:0c:ec:fc:
        f5:62:94:06:20:5a:cc:f9:e7:c8:e9:bd:90:f4:2b:9d:d6:c7:
        96:53:a5:03:45:b2:04:90:db:5a:f2:b9:23:89:4f:10:e9:29:
        b7:a1:47:60:01:72:42:c5:50:91:19:60:b8:7f:64:7b:98:d7:
        72:f3


> I think .cer is just DER encoded data.
> The OpenSSL subcommand x509 has an option to save a certificate
> in DER format.


> I admit I'm somewhat vague.
> This is on purpose, because in the range of
> shooting-yourself-in-the-foot openssl and cryptography
> is a very big cannon.
> It is essential to have at least some basic understanding about what you
> do.
> Giving you a cookbook will not give you this understanding.

Well, I know exactly what you're saying and under "normal" circumstances I would agree to your cookbook statement, but sometimes you're facing challenges and for somewhat reasons you're standing since a while on the hose and haven't got a clue, why - and that's where I'm at.

Maybe you or someone else on the list might be so kind to help me out, so that I'll get the thing done.

Thanks a lot to all who might help me!
Greetings
NielsJ


Re: Howto create a certificate for multiple domains?

Patrick Patterson-3
Hi There:

If you're looking for a cookbook, and want a fairly comprehensive explanation
of how all of the moving parts work:

http://www.carillon.ca/library/openssl_testca_howto_1.2.pdf

Have fun.

Patrick.




--
Patrick Patterson
President and Chief PKI Architect,
Carillon Information Security Inc.
http://www.carillon.ca
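
Added example, not part of any poster's message or of the OpenSSL project: the route the thread points to (subjectAltName defined in an openssl config section as described in x509v3_config, then the x509 PEM-to-DER conversion), run end to end and checked. The throwaway test CA, the file names, and the RSA 2048 / SHA-256 choices are assumptions of this example.

```shell
#!/bin/sh
# Added example: one certificate for several host names via subjectAltName,
# issued by a throwaway test CA, then converted from PEM to DER (.cer).
set -eu

# make_san_cert DIR NAME... : the first NAME becomes the CN, every NAME a SAN.
make_san_cert() {
    dir=$1; shift
    cn=$1; san=""
    for name in "$@"; do san="${san:+$san,}DNS:$name"; done

    # All names go into ONE comma-separated subjectAltName value; repeating
    # the key inside a section would keep only the last line.
    cat > "$dir/san.cnf" <<EOF
[ req ]
distinguished_name = dn
req_extensions     = v3_req
prompt             = no
[ dn ]
CN = $cn
[ v3_ca ]
basicConstraints = critical,CA:TRUE
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName   = $san
EOF
    # Test CA, constructed for this example only.
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
        -config "$dir/san.cnf" -extensions v3_ca -subj "/CN=Example Test CA" \
        -keyout "$dir/cakey.pem" -out "$dir/cacert.pem" 2>/dev/null
    # Server key and CSR carrying the SAN request.
    openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$dir/san.cnf" \
        -keyout "$dir/key.pem" -out "$dir/req.pem" 2>/dev/null
    # "x509 -req" does not copy extensions out of the CSR by default, so the
    # same section is handed to the signing step via -extfile/-extensions.
    openssl x509 -req -in "$dir/req.pem" -sha256 -days 30 \
        -CA "$dir/cacert.pem" -CAkey "$dir/cakey.pem" -CAcreateserial \
        -extfile "$dir/san.cnf" -extensions v3_req \
        -out "$dir/cert.pem" 2>/dev/null
    # PEM -> DER, the conversion given earlier in the thread.
    openssl x509 -in "$dir/cert.pem" -inform PEM -out "$dir/cert.cer" -outform DER
}

# list_sans FILE [PEM|DER] : DNS names in the certificate, comma-separated.
list_sans() {
    openssl x509 -in "$1" -inform "${2:-PEM}" -noout -text |
        grep -o 'DNS:[^,[:space:]]*' | cut -d: -f2 | paste -sd, -
}

# host_matches FILE HOST : succeeds if the certificate is valid for HOST.
host_matches() {
    openssl x509 -in "$1" -noout -checkhost "$2" | grep -q 'does match'
}

work=$(mktemp -d)
make_san_cert "$work" mydomain.tld mail.mydomain.tld owa.mydomain.tld
echo "SANs in cert.cer: $(list_sans "$work/cert.cer" DER)"
openssl verify -CAfile "$work/cacert.pem" "$work/cert.pem"
for h in owa.mydomain.tld www.mydomain.tld; do
    if host_matches "$work/cert.pem" "$h"; then echo "$h: covered"
    else echo "$h: NOT covered"; fi
done
```

Running `list_sans` on the issued certificate rather than on cacert.pem is the check that the extension actually made it through signing; a name that is not listed, such as www.mydomain.tld here, is reported as not covered.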