Machine certificate

classic Classic list List threaded Threaded
4 messages Options
Reply | Threaded
Open this post in threaded view
|

Machine certificate

waeltima

Hi
I just started to try gererating certificates for machine authentication
with openssl.
But im not so successful. I can generate client certificates but im not
sure about the difference between client and machine certificates.
Do i have to change the x509_extensions in the openssl.cnf file? How can
i be sure to get a machine certificate.
Do you have somthing like a how to configure opoenssl for machine
certificates.

Marcel

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]
Reply | Threaded
Open this post in threaded view
|

Re: Machine certificate

Babak Nasri
Yes you should edit the x509_extensions in the openssl.cnf

I think the following will be minimal set for a ssl server host cert:

basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
nsCertType            = server
extendedKeyUsage        = serverAuth,msSGC, nsSGC



On 7/20/05, [hidden email] <[hidden email]> wrote:

>
> Hi
> I just started to try gererating certificates for machine authentication
> with openssl.
> But im not so successful. I can generate client certificates but im not
> sure about the difference between client and machine certificates.
> Do i have to change the x509_extensions in the openssl.cnf file? How can
> i be sure to get a machine certificate.
> Do you have somthing like a how to configure opoenssl for machine
> certificates.
>
> Marcel
>
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> User Support Mailing List                    [hidden email]
> Automated List Manager                           [hidden email]
>
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]
Reply | Threaded
Open this post in threaded view
|

AW: Machine certificate

waeltima
In reply to this post by waeltima
Do you have an example of a openssl.cnf file.
Do i have to consider something else instead of the openssl.cnf file

Marcel


-----Urspr√ľngliche Nachricht-----
Von: [hidden email] [mailto:[hidden email]] Im Auftrag von Babak Nasri
Gesendet: Mittwoch, 20. Juli 2005 11:49
An: [hidden email]
Betreff: Re: Machine certificate


Yes you should edit the x509_extensions in the openssl.cnf

I think the following will be minimal set for a ssl server host cert:

basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
nsCertType            = server
extendedKeyUsage        = serverAuth,msSGC, nsSGC



On 7/20/05, [hidden email] <[hidden email]> wrote:

>
> Hi
> I just started to try gererating certificates for machine authentication
> with openssl.
> But im not so successful. I can generate client certificates but im not
> sure about the difference between client and machine certificates.
> Do i have to change the x509_extensions in the openssl.cnf file? How can
> i be sure to get a machine certificate.
> Do you have somthing like a how to configure opoenssl for machine
> certificates.
>
> Marcel
>
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> User Support Mailing List                    [hidden email]
> Automated List Manager                           [hidden email]
>
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]
Reply | Threaded
Open this post in threaded view
|

Re: Machine certificate

Babak Nasri
No actually notthing more than the opnessl.cnf and the usual way you
take to generate the cert-req (and resp. the certificate) should be
needed.


after using something like the attached config file you can take this
steps(or an altenative  that makes the most sense for you):


openssl genrsa -des3 -out mykey.key 2048   #this will be the rsa
private key with the given length encrypted with des3

openssl req -new -x509 -days 3650 -key mykey.key -out ssl.crt
-set_serial 1353  #generate the self signed certificate

openssl pkcs12 -export -in ssl.crt -inkey myca.key -certfile smime.crt
 -name "sslserver" -out ssl.p12 #to maintain the key in a pbe guarded
alias in the pkcs12 container





On 7/20/05, [hidden email] <[hidden email]> wrote:
> Do you have an example of a openssl.cnf file.
> Do i have to consider something else instead of the openssl.cnf file
>
> Marcel
>
>

openssl.cnf (6K) Download Attachment