Newbie Questions

Newbie Questions

Rocky S
I am a newbie with both openssl & security in general. So excuse me if my
questions are naive.

1) I have installed openssl sources. In the certs directory,
there are various certificates. I looked at a couple of
them - aol1.pem & vsign1.pem.

The vsign1.pem starts with
subject=/C=US/O=VeriSign, Inc./OU=Class 1 Public Primary Certification Authority
notBefore=Jan 29 00:00:00 1996 GMT
notAfter=Jan  7 23:59:59 2020 GMT
& then BEGIN_CERTIFICATE - the certificate itself &
then END_CERTIFICATE.

The aol1.pem directly starts with BEGIN_CERTIFICATE - i.e. it doesn't
have the subject field & the notBefore/notAfter.

Why this difference between aol1.pem & vsign1.pem?

2) I can run the command
"openssl x509 -hash -in [pem filename]" on either of the pem files & I
get a hash (e.g. bda4cc84) for aol1.pem

What exactly is being hashed here - is it the part between
BEGIN_CERTIFICATE & END_CERTIFICATE?
What hashing algorithm is being used?

3) I have firefox installed on my machine. I go to tools -> options ->
advanced-> Encryption Tab. Then I click on
view certificates.
I get the certificate manager dialog with 4 tabs -
"Your certs", "other people's certs", "web sites", "authorities".

All these 4 tabs have the Import Button.

I am able to import aol1.pem etc using the import button
on the last 2 tabs, but not the first 2 tabs.
Trying to import it using the "Your certs" & "Other people's certs"
asks me for the password?

Why this difference? i.e. are people's certificates different
from authorities & website's certs?
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]

Re: Newbie Questions

Goetz Babin-Ebell
Rocky S wrote:

> 1) I have installed openssl sources. In the certs directory,
> there are various certificates. I looked at a couple of
> them - aol1.pem & vsign1.pem.
>
> The vsign1.pem starts with
[...]
> The aol1.pem directly starts with BEGIN_CERTIFICATE - i.e. it doesn't
> have the subject field & the notBefore/notAfter.
>
> Why this difference between aol1.pem & vsign1.pem?

The differences are only cosmetic.
The important part is between the -----BEGIN CERTIFICATE----- and
-----END CERTIFICATE----- lines.
The other data is for humans to see what is between these lines...

>
> 2) I can run the command
> "openssl x509 -hash -in [pem filename]" on either of the pem files & I
> get a hash (e.g. bda4cc84) for aol1.pem
>
> What exactly is being hashed here - is it the part between
> BEGIN_CERTIFICATE & END_CERTIFICATE?
The subject name of the certificate stored between the BEGIN... / END...
lines.

> What hashing algorithm is being used?
It is the first 4 bytes of the MD5 hash of the certificate subject name.

> 3) I have firefox installed on my machine. I go to tools -> options ->
> advanced-> Encryption Tab. Then I click on
> view certificates.
> I get the certificate manager dialog with 4 tabs -
> "Your certs", "other people's certs", "web sites", "authorities".
>
> All these 4 tabs have the Import Button.
>
> I am able to import aol1.pem etc using the import button
> on the last 2 tabs, but not the first 2 tabs.

This indicates that firefox still has some issues handling certificates.
These certificates are CA certificates (and for example aol1.pem clearly
marked as one) so it should only be possible to import it in the
"authorities" tab.

Bye

Goetz

--
DMCA: The greed of the few outweighs the freedom of the many
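
The hash described in the reply above, as an added Python example that is not part of either message and is not OpenSSL's own code: it ignores any text outside the BEGIN/END lines, pulls the DER-encoded subject name out of the certificate, and formats the first 4 bytes of its MD5 digest, read as a little-endian integer, as 8 hex digits. OpenSSL 1.0.0 and later compute a different value for -hash and expose this older one as -subject_hash_old. The function names are assumptions of this example, and the sample certificate is a constructed skeleton rather than a real one.

```python
import base64, hashlib, re

def read_tlv(buf, pos):
    """Return (tag, value_start, element_end) for the DER element at pos."""
    tag, length, hdr = buf[pos], buf[pos + 1], 2
    if length & 0x80:                  # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos + 2:pos + 2 + n], "big")
        hdr += n
    return tag, pos + hdr, pos + hdr + length

def pem_to_der(pem_text):
    """Decode only the base64 between the BEGIN/END lines; other text is ignored."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem_text, re.S)
    if not m:
        raise ValueError("no certificate block found")
    return base64.b64decode("".join(m.group(1).split()))

def subject_der(cert_der):
    """Return the raw DER bytes of the subject Name inside tbsCertificate."""
    _, pos, _ = read_tlv(cert_der, 0)      # outer Certificate SEQUENCE
    _, pos, _ = read_tlv(cert_der, pos)    # tbsCertificate SEQUENCE
    tag, _, end = read_tlv(cert_der, pos)
    if tag == 0xA0:                        # optional [0] version, absent in v1 certs
        pos = end
    for _ in range(4):                     # serialNumber, signature, issuer, validity
        _, _, pos = read_tlv(cert_der, pos)
    return cert_der[pos:read_tlv(cert_der, pos)[2]]

def old_subject_hash(pem_text):
    """First 4 bytes of MD5(subject DER), read little-endian, as 8 hex digits."""
    digest = hashlib.md5(subject_der(pem_to_der(pem_text))).digest()
    return "%08x" % int.from_bytes(digest[:4], "little")

def tlv(tag, body):                        # short-form DER encoder for the sample only
    return bytes([tag, len(body)]) + body

# Constructed sample: a structural skeleton, not a real or signed certificate.
SAMPLE_SUBJECT = tlv(0x30, tlv(0x31, tlv(0x30, tlv(0x06, b"\x55\x04\x0a") + tlv(0x13, b"Example CA"))))
_tbs = tlv(0x30, tlv(0x02, b"\x01") + tlv(0x30, b"") + SAMPLE_SUBJECT + tlv(0x30, b"") + SAMPLE_SUBJECT)
SAMPLE_PEM = ("subject=/O=Example CA\n-----BEGIN CERTIFICATE-----\n"
              + base64.b64encode(tlv(0x30, _tbs)).decode()
              + "\n-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    print(old_subject_hash(SAMPLE_PEM))
```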