Problem W/ Cert

Problem W/ Cert

beno-4
Hi;
I sent this over the weekend and it probably got overlooked. I really
need help here, so I'm hoping someone can do that. I'm trying to
install a cert and I get this error:

2006-11-10 16:45:17: (network.c.377) SSL: Private key does not match
the certificate public key, reason: error:0906D06C:PEM
routines:PEM_read_bio:no start line /etc/ssl/certs/mrtablecloth.com.pem

So, I deleted everything and tried again. Got the _same_ error. I know
darn well I entered the information in everything _exactly_the_same_
the second time in all certs, etc. I'm running LightTPD for the server
on FreeBSD 6.1.
TIA,
beno

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]

Re: Problem W/ Cert

Marek.Marcola
Hello,
> 2006-11-10 16:45:17: (network.c.377) SSL: Private key does not match
> the certificate public key, reason: error:0906D06C:PEM
> routines:PEM_read_bio:no start line /etc/ssl/certs/mrtablecloth.com.pem
>
> So, I deleted everything and tried again. Got the _same_ error. I know
> darn well I entered the information in everything _exactly_the_same_
> the second time in all certs, etc. I'm running LightTPD for the server
> on FreeBSD 6.1.
I suggest:
 - check that certificate is readable with:
        $ openssl x509 -in cert.pem -text -noout
 - remove all text up to "-----BEGIN CERT ..." line
        (some libraries do not like this human readable info)
 - check if you have compatible cert and key:
        $ openssl x509 -in cert.pem -modulus -noout
        $ openssl rsa -in key.pem -modulus -noout
        (output should be the same).

Best regards,
--
Marek Marcola <[hidden email]>
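The three checks in the reply above, as an added example that is not part of the thread: a script that generates its own throwaway key/certificate pairs, strips any human-readable preamble and Windows line endings before parsing, and then tests whether a key belongs to a certificate. It keeps the RSA modulus comparison the reply describes and adds a second comparison of the public key itself, which also works for non-RSA keys. Only the openssl command-line tool is assumed; every file it touches is constructed test data in a temporary directory.

```shell
#!/bin/sh
# Added example (not from the thread): does this private key belong to this
# certificate? Assumes only that the openssl CLI is on PATH; all inputs are
# constructed test data generated below.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Two independent self-signed key/cert pairs, so a wrong pairing can be tested.
for n in good other; do
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$n.example" \
    -keyout "$WORK/$n.key" -out "$WORK/$n.crt" >/dev/null 2>&1
done

# good.crt as some CAs and Windows tools deliver it: a human-readable preamble
# before the PEM block, and CRLF line endings.
{ printf 'Certificate for good.example\r\nIssued by test CA\r\n'
  awk '{ printf "%s\r\n", $0 }' "$WORK/good.crt"; } > "$WORK/good_preamble.crt"

# Keep only the -----BEGIN ... -----END block(s) and drop carriage returns.
clean_pem() {
  tr -d '\r' < "$1" | sed -n '/^-----BEGIN/,/^-----END/p'
}

# Method from the reply (RSA only): the modulus printed for the certificate
# and for the key must be identical. 0 = match, 1 = mismatch, 2 = unreadable.
rsa_modulus_match() {   # <key> <cert>
  km=$(clean_pem "$1" | openssl rsa  -noout -modulus 2>/dev/null) || return 2
  cm=$(clean_pem "$2" | openssl x509 -noout -modulus 2>/dev/null) || return 2
  [ -n "$cm" ] && [ "$cm" = "$km" ]
}

# Same question for any key type: derive the public key (PEM SubjectPublicKeyInfo)
# from the private key and compare it with the one embedded in the certificate.
pubkey_match() {        # <key> <cert>
  kpub=$(clean_pem "$1" | openssl pkey -pubout 2>/dev/null) || return 2
  cpub=$(clean_pem "$2" | openssl x509 -noout -pubkey 2>/dev/null) || return 2
  [ -n "$kpub" ] && [ "$kpub" = "$cpub" ]
}

report() {              # <key> <cert>: one human-readable verdict line
  if pubkey_match "$1" "$2"; then rc=0; else rc=$?; fi
  case $rc in 0) s=MATCH ;; 2) s=UNREADABLE ;; *) s=MISMATCH ;; esac
  echo "$s: $(basename "$1") / $(basename "$2")"
}

report "$WORK/good.key"  "$WORK/good.crt"            # MATCH
report "$WORK/good.key"  "$WORK/good_preamble.crt"   # MATCH (preamble and CRs removed)
report "$WORK/other.key" "$WORK/good.crt"            # MISMATCH
```

The modulus check is what the thread uses, but it silently says nothing about key type or exponent; comparing the full public key catches an EC key paired with an RSA certificate as well, which is why both functions are shown.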


Re: Problem W/ Cert

beno-4
Marek Marcola wrote:

First up...

server167# ls
mrtablecloth-vi.com.crt mrtablecloth-vi.com.csr mrtablecloth-vi.com.pem
private.key

> I suggest:
>  - check that certificate is readable with:
> $ openssl x509 -in cert.pem -text -noout
>  
server167# openssl x509 -in mrtablecloth-vi.com.pem -text -noout
unable to load certificate
67298:error:0906D06C:PEM routines:PEM_read_bio:no start
line:/usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/pem/pem_lib.c:637:Expecting:
TRUSTED CERTIFICATE

>  - remove all text up to "-----BEGIN CERT ..." line
> (some libraries do not like this human readable info)
>  
Did that and got the same above results
>  - check if you have compatible cert and key:
> $ openssl x509 -in cert.pem -modulus -noout
> $ openssl rsa -in key.pem -modulus -noout
>  
server167# openssl rsa -in key.pem -modulus -noout
Error opening Private Key key.pem
67421:error:02001002:system library:fopen:No such file or
directory:/usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/bio/bss_file.c:278:fopen('key.pem','r')
67421:error:20074002:BIO routines:FILE_CTRL:system
lib:/usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/bio/bss_file.c:280:
unable to load Private Key

Looks like I have a number of problems ;) Thanks for this excellent
help. Please help me understand what to do about the trusted cert and
why the private key won't load.
TIA,
beno

Re: Problem W/ Cert

Marek.Marcola
Hello,

> server167# ls
> mrtablecloth-vi.com.crt mrtablecloth-vi.com.csr mrtablecloth-vi.com.pem
> private.key
>
> > I suggest:
> >  - check that certificate is readable with:
> > $ openssl x509 -in cert.pem -text -noout
> >  
> server167# openssl x509 -in mrtablecloth-vi.com.pem -text -noout
> unable to load certificate
> 67298:error:0906D06C:PEM routines:PEM_read_bio:no start
> line:/usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/pem/pem_lib.c:637:Expecting:
> TRUSTED CERTIFICATE
Maybe your certificate was issued on Windows and there is an
end-of-line problem. You may try something like the dos2ux tools.

> >  - remove all text up to "-----BEGIN CERT ..." line
> > (some libraries do not like this human readable info)
> >  
> Did that and got the same above results
> >  - check if you have compatible cert and key:
> > $ openssl x509 -in cert.pem -modulus -noout
> > $ openssl rsa -in key.pem -modulus -noout
> >  
> server167# openssl rsa -in key.pem -modulus -noout
> Error opening Private Key key.pem
> 67421:error:02001002:system library:fopen:No such file or
> directory:/usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/bio/bss_file.c:278:fopen('key.pem','r')
> 67421:error:20074002:BIO routines:FILE_CTRL:system
> lib:/usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/bio/bss_file.c:280:
> unable to load Private Key
Of course you should change example file key.pem to your real
file private.key.

Best regards,
--
Marek Marcola <[hidden email]>


Re: Problem W/ Cert

beno-4
Marek Marcola wrote:
>> server167# openssl x509 -in mrtablecloth-vi.com.pem -text -noout
>> unable to load certificate
>> 67298:error:0906D06C:PEM routines:PEM_read_bio:no start
>> line:/usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/pem/pem_lib.c:637:Expecting:
>> TRUSTED CERTIFICATE
>>    
> Maybe your certificate was issued on Windows and there is
> end-of-line problem. You may try something like dos2ux/dos2unix tools.
>  
I found a tool online which I created on the server. The "active
ingredient" is this:

        while(<INPUT>) {
                if ( s/\r\n/\n/ ) {
 
It returned that it didn't change any line in any of the files.

>>>  - check if you have compatible cert and key:
>>> $ openssl x509 -in mrtablecloth-vi.com.pem -modulus -noout
>>>      
This gives same as above.
> Of course you should change example file key.pem to your real
> file private.key.
>  
I wasn't sure, because what you used as an example looked like some kind
of pem file, and I only had one of those, and that was tied to the cert.
(You can tell I'm new.)

server167# openssl rsa -in private.key -modulus -noout
Modulus=E186578C9DC070364BCFABAF834D4FF85385E0F03B1398136361704E4359E5ABC97A2C8AB00580E9E2E6EA8EF8828009F46E5FD1331B90F8828373B3AC77B47FA4AAEAA50BF56AE721A92ED3A62E51F3ABB593099FA077845D38DDF1FB4FA52ADA06618CDD8AF7F739AEE3313522B651ACAD3F75E12ACD4392508FEC2105F193

That looks good, I presume? So, the only problem is with the trusted
certificate? More ideas?
TIA,
beno


Re: Problem W/ Cert

Marek.Marcola
Hello,

> >>>  - check if you have compatible cert and key:
> >>> $ openssl x509 -in mrtablecloth-vi.com.pem -modulus -noout
> >>>      
> This gives same as above.
> > Of course you should change example file key.pem to your real
> > file private.key.
> >  
> I wasn't sure, because what you used as an example looked like some kind
> of pem file, and I only had one of those, and that was tied to the cert.
> (You can tell I'm new.)
>
> server167# openssl rsa -in private.key -modulus -noout
> Modulus=E186578C9DC070364BCFABAF834D4FF85385E0F03B1398136361704E4359E5ABC97A2C8AB00580E9E2E6EA8EF8828009F46E5FD1331B90F8828373B3AC77B47FA4AAEAA50BF56AE721A92ED3A62E51F3ABB593099FA077845D38DDF1FB4FA52ADA06618CDD8AF7F739AEE3313522B651ACAD3F75E12ACD4392508FEC2105F193
This looks good, and from your certificate you should see the same output.
Maybe you can post that certificate?

Best regards,
--
Marek Marcola <[hidden email]>


Re: Problem W/ Cert

beno-4
Marek Marcola wrote:
>> server167# openssl rsa -in private.key -modulus -noout
>> Modulus=E186578C9DC070364BCFABAF834D4FF85385E0F03B1398136361704E4359E5ABC97A2C8AB00580E9E2E6EA8EF8828009F46E5FD1331B90F8828373B3AC77B47FA4AAEAA50BF56AE721A92ED3A62E51F3ABB593099FA077845D38DDF1FB4FA52ADA06618CDD8AF7F739AEE3313522B651ACAD3F75E12ACD4392508FEC2105F193
>>    
> This looks good and from your certificate you should see the same output.
> Maybe you can post such certificate ?
>  
mrtablecloth-vi.com.crt

Re: Problem W/ Cert

Marek.Marcola
Hello,
> >> server167# openssl rsa -in private.key -modulus -noout
> >> Modulus=E186578C9DC070364BCFABAF834D4FF85385E0F03B1398136361704E4359E5ABC97A2C8AB00580E9E2E6EA8EF8828009F46E5FD1331B90F8828373B3AC77B47FA4AAEAA50BF56AE721A92ED3A62E51F3ABB593099FA077845D38DDF1FB4FA52ADA06618CDD8AF7F739AEE3313522B651ACAD3F75E12ACD4392508FEC2105F193
> >>    
> > This looks good and from your certificate you should see the same output.
> > Maybe you can post such certificate ?
> >  
> mrtablecloth-vi.com.crt
This file is not in PEM format; after exporting the certificate (under Windows)
from this file to a PEM encoded certificate it looks readable under
Linux.

Best regards,
--
Marek Marcola <[hidden email]>

Attachment: cert.pem (1K)

Re: Problem W/ Cert

beno-4
Marek Marcola wrote:
> This file is not in PEM format; after exporting the certificate (under Windows)
> from this file to a PEM encoded certificate it looks readable under
> Linux.
>  
I'm afraid I don't understand what you mean. The file I sent was a *.crt
file. What am I to do to get the file to work? Here's the *.pem file, if
that helps:
TIA,
beno

Re: Problem W/ Cert

Marek.Marcola
Hello,
> > This file is not in PEM format; after exporting the certificate (under Windows)
> > from this file to a PEM encoded certificate it looks readable under
> > Linux.
> >  
> I'm afraid I don't understand what you mean. The file I sent was a *.crt
> file. What am I to do to get the file to work? Here's the *.pem file, if
> that helps:
In your first mail you sent a base64 encoded X509 certificate; this is
not PEM format, and it must be converted to PEM.
Let's say that this data was saved to the file cert.b64; then you may
display this data with the command:

$ openssl base64 -d -in cert.b64 | openssl x509 -inform der -text -noout

and you may convert this file to PEM format with the command:

$ openssl base64 -d -in cert.b64 | openssl x509 -inform der > cert.pem

and then you may display this PEM file with:

$ openssl x509 -in cert.pem -text -noout

In your second mail you sent a base64 encoded private key.
Of course this is only acceptable if this is only a test key;
from now on this key is "compromised" and should be used only
for test purposes, which means that for a production environment
you should generate a new key and request a new certificate.
Again, let's say that this key was saved to the file key.b64; then you may
display this key with the command:

$ openssl base64 -d -in key.b64 | openssl rsa -inform der -text -noout

and you may convert this key to PEM format with the command:

$ openssl base64 -d -in key.b64 | openssl rsa -inform der > key.pem

and then you may display this PEM key with:

$ openssl rsa -in key.pem -text -noout

Again, these files were DER files with base64 encoding; PEM files
have additional header lines.

Best regards,
--
Marek Marcola <[hidden email]>
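The commands in the reply above convert one bare base64 DER file at a time. As an added example that is not part of the thread, the script below generalises them into a function that first classifies a file as real PEM (header lines present) or as bare base64 DER, and then normalises either form to PEM, dropping Windows CR characters on the way; it also reproduces the failure mode that appears later in the thread, a certificate fed to `openssl rsa`. Only the openssl command-line tool is assumed; the key and certificate are throwaway test data generated inside the script, re-encoded into the header-less form the CA delivered.

```shell
#!/bin/sh
# Added example (not from the thread): tell bare base64 DER from PEM and
# normalise both to PEM. Assumes only the openssl CLI; all inputs are
# constructed test data made below.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Throwaway key and self-signed certificate, in proper PEM.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=test.example" \
  -keyout "$WORK/key.pem" -out "$WORK/cert.pem" >/dev/null 2>&1

# The same two objects as delivered in the thread: DER, base64 encoded, with
# no -----BEGIN/-----END lines (the certificate additionally with CRLF endings).
openssl x509 -in "$WORK/cert.pem" -outform der | openssl base64 \
  | awk '{ printf "%s\r\n", $0 }' > "$WORK/cert.b64"
openssl rsa -in "$WORK/key.pem" -outform der 2>/dev/null | openssl base64 > "$WORK/key.b64"

# pem_kind <file>: prints "pem", "b64der" or "unknown".
pem_kind() {
  if grep -q '^-----BEGIN ' "$1"; then
    echo pem
  elif [ -s "$1" ] && tr -d '\r\n' < "$1" | grep -Eq '^[A-Za-z0-9+/]+=*$'; then
    echo b64der
  else
    echo unknown
  fi
}

# to_pem <in> <out> <x509|rsa>: write <in> to <out> as PEM with header lines.
# Fails if <in> is neither form, or is not the object type named by the third
# argument (a certificate piped into "rsa" is the error seen in the thread).
to_pem() {
  case $(pem_kind "$1") in
    pem)
      tr -d '\r' < "$1" | sed -n '/^-----BEGIN/,/^-----END/p' > "$2" ;;
    b64der)
      # join and re-wrap to 64 columns first: "openssl base64 -d" does not
      # decode over-long single lines
      { tr -d '\r\n' < "$1"; echo; } | fold -w 64 | openssl base64 -d \
        | openssl "$3" -inform der -out "$2" 2>/dev/null ;;
    *)
      echo "$1: neither PEM nor base64 DER" >&2; return 1 ;;
  esac
}

cert_fingerprint() { openssl x509 -noout -fingerprint -sha256 -in "$1"; }
key_modulus()      { openssl rsa  -noout -modulus -in "$1" 2>/dev/null; }

to_pem "$WORK/cert.b64" "$WORK/cert.out.pem" x509
to_pem "$WORK/key.b64"  "$WORK/key.out.pem"  rsa
to_pem "$WORK/cert.pem" "$WORK/cert.copy.pem" x509   # already PEM: only cleaned
echo "cert.b64: $(pem_kind "$WORK/cert.b64"), cert.out.pem: $(pem_kind "$WORK/cert.out.pem")"
head -1 "$WORK/cert.out.pem"   # -----BEGIN CERTIFICATE-----
head -1 "$WORK/key.out.pem"    # -----BEGIN ... PRIVATE KEY-----
```

The base64 body of a PEM file is exactly the DER object, so a file that fails `openssl x509 -in` with "no start line" but decodes cleanly as base64 is almost always this case; the fix is to add the headers by round-tripping through `-inform der`, not to edit the file by hand.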


Re: Problem W/ Cert

beno-4
Marek Marcola wrote:

Okay, I did everything you told me to do.  First of all, the crt is a
test crt and has been all along. That's how Verisign works these days.
They give you a test cert until you pay them money.

When I displayed the key, then converted it to pem format and displayed
the converted key, they looked pretty much the same to me. I've included
them below.

The instructions that I'm following <
http://trac.lighttpd.net/trac/wiki/Docs%3ASSL > state I should cat the
crt and the key into a pem file:
    $ cat host.key host.crt > host.pem

I tried that with the old key (since they looked identical and since the
new one was a pem file already) and got this error from the server:

server167# /usr/local/sbin/lighttpd -f /usr/ports/www/lighttpd/doc/lighttpd.conf
Duplicate config variable in conditional 2
global/SERVERsocket==202.71.106.119:443: ssl.pemfile
2006-11-14 11:50:52: (configfile.c.827) source:
/usr/ports/www/lighttpd/doc/lighttpd.conf line: 228 pos: 13 parser
failed somehow near here: (EOL)

The line it chokes on is the server.name:

#### SSL engine
$SERVER["socket"] == "202.71.106.119:443" {
        ssl.engine                 = "enable"
        ssl.pemfile                = "/etc/ssl/certs/2012.vi.pem"
        ssl.pemfile                = "/etc/ssl/certs/mrtablecloth-vi.com.pem"
        ssl.ca-file                = "/etc/ssl/certs/mrtablecloth-vi.com.crt"
        server.name                = "www.2012.vi"
        server.document-root       = "/usr/htdocs/"
}

I tried it with the new key/pem file with the same result. What doesn't
it like about the server name? Why is it getting a duplicate
configuration? Because of the cat?
TIA,
beno


server167# openssl base64 -d -in private.key | openssl rsa -inform der -text -noout
Private-Key: (1024 bit)
modulus:
    00:e1:86:57:8c:9d:c0:70:36:4b:cf:ab:af:83:4d:
    4f:f8:53:85:e0:f0:3b:13:98:13:63:61:70:4e:43:
    59:e5:ab:c9:7a:2c:8a:b0:05:80:e9:e2:e6:ea:8e:
    f8:82:80:09:f4:6e:5f:d1:33:1b:90:f8:82:83:73:
    b3:ac:77:b4:7f:a4:aa:ea:a5:0b:f5:6a:e7:21:a9:
    2e:d3:a6:2e:51:f3:ab:b5:93:09:9f:a0:77:84:5d:
    38:dd:f1:fb:4f:a5:2a:da:06:61:8c:dd:8a:f7:f7:
    39:ae:e3:31:35:22:b6:51:ac:ad:3f:75:e1:2a:cd:
    43:92:50:8f:ec:21:05:f1:93
publicExponent: 65537 (0x10001)
privateExponent:
    00:d2:13:ca:49:fa:48:e0:3e:33:b0:67:45:3f:12:
    2d:84:2c:89:71:57:56:30:92:60:bd:1a:6e:fa:f8:
    52:2d:57:30:7e:d6:2e:fa:78:a5:f5:38:9f:d1:af:
    0c:5e:c3:d6:82:12:ae:be:b8:d4:dc:de:20:f5:42:
    3a:04:56:1d:93:69:96:95:d1:d6:34:6e:d9:6a:4d:
    56:fa:30:4c:0b:fb:4b:aa:cc:ee:04:b3:11:5e:e8:
    14:b8:dd:76:5b:c0:06:4a:1f:1c:94:49:c2:0c:75:
    98:17:8d:66:b5:00:8a:bd:83:58:b7:8c:0b:d4:de:
    81:4a:b1:b9:c1:33:03:4f:41
prime1:
    00:f5:9e:91:0a:54:86:93:48:41:ba:10:6f:89:f1:
    52:ae:02:17:6f:4b:e0:f6:f4:ec:b1:a5:b0:be:5b:
    b3:69:67:c4:4e:36:b2:e6:7d:00:a2:28:08:0e:57:
    e7:e7:be:c8:de:37:29:5f:fa:f8:8d:97:89:11:16:
    af:21:16:7a:17
prime2:
    00:eb:0e:5d:87:13:0e:e0:26:91:ac:5a:a4:e4:b0:
    f3:d5:d1:2d:95:ee:d9:ee:7d:da:9f:eb:33:6e:ab:
    8c:4e:23:30:66:84:be:7f:29:c8:cd:b8:42:89:0a:
    00:9c:7d:7f:49:7c:a6:40:8e:aa:d7:7b:49:69:52:
    71:fc:0e:fd:e5
exponent1:
    54:8d:d6:be:68:a4:bf:55:13:93:5b:0f:1a:bc:a1:
    ca:d7:5b:7b:eb:f2:30:f1:d5:fd:bd:dd:5f:5a:b0:
    23:ac:1e:2f:12:b3:79:97:34:bd:9d:ec:50:0b:c1:
    00:cd:73:d6:d3:c4:81:8f:23:3b:93:1c:13:6e:ec:
    b1:06:4c:d7
exponent2:
    68:30:08:e2:cb:5e:c7:9a:30:ed:bd:8b:e3:56:4f:
    ee:51:76:ac:43:9f:d3:a7:73:55:79:12:66:16:a1:
    ed:2c:89:d2:97:3a:3c:f1:4f:71:68:20:0d:d0:22:
    2f:3b:2d:45:6c:7b:e0:97:9c:40:41:04:6c:2b:c0:
    1c:62:a4:c5
coefficient:
    00:c7:a8:af:b2:90:71:6e:e8:1f:eb:f7:78:d6:76:
    0a:27:fa:a3:41:fc:32:7b:64:e1:dd:35:ad:26:67:
    73:ff:ee:50:22:c7:c5:25:2f:58:d4:96:db:cc:50:
    62:45:d0:5e:ba:fa:66:87:48:94:ca:3b:6a:46:1d:
    49:df:34:fb:b3
server167# openssl base64 -d -in private.key | openssl rsa -inform der > private.key.pem
writing RSA key
server167# openssl rsa -in private.key.pem -text -noout
Private-Key: (1024 bit)
modulus:
    00:e1:86:57:8c:9d:c0:70:36:4b:cf:ab:af:83:4d:
    4f:f8:53:85:e0:f0:3b:13:98:13:63:61:70:4e:43:
    59:e5:ab:c9:7a:2c:8a:b0:05:80:e9:e2:e6:ea:8e:
    f8:82:80:09:f4:6e:5f:d1:33:1b:90:f8:82:83:73:
    b3:ac:77:b4:7f:a4:aa:ea:a5:0b:f5:6a:e7:21:a9:
    2e:d3:a6:2e:51:f3:ab:b5:93:09:9f:a0:77:84:5d:
    38:dd:f1:fb:4f:a5:2a:da:06:61:8c:dd:8a:f7:f7:
    39:ae:e3:31:35:22:b6:51:ac:ad:3f:75:e1:2a:cd:
    43:92:50:8f:ec:21:05:f1:93
publicExponent: 65537 (0x10001)
privateExponent:
    00:d2:13:ca:49:fa:48:e0:3e:33:b0:67:45:3f:12:
    2d:84:2c:89:71:57:56:30:92:60:bd:1a:6e:fa:f8:
    52:2d:57:30:7e:d6:2e:fa:78:a5:f5:38:9f:d1:af:
    0c:5e:c3:d6:82:12:ae:be:b8:d4:dc:de:20:f5:42:
    3a:04:56:1d:93:69:96:95:d1:d6:34:6e:d9:6a:4d:
    56:fa:30:4c:0b:fb:4b:aa:cc:ee:04:b3:11:5e:e8:
    14:b8:dd:76:5b:c0:06:4a:1f:1c:94:49:c2:0c:75:
    98:17:8d:66:b5:00:8a:bd:83:58:b7:8c:0b:d4:de:
    81:4a:b1:b9:c1:33:03:4f:41
prime1:
    00:f5:9e:91:0a:54:86:93:48:41:ba:10:6f:89:f1:
    52:ae:02:17:6f:4b:e0:f6:f4:ec:b1:a5:b0:be:5b:
    b3:69:67:c4:4e:36:b2:e6:7d:00:a2:28:08:0e:57:
    e7:e7:be:c8:de:37:29:5f:fa:f8:8d:97:89:11:16:
    af:21:16:7a:17
prime2:
    00:eb:0e:5d:87:13:0e:e0:26:91:ac:5a:a4:e4:b0:
    f3:d5:d1:2d:95:ee:d9:ee:7d:da:9f:eb:33:6e:ab:
    8c:4e:23:30:66:84:be:7f:29:c8:cd:b8:42:89:0a:
    00:9c:7d:7f:49:7c:a6:40:8e:aa:d7:7b:49:69:52:
    71:fc:0e:fd:e5
exponent1:
    54:8d:d6:be:68:a4:bf:55:13:93:5b:0f:1a:bc:a1:
    ca:d7:5b:7b:eb:f2:30:f1:d5:fd:bd:dd:5f:5a:b0:
    23:ac:1e:2f:12:b3:79:97:34:bd:9d:ec:50:0b:c1:
    00:cd:73:d6:d3:c4:81:8f:23:3b:93:1c:13:6e:ec:
    b1:06:4c:d7
exponent2:
    68:30:08:e2:cb:5e:c7:9a:30:ed:bd:8b:e3:56:4f:
    ee:51:76:ac:43:9f:d3:a7:73:55:79:12:66:16:a1:
    ed:2c:89:d2:97:3a:3c:f1:4f:71:68:20:0d:d0:22:
    2f:3b:2d:45:6c:7b:e0:97:9c:40:41:04:6c:2b:c0:
    1c:62:a4:c5
coefficient:
    00:c7:a8:af:b2:90:71:6e:e8:1f:eb:f7:78:d6:76:
    0a:27:fa:a3:41:fc:32:7b:64:e1:dd:35:ad:26:67:
    73:ff:ee:50:22:c7:c5:25:2f:58:d4:96:db:cc:50:
    62:45:d0:5e:ba:fa:66:87:48:94:ca:3b:6a:46:1d:
    49:df:34:fb:b3


Re: Problem W/ Cert

Marek.Marcola
Hello,

> Okay, I did everything you told me to do.  First of all, the crt is a
> test crt and has been all along. That's how Verisign works these days.
> They give you a test cert until you pay them money.
>
> When I displayed the key, then converted it to pem format and displayed
> the converted key, they looked pretty much the same to me. I've included
> them below.
>
> The instructions that I'm following <
> http://trac.lighttpd.net/trac/wiki/Docs%3ASSL > state I should cat the
> crt and the key into a pem file:
>     $ cat host.key host.crt > host.pem
>
> I tried that with the old key (since they looked identical and since the
> new one was a pem file already) and got this error from the server:
You should cat the real PEM encoded cert and key.
A PEM encoded private key has the following structure:
-----BEGIN RSA PRIVATE KEY-----
header (sometimes) and base64 data
-----END RSA PRIVATE KEY-----

A PEM encoded cert has the following structure:
-----BEGIN CERTIFICATE-----
base64 data
-----END CERTIFICATE-----

and these two files you should put into one file.

Best regards,
--
Marek Marcola <[hidden email]>


Re: Problem W/ Cert

beno-4
Marek Marcola wrote:
> You should cat real PEM encoded cert and key.
>  
I assume from what you write I should create a pem file out of the crt file:

server167# openssl base64 -d -in mrtablecloth-vi.com.crt | openssl rsa -inform der > mrtablecloth-vi.com.crt.pem

However, when I try that, I get this error:

unable to load Private Key
93906:error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong
tag:/usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/asn1/tasn_dec.c:946:
93906:error:0D06C03A:asn1 encoding routines:ASN1_D2I_EX_PRIMITIVE:nested
asn1
error:/usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/asn1/tasn_dec.c:628:
93906:error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_D2I:nested
asn1
error:/usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/asn1/tasn_dec.c:566:Field=version,
Type=RSA
93906:error:0D09A00D:asn1 encoding routines:d2i_PrivateKey:ASN1
lib:/usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/asn1/d2i_pr.c:96:

Why can't it load the key? Here's a list of what's in the dir:

server167# ls
mrtablecloth-vi.com.cat.pem     mrtablecloth-vi.com.csr.bak    
private.key.bak
mrtablecloth-vi.com.crt         mrtablecloth-vi.com.pem        
private.key.pem
mrtablecloth-vi.com.crt.bak     mrtablecloth-vi.com.pem.bak     test
mrtablecloth-vi.com.crt.pem     mrtablecloth-vi.com.pem_BAK
mrtablecloth-vi.com.csr         private.key

and that private.key fit the description you gave.
After I successfully run the above command, assuming that's what I'm
supposed to do, I presume I then run a command like this:

server167# cat private.key.pem mrtablecloth-vi.com.crt.pem > mrtablecloth-vi.com.cat.pem

TIA,
beno

Re: Problem W/ Cert

Marek.Marcola
Hello,

> > You should cat real PEM encoded cert and key.
> >  
> I assume from what you write I should create a pem file out of the crt file:
>
> server167# openssl base64 -d -in mrtablecloth-vi.com.crt | openssl rsa -inform der > mrtablecloth-vi.com.crt.pem
>
> However, when I try that, I get this error:
>
> unable to load Private Key
> 93906:error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong
> tag:/usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/asn1/tasn_dec.c:946:
> 93906:error:0D06C03A:asn1 encoding routines:ASN1_D2I_EX_PRIMITIVE:nested
> asn1
> error:/usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/asn1/tasn_dec.c:628:
> 93906:error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_D2I:nested
> asn1
> error:/usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/asn1/tasn_dec.c:566:Field=version,
> Type=RSA
> 93906:error:0D09A00D:asn1 encoding routines:d2i_PrivateKey:ASN1
> lib:/usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/asn1/d2i_pr.c:96:
>
> Why can't it load the key? Here's a list of what's in the dir:
You should convert your private key to PEM format too.
This error is probably because the certificate is read as an RSA key.
Convert both files to PEM (files with a ----BEGIN header),
cat both files into one file and use that in your configuration.

Best regards,
--
Marek Marcola <[hidden email]>


Re: Problem W/ Cert

beno-4
Marek Marcola wrote:
> You should convert your private key to PEM format too.
> This error is probably because certificate is read as RSA key.
> Convert both files to PEM (files with ---- BEGIN header),
> cat both files to one file and use in your configuration.
>  
Same thing:

server167# ls
mrtablecloth-vi.com.cat.pem     mrtablecloth-vi.com.csr.bak    
private.key.bak
mrtablecloth-vi.com.crt         mrtablecloth-vi.com.pem        
private.key.pem
mrtablecloth-vi.com.crt.bak     mrtablecloth-vi.com.pem.bak     test
mrtablecloth-vi.com.crt.pem     mrtablecloth-vi.com.pem_BAK
mrtablecloth-vi.com.csr         private.key
server167# mv private.key private.key_BAK
server167# cp private.key.pem private.key
server167# openssl base64 -d -in mrtablecloth-vi.com.crt | openssl rsa -inform der > mrtablecloth-vi.com.crt.pem
unable to load Private Key
95108:error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong
tag:/usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/asn1/tasn_dec.c:946:
95108:error:0D06C03A:asn1 encoding routines:ASN1_D2I_EX_PRIMITIVE:nested
asn1
error:/usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/asn1/tasn_dec.c:628:
95108:error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_D2I:nested
asn1
error:/usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/asn1/tasn_dec.c:566:Field=version,
Type=RSA
95108:error:0D09A00D:asn1 encoding routines:d2i_PrivateKey:ASN1
lib:/usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/asn1/d2i_pr.c:96:

TIA,
beno

Re: Problem W/ Cert

beno-4
Marek Marcola wrote:
> You should convert your private key to PEM format too.
> This error is probably because certificate is read as RSA key.
> Convert both files to PEM (files with ---- BEGIN header),
> cat both files to one file and use in your configuration.
>  
Same thing:

server167# ls
mrtablecloth-vi.com.cat.pem     mrtablecloth-vi.com.csr.bak    
private.key.bak
mrtablecloth-vi.com.crt         mrtablecloth-vi.com.pem        
private.key.pem
mrtablecloth-vi.com.crt.bak     mrtablecloth-vi.com.pem.bak     test
mrtablecloth-vi.com.crt.pem     mrtablecloth-vi.com.pem_BAK
mrtablecloth-vi.com.csr         private.key
server167# mv private.key private.key_BAK
server167# openssl base64 -d -in private.key_BAK | openssl rsa -inform der > private.key
writing RSA key
server167# openssl base64 -d -in mrtablecloth-vi.com.crt | openssl rsa -inform der > mrtablecloth-vi.com.crt.pem
unable to load Private Key
95108:error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong
tag:/usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/asn1/tasn_dec.c:946:
95108:error:0D06C03A:asn1 encoding routines:ASN1_D2I_EX_PRIMITIVE:nested
asn1
error:/usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/asn1/tasn_dec.c:628:
95108:error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_D2I:nested
asn1
error:/usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/asn1/tasn_dec.c:566:Field=version,
Type=RSA
95108:error:0D09A00D:asn1 encoding routines:d2i_PrivateKey:ASN1
lib:/usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/asn1/d2i_pr.c:96:

TIA,
beno

Re: Problem W/ Cert

Marek.Marcola
Hello,

> > You should convert your private key to PEM format too.
> > This error is probably because certificate is read as RSA key.
> > Convert both files to PEM (files with ---- BEGIN header),
> > cat both files to one file and use in your configuration.
> >  
> Same thing:
>
> server167# ls
> mrtablecloth-vi.com.cat.pem     mrtablecloth-vi.com.csr.bak    
> private.key.bak
> mrtablecloth-vi.com.crt         mrtablecloth-vi.com.pem        
> private.key.pem
> mrtablecloth-vi.com.crt.bak     mrtablecloth-vi.com.pem.bak     test
> mrtablecloth-vi.com.crt.pem     mrtablecloth-vi.com.pem_BAK
> mrtablecloth-vi.com.csr         private.key
> server167# mv private.key private.key_BAK
> server167# openssl base64 -d -in private.key_BAK | openssl rsa -inform der > private.key
> writing RSA key
> server167# openssl base64 -d -in mrtablecloth-vi.com.crt | openssl rsa -inform der > mrtablecloth-vi.com.crt.pem
> unable to load Private Key
x509 parameter, not rsa.

Best regards,
--
Marek Marcola <[hidden email]>


(3,5) Shamir Secret Sharing

Rafael Cividanes
Hi,

I've implemented (in C++) a simple form of Shamir secret sharing for the particular case (3,5). One function receives a BIGNUM A0 and generates the 5 secrets. Another function receives 3 secrets and generates the recovered BIGNUM A0. It's working fine.

The problem is that I need to convert an RSA private key into a BIGNUM A0, and I'm having trouble with this.

I was trying to do this (part of my code):

        #include <stdlib.h>
        #include <openssl/bn.h>
        #include <openssl/rsa.h>

        RSA *Ch_Ap;
        unsigned char *buffer, *next;
        BIGNUM *sec_BN = BN_new();
        Ch_Ap = RSA_generate_key(2048, RSA_F4, NULL, NULL);
        /* first call with a NULL output pointer only returns the DER length */
        int size = i2d_RSAPrivateKey(Ch_Ap, NULL);
        buffer = next = (unsigned char *)malloc(size);
        /* second call writes the DER encoding; i2d advances 'next' past it */
        i2d_RSAPrivateKey(Ch_Ap, &next);
        /* interpret the DER bytes as one big-endian unsigned integer */
        BN_bin2bn(buffer, size, sec_BN);

However, when I use sec_BN in my functions, the recovered BIGNUM is not the same as sec_BN. When I pass another BIGNUM, for example one generated with the function BN_rand_range(), then the recovered BIGNUM is equal (proving that my secret sharing functions are ok).

I think it can be something about Big-Endian conversion in sec_BN, but I didn't find a way to do this conversion and I don't know if it is necessary either.

Thanks in advance,

Rafael Cividanes.



Re: Problem W/ Cert

beno-4
Marek Marcola wrote:

..

server167# openssl base64 -d -in mrtablecloth-vi.com.crt | openssl x509 -inform der > mrtablecloth-vi.com.crt.pem

Clean, no complaints :)
However...

server167# /usr/local/sbin/lighttpd -f /usr/ports/www/lighttpd/doc/lighttpd.conf
2006-11-14 14:56:44: (network.c.377) SSL: Private key does not match the
certificate public key, reason: error:0906D06C:PEM
routines:PEM_read_bio:no start line
/etc/ssl/certs/mrtablecloth-vi.com.crt.pem

TIA,
beno

Re: Problem W/ Cert

Marek.Marcola
Hello,

>
> server167# openssl base64 -d -in mrtablecloth-vi.com.crt | openssl x509 -inform der > mrtablecloth-vi.com.crt.pem
>
> Clean, no complaints :)
> However...
>
> server167# /usr/local/sbin/lighttpd -f /usr/ports/www/lighttpd/doc/lighttpd.conf
> 2006-11-14 14:56:44: (network.c.377) SSL: Private key does not match the
> certificate public key, reason: error:0906D06C:PEM
> routines:PEM_read_bio:no start line
> /etc/ssl/certs/mrtablecloth-vi.com.crt.pem
Because mrtablecloth-vi.com.crt.pem contains only the certificate.
When you use ">" the file is overwritten.

Use something like:
$ openssl base64 -d -in private.key_BAK | openssl rsa -inform der > mrtablecloth-vi.com.crt.pem
$ openssl base64 -d -in mrtablecloth-vi.com.crt | openssl x509 -inform der >> mrtablecloth-vi.com.crt.pem

(the key is written first with ">", then the certificate is appended with ">>")

And then use this file as the argument to the ssl.pemfile directive.
But the ssl.ca-file directive should point to a file with the (probably)
Verisign temporary CA certificate (not the certificates above).

Best regards,
--
Marek Marcola <[hidden email]>
