Windows 2000 Professional does not consider valid certificates from Openssl 0.9.8


José Luis Gómez
Hello,
I have installed Openssl 0.9.8 on a Linux box. Then I've created my own
CA (CA.sh -newca).
Then, I create a certificate for a Windows machine, with CA.sh -newreq,
then CA.sh -sign to sign it. Then I convert them into PKCS12 format to
export to a Windows 2000 Professional machine. This p12 contains the
personal key and the server certificate:
/usr/local/ssl/misc# openssl pkcs12 -export -in newcert.pem -inkey
newkey.pem -certfile demoCA/cacert.pem -out /tmp/client.p12

(some howtos explain that the key is in newreq.pem, but I've checked that
it is actually, at least for this version, in newkey.pem; indeed, if I try
the above command with newreq.pem it complains about the missing private
key).

Once under Windows, I import the p12 file under Root Certificate
Authorities; Windows 2000 considers such CA certificate valid for all
purposes.

Then, I import the p12 again, as it contains the client key, under
Personal certificates. But when I double click on it, it says that the
certificate is invalid or the CA does not have authority to issue
certificates. Hence I cannot use IPSEC with this certificate, as IPSEC
complains of not having any valid certificate.

I've previously installed the High Encryption package on the Windows 2000
Professional box, so I don't understand the problem. The service pack is
SP4, which, I think, is the latest available version.

Any help?

Thanks,
JL


Re: Windows 2000 Professional does not consider valid certificates from Openssl 0.9.8

Dr. Stephen Henson
On Mon, Nov 28, 2005, José Luis Gómez wrote:

> Hello,
> I have installed Openssl 0.9.8 on a Linux box. Then I've created my own
> CA (CA.sh -newca).
> Then, I create a certificate for a Windows machine, with CA.sh -newreq,
> then CA.sh -sign to sign it. Then I convert them into PKCS12 format to
> export to a Windows 2000 Professional machine. This p12 contains the
> personal key and the server certificate:
> /usr/local/ssl/misc# openssl pkcs12 -export -in newcert.pem -inkey
> newkey.pem -certfile demoCA/cacert.pem -out /tmp/client.p12
>
> (some howtos explain that the key is in newreq.pem, but I've checked that
> it is actually, at least for this version, in newkey.pem; indeed, if I try
> the above command with newreq.pem it complains about the missing private
> key).
>
> Once under Windows, I import the p12 file under Root Certificate
> Authorities; Windows 2000 considers such CA certificate valid for all
> purposes.
>
> Then, I import the p12 again, as it contains the client key, under
> Personal certificates. But when I double click on it, it says that the
> certificate is invalid or the CA does not have authority to issue
> certificates. Hence I cannot use IPSEC with this certificate, as IPSEC
> complains of not having any valid certificate.
>
> I've previously installed the High Encryption package on the Windows 2000
> Professional box, so I don't understand the problem. The service pack is
> SP4, which, I think, is the latest available version.
>
> Any help?
>

Don't use CA.sh; use CA.pl instead.

Don't import the PKCS#12 file under root authorities. Instead import
cacert.pem and it should be added as a trusted root.

Then when you later import the PKCS#12 file it should verify correctly.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]

Re: Windows 2000 Professional does not consider valid certificates from Openssl 0.9.8

José Luis Gómez
Hello,
unfortunately it did not work. But I think it's not a problem but a
misconfiguration: I've checked my openssl.cnf and I've noticed a
property called nsCertType, which, if not set, means every purpose but
object signing. I think this could be the problem with my user certificates.

Could that be my problem? From the screenshots (not included), I see
that the CA certificate is, as explained, taken as valid, but the
personal certificates, although linked to the CA, are invalid: "This
certificate issuer entity seems not authorized to issue certificates or
it can not be used as a certificate for a final entity" (sorry, the
message is actually in Spanish; that's only a translation).

In the openssl.cnf file I've also seen another property, CA, which can be
FALSE or TRUE. I understand that FALSE is for certificates and TRUE
for CAs. But it's under X509v3 properties. Should I convert the
cacert.pem file into x509 format as some howtos suggest?

Kind regards
Jose


Re: Windows 2000 Professional does not consider valid certificates from Openssl 0.9.8

Dr. Stephen Henson
On Tue, Nov 29, 2005, José Luis Gómez wrote:

> Hello,
> unfortunately it did not work. But I think it's not a problem but a
> misconfiguration: I've checked my openssl.cnf and I've noticed a
> property called nsCertType, which, if not set, means every purpose but
> object signing. I think this could be the problem with my user certificates.
>

nsCertType is ignored by applications that use Windows for their cryptography.

> Could that be my problem? From the screenshots (not included), I see
> that the CA certificate is, as explained, taken as valid, but the
> personal certificates, although linked to the CA, are invalid: "This
> certificate issuer entity seems not authorized to issue certificates or
> it can not be used as a certificate for a final entity" (sorry, the
> message is actually in Spanish; that's only a translation).
>

If you used CA.pl to create the certificates, correctly installed
cacert.pem in the trusted root store and imported the PKCS#12 file that
shouldn't happen. If there are some invalid certificates in the root store
(e.g. a client certificate from a previous attempt) that could cause problems.


> In the openssl.cnf file I've also seen another property, CA, which can be
> FALSE or TRUE. I understand that FALSE is for certificates and TRUE
> for CAs. But it's under X509v3 properties. Should I convert the
> cacert.pem file into x509 format as some howtos suggest?
>

If cacert.pem is imported into the root store and visible then there's no
point in converting it to DER format.

Any howto that suggests converting to "x509 format" is more than a little
confused.

If you still can't get this to work can you send a test PKCS#12 file and its
password to me?

Steve.
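The two replies above boil down to one check a practitioner should run before importing anything into a Windows certificate store: look at what the PKCS#12 bundle actually contains and which of its certificates carries basicConstraints CA:TRUE. The script below is an added example, not code from the thread, from CA.pl or from OpenSSL's misc scripts. It rebuilds the poster's setup with plain openssl commands (a demo CA, one client certificate signed by it, and a .p12 exported exactly the way the first message did, with the CA certificate bundled in via -certfile), then pulls the bundle apart with the -cacerts and -clcerts selectors and reads the basicConstraints of each part. All subject names, file names and the export password "demo" are made up for the example; the extension profiles in ext.cnf are this example's, not the poster's openssl.cnf.

```shell
#!/bin/sh
# Added example, not code from the thread or from OpenSSL's CA.pl: rebuild the
# poster's setup with plain openssl commands (a demo CA, one client certificate,
# a PKCS#12 bundle holding key + client cert + CA cert) and then inspect the
# bundle the way a practitioner should before importing it anywhere.
# All names and the export password "demo" are made up for this example.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Extension profiles. The flag Windows actually evaluates is basicConstraints:
# the CA asserts CA:TRUE, the end-entity certificate asserts CA:FALSE.
# nsCertType is Netscape-only and ignored by CryptoAPI, so it is not set here.
cat > ext.cnf <<'EOF'
[ v3_ca ]
basicConstraints       = critical, CA:TRUE
keyUsage               = critical, keyCertSign, cRLSign
subjectKeyIdentifier   = hash

[ v3_client ]
basicConstraints       = CA:FALSE
keyUsage               = critical, digitalSignature, keyEncipherment
extendedKeyUsage       = clientAuth
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid
EOF

# 1. Self-signed CA (what CA.pl -newca produces, minus the interactive prompts).
openssl req -new -nodes -newkey rsa:2048 -keyout cakey.pem -out ca.csr \
    -subj "/CN=Demo Root CA" 2>/dev/null
openssl x509 -req -in ca.csr -signkey cakey.pem -days 3650 \
    -extfile ext.cnf -extensions v3_ca -out cacert.pem 2>/dev/null

# 2. Client key + request (CA.pl -newreq), signed by the CA (CA.pl -sign).
openssl req -new -nodes -newkey rsa:2048 -keyout newkey.pem -out newreq.pem \
    -subj "/CN=win2k-client" 2>/dev/null
openssl x509 -req -in newreq.pem -CA cacert.pem -CAkey cakey.pem -CAcreateserial \
    -days 365 -extfile ext.cnf -extensions v3_client -out newcert.pem 2>/dev/null

# 3. The poster's export: client cert + its key, with the CA cert bundled in.
openssl pkcs12 -export -in newcert.pem -inkey newkey.pem -certfile cacert.pem \
    -passout pass:demo -out client.p12

# --- checks -------------------------------------------------------------

# How many certificates the bundle carries. Two here: importing the whole .p12
# into the root store therefore drops an end-entity certificate in there too.
p12_cert_count() {
    openssl pkcs12 -in client.p12 -nokeys -passin pass:demo | grep -c 'BEGIN CERTIFICATE'
}

# basicConstraints of the first PEM certificate on stdin: "CA:TRUE" or "CA:FALSE".
cert_ca_flag() {
    openssl x509 -noout -text |
        awk '/X509v3 Basic Constraints/ { getline; sub(/^[ \t]+/, ""); print; exit }'
}

# The -cacerts / -clcerts selectors split the bundle: only the former belongs
# in "Trusted Root Certification Authorities", the latter under "Personal".
bundle_ca_flag()     { openssl pkcs12 -in client.p12 -cacerts -nokeys -passin pass:demo | cert_ca_flag; }
bundle_client_flag() { openssl pkcs12 -in client.p12 -clcerts -nokeys -passin pass:demo | cert_ca_flag; }

# Chain check on the OpenSSL side before blaming Windows.
chain_verifies() { openssl verify -CAfile cacert.pem newcert.pem >/dev/null 2>&1; }

echo "certificates in bundle : $(p12_cert_count)"
echo "CA cert in bundle      : $(bundle_ca_flag)"
echo "client cert in bundle  : $(bundle_client_flag)"
chain_verifies && echo "chain                  : newcert.pem verifies against cacert.pem"
```

The split matches Steve's advice: hand cacert.pem (or the -cacerts output) to the trusted root store on its own, and import the .p12 only under Personal, so that nothing with CA:FALSE ever lands among the roots. One caveat for anyone reproducing this today rather than with 0.9.8: OpenSSL 3 writes PKCS#12 files with AES-256-CBC, PBKDF2 and a SHA-256 MAC by default, which CryptoAPI of the Windows 2000 era cannot open; add -legacy to the export command (it needs the legacy provider) to get the older RC2/3DES encoding that such systems expect.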