x509

Is a X509 certificate in DER format ASN1 encoded?

被刻印的时光 ゝ submitted on 2019-12-20 06:12:24
Question: I'm using OpenSSL to encrypt and decrypt files based on CMS/SMIME. Normally I load certificates with rcert = PEM_read_bio_X509(tbio, NULL, 0, NULL); but this is only for PEM formatted files I guess. I haven't found any der.h header or something similar. So is there a way in OpenSSL to load DER formatted certificates? I've found the load function for ASN1 format which OpenSSL uses internally. if (format == FORMAT_ASN1) x=d2i_X509_bio(cert,NULL); But can that be used for DER which is binary? Answer 1:

What is the difference between req_extensions in config and -extensions on command line?

南笙酒味 submitted on 2019-12-20 03:17:28
Question: The sample openssl root ca config from the OpenSSL Cookbook defines the following (p40): [req] ... req_extensions = ca_ext [ca_ext] ... Later (p43), the root ca key is generated, then the root ca self-signed cert. openssl req -new \ -config root-ca.conf \ -out root-ca.csr \ -keyout private/root-ca.key openssl ca -selfsign \ -config root-ca.conf \ -in root-ca.csr \ -out root-ca.crt \ -extensions ca_ext Isn't req_extensions redundant in this specific use case? When is req_extension really needed

x509 certificate parsing libraries for Java

风流意气都作罢 submitted on 2019-12-20 03:04:08
Question: Any recommended crypto libraries for Java. What I need is the ability to parse X.509 Certificates to extract the information contained in them. Thanks Answer 1: In Java, java.security.cert.CertificateFactory. "A certificate factory for X.509 must return certificates that are an instance of java.security.cert.X509Certificate" Answer 2: There's a lot more in most certificates than what's handled by java.security.cert.X509Certificate. If you need to parse extension values, check out the Bouncy Castle

.Net Programmatically Sign PKCS#10 Request with Bouncy Castle

ぃ、小莉子 submitted on 2019-12-19 20:12:07
Question: We have a valid PKCS#10 Certificate Request generated on the Client using CertEnroll. Now we need to sign it and return the result to the Client, where CertEnroll will handle the local Certificate Store stuff. This is a B2B application and the root signing certificate will be self-generated or we can use our existing Thawte SSL cert. The Server (2008) does not have Active Directory running and we don't want to create a stand-alone signing infrastructure/service for this unless absolutely

Verify XMLDSIG chain in .NET?

允我心安 submitted on 2019-12-19 10:15:11
Question: I'm using XMLDSIG to sign a configuration file. I'd like my CA to be able to issue keys that can be used to sign XML. I'd then like to verify that the XML was signed with a key issued by my CA. How do I get the signing certificate out of the SignedXml object? How do I follow the certificate chain back to a specific CA? Note that the public key for my CA will be stored in my executable, rather than the certificate store. Answer 1: To attach arbitrary certificates to an XML-DSIG file, add an

How many formats of x.509 client certificate file are there?

烂漫一生 submitted on 2019-12-19 09:37:56
Question: I am working on a task which is to get the client certificate when the user sends a request to the server. I have to get the certificate and get the 3 pieces of information from the certificate: user name, user's email address and user's firm name. At first it seems quite simple to just get the "Subject CN" for user name, "Subject E" for email address and "subject OU" for the company name. But later I realise there are a lot of different CAs and tools and they issue certificates in different

X509 certificate signed with bouncy castle is not valid

时间秒杀一切 submitted on 2019-12-19 09:26:15
Question: I went quite a long way to make java sign a CSR and at last I was able to do this, but openssl tells that it's not valid. The same CSR signed with openssl passes verification step. All is the same x509 version (1), no extensions, Subject, Issuer are the same. I suspect the problem is with subject DN (email especially) or dates. Verification: openssl verify -verbose -CAfile src/test/resources/ca.cer.pem o.cer.pem o.cer.pem: OK openssl verify -verbose -CAfile src/test/resources/ca.cer.pem

Certificate with Extended Key Usage only works in Firefox

偶尔善良 submitted on 2019-12-18 18:09:12
Question: I tried to generate a self-signed certificate for my server for multiple domains. I used openssl based on the v3_req extension. I used this command line to generate a certificate with multiple domains and extended key usage: openssl x509 -req -days 3650 -in san_domain_com.csr -signkey san_domain_com.key -out san_domain_com.crt -extensions v3_req -extensions mysection -extfile openssl.cnf The result is that my certificate contains the multiple domains but not the extended Key Usage for serverauth and the

OPENSSL - How to generate a proof of possession for a X509 certificate?

笑着哭i submitted on 2019-12-18 18:00:28
Question: I need to generate a proof of possession, signing a verification code with my private key. I did not find a question related to this, here in Stack Overflow, and I am not finding some reference on Internet. I am following this tutorial, but I want to use OpenSSL. My verification code is related to a X509 certificate, like this: 7A69A4702DA903A41C3A5BC5575A8E3F49BEC5E5BA2D4CE1 Answer 1: I got the answer with the Azure support team. I already had my root key and X509 cert, generated with the

Self-signed SSL connection using PyMongo

断了今生、忘了曾经 submitted on 2019-12-18 10:56:58
Question: I'm trying to create a secure SSL connection to MongoDB using PyMongo. The goal is to use this configuration for a Mongo instance running on EC2 to which I can connect with a Python client. For testing, I'm just trying to get the configuration working locally first. My as yet failing attempt can be found here. Short version of what I think is the problem: My client side certificate authority file ca.pem isn't correct. The way I have it, this file is actually identical to the one I'm using