I am trying to get the SSL/TLS certificate for one of our load balancers (Netscaler) using:
But it won't show me the certificate:
Using -servername lb.example.com doesn't help, and our sysadmin told me our load balancers don't use SNI anyway.
Edit: The server is on our intranet and doesn't accept connections from the public internet. This is the output of openssl with -debug:
And this is the relevant output from curl -v https://lb.example.com/:
Any suggestions as to how I can obtain the certificate using openssl s_client?
2 Answers
After a while I figured it out: this particular load balancer was configured to use only TLSv1.2, which the version of openssl included in OS X (0.9.8) does not understand. I installed a newer version of openssl (>= 1.0.1) using homebrew so this works:
If it's a modern configuration (some hand waving on what that means), use:
It looks like there's some extra preamble at byte 0 and 1. At byte 2, there should be a record type. At byte 3 and 4 there should be a version number. Bytes 5 and 6 should be a 16-bit length of the payload.
Here's a working example:
From above, the record type is at position 0, and its value is 0x16. 0x16 is the Handshake type. The record layer version is the next two bytes at positions 2 and 3. Their values are 0x03 0x01. The length of the payload is 0x007f.
Also see RFC 5246, The Transport Layer Security (TLS) Protocol Version 1.2, page 18:
Your problem could be the old SSLv2 compatible record type. Or it could be a down-level version of OpenSSL from, say, 0.9.5 or 0.9.8. It's hard to say, and we probably need more information.
More information would include OS; OpenSSL version; if you attempted to replace the platform's version of OpenSSL with your own version of OpenSSL; if there's a firewall or 'web inspect' box or other middleware goodness running; and what the server receives.
Using -servername lb.example.com doesn't help, and our sysadmin told me our load balancers don't use SNI anyway.
This sounds kind of unusual. But it's an extension to TLS, so it's ignored if it's not used (and won't produce a fatal alert).
The rule of thumb in 2016: always use TLS 1.0 or above, and always use SNI.
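As an added illustration that is not part of jww's answer, the following Python decodes the leading bytes of a captured handshake using the record layout cited above from RFC 5246, and also recognises the SSLv2-compatible two-byte header that would appear as "extra preamble" at bytes 0 and 1; the byte strings are constructed samples, not the poster's dump.

```python
import struct

# Added example, not from the original answer. Sample buffers below are constructed.
CONTENT_TYPES = {20: "ChangeCipherSpec", 21: "Alert", 22: "Handshake", 23: "ApplicationData"}
VERSIONS = {(3, 0): "SSLv3", (3, 1): "TLS 1.0", (3, 2): "TLS 1.1", (3, 3): "TLS 1.2"}


def parse_record_header(buf: bytes) -> dict:
    """Decode the first record header in a TLS/SSL byte stream.

    TLS framing (RFC 5246 section 6.2.1): byte 0 is the content type,
    bytes 1-2 the record-layer version, bytes 3-4 the 16-bit payload length.
    SSLv2-compatible framing: a 2-byte header whose high bit is set carries a
    15-bit length, and the message type (0x01 = CLIENT-HELLO) sits at byte 2,
    which is what 'extra preamble at bytes 0 and 1' looks like in a dump.
    """
    if len(buf) < 5:
        raise ValueError("need at least 5 bytes")
    b0 = buf[0]
    if b0 & 0x80:
        length = ((b0 & 0x7F) << 8) | buf[1]
        return {"framing": "SSLv2", "msg_type": buf[2], "length": length,
                "is_client_hello": buf[2] == 0x01}
    if b0 not in CONTENT_TYPES:
        raise ValueError(f"unknown record content type 0x{b0:02x}")
    major, minor, length = struct.unpack("!BBH", buf[1:5])
    return {"framing": "TLS", "content_type": CONTENT_TYPES[b0],
            "version": VERSIONS.get((major, minor), f"{major}.{minor}"),
            "length": length, "complete": len(buf) - 5 >= length}


# Constructed samples: the header quoted in the answer (16 03 01 00 7f) followed
# by a 0x7f-byte handshake body, and an SSLv2-compatible CLIENT-HELLO (46 bytes).
TLS_HELLO = bytes.fromhex("160301007f") + b"\x01" + b"\x00" * 0x7E
SSLV2_HELLO = bytes.fromhex("802e0103010015") + b"\x00" * 41


def describe(buf: bytes) -> str:
    """One-line summary, e.g. for the first bytes of an openssl -debug dump."""
    hdr = parse_record_header(buf)
    if hdr["framing"] == "SSLv2":
        return f"SSLv2-compatible record, {hdr['length']} bytes, client hello={hdr['is_client_hello']}"
    return f"TLS {hdr['content_type']} record, version {hdr['version']}, {hdr['length']} bytes"


if __name__ == "__main__":
    print(describe(TLS_HELLO))
    print(describe(SSLV2_HELLO))
```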
I am configuring my first CA. Its purpose will be to issue certificates for our clients, who will use them to access our EDI service over https. So I need to generate SSL client certificates. The whole process of signing certificates works by now, and the certificates can be successfully used to access our service, but I am worried about one thing:
The generated certificate purposes are way too generic:
I feel that there should be no other purposes but SSL client and S/MIME signing in my case. Am I wrong and this should stay as it is?
If I am correct and I should disable other purposes, what should I put in my openssl.cnf config?
Here is my current config (stripped a little bit):
What am I doing wrong that the certs generated allow for server usage?
Migrated from security.stackexchange.com, Jul 12 '13 at 14:31
1 Answer
You're right to be concerned about 'CRL signing', 'Any Purpose CA', and 'OCSP Helper'; these are usually reserved for CA certificates, or for certificates specifically issued for signing certificate revocation lists (CRLs, a list of certificates that are invalid) or running an OCSP server (similar to CRLs, but an online service that provides validity status for certificates).
The relevant OpenSSL documentation pages are those for the x509 command and x509v3_config.
Here's the OpenSSL configuration I use for generating client certificates:
I'll take you through it line-by-line:
The basicConstraints is set as critical, which means 'reject this certificate if you don't understand this bit', and specifies that the certificate is not a CA. Even if someone uses software to issue a certificate from this certificate, it won't ever be trusted.
The extended key usage is not essential, but some software requires it be present and have a particular purpose listed. This lists client authentication (what you're talking about) and also S/MIME email signing & encryption; you can safely remove the S/MIME purpose if you don't need it.
subjectAltName allows you to include information about the subject that you can't include in the subject field. It's also used in web server certificates to include domain names that the certificate may be used for other than the domain specified in the subject's common name attribute; these certificates are referred to as SAN (subject alternative name) certificates. It's common practice to include the email address in the subjectAltName rather than in the subject; you don't have to include an email address at all, and can omit the extension.
crlDistributionPoints lists the places that the CRL for the issuing authority is available; it tells software that's trying to validate the certificate 'here's where to go to see if this certificate is still valid.' For Internet use, an http:// URL is probably best (CRLs are digitally signed, so there's no need for https, and it may cause trust loop issues).
authorityKeyIdentifier is usually the SHA-1 hash of the issuing CA's public key (though it may be other values). If you include this extension, the value must match the value of subjectKeyIdentifier in the issuing CA certificate.
authorityInfoAccess is a bit like crlDistributionPoints but it specifies where to get the issuing CA certificate rather than the CRL. This is useful if you have a long chain of trust: e.g. CA-1 issues CA-2, which issues CA-3, which issues the certificate; software attempting to verify the certificate can use this extension to get the CA-3 certificate, then use the value in that certificate to get the CA-2 certificate, etc. Usually, the certificate chain (in this case, the CA-2 certificate and CA-3 certificate) is bundled alongside the subject's certificate (e.g. in an SSL transaction, or S/MIME email). I don't know of any software that uses this extension, but I don't know that it's not commonly used, either. It's commonly included in certificates.
Of all that, you only really need the basicConstraints and extendedKeyUsage; basic constraints really, really must be critical (or you've just handed out CA certificates!), and extended key usage generally isn't.
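As an added example that is not part of Calrion's answer, this Python lints an x509v3 extension section from an openssl.cnf against the rules laid out above (critical CA:FALSE basic constraints, an extended key usage limited to client authentication and S/MIME, no CA-only key usage bits); the section names, URLs and config text are constructed for illustration, with a permissive section beside the corrected client profile.

```python
import configparser
import textwrap

# Added example, not from the original answer; the config below is constructed.
ALLOWED_EKU = {"clientAuth", "emailProtection"}  # the client profile from the answer
CA_ONLY_KU = {"keyCertSign", "cRLSign"}          # keyUsage bits a client cert must not carry


def _values(section, key):
    # 'critical, CA:FALSE' -> ['critical', 'CA:FALSE']; None when the key is absent
    raw = section.get(key)
    return [v.strip() for v in raw.split(",")] if raw else None


def lint_client_cert_section(cfg_text: str, name: str) -> list:
    """Return findings for one extension section; an empty list means it passes."""
    cfg = configparser.ConfigParser(interpolation=None, delimiters=("=",), strict=False)
    cfg.optionxform = str  # keep extension names case-sensitive
    cfg.read_string(cfg_text)
    sec = next(cfg[s] for s in cfg.sections() if s.strip() == name)  # '[ usr_cert ]' keeps spaces
    findings = []
    bc = _values(sec, "basicConstraints")
    if not bc:
        findings.append("basicConstraints missing: must assert CA:FALSE")
    else:
        if "critical" not in bc:
            findings.append("basicConstraints is not critical")
        if "CA:FALSE" not in bc:
            findings.append("basicConstraints does not assert CA:FALSE")
    eku = _values(sec, "extendedKeyUsage")
    if not eku:
        findings.append("extendedKeyUsage missing: purposes are unrestricted, so SSL server is allowed")
    else:
        findings += [f"extendedKeyUsage allows {p}" for p in eku if p not in ALLOWED_EKU | {"critical"}]
    findings += [f"keyUsage carries CA-only bit {p}" for p in _values(sec, "keyUsage") or [] if p in CA_ONLY_KU]
    return findings


SAMPLE_CNF = textwrap.dedent("""
    [ usr_cert ]
    basicConstraints = CA:FALSE
    keyUsage = digitalSignature, keyEncipherment
    subjectKeyIdentifier = hash

    [ client_cert ]
    basicConstraints = critical, CA:FALSE
    keyUsage = critical, digitalSignature, keyEncipherment
    extendedKeyUsage = clientAuth, emailProtection
    subjectAltName = email:copy
    crlDistributionPoints = URI:http://pki.example.com/ca.crl
    authorityInfoAccess = caIssuers;URI:http://pki.example.com/ca.crt
    subjectKeyIdentifier = hash
    authorityKeyIdentifier = keyid,issuer
""")

if __name__ == "__main__":
    for section in ("usr_cert", "client_cert"):
        print(section, lint_client_cert_section(SAMPLE_CNF, section) or ["ok"])
```

The `client_cert` section is the shape to pass to `openssl x509 -extfile openssl.cnf -extensions client_cert` when signing; `openssl x509 -purpose -noout -in client.crt` should then show SSL server as No.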