search for: basicconstraints

...certificates are in the right place. > >Here's how I managed that in my openssl.cnf file. Lots of bits >ellided for clarity's sake: > >### start ### >[ ca ] >default_ca = CA_default > >[ CA_default ] >x509_extensions = server_cert > >[ server_cert ] >basicConstraints=CA:FALSE >keyUsage = nonRepudiation, dataEncipherment, digitalSignature, keyEncipherment >extendedKeyUsage = serverAuth, clientAuth >nsCertType = server, client >### end ### > >I think the nsCertType directive may be unnecessary these days, but >I keep it around because it doe...

> > >Folks > >I would like to have my windows 7 laptop communicate with my home >server via a VPN, in such a way that it appears to be "inside" my >home network. It should not only let me appear to be at home for >any external query, but also let me access my computers inside my home. > >I already have this working using M$'s PPTP using my home

...I checked the server and really > think that the certificates are in the right place. Here's how I managed that in my openssl.cnf file. Lots of bits ellided for clarity's sake: ### start ### [ ca ] default_ca = CA_default [ CA_default ] x509_extensions = server_cert [ server_cert ] basicConstraints=CA:FALSE keyUsage = nonRepudiation, dataEncipherment, digitalSignature, keyEncipherment extendedKeyUsage = serverAuth, clientAuth nsCertType = server, client ### end ### I think the nsCertType directive may be unnecessary these days, but I keep it around because it doesn't hurt anything. The...

...t. The problem is that the SSL certs result in "TLS handshaking: SSL_accept() syscall failed: Connection reset by peer" errors *if the certificate granted is not granted for client use*. For servers, I normally generate SSL certificates specifically for servers: [ server_ca_extensions ] basicConstraints = CA:false keyUsage = keyEncipherment extendedKeyUsage = 1.3.6.1.5.5.7.3.1 If you just do that, then the SSL certificate doesn't work in dovecot (it will work fine in Apache, or Postfix etc etc). You also need the certificate to be valide for client side work: [ client_and_server_ca_extension...

...;s how I managed that in my openssl.cnf file. Lots of bits ellided for >> clarity's sake: >> >> ### start ### >> [ ca ] >> default_ca = CA_default >> >> [ CA_default ] >> x509_extensions = server_cert >> >> [ server_cert ] >> basicConstraints=CA:FALSE >> keyUsage = nonRepudiation, dataEncipherment, digitalSignature, >> keyEncipherment >> extendedKeyUsage = serverAuth, clientAuth >> nsCertType = server, client >> ### end ### >> >> I think the nsCertType directive may be unnecessary these days,...

...51.331:15): user pid=2172 uid=81 auid=4294967295 subj=system_u:system_r:system_dbu sd_t:s0 msg='avc: received policyload notice (seqno=6) Also, in the /var/log/httpd/ssl_error_log the following messages appear too: [Sun Oct 05 19:58:19 2008] [warn] RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?) [Sun Oct 05 19:58:19 2008] [warn] RSA server certificate CommonName (CN) `orion.ciget.cienfuegos.cu' does NOT match server nam e!? Really rare to me because that name `orion.ciget.cienfuegos.cu' is the actual server hostname. When try to connect to the webmail through https...

...oth as username at domain or as bare username) The rest is just pretty standard, using passwd for both user auth and userdb, with plain and login mechanisms allowed. I tested "few" sets of certificates (for ca, server and user) with configurations ranging from quite specific ones (with basicConstraints, nsCertType, keyUsage, extendedKeyUsage fields set) to very simple ones (basicConstraints + typical stuff like subjectKeyIdentifier). All of them gave the same results with dovecot (postfix didn't complain with any of them either). This is what I get in logs, when trying to pull mail using ope...

...t and use x509 certs for hostkeys. You have to import your CA cert (ca.crt) in the windows client and certify your hostkey: $ cat << 'EOF' > x509v3.cnf CERTPATHLEN = 1 CERTUSAGE = digitalSignature,keyCertSign CERTIP = 0.0.0.0 [x509v3_CA] basicConstraints=critical,CA:true,pathlen:$ENV::CERTPATHLEN keyUsage=$ENV::CERTUSAGE [x509v3_IPAddr] subjectAltName=IP:$ENV::CERTIP [x509v3_DNSName] subjectAltName=DNS:$ENV::CERTDNS EOF $ CERTDNS=myipaddr; export CERTDNS $ openssl req -new -key /etc/ssh_host_rsa_key -out HOSTKEY.csr $ openssl x509 -req -days 365 -...

...tc/asterisk/keys/integration/certificate.pem tlsprivatekey=/etc/asterisk/keys/integration/webserver.key # cat /etc/asterisk/keys/ca.cfg [req] distinguished_name = req_distinguished_name prompt = no default_md = sha256 [ca] default_md = sha256 [req_distinguished_name] CN=localhost O=localhost [ext] basicConstraints=CA:TRUE Is there a way to find how FreePBX generated the /etc/asterisk/keys tree ? Best regards -------------- next part -------------- An HTML attachment was scrubbed... URL: <http://lists.digium.com/pipermail/asterisk-users/attachments/20200108/65c854ea/attachment.html>

I am building a mail server on Centos 6.3 and working with OpenSSL to create a self-signed certificate for mail use. Along the line of learning the 'best' options to use for OpenSSL and dealing with the default SSL virtual host for Apache, I discovered that the localhost cert created (I believe) during firstboot has the X509v3 extensions set as a CA cert (eg basicConstraint CA:TRUE).

...d to debug all I get is an immediate failure with the following errors the logs: /var/log/httpd/error_log: [Sun Jul 22 13:00:31 2007] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec) /var/log/ssl_error.log: [Sun Jul 22 13:04:32 2007] [warn] RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?) [Sun Jul 22 13:04:32 2007] [warn] RSA server certificate CommonName (CN) `localhost.localdomain' does NOT match server name!? [Sun Jul 22 13:04:32 2007] [error] Unable to configure RSA server private key [Sun Jul 22 13:04:32 2007] [error] SSL Library Error: 185073780 error:0B080...

...asterisk/keys/integration/webserver.key > > # cat /etc/asterisk/keys/ca.cfg > [req] > distinguished_name = req_distinguished_name > prompt = no > default_md = sha256 > [ca] > default_md = sha256 > [req_distinguished_name] > CN=localhost > O=localhost > [ext] > basicConstraints=CA:TRUE > > > Is there a way to find how FreePBX generated the /etc/asterisk/keys tree ? > > Best regards > -------------- next part -------------- An HTML attachment was scrubbed... URL: <http://lists.digium.com/pipermail/asterisk-users/attachments/20200417/0d6badec/attachment...

Hello, On a newly re-installed Asterisk 16.7.0 on Debian Buster, I can't find a way to enable HTTPS. Asterisk is running as asterisk:asterisk: asterisk 11097 0.3 6.7 741352 67984 ? Ssl 17:53 0:06 /usr/sbin/asterisk -g -f -p -U asterisk # cat /etc/asterisk/http.conf [general] servername=Asterisk enabled=yes bindaddr=0.0.0.0 bindport=8088 tlsenable=yes tlsbindaddr=0.0.0.0:8089