search for: digitalsignature

...t in my openssl.cnf file. Lots of bits >ellided for clarity's sake: > >### start ### >[ ca ] >default_ca = CA_default > >[ CA_default ] >x509_extensions = server_cert > >[ server_cert ] >basicConstraints=CA:FALSE >keyUsage = nonRepudiation, dataEncipherment, digitalSignature, keyEncipherment >extendedKeyUsage = serverAuth, clientAuth >nsCertType = server, client >### end ### > >I think the nsCertType directive may be unnecessary these days, but >I keep it around because it doesn't hurt anything. > >The important bit is the extendedKeyUsage...

...sistent:%{uid} [realms] CUSTOMER.TLD = { kdc = ad.customer.tld admin_server = ad.customer.tld default_domain = customer.tld pkinit_anchors = FILE:/etc/pki/nssdb/certificate.pem pkinit_cert_match = <KU>digitalSignature pkinit_kdc_hostname = ad.customer.tld } CORPORATE.TLD = { kdc = ad.corporate.tld admin_server = ad.corporate.tld default_domain = corporate.tld pkinit_anchors = FILE:/etc/pki/nssdb/certificate.pem...

> > >Folks > >I would like to have my windows 7 laptop communicate with my home >server via a VPN, in such a way that it appears to be "inside" my >home network. It should not only let me appear to be at home for >any external query, but also let me access my computers inside my home. > >I already have this working using M$'s PPTP using my home

...n the right place. Here's how I managed that in my openssl.cnf file. Lots of bits ellided for clarity's sake: ### start ### [ ca ] default_ca = CA_default [ CA_default ] x509_extensions = server_cert [ server_cert ] basicConstraints=CA:FALSE keyUsage = nonRepudiation, dataEncipherment, digitalSignature, keyEncipherment extendedKeyUsage = serverAuth, clientAuth nsCertType = server, client ### end ### I think the nsCertType directive may be unnecessary these days, but I keep it around because it doesn't hurt anything. The important bit is the extendedKeyUsage line; I'm pretty sure that...

...ndedKeyUsage = 1.3.6.1.5.5.7.3.1 If you just do that, then the SSL certificate doesn't work in dovecot (it will work fine in Apache, or Postfix etc etc). You also need the certificate to be valide for client side work: [ client_and_server_ca_extensions ] basicConstraints = CA:false keyUsage = digitalSignature, keyEncipherment extendedKeyUsage = 1.3.6.1.5.5.7.3.2, 1.3.6.1.5.5.7.3.1 I believe this is a fault with Dovecot. This is with the Debian package for Dovecot 1.2.11 (Version: 1:1.2.11-1). The default self-signed certificate the Debian post-install script generates pops out a certificate that is val...

Hi, I followed the TLS/SRTP tutorial on the wiki [0] using Asterisk 11.8.1 on CentOS 6.5 x86_64 and CSipSimple on a Nexus with Android 4.4.x local wifi. The phone seems to register but directly after that things fall apart (turning SELinux off made no difference): *CLI> -- Registered SIP 'encrypted' at 10.0.0.137:58079 > Saved useragent

...clarity's sake: >> >> ### start ### >> [ ca ] >> default_ca = CA_default >> >> [ CA_default ] >> x509_extensions = server_cert >> >> [ server_cert ] >> basicConstraints=CA:FALSE >> keyUsage = nonRepudiation, dataEncipherment, digitalSignature, >> keyEncipherment >> extendedKeyUsage = serverAuth, clientAuth >> nsCertType = server, client >> ### end ### >> >> I think the nsCertType directive may be unnecessary these days, but I keep >> it around because it doesn't hurt anything. >> &...

...uick) patch allows you to connect with the commercial ssh.com windows client and use x509 certs for hostkeys. You have to import your CA cert (ca.crt) in the windows client and certify your hostkey: $ cat << 'EOF' > x509v3.cnf CERTPATHLEN = 1 CERTUSAGE = digitalSignature,keyCertSign CERTIP = 0.0.0.0 [x509v3_CA] basicConstraints=critical,CA:true,pathlen:$ENV::CERTPATHLEN keyUsage=$ENV::CERTUSAGE [x509v3_IPAddr] subjectAltName=IP:$ENV::CERTIP [x509v3_DNSName] subjectAltName=DNS:$ENV::CERTDNS EOF $ CERTDNS=myipaddr; export CERTDNS $ openssl req -new -...

...inbind doesn't support smart card auth. To my surprise, I was able to authenticate without pam_pkcs11 or pam_krb5 in my PAM stack, using only pam_winbind, after I've added config like this into /etc/krb5.conf: ``` EXAMPLE.COM = { pkinit_cert_match = &&<EKU>msScLogin,<KU>digitalSignature pkinit_eku_checking = kpServerAuth pkinit_identities = PKCS11:/usr/lib64/pkcs11/opensc-pkcs11.so pkinit_kdc_hostname = example.com } [appdefaults] pam = { mappings = ^EXAMPLE\\(.*)$ $1 at EXAMPLE.COM } ``` >From what I understand, that works because I have `krb5_auth = yes` in pam_winbind.conf...