search for: subjectkeyidentifier

...least one difference, which could be a cause of issue: Samba (in fact, Heimdal) generates PA-PK-AS-REP which violates RFC 3852 (cryptographic message syntax). RFC 3852 says: If the RecipientIdentifier is the CHOICE issuerAndSerialNumber, then the version MUST be 0. If the RecipientIdentifier is subjectKeyIdentifier, then the version MUST be 2. But Heimdal uses subjectKeyIdentifier in response and version number 0. MS uses issuerAndSerialNumber. I tried to force Heimdal use issuerAndSerialNumber in response (simply by commenting if statement in hx509_cms_create_signed function and make sigctx.cmsidflag alwa...

I have a remote server running centos 4.3 and a home desktop running suse 10.1. I have generated an SSL certificate on the server, copied it on the desktop and run on the desktop: >openssl x509 -in mynewcertCert.pem -fingerprint -subject -issuer -serial -hash -noout >c_rehash . getting this warning: > > Doing . > WARNING: mynewcertPrivateKey.pem does not contain a certificate or

...esn't hurt anything. > >The important bit is the extendedKeyUsage line; I'm pretty sure that >an OpenVPN server needs the serverAuth extension. For instance, here >is the X509 extensions configuration for a server used by EasyRSA: > > basicConstraints = CA:FALSE > subjectKeyIdentifier = hash > authorityKeyIdentifier = keyid,issuer:always > extendedKeyUsage = serverAuth,clientAuth > keyUsage = digitalSignature,keyEncipherment > >You can ask openssl to tell you the purpose of a certificate: > >[bash]$ openssl x509 -noout -purpose -in cert.pem | grep SSL...

> > >Folks > >I would like to have my windows 7 laptop communicate with my home >server via a VPN, in such a way that it appears to be "inside" my >home network. It should not only let me appear to be at home for >any external query, but also let me access my computers inside my home. > >I already have this working using M$'s PPTP using my home

...keep it around because it doesn't hurt anything. The important bit is the extendedKeyUsage line; I'm pretty sure that an OpenVPN server needs the serverAuth extension. For instance, here is the X509 extensions configuration for a server used by EasyRSA: basicConstraints = CA:FALSE subjectKeyIdentifier = hash authorityKeyIdentifier = keyid,issuer:always extendedKeyUsage = serverAuth,clientAuth keyUsage = digitalSignature,keyEncipherment You can ask openssl to tell you the purpose of a certificate: [bash]$ openssl x509 -noout -purpose -in cert.pem | grep SSL SSL client : Yes SSL client...

...>> The important bit is the extendedKeyUsage line; I'm pretty sure that an >> OpenVPN server needs the serverAuth extension. For instance, here is the >> X509 extensions configuration for a server used by EasyRSA: >> >> basicConstraints = CA:FALSE >> subjectKeyIdentifier = hash >> authorityKeyIdentifier = keyid,issuer:always >> extendedKeyUsage = serverAuth,clientAuth >> keyUsage = digitalSignature,keyEncipherment >> >> You can ask openssl to tell you the purpose of a certificate: >> >> [bash]$ openssl x509 -noou...

...ith plain and login mechanisms allowed. I tested "few" sets of certificates (for ca, server and user) with configurations ranging from quite specific ones (with basicConstraints, nsCertType, keyUsage, extendedKeyUsage fields set) to very simple ones (basicConstraints + typical stuff like subjectKeyIdentifier). All of them gave the same results with dovecot (postfix didn't complain with any of them either). This is what I get in logs, when trying to pull mail using opera or mozilla: Jul 7 14:33:47 ppgk-wa dovecot: Dovecot v1.0.rc2 starting up Jul 7 14:33:57 ppgk-wa dovecot: pop3-login: Invalid c...