search for: x509v3

Displaying 20 results from an estimated 47 matches for "x509v3".

2011 Sep 14
1
puppet kick getting hostname not match with the server certificate
...te hostname finished with exit code 2 Failed: hostname I have done openssl x509 -text -in /var/lib/puppet/ssl/certs/ca.pem and both CA certs are identical. When I do openssl x509 -text -in /var/lib/puppet/ssl/certs/<fqdn>.pem | more I find that they are almost identical. The client shows the X509v3 extensions section differently: On the Client: X509v3 extensions: Netscape Comment: Puppet Ruby/OpenSSL Generated Certificate X509v3 Basic Constraints: critical CA:FALSE X509v3 Subject Key Identifier: EF:3...
2008 Jul 01
0
self Certificate Authority, using /etc/pki/tls/misc/CA
...signed or certificate authority cannot be verified". When I asked for help at the openssl mailing list I received an interesting answer: Just make sure your certificate is actually one "son" of your CA. > > It is right to make one CA cert with the 509 extensions set to CA > X509v3 Basic Constraints: > CA:TRUE > X509v3 Key Usage: > Certificate Sign, CRL Sign > Netscape Cert Type: > SSL CA, S/MIME CA > > But it is a mistake to make the "son" as ANOTHER SELF SIGNED cert with > t...
2017 Nov 24
1
SSL configuration
...:31:cd:8f:31:38:95:16:ba: a8:33:b8:43:f1:b1:1f:c3:30:7f:a2:79:31:13:3d: 2d:36:f8:e3:fc:f2:33:6a:b9:39:31:c5:af:c4:8d: 0d:1d:64:16:33:aa:fa:84:29:b6:d4:0b:c0:d8:7d: c3:93 Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Basic Constraints: critical CA:TRUE, pathlen:0 X509v3 Key Usage: critical Digital Signature, Certificate Sign, CRL Sign Authority Information Access: OCSP - URI:http://isrg.trustid.ocsp.identrust...
2003 Apr 24
1
x509v3-sign-rsa authentication type...
I've seen a variety of patches on the list for supporting the x509v3 certificate authentication. Are there any plans to include any of these in the official openssh? Thanks, Kevin Stefanik
2008 Jan 14
0
Regarding the "X509v3 Certificates" patch
Dear List, Regarding the "X509v3 Certificates" patch ... (See links below) - http://marc.info/?l=openssh-unix-dev&m=110976923021961&w=2 - http://marc.info/?l=openssh-unix-dev&m=110973268111830&w=2 - http://roumenpetrov.info/openssh How would I apply this patch to the OpenSSH currently in FreeBSD(.org...
2004 Apr 13
1
Patch Status
...otocol version 2.0; client software version OpenSSH_3.8p1 debug1: match: OpenSSH_3.8p1 pat OpenSSH* debug1: Enabling compatibility mode for protocol 2.0 debug1: Local version string SSH-2.0-OpenSSH_3.8p1 debug3: privsep user:group 74:74 debug1: permanently_set_uid: 74/74 debug1: list_hostkey_types: x509v3-sign-rsa debug1: SSH2_MSG_KEXINIT sent debug1: SSH2_MSG_KEXINIT received debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1 debug2: kex_parse_kexinit: x509v3-sign-rsa debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes...
2002 Jan 31
7
x509 for hostkeys.
This (very quick) patch allows you to connect with the commercial ssh.com windows client and use x509 certs for hostkeys. You have to import your CA cert (ca.crt) in the windows client and certify your hostkey: $ cat << 'EOF' > x509v3.cnf CERTPATHLEN = 1 CERTUSAGE = digitalSignature,keyCertSign CERTIP = 0.0.0.0 [x509v3_CA] basicConstraints=critical,CA:true,pathlen:$ENV::CERTPATHLEN keyUsage=$ENV::CERTUSAGE [x509v3_IPAddr] subjectAltName=IP:$ENV::CERTIP [x509v3_DNSName] subjectAltName=DN...
2002 Nov 21
0
x509v3 certificates in OpenSSH
New version "x509e" is out on http://satva.skalasoft.com/~rumen/openssh/ . Now OpenSSH (client and server) can use x509 certificates for hostkeys too. Try it and give feedback, comments, suggestions, etc. to the forum (preferred).
2012 Jan 15
0
X.509 certificate integration continue with PKCS11 and FIPS capable OpenSSL
...is ready. The just published update from the "Integration" series offers direct support of X.509 certificates based on RSA keys from a PKCS11 module. Another integration update is that now you can use a FIPS capable OpenSSL library in FIPS mode. As a result of the above mentioned features the x509v3-sign-rsa public key algorithm now prefers sha1 to md5. This means that by default option X509KeyAlgorithm is switched from X509KeyAlgorithm x509v3-sign-rsa,rsa-md5 X509KeyAlgorithm x509v3-sign-rsa,rsa-sha1 to X509KeyAlgorithm x509v3-sign-rsa,rsa-sha1 X509KeyAlgorithm x509v3-sign-rsa,rsa...
2012 Mar 10
2
X509v3 Subject Alternative Name in puppet generated certs...
...es and certificates. When the Puppet CA generated its certificate the PTR record for its IP pointed back to its domain name ("henson") and it had a CNAME "puppet" and it happily answers to both names because it generated a cert with: X509v3 Subject Alternative Name: DNS:henson.domain.com, DNS:puppet, DNS:puppet.domain.com I'm in development mode so got it in my head I wanted at least two masters (looking to support about 2k systems out of the gate with some bursty cloudiness on top of that) so I lost the CNAME m...
2004 Apr 07
0
Announce: X.509 certificates support in OpenSSH(version h-Validator)
I'm pleased to announce that the version "h" (code-name Validator) of "X.509 certificates support in OpenSSH" is now available for immediate download at http://roumenpetrov.info/openssh. Features: * "x509v3-sign-rsa" and "x509v3-sign-dss" public key algorithms * certificate verification * certificate validation o CRL o OCSP (optional and experimental feature) * "x509v3-sign-rsa" MD5 and SHA-1 signatures * OpenSSH agent with certificates * strong regression tests * detailed...
2004 Aug 19
0
Announce: X.509 certificates support in OpenSSH-3.9p1
Hi All, Diffs of "X.509v3 certificates support for OpenSSH" versions g4 (Compatibility) and h (Validator) for OpenSSH-3.9p1 are ready for download. Please visit "http://roumenpetrov.info/openssh" for more information. Features: * "x509v3-sign-rsa" and "x509v3-sign-dss" public key algorithms * certificate verification * certificate validation o CRL o OCSP (optional and experimental feature) * "x509v3-sign-rsa" MD5 and SHA-1 signatures * OpenSSH agent with certificates * strong regression tests * detailed ma...
2008 Feb 20
4
OpenSSH and X.509 Certificate Support
Hi, I need to add X.509 Certificate support to OpenSSH. I came across the following post on the openssh-unix-dev mailing list that is very useful: http://marc.info/?l=openssh-unix-dev&m=120298135706959&w=2 <http://marc.info/?l=openssh-unix-dev&m=120298135706959&w=2> And also, http://marc.info/?l=openssh-unix-dev&m=104395024824680&w=2
2003 Dec 05
1
TLS: hostname doesn't match CN??
...:dd: 43:12:f0:8f:5b:4a:cd:74:42:cf:ed:93:e9:94:3b: 58:12:77:8f:3a:d1:b2:46:95:45:56:f5:58:ab:f3: 77:6a:04:be:1d:b8:84:ca:3a:c9:aa:28:e7:4a:6a: cd:75:86:83:ac:b7:bf:5f:d5 Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Basic Constraints: CA:FALSE Netscape Comment: OpenSSL Generated Certificate X509v3 Subject Key Identifier: 9E:EB:78:6D:50:16:51:05:1E:6C:8A:EA:5B:D0:83:01:35:B1:A5:F6 X509v3 Authority Key Identifi...
2006 Jan 22
0
Announce: X.509 certificates support in OpenSSH (version 5.3 from "Validator" series)
Hi All, The version 5.3 of "X.509 certificates support in OpenSSH" is published. This version adds preliminary support for "x509v3-sign-rsa-sha1" and "x509v3-sign-dss-sha1" key type names in conformance with "draft-ietf-secsh-x509-02.txt" and extends the "x509v3-sign-dss" key type with signatures in "ssh-dss" format. More details on page http://roumenpetrov.info/openssh/#news . Regards, R...
2011 Feb 15
11
Puppetmasterd not receiving certificate request
Hi: I'm trying to configure Puppet on Ubuntu, and strangely I am never able to generate a certificate because my server never shows any pending certificate requests. Put differently, on the server I am running puppetmasterd and on the client I am able to connect to the server, but the client continues printing notice: Did not receive certificate warning: peer certificate
2008 Feb 13
1
Openssh + x509 patch problem
...cat server.pem >> ssh_host_key_cert chmod 0600 ssh_host_key_cert ../bin/ssh-keygen -y > ssh_host_key_cert.pub // entering ssh_host_key_cert as key - Changing /opt/ssh/etc/sshd_config: CACertificateFile /opt/ssh/etc/ca/crt/cacert.pem Port 4422 X509KeyAlgorithm x509v3-sign-rsa,rsa-md5 X509KeyAlgorithm x509v3-sign-rsa,rsa-sha1 AllowedCertPurpose sslclient PasswordAuthentication no - Customizing server user configuration cat /opt/ssh/etc/ssh_host_key_cert.pub > .ssh/authorized_keys - Now __On client machine__ (after copying, client.pem, cli...
2013 Dec 12
1
Need help in addressing this error - ERROR OpenSSL::SSL::SSLError: SSL_accept returned=1 errno=0 state=SSLv3 read client certificate A: tlsv1 alert unknown ca
...:dd:10:1e:c8:e8:34:d1: 22:b8:33:95:72:6c:48:75:65:35:e8:6f:17:66:7b: 34:10:d8:b8:2b:8c:ef:70:68:b3:62:b3:62:ac:30: 21:74:49:c6:c1:34:9c:ac:be:e8:da:04:79:e9:d7: 60:44:a7 Exponent: 65537 (0x10001) X509v3 extensions: Netscape Comment: Puppet Ruby/OpenSSL Internal Certificate X509v3 Subject Alternative Name: DNS:10.193.174.38, DNS:puppet, DNS:puppet.cisco.com, DNS:savbu-razor-server.cisco.com X509v3 Key Usage: critical...
2008 Mar 13
0
[Fwd: Re: OpenSSH and X.509 Certificate Support]
Hi Roumen, I discovered that the need to append the .pub part of id_rsa (client key+cert) on the server can be eliminated by adding the Certificate Blob to authorized_keys, which could look something like this: x509v3-sign-rsa subject= /C=FR/ST=PARIS/L=DESEl/O=SSL/OU=VLSI/CN=10.244.82.83/emailAddress=client at company.com This is extracted from the client certificate using openssl as described in the README file provided by you at http://roumenpetrov.info/openssh/x509h/README.x509v3 This system works fine,...
2008 Jan 16
4
x509 patch for SSH
...509 patch for ssh from Roumen, it works great. However, I can't figure out a couple of things, and have been trying to solve it for a couple of days already. I'm using OpenSSH_4.7p1-hpn12v19, OpenSSL 0.9.8g with the 6.1 version of your patch. The serverside hostkey is configured correctly, to present x509v3-sign-rsa dynowork / # ssh-keyscan pingo # pingo SSH-2.0-OpenSSH_4.7p1-hpn12v19 pingo x509v3-sign-rsa Subject:CN=pingo.dmz.arhont.com,OU=IT,O=Arhont Ltd,C=GB However, in the situation when the clients that haven't been patched to support x509 just could not connect, giving the following erro...