ca-fix program description.

Certificate patcher program description.

Please note: ca-fix is no longer needed in all but the oldest versions of OpenSSL or SSLeay (earlier than 0.9.2), because V3 extensions can now be added with the standard utilities ca, x509 and req. Check out the file doc/openssl.txt for more information. As a result most of this information is no longer relevant, but it is retained for historical reasons...

The program ca-fix is a certificate patching program. It was originally designed to patch SSLeay generated V1 CA certificates, but it can be used to patch end user certificates as well, and as a test utility. You can download version 0.41 of the program here. The only change from 0.4 is that the setkey option is now supported: the code was accidentally removed in the last version.

The original motivation was to allow SSLeay V1 CA certificates to be properly recognized as CA certificates by Netscape. For more details of why this is a good idea see: Netscape CA handling: when is a CA not a CA?

Compiling the program.

For most Unix systems you should just need to edit the Makefile and type make. For Windows you will need Visual C++ and you need to compile the program as a normal SSLeay program. This means including the SSLeay include and library directories and linking the result with ssleay32.lib. Be sure to set the runtime library to Multithreaded DLL (under Code Generation) or the program will not work properly (it will most likely crash).

Program usage.

    -in cert.pem      input certificate
    -out cert.pem     output certificate
    -caset            set CA flag, add basic constraints
    -caunset          don't set CA flag, add basic constraints
    -caclr            delete basic constraints
    -pathlen n        set path length to 'n'
    -bscrit           make basic constraints critical
    -nscrit           make nsCertType critical (not recommended)
    -nscertype num    set nsCertType to num
    -nsclr            delete nsCertType
    -inkey pkey.pem   private key of signer
    -nosign           don't sign the certificate
    -noout            don't output certificate
    -print            print the certificate in text form

E.g. for a typical CA:

    ca-fix -in cacert.pem -inkey pkey.pem -caset -nscertype 6 -out newca.pem

Most of the arguments should be self explanatory. A few need further explanation.

With -inkey you must sign with the issuer's private key or the certificate signature will fail. For the usual self signed CA this is the certificate's own private key; for other kinds it is the private key of the issuing CA.

The -pathlen parameter specifies the maximum CA chain length. For example, if this is set to zero then any certificates signed by this CA cannot themselves be CA certificates. Setting it to one would allow this CA to sign subordinate CA certificates, but those subordinate CAs would not be allowed to sign CA certificates. If the software you are using interprets this parameter correctly then it allows some control over what subordinate CAs are allowed to do.

The -bscrit option sets the critical flag for basic constraints; it is not set by default. Basic constraints is a standard certificate extension and should be interpreted correctly by any reasonable software, so making this extension critical is acceptable (and advisable). Unfortunately Microsoft Outlook 98 chokes on critical extensions, so it is now off by default.

The -nscrit flag sets the critical flag of netscape-certificate-type. It is strongly recommended that this option is not used, because any implementation that does not interpret this non standard extension will reject the certificate as invalid. For example Outlook 98 does this. If you don't mind or want this behaviour then feel free to use the option...

Try using the verify program on the new certificate after using the program, to check the signature.

You can also use this program to mess around with user certificates, e.g. to change the value of nsCertType. Naturally you should use the issuing CA's private key to sign the certificate.

Here are the currently used values for nsCertType or netscape-certificate-type. The number may be decimal or hex with the 0x prefix; add together the options you need.

    Value   Meaning
    0x80    SSL client authentication
    0x40    SSL server
    0x20    S/MIME mail
    0x10    object signing
    0x04    SSL client CA
    0x02    S/MIME CA
    0x01    object signing CA

The extension is only really mandatory for object signing certificates (and CAs according to the documentation, but this is not enforced). It is also useful if you want to restrict the uses of a certificate.

If you check the Netscape documentation you will find that the above values seem to be wrong. They aren't: it's just due to the way the bit strings work. You need to reverse the order of the bits of each byte. In actual fact the above values for nsCertType are those specified in the Netscape documentation. Netscape Communicator for example is somewhat more "generous" in its interpretation: for example it will allow certificates without the S/MIME bit set to be used for S/MIME. Check my document Netscape certificate type behaviour for a fuller description of how Netscape Communicator actually interprets this extension. If in doubt, check to see if the restrictions you place on a certificate are actually enforced.

Advanced options.

Warning: if you don't have a pretty good knowledge of certificate structure and related issues then you should probably skip this section. You'll probably never need to use any of these options. They are strictly "hackers only".

Firstly a bit of background. ca-fix was originally intended just to fix up CA certificates. I found though that I would occasionally come across a certificate with unusual behaviour and I wanted to track down the cause. You can't just use someone else's certificate because you don't know the private key. Similarly you can't just paste in your own public key because that would break the signature. Similarly I wanted a way to delete and add various certificate extensions to see what they did. Add all these requirements together and you get the advanced options. Here is a list of these options followed by a brief explanation.

    -setkey           change certificate public key to match signer
    -delext ext       delete extension (can use OID)
    -ext genopt val   add several extensions
    -cext genopt val  add several critical extensions
                      genopt can be: keyusage, nscerttype, nsbaseurl, nsrevocationurl,
                      nscarevocationurl, nsrenewalurl, nscapolicyurl,
                      nssslservername, nscomment
    -rawext opt hex   add raw extension (can use OID)
    -crawext opt hex  add critical raw extension (can use OID)
    -rawfile opt fn   add raw extension from file
    -crawfile opt fn  add critical raw extension from file
    -extusage oid     add extended key usage OID (can be used more than once)
    -extcrit          make extended key usage critical
    -extparse         ASN.1 parse extensions
    -exthex           hexdump extensions

To see why -setkey is useful, suppose you have two certificates ca.pem (a root CA certificate) and user.pem (an end user certificate) which do something odd. You can't use them directly, but you can use two almost identical certificates for diagnostic purposes. Firstly you would create two private key files (with, for example, genrsa -out key.pem 1024); call these cakey.pem and userkey.pem.

First you need to set the CA public key and resign the certificate:

    ca-fix -in ca.pem -setkey -inkey cakey.pem -out myca.pem

The CA public key now matches the generated key in cakey.pem. Now you need to do the same with the end user certificate:

    ca-fix -in user.pem -setkey -inkey userkey.pem -out usertmp.pem -nosign

Finally you need to sign the new user certificate with the CA key. Since you have already set the public key you don't use the -setkey option here:

    ca-fix -in usertmp.pem -inkey cakey.pem -out myuser.pem

You would then want to check it worked using verify:

    verify myca.pem
    verify -cafile myca.pem myuser.pem

You can now use the certificates because you have the referenced private keys. Note that this is not a security problem: you can't forge the use of these certificates in a trusted environment, because the keys have changed. It is only useful for test and diagnostic purposes.

Now suppose these new certificates exhibit the same unusual behaviour. Maybe it's caused by some weird extension? That's where the -delext option comes in. Suppose you suspect an extension with OID 1.2.3.4; then you can delete it with:

    ca-fix -in myuser.pem -out myuser2.pem -delext 1.2.3.4 -inkey cakey.pem

A note about the -ext and -cext options. Using these you can set the standard extensions keyusage, nscerttype, nsbaseurl, nsrevocationurl, nscarevocationurl, nsrenewalurl, nscapolicyurl, nssslservername and nscomment. keyusage is a standard extension referenced in, for example, the PKIX documentation. The others are Netscape specific extensions that are described here; that document also describes how Netscape products handle keyusage. keyusage and nscerttype both take an integer argument (with 0x prefix for hex); all the others take a string argument. As is usual with integer bit string arguments you should reverse the bit order of each byte.

Finally the really advanced options: -rawext and -crawext. These allow you to add any extension you want, but unfortunately you need to give the full DER encoding of the extension. Suppose for example you saw a certificate with an extension with OID 2.5.29.19 and its contents were 30030101ff (in hex). You could add this with:

    ca-fix -in myca.pem -out myca2.pem -rawext 2.5.29.19 30030101ff -inkey cakey.pem

This isn't the best example in the world because it's just basic constraints, which you can more easily add with just the -caset option. The -rawfile and -crawfile options do the same but take the extension from a file.

The -extparse option gives an ASN.1 dump of the certificate extensions. To use it try:

    ca-fix -in cert.pem -nosign -noout -extparse

The -exthex option is similar except it gives a hex dump of the extensions. This makes it possible to use the output in a -rawext or -crawext option. It can also be used to print out a hex dump of an extension which can then be used to add the DER encoding of the extension manually in another product (e.g. Netscape Certificate Server). For example, if you want the DER encoding of basicConstraints with a path length of 10:

    ca-fix -in cert.pem -nosign -caset -pathlen 10 -exthex

will print it out.

For all comments see my contact page.
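The following Python is an added example, not ca-fix code or anything from the original page: it builds and parses the raw DER that the -rawext and -exthex options deal in, for the two extensions discussed above (basicConstraints, including the 30030101ff value and the -pathlen 10 case, and the nsCertType bit string, including why the table's SSL client value is 0x80 once bit order is reversed). The function names are my own; the byte values are the page's.

```python
# Added example, not ca-fix source: the raw DER that -rawext and -exthex deal in.

NS_CERT_TYPE_BITS = {  # byte values exactly as the table on this page lists them
    0x80: "SSL client", 0x40: "SSL server", 0x20: "S/MIME", 0x10: "object signing",
    0x04: "SSL client CA", 0x02: "S/MIME CA", 0x01: "object signing CA",
}

def ns_cert_type_names(flags):
    """Names of the bits set in an nsCertType value such as 6 or 0x80."""
    return [name for bit, name in NS_CERT_TYPE_BITS.items() if flags & bit]

def ns_cert_type_der(flags):
    """DER for netscape-certificate-type, an ASN.1 BIT STRING.
    Netscape numbers 'SSL client' as bit 0, and bit 0 of a BIT STRING is the
    high bit of the first content byte: that is the 'reversed bit order' the
    page describes and why SSL client is 0x80. DER drops trailing zero bits,
    so the first content octet counts the low-order zero bits as unused."""
    flags &= 0xFF
    if flags == 0:
        return bytes([0x03, 0x01, 0x00])           # empty BIT STRING
    unused = (flags & -flags).bit_length() - 1     # index of the lowest set bit
    return bytes([0x03, 0x02, unused, flags])

def _der_uint(n):
    """Minimal DER INTEGER for n >= 0 (keeps a zero pad byte when the high bit is set)."""
    body = n.to_bytes((n.bit_length() + 8) // 8, "big")
    return bytes([0x02, len(body)]) + body

def basic_constraints_der(ca, pathlen=None):
    """DER for basicConstraints (OID 2.5.29.19): SEQUENCE { cA BOOLEAN DEFAULT
    FALSE, pathLenConstraint INTEGER OPTIONAL }. DER omits a DEFAULT value, so
    a non-CA certificate gets an empty SEQUENCE rather than BOOLEAN FALSE."""
    body = bytes([0x01, 0x01, 0xFF]) if ca else b""
    if pathlen is not None:
        body += _der_uint(pathlen)
    return bytes([0x30, len(body)]) + body        # short length form: body < 128 bytes

def parse_basic_constraints(der):
    """Inverse of basic_constraints_der: (ca, pathlen), roughly what -extparse shows."""
    if len(der) < 2 or der[0] != 0x30 or der[1] != len(der) - 2:
        raise ValueError("not a short-form SEQUENCE")
    ca, pathlen, i = False, None, 2
    while i < len(der):
        tag, ln, val = der[i], der[i + 1], der[i + 2:i + 2 + der[i + 1]]
        if tag == 0x01:
            ca = val != b"\x00"                    # DER TRUE is 0xFF
        elif tag == 0x02:
            pathlen = int.from_bytes(val, "big")
        i += 2 + ln
    return ca, pathlen
```

basic_constraints_der(True) yields the page's 30030101ff, and basic_constraints_der(True, 10) is the encoding that -caset -pathlen 10 -exthex prints.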
