Commit graph

41 commits

Author SHA1 Message Date
Marek Klein
f0ef20bf38 Added support for ESSCertIDv2
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/771)
2017-05-03 09:04:23 +02:00
Rich Salz
a7be5759cf RT3809: basicConstraints is critical
This is really a security bugfix, not enhancement any more.
Everyone knows critical extensions.

Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
2016-06-13 09:18:22 -04:00
Dr. Stephen Henson
2cc7acd273 Use better defaults for TSA.
Use SHA256 for TSA and setted permitted digests to a sensible value.

Based on PR#4141

Reviewed-by: Matt Caswell <matt@openssl.org>
2015-11-20 13:40:53 +00:00
Dr. Stephen Henson
e20b472751 Add support for signer_digest option in TS.
Based on PR#2145

Reviewed-by: Matt Caswell <matt@openssl.org>
2015-11-20 13:40:53 +00:00
Kurt Roeckx
44e0c2bae4 RT2626: Change default_bits from 1K to 2K
This is a more comprehensive fix.  It changes all
keygen apps to use 2K keys. It also changes the
default to use SHA256 not SHA1.  This is from
Kurt's upstream Debian changes.

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Kurt Roeckx <kurt@openssl.org>
2014-09-08 17:21:04 -04:00
Rich Salz
a5a3178728 RT3408; fix some (not all suggested) typo's in openssl.cnf 2014-07-02 23:18:39 -04:00
Veres Lajos
478b50cf67 misspellings fixes by https://github.com/vlajos/misspell_fixer 2013-09-05 21:39:42 +01:00
Dr. Stephen Henson
df0cdf4ceb The default CN prompt message can be confusing when often the CN needs to
be the server FQDN: change it.
[Reported by PSW Group]
2011-12-06 00:00:30 +00:00
Dr. Stephen Henson
06ddf8eb08 Updates from 1.0.0-stable 2009-04-04 19:54:06 +00:00
Dr. Stephen Henson
5456583294 Don't add the TS EKU by default in openssl.cnf because it then
makes certificates genereated by ca, CA.pl etc useless for anything else.
2006-11-07 14:27:55 +00:00
Dr. Stephen Henson
03919683f9 Add support for default public key digest type ctrl. 2006-05-07 17:09:39 +00:00
Ulf Möller
c7235be6e3 RFC 3161 compliant time stamp request creation, response generation
and response verification.

Submitted by: Zoltan Glozik <zglozik@opentsa.org>
Reviewed by: Ulf Moeller
2006-02-12 23:11:56 +00:00
Dr. Stephen Henson
29b9763d9f Change openssl.cnf to use UTF8Strings by default and not always include issuer
and serial versions of AKID.
2005-09-16 11:58:28 +00:00
Nils Larsch
12bdb64375 use SHA-1 as the default digest for the apps/openssl commands 2005-04-02 09:29:15 +00:00
Richard Levitte
6951c23afd Add functionality needed to process proxy certificates. 2004-12-28 00:21:35 +00:00
Richard Levitte
fd4ef69913 Implement CRL numbers.
Contributed in whole by Laurent Genier <Laurent.Genier@intrinsec.com>
PR: 644
2003-06-19 17:40:16 +00:00
Richard Levitte
f85b68cd49 Make it possible to have multiple active certificates with the same
subject.
2003-04-03 16:33:03 +00:00
Richard Levitte
ed2e24d564 Show an example of moving the emailAddress object from the subkect DN
to subjectAltName when signing a certificate.
2001-04-11 13:04:20 +00:00
Dr. Stephen Henson
791bd0cd2b Add copy_extensions option to 'ca' utility. 2001-03-16 02:04:17 +00:00
Dr. Stephen Henson
e890dcdb19 Add 'align' option to nameopt.
Add default values for display by the 'ca' utility
to openssl.cnf

Update docs.
2001-03-15 22:45:20 +00:00
Bodo Möller
d8c2adae57 increase emailAddress_max 2001-03-04 01:33:55 +00:00
Dr. Stephen Henson
b38f9f66c3 Initial automation changes to 'req' and X509_ATTRIBUTE functions. 2000-01-06 01:26:48 +00:00
Dr. Stephen Henson
20432eae41 Fix some of the command line password stuff. New function
that can automatically determine the type of a DER encoded
"traditional" format private key and change some of the
d2i functions to use it instead of requiring the application
to work out the key type.
2000-01-01 16:42:49 +00:00
Dr. Stephen Henson
36217a9424 Allow passwords to be included on command line for a few
more utilities.
1999-12-24 23:53:57 +00:00
Dr. Stephen Henson
74400f7348 Continued multibyte character support.
Add a bunch of functions to simplify the creation of X509_NAME structures.

Change the X509_NAME_entry_add stuff in req/ca so it no longer uses
X509_NAME_entry_count(): passing -1 has the same effect.
1999-10-27 00:15:11 +00:00
Dr. Stephen Henson
c79b16e11d Allow extensions to be added to certificate requests, update the sample
config file (change RAW to DER).
1999-08-25 16:59:26 +00:00
Ralf S. Engelschall
5a97a0b6e4 consistent style 1999-08-08 09:39:43 +00:00
Dr. Stephen Henson
257e206da6 Include some notes on basic extension usage and change openssl.cnf to usually
do sensible things with extensions.
1999-05-19 23:54:58 +00:00
Bodo Möller
3f45ed82dc Rename "openssl x509" option "-config" to "-extfile", because it
doesn't have a default value like the "-config" options of other
openssl subprograms.
1999-05-17 08:28:37 +00:00
Bodo Möller
e186bf96b4 Added a comment pointing out the behaviour of "openssl x509 -conf ...",
which cost me some time to find out about.
1999-05-16 12:17:20 +00:00
Dr. Stephen Henson
1756d405cc Added support for adding extensions to CRLs, also fix a memory leak and
make 'req' check the config file syntax before it adds extensions. Added
info in the documentation as well.
1999-03-06 19:33:29 +00:00
Dr. Stephen Henson
a43aa73e3b Redo the way 'req' and 'ca' add objects: add support for oid_section. 1999-02-23 00:07:46 +00:00
Dr. Stephen Henson
aa066b9e6e Add more functionality to issuer alt name and subject alt name. New options
to include email addresses from DN and copy details from issuer certificate.
Include examples in openssl.cnf, update Win32 ordinals.
1999-02-21 01:46:45 +00:00
Dr. Stephen Henson
0be9747b39 Oops! Remeber to include the other patches this time... 1999-02-17 23:22:57 +00:00
Dr. Stephen Henson
388ff0b076 Add support for raw extensions. This means that you can include the DER encoding
of an arbitrary extension: e.g. 1.3.4.5=critical,RAW:12:34:56 Using this
technique currently unsupported extensions can be generated if you know their
DER encoding. Even if the extension is supported in future the raw extension
will still work: that is the raw version can always be used even if it is a
supported extension.
1999-02-14 16:48:22 +00:00
Dr. Stephen Henson
175b0942ec More extension code. Incomplete support for subject and issuer alt
name, issuer and authority key id. Change the i2v function parameters
and add an extra 'crl' parameter in the X509V3_CTX structure: guess
what that's for :-) Fix to ASN1 macro which messed up
IMPLICIT tag and add f_enum.c which adds a2i, i2a for ENUMERATED.
1999-02-10 01:12:59 +00:00
Dr. Stephen Henson
b2347661ce Still more X509 V3 stuff. Modify ca.c to work with the new code and modify
openssl.cnf for the new syntax.
1999-01-26 01:19:27 +00:00
Dr. Stephen Henson
f317aa4c9c More X509 V3 stuff. Add support for extensions in the 'req' application
so that: openssl req -x509 -new -out cert.pem
will take extensions from openssl.cnf a sample for a CA is included.
Also change the directory order so pem is nearer the end. Otherwise 'make links'
wont work because pem.h can't be built.
1999-01-25 01:09:21 +00:00
Ralf S. Engelschall
06d5b16225 First cut of a cleanup for apps/. First the `ssleay' program is now named
`openssl' and second, the shortcut symlinks for the `openssl <command>' are no
longer created. This way we have a single and consistent command line
interface `openssl <command>', similar to `cvs <command>'.

Notice, the openssl.cnf, openssl.c and progs.pl files were changed after a
repository copy, i.e. they still contain the complete file history.
1999-01-02 12:59:33 +00:00
Ralf S. Engelschall
dfeab0689f Import of old SSLeay release: SSLeay 0.9.1b (unreleased) 1998-12-21 11:00:56 +00:00
Ralf S. Engelschall
d02b48c63a Import of old SSLeay release: SSLeay 0.8.1b 1998-12-21 10:52:47 +00:00