
Using Verisign site cert with pound
"Michael St. Laurent" <mikes(at)hartwellcorp.com>
2006-12-21 17:33:59
Can a site certificate issued from Verisign be used with Pound?



Re: [Pound Mailing List] Using Verisign site cert with pound
Dave Steinberg <dave(at)redterror.net>
2006-12-21 17:54:12
Michael St. Laurent wrote:
> Can a site certificate issued from Verisign be used with Pound?
> 

Yes.  Certs are certs - they are not issuer-specific in any way.

Now, you might need intermediate certificates to establish the chain to 
something installed in the viewing computer, but that's a different 
issue (and generally a non-issue for Verisign).

Regards,
-- 
Dave Steinberg
http://www.geekisp.com/
http://www.steinbergcomputing.com/

RE: [Pound Mailing List] Using Verisign site cert with pound
"Michael St. Laurent" <mikes(at)hartwellcorp.com>
2006-12-21 18:59:54
The text I got from them is a bit different than what was created when I
used OpenSSL to generate my own.

Theirs starts with -----BEGIN CERTIFICATE----- and ends with -----END
CERTIFICATE-----.

The one I created with OpenSSL also has an RSA PRIVATE KEY section and a
DH PARAMETERS section.

I've tried using the Verisign cert as provided but pound will not start.
It reports a config error and terminates.

-- 
To unsubscribe send an email with subject 'unsubscribe' to
pound(at)apsis.ch.
Please contact roseg(at)apsis.ch for questions.
http://www.apsis.ch/pound/pound_list/archive/2006/2006-12/1166718839000/
1166720052000

Re: [Pound Mailing List] Using Verisign site cert with pound
Dave Steinberg <dave(at)redterror.net>
2006-12-21 19:37:47
Michael St. Laurent wrote:
> The text I got from them is a bit different than what was created when I
> used OpenSSL to generate my own.
> 
> Theirs starts with -----BEGIN CERTIFICATE----- and ends with -----END
> CERTIFICATE-----.

That's the actual cert.

> The one I created with OpenSSL also has an RSA PRIVATE KEY section and a
> DH PARAMETERS section.

That's a "pem format" cert.  It's exactly as you describe, key + dh 
params + cert.

> I've tried using the Verisign cert as provided but pound will not start.
> It reports a config error and terminates.

You'll need to use the cert verisign gave you to build a pem-format cert 
for use with pound.  Just follow the structure of the one you generated 
yourself (you can literally copy / paste the relevant private key in 
place).  Google for 'pem format' and similar for more details.

Note that DH params aren't specific to your cert / key, they can be 
generated on their own (in fact, you're supposed to change them 
periodically).

-- 
Dave Steinberg
http://www.geekisp.com/
http://www.steinbergcomputing.com/

Re: [Pound Mailing List] Using Verisign site cert with pound
Jon Garvin <jgarvin.lists(at)gmail.com>
2006-12-21 20:06:29
We're using several certs for different sites all through the same pound
process from GoDaddy.  They work like a charm, were easy to set up, and a heck
of a lot less expensive than VeriSign.

RE: [Pound Mailing List] Using Verisign site cert with pound
"Michael St. Laurent" <mikes(at)hartwellcorp.com>
2006-12-21 23:32:39
I can't figure this out.  We took this same text and used it to create a
.cer file and it worked on the IIS server.  On the linux system I opened
VI and pasted the text into the window.  The line count matches and it
looks like everything went in.  I save that and try to verify it:

[root(at)guardian certs]# openssl verify verisign.cer
unable to load certificate
28362:error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag:tasn_dec.c:946:
28362:error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error:tasn_dec.c:304:Type=X509_CINF
28362:error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_D2I:nested asn1 error:tasn_dec.c:566:Field=cert_info, Type=X509
28362:error:0906700D:PEM routines:PEM_ASN1_read_bio:ASN1 lib:pem_oth.c:82:
[root(at)guardian certs]#


RE: [Pound Mailing List] Using Verisign site cert with pound
"Joe Gooch" <mrwizard(at)k12system.com>
2006-12-22 00:49:38
IIS/IE usually use DER format.

Try openssl x509 -inform DER -in verisign.cer -noout -text

And see if you get results

If you don't, try openssl x509 -inform PEM -in verisign.cer -noout -text

You did include the --- BEGIN CERTIFICATE lines too, right?  They need to be
included.


You need a pem file that has the KEY and the CERT in it to work.  So something
like this:

pound.pem:
-----BEGIN RSA PRIVATE KEY-----
(whole bunch of Base64 letters/numbers/symbols)
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
(whole bunch of Base64 letters/numbers/symbols)
-----END CERTIFICATE-----


If you've done it right, openssl x509 -inform PEM -in pound.pem -noout -text
will return your certificate information.

Joseph Gooch
Sapphire Suite Product Manager
K12 Systems, Inc.
(866) 366-9540



RE: [Pound Mailing List] Using Verisign site cert with pound
"Michael St. Laurent" <mikes(at)hartwellcorp.com>
2006-12-22 18:15:10
Okay, I've requested a new certificate from GoDaddy hoping that I would be able
to manipulate it more easily as the cert request was issued by myself. 
However, when I generated the RSA key to issue the csr I used a key phrase on
it.  Will that interfere with creating the PEM file when the certificate info
arrives (should be in the next few minutes according to their representative)?


RE: [Pound Mailing List] Using Verisign site cert with pound
"Michael St. Laurent" <mikes(at)hartwellcorp.com>
2006-12-22 18:39:25
Ah, okay.  So I've got my cert and an intermediate cert to install as well.
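
The steps discussed in this thread as one script, added here as an example and not part of any poster's message: it accepts the CA's certificate as PEM or DER, refuses a passphrase-protected key, checks that key and certificate belong together, and writes key, site certificate and any intermediate certificates into one file. Function and file names are hypothetical; requiring an unencrypted key and placing intermediates after the site certificate are assumptions of this example.

```shell
#!/bin/sh
# Added example: assemble and check a combined PEM file for Pound.
# Function names and file names are hypothetical.

# to_pem_cert IN OUT: write certificate IN (PEM or DER) to OUT as PEM.
to_pem_cert() {
    openssl x509 -inform PEM -in "$1" -out "$2" 2>/dev/null ||
    openssl x509 -inform DER -in "$1" -out "$2" 2>/dev/null
}

# key_matches_cert KEY CERT: succeed only if both carry the same public key.
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout -passin pass: 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# build_pound_pem KEY CERT OUT [INTERMEDIATE...]
# Returns 2 for an encrypted key, 3 for an unreadable certificate,
# 4 for a key/certificate mismatch, 5 for a bad intermediate.
build_pound_pem() {
    key=$1 cert=$2 out=$3
    shift 3
    if grep -q ENCRYPTED "$key"; then
        echo "key is passphrase-protected; decrypt a copy first" >&2
        return 2
    fi
    tmp=$(mktemp) || return 1
    if ! to_pem_cert "$cert" "$tmp"; then
        echo "cannot parse $cert as PEM or DER" >&2; rm -f "$tmp"; return 3
    fi
    if ! key_matches_cert "$key" "$tmp"; then
        echo "key does not belong to $cert" >&2; rm -f "$tmp"; return 4
    fi
    (
        umask 077                      # the bundle holds the private key
        rm -f "$out"
        cat "$key" "$tmp" > "$out" || exit 1
        for ca in "$@"; do             # intermediates follow the site cert
            to_pem_cert "$ca" "$tmp" || exit 1
            cat "$tmp" >> "$out"
        done
    ) || { echo "bad intermediate certificate" >&2; rm -f "$tmp"; return 5; }
    rm -f "$tmp"
    # Final check from the thread: the bundle must parse as a certificate.
    openssl x509 -inform PEM -in "$out" -noout -subject >/dev/null
}
```

Called as `build_pound_pem site.key verisign.cer pound.pem intermediate.cer`, it leaves a mode-0600 `pound.pem` or a non-zero status naming the step that failed.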
