Comments on the wild web: roll your own EV
Sid Stamm, updated 2024-03-15T21:12:43.843-07:00

Sid Stamm (2022-01-24T05:34:22.045-08:00):
I haven't done anything with EV SSL in quite a long time, but if you're having trouble with the businessCategory, check out the CA/Browser Forum's EV SSL requirements: https://cabforum.org/ev-certificate-contents/

There it says businessCategory is a string, which seems to have changed since I wrote this blog post in April 2009.
"Business Category (EVG 9.2.4) – This field must contain one of the following strings: “Private Organization”, “Government Entity”, “Business Entity”, or “Non-Commercial Entity”."

Anonymous (2018-03-14T01:06:08.389-07:00):
When using the openssl-ca utility to create the request and sign certificate I'm receiving an error about creating the object 'businessCategory' from the example openssl config: https://gist.github.com/h1nk/aa8531930e0f8b0f5d880c1a391fd484

Anonymous (2018-03-14T01:03:55.066-07:00):
I'm receiving an error when trying to use the openssl-ca utility to create the request and sign the certificate (OpenSSL 1.1.1-pre3-dev): https://gist.github.com/h1nk/aa8531930e0f8b0f5d880c1a391fd484

Anonymous (2018-03-12T15:45:04.416-07:00):
Thanks for the great blog post! I'm having trouble working out the details of the openssl.cnf to get to actually sign a request. I find that if I have the businessCategory = 2.5.4.15 in the [ new_oids ] section (as you suggest), that ca complains that "object identifier routines:OBJ_create:oid exists" (and points to ../crypto/objects/obj_dat.c). Well, then, if I remove that from new_oids, then I can get farther (past the signature check) but then "The businessCategory field needed to be supplied and was missing". Let me know if I'm missing something very obvious or if there are more in-depth resources I should be studying.

Chase (2017-05-06T21:45:19.626-07:00):
For the life of me, I can't understand why these comments all have times but no dates, which is the most relevant.

Anonymous (2010-09-14T16:37:39.128-07:00):
Since I don't have the CA.pl or the batch file, I'm wondering if the basicConstraints, keyUsage, and OID fields are required for the CA to then make the EV. I already have a CA cert at https://podaci.co.uk/root.crt without those properties and am wondering if I will have to create a new one and re-issue the current certs in order to use it to make an EV intermediary CA.

Sid Stamm (2010-07-27T13:28:27.652-07:00):
@dsage: I take that back, it was probably a pre-release 3.5 build since I was working on mozilla-central in April 2009.

Sid Stamm (2010-07-27T13:26:33.226-07:00):
@Anonymous: It's still there (see http://mxr.mozilla.org/mozilla-central/source/security/nss/Makefile#81). I tried it today and it worked.

With mozilla-central checked out, you have to change to the security/nss/ subdirectory and issue the make command there.

@dsage: I think this was 3.0.17. Should still work in 3.6 or trunk builds today since NSS hasn't changed a whole lot.

Anonymous (2010-07-27T11:06:53.423-07:00):
I know that this article is a little old, but may I ask what version of Firefox you used?

Anonymous (2010-07-25T14:19:24.622-07:00):
I understand your reasoning, but all of the makefiles that I get, have no target for nss_build_all so is there a way I can add that?

Sid Stamm (2010-07-13T09:37:54.555-07:00):
@Anonymous: no, I won't post a patched build of Firefox. You have to patch it and compile it with your own CA and OID details anyway, so unless I post my custom CA's private key and cert along with the patch it is useless.

I also am of the opinion that if you want to play with fire, you should know how fire works. :)

Anonymous (2010-07-12T19:54:33.912-07:00):
Can you provide a link to a patched firefox?

Ted Mielczarek (2009-06-15T12:59:20.826-07:00):
I filed a bug on figuring out a way to add EV tests to our mochitest suite a while back:
https://bugzilla.mozilla.org/show_bug.cgi?id=458727

Sid Stamm (2009-04-22T10:40:00.000-07:00):
@btornado: hah, yeah, I should probably clarify that, thanks. (See edit.)

Unknown (2009-04-22T10:28:00.000-07:00):
I'm sure this is common knowledge in your field, but what is EV?