EldoS | Feel safer!

Software components for data protection, secure storage and transfer

Unable to share certs with Linux and vice versa

Posted: 04/25/2006 04:11:05
by Jim Lynch (Basic support level)
Joined: 04/25/2006
Posts: 3

We have been using SecureBlackbox on a Windows SSL socket server quite successfully, however we now need to duplicate the server on a Linux system using OpenSSl and have not discovered a way to use a common certificate. When we generate a 768 bit cert on Windows (.pem) and copy it to Linux, the SSL library croaks on the key, with some arcane message. If we use the openssl utility to verify the key, it simply states the key can't be read. If we generate a cert/private key on Linux and attempt to use it on Windows, it brings up a password popup window, even though there is no passphrase/password. If we simply press OK and leave the PW blank, it complains. The server code on the Linux side is quite happy with the new cert, however.
Can someone help us resolve this issue?
Posted: 04/25/2006 04:30:50
by Ken Ivanov (Team)

Would you be so kind to provide us additional information about the problem, i.e.:
a) what software was used to generate a certificate,
b) what exactly error messages are displayed by Linux and Windows software.

You can also export your Linux certificate to PFX (PKCS#12) file and try to import it on your Windows machine.
Posted: 04/25/2006 04:47:33
by Jim Lynch (Basic support level)
Joined: 04/25/2006
Posts: 3

Here are the openssl commands I'm using to generate the Linux cert. I'm working with another on the Windows side and he's located about 5 hours east of me, so I'll have to get the Windows info from him.

/usr/bin/openssl genrsa -out server.key 768
/usr/bin/openssl req -new -key server.key -out server.csr
/usr/bin/openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt

I then cat the server.crt and server.key together to get a .pem file.
Here is what he said when he attempted to use the file:
"Is there a password for the cert/key. An input box is asking for one when I load .pem file.

If I click OK on blank password, an error box appears with 'Invalid format' when processing. "

I did not enter a password when I generated the cert. To be sure, I did it again and sent him a new file. He had the same experience with it.

I don't know how he generated the .pem file on his end, except he said he was using SecureBlackbox.

This is the error I get when I attempt to use the file from a C++ server.
"9413:error:140B3009:SSL routines:SSL_CTX_use_RSAPrivateKey_file:PEM lib:ssl_rsa.c:632:"

Here is the statement that generated the failure.
if ( SSL_CTX_use_RSAPrivateKey_file(ctx, kFile, SSL_FILETYPE_PEM) <= 0) {
While it is possible there is an error in the code, since the Linux generated cert/key works OK, I don't think so.

When I attempt to do an openssl verify operation I get:

error 7 at 0 depth lookup:certificate signature failure
9490:error:0D07207B:asn1 encoding routines:ASN1_get_object:header too long:asn1_lib.c:140:
9490:error:0D068066:asn1 encoding routines:ASN1_CHECK_TLEN:bad object header:tasn_dec.c:935:
9490:error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error:tasn_dec.c:304:Type=X509_SIG
9490:error:0D089006:asn1 encoding routines:ASN1_verify:EVP lib:a_verify.c:162:
Posted: 04/25/2006 05:38:44
by Ken Ivanov (Team)

"Is there a password for the cert/key. An input box is asking for one when I load .pem file.
If I click OK on blank password, an error box appears with 'Invalid format' when processing. "

Unfortunately, this information is not enough to find out the reason for the problem. It would be excellent if your colleague will join the topic and provide the additional details on the SecureBlackbox version/edition he is using.

Please also try to save your certificate in PFX format and check if your colleague is able to open it:
openssl pkcs12 -export -in server.pem -out server.pfx

Please note, that server.pem should contain both a certificate and its private key.
Posted: 04/25/2006 11:18:09
by Jim Lynch (Basic support level)
Joined: 04/25/2006
Posts: 3

I'm trying to get the other guy in here too. I sent him a PFX format file, but have not heard back from him. He is using something called CertDemo. I've looked at the interface for the program and haven't a clue as to how to use it.
Posted: 04/25/2006 11:36:32
by Ken Ivanov (Team)

Thank you for the information. However, there are at least 3 different CertDemo applications (included to the .NET, VCL and ActiveX editions of SecureBlackbox). That's why we need to know, what exactly version and edition does your colleague use.
Posted: 04/26/2006 04:30:44
by sc dev (Standard support level)
Joined: 04/26/2006
Posts: 1

SecureBlackBox is version 2.x. CertDemo is for VCL from the Samples folder. It only allows the certificate to be loaded in .cer or .pem format.
Posted: 04/26/2006 09:02:10
by Eugene Mayevski (Team)

SBB 2.x is too old. Licensed users of SBB 2.3 can upgrade to the latest 3.x build for free or to SBB 4 by paying 50% of the current list price.

Sincerely yours
Eugene Mayevski



Topic viewed 16392 times

Number of guests: 1, registered members: 0, in total hidden: 0


Back to top

As of July 15, 2016 EldoS business operates as a division of /n software, inc. For more information, please read the announcement.

Got it!