the two .pem's...
Mar. 18, 2012, 07:23 PM
Post: #1
the two .pem's...
is it possible to get an updated "how to" so that users can "roll their own" as far as the two *.pem files go?

i have tried and tried, then tried and tried, and then tried and tried yet again to "roll my own"... used everything from 98 FIRST edition to 98 SECOND edition to XP to Vista - NONE of the "rolled" .pem's have "worked"... at least not the 'certs.pem', the 'proxcert.pem' "seems to" be just fine (not that i really know "how" to test it independently of 'certs.pem')...
Mar. 19, 2012, 12:57 AM
Post: #2
RE: the two .pem's...
Upload a couple of the 'certs.pem' files. I'll see if I can see what is wrong.

I'm assuming that you used the instructions and files in 'make-certspem.zip', http://prxbx.com/forums/showthread.php?t...6#pid15196 .
Mar. 19, 2012, 01:18 AM (This post was last modified: Mar. 19, 2012 01:20 AM by ProxRocks.)
Post: #3
RE: the two .pem's...
yes, those instructions to-a-T...

have used Notepad, WordPad, Notepad++, Notepad2, and MetaPad...

have used WinXP, Vista, Win98, and Win98SE...

have even deleted the "expired" ones (which the instructions "to-a-T" would suggest leaving the expired ones in)...

have checked the "include all in path" checkbox (an option when exporting as .p7b), have also left it unchecked...


can only upload ONE (Win98SE & WordPad)...
it's sheer luck that this one hasn't been deleted yet (why keep 'em around if they don't work?)...


much appreciated, i really want to be able to roll these myself...
and perhaps even learn how to edit them for sites such as RapidShare - wink, wink...


Attached File(s)
.zip  certs.zip (Size: 223.23 KB / Downloads: 604)
Mar. 19, 2012, 02:12 AM
Post: #4
RE: the two .pem's...
I'm assuming that nag screens mean it doesn't work. Wink

(Mar. 19, 2012 01:18 AM)ProxRocks Wrote:  yes, those instructions to-a-T...

Are you sure that you only exported those certificates used for "Server Authentication"? I don't remember some of these.

Quote:
* Under the control panel go to...
Internet Options->Content->Certificates
* Go to the "Trusted Root Certification Authorities" tab
* Select "Advanced"
* Check *only* "Server Authentication"
* "Export Format" should be PKCS #7
* exit back to certificates tab
* Pick <advanced purposes> from the drop-down selector at the top of the "Certificate manager" tab
* Select all the certificates left in the tab's listbox and click "Export"
However, those issued to "Microsoft Root Certificate Authority" will need to be removed later, if extracted.
* Follow through and save the certs to "certs.p7b"
* Add "certs.p7b" to the "make-certspem" folder.
* Run "make-certspem.bat".
There should now be a "certs.pem" file in the "make-certspem" folder.
* Use an editor to remove the certificates issued to "Microsoft Root Certificate Authority" from "certs.pem", if necessary.
* Rename the old "certs.pem" in the Proxomitron's folder.
* Add the new "certs.pem" to the Proxomitron's folder.
* You should be done.



(Mar. 19, 2012 01:18 AM)ProxRocks Wrote:  have even deleted the "expired" ones (which the instructions "to-a-T" would suggest leaving the expired ones in)...

Expired certs can be necessary. They may be needed for things that were signed before they expired.

(Mar. 19, 2012 01:18 AM)ProxRocks Wrote:  much appreciated, i really want to be able to roll these myself...
and perhaps even learn how to edit them for sites such as RapidShare - wink, wink...

This editing is little more than trial and error. If a new 'certs.pem' throws an error where the old one didn't, I remove new certs from the new 'certs.pem' until the problem cert is found.
Mar. 19, 2012, 02:26 AM
Post: #5
RE: the two .pem's...
(Mar. 19, 2012 02:12 AM)JJoe Wrote:  I'm assuming that nag screens mean it doesn't work. Wink

Are you sure that you only exported those certificates used for "Server Authentication"? I don't remember some of these.

* Pick <advanced purposes>

server authentication - POSITIVE

advanced purposes - 99% positive for MOST of the "roll attempts", but no, i did forget that step in the attached win98se attempt...

nag screen - HADES YES, if there is a nag-crap-piece-of-shinola, then it DOES NOT WORK Smile!
Mar. 19, 2012, 03:17 AM
Post: #6
RE: the two .pem's...
(Mar. 19, 2012 02:26 AM)ProxRocks Wrote:  nag screen - HADES YES, if there is a nag-crap-piece-of-shinola, then it DOES NOT WORK Smile!

I think that there are nags that can't be fixed by editing.
Mar. 19, 2012, 01:44 PM
Post: #7
RE: the two .pem's...
i've rolled another, paying closer attention to the instructions, lol...
(after rolling DOZENS of them, i actually thought i had the process "memorized", but yeah, i did miss ONE step...)

BUT this one "nag screens" at http://https-px-.secure.ingdirect.com/my...splayLogin whereas your posted certs.pem does not - so i'm still "missing something"...

do you see anything 'wrong' with the attached?


Attached File(s)
.zip  certs.zip (Size: 207.52 KB / Downloads: 567)
Mar. 19, 2012, 03:58 PM
Post: #8
RE: the two .pem's...
(Mar. 19, 2012 01:44 PM)ProxRocks Wrote:  do you see anything 'wrong' with the attached?

What happens after you remove

Code:
subject=/C=US/O=GTE Corporation/OU=GTE CyberTrust Solutions, Inc./CN=GTE CyberTrust Root
issuer=/C=US/O=GTE Corporation/OU=GTE CyberTrust Solutions, Inc./CN=GTE CyberTrust Root
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

?

HTH
Mar. 19, 2012, 04:55 PM
Post: #9
RE: the two .pem's...
Eureka! That did the trick!

Fairly limited testing, but so far so good...
(not with RapidShare, not to beat that dead horse, lol...)


How did you know to remove that one?

I'm also noticing that my rolled certs.pem is 416 KB whereas the publicly posted update dated 1/2/2012 is 560 KB - does this indicate that I'm still "missing" something?
Mar. 19, 2012, 09:52 PM (This post was last modified: Mar. 19, 2012 09:53 PM by JJoe.)
Post: #10
RE: the two .pem's...
(Mar. 19, 2012 04:55 PM)ProxRocks Wrote:  How did you know to remove that one?

I've been removing it from my 'certs.pem' files.
Found it by one slightly educated guess.

(Mar. 19, 2012 04:55 PM)ProxRocks Wrote:  I'm also noticing that my rolled certs.pem is 416 KB whereas the publicly posted update dated 1/2/2012 is 560 KB - does this indicate that I'm still "missing" something?

You have fewer certs. Probably best to use a file comparison program to see the details.
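An added example, not part of the thread or of 'make-certspem.zip': comparing two 'certs.pem' bundles certificate by certificate instead of by file size, and dropping one entry by subject, as in the trial-and-error removal described in post #4. It assumes the subject=/issuer= layout shown in the thread's Code: boxes; the function names are hypothetical and the sample entries are constructed placeholder bytes, not real certificates.

```python
import base64
import hashlib
import re

# One bundle entry: optional "subject="/"issuer=" lines (the layout shown in
# this thread's Code: boxes) followed by a PEM certificate block.
ENTRY = re.compile(
    r"(?:^subject=(?P<subject>[^\n]*)\n(?:issuer=[^\n]*\n)?)?"
    r"-----BEGIN CERTIFICATE-----(?P<body>.*?)-----END CERTIFICATE-----",
    re.S | re.M,
)

def load_bundle(text):
    """Map SHA-256 of each certificate's decoded bytes to its subject line."""
    certs = {}
    for m in ENTRY.finditer(text):
        der = base64.b64decode("".join(m.group("body").split()))
        subject = (m.group("subject") or "(no subject line)").strip()
        certs[hashlib.sha256(der).hexdigest()] = subject
    return certs

def compare_bundles(old_text, new_text):
    """Return (subjects only in old, subjects only in new), matched by hash."""
    old, new = load_bundle(old_text), load_bundle(new_text)
    return (sorted(old[h] for h in old.keys() - new.keys()),
            sorted(new[h] for h in new.keys() - old.keys()))

def drop_subject(text, subject):
    """Return the bundle with every entry for `subject` removed."""
    keep = lambda m: "" if (m.group("subject") or "").strip() == subject else m.group(0)
    return ENTRY.sub(keep, text)

def _entry(subject, blob):
    # Constructed sample entry: blob is placeholder bytes, NOT a real certificate.
    b64 = base64.b64encode(blob).decode()
    return (f"subject={subject}\nissuer={subject}\n-----BEGIN CERTIFICATE-----\n"
            f"{b64}\n-----END CERTIFICATE-----\n\n")

A, B, C = "/CN=Constructed Root A", "/CN=Constructed Root B", "/CN=Constructed Root C"
OLD = _entry(A, b"sample-a") + _entry(B, b"sample-b")   # stands in for the working certs.pem
NEW = _entry(B, b"sample-b") + _entry(C, b"sample-c")   # stands in for a freshly rolled one

if __name__ == "__main__":
    only_old, only_new = compare_bundles(OLD, NEW)
    print("only in old:", only_old)
    print("only in new:", only_new)   # candidates to remove one at a time
    print("after drop :", sorted(load_bundle(drop_subject(NEW, C)).values()))
```

To use it on real files, read each 'certs.pem' as text and pass the two strings to `compare_bundles`.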
Mar. 19, 2012, 10:44 PM
Post: #11
RE: the two .pem's...
did you intentionally add cert's that "windows" didn't fetch on its own?
Mar. 19, 2012, 10:58 PM
Post: #12
RE: the two .pem's...
(Mar. 19, 2012 10:44 PM)ProxRocks Wrote:  did you intentionally add cert's that "windows" didn't fetch on its own?

No.

However, I would add

Code:
subject=/OU=Copyright (c) 1997 Microsoft Corp./OU=Microsoft Corporation/CN=Microsoft Root Authority
issuer=/OU=Copyright (c) 1997 Microsoft Corp./OU=Microsoft Corporation/CN=Microsoft Root Authority
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

if not already present.

HTH
Mar. 20, 2012, 12:43 AM
Post: #13
RE: the two .pem's...
already added, that's why i'm surprised we have different file sizes...
haven't "compared" the two side-by-side yet, just going by file size...

i'd be more "confident" if there was a ".crl" file that could be downloaded from Microsoft (gasp!) or VeriSign or whoever the biggies in the .crl-world are and that there was a way to convert those to .pem... but i'm totally clueless and don't know if that's just totally too far "out there"...
Mar. 20, 2012, 01:51 AM (This post was last modified: Mar. 20, 2012 01:53 AM by JJoe.)
Post: #14
RE: the two .pem's...
I don't think there is a 'complete' store of certificates. You start with some and add or remove as needed.

For Windows XP SP3, you can find and install the latest "rootsupd.exe", http://www.microsoft.com/download/en/details.aspx?id=28965 .

I used Windows Update to get a current store before I extracted the certs.
Mar. 20, 2012, 11:06 AM
Post: #15
RE: the two .pem's...
will give that a try...

initial observation is that rootsupd.exe is dated 2/27/2012 whereas the posted certs.pem is dated 1/2/2012...

seems worthy to note in that the RapidShare nag-screen-piece-of-shi-er-um-crap started sometime BETWEEN those two dates (not sure if that's "significant" or not)...