Hello Dominique!! OK, thanks for the answer. But I don't understand one thing. I think the way to do this is: the first step is to revoke the user certs on the subca, and these serials I can find in the subca CRL; next is to revoke the subca cert, and the root CRL includes this information. The next step is to generate a new cert from the subca, subscribe this subca cert in the root CA, and import it back on the subca. I use the batch processor to automate the process of generating certs for clients. But I don't know one thing: does the CRL on the subca include the revoked certs??? That is important because clients can verify the status of old certs.
Maybe this is the wrong way?? Maybe I only need to revoke the cert of the subca, destroy the subca and create a new one. But what about the clients? Where do they find info about this action, that means the CRL? I want to create a new subca that has the same domain name as the destroyed old one.

Maciej

2008/5/21 Dominique Lohez <[EMAIL PROTECTED]>:
> Maciej Szuba wrote:
>> Hello!
>> What should I do? I use Debian for the subca; the rootca is running on
>> Fedora. I generated 400 certs on the subca and distributed them to clients.
>> Last week I saw a message about an openssl vulnerability in Debian:
>> "Luciano Bello discovered that the random number generator in Debian's
>> openssl package is predictable. This is caused by an incorrect
>> Debian-specific change to the openssl package (CVE-2008-0166). As a
>> result, cryptographic key material may be guessable." I checked and the
>> certs are affected. So in this way I must revoke all the clients' certs and
>> the subca cert in the rootca. But I have a question: what about the CRL, where
>> do clients find the CRL if I revoke (and generate a new) subca cert? I would
>> like to ask the developers about a way to find a solution??
>>
> Here is a hint of an answer.
> Normally things SHOULD work this way:
> the user's certs are recognized because they are issued by the trusted
> CA subca;
> subca is trusted because of the certificate issued by rootCA;
> so revoking the subca certificate and issuing the corresponding CRL from
> the non-vulnerable root CA should be sufficient.
> Now you must be sure that both checks, of user and of subca, are always
> effective.
>
> I hope this helps
>
> Dominique
>> Macie
>
> --
> Dr Dominique LOHEZ
> ISEN
> 41, Bd Vauban
> F59046 LILLE
> France
>
> Phone : +33 (0)3 20 30 40 71
> Email: [EMAIL PROTECTED]

_______________________________________________
Openca-Users mailing list
Openca-Users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openca-users
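
The requirement raised in the reply above, that both the user-certificate check and the subca check must be effective, can be tried on a throwaway PKI. The script below is an added example, not part of the original thread or of OpenCA; it uses the stock `openssl` command line, and all CA names, file names, serials and lifetimes are constructed for the demo.

```shell
#!/bin/sh
# Constructed throwaway PKI: Demo Root CA -> Demo Sub CA -> Demo User.
# Every name, file and lifetime below is an assumption made for this demo.

issue() {  # issue NAME CN ISSUER SERIAL [extra "openssl x509" options]
  n=$1 cn=$2 issuer=$3 serial=$4; shift 4
  openssl req -config pki.cnf -new -newkey rsa:2048 -nodes -keyout "$n.key" \
    -subj "/CN=$cn" -out "$n.csr" 2>/dev/null
  openssl x509 -req -in "$n.csr" -CA "$issuer.pem" -CAkey "$issuer.key" \
    -set_serial "$serial" -days 30 -out "$n.pem" "$@" 2>/dev/null
}

check() {  # $1: -crl_check (leaf only) or -crl_check_all (every chain level)
  cat root.crl sub.crl > crls.pem
  if openssl verify "$1" -CAfile root.pem -untrusted sub.pem \
       -CRLfile crls.pem user.pem >/dev/null 2>&1
  then echo accepted; else echo rejected; fi
}

subca_revocation_demo() (
  set -e
  dir=$(mktemp -d); trap 'rm -rf "$dir"' EXIT; cd "$dir"
  printf '%s\n' '[req]' 'distinguished_name = dn' '[dn]' 'CN = Common Name' \
    '[v3_ca]' 'basicConstraints = critical,CA:TRUE' \
    'keyUsage = critical,keyCertSign,cRLSign' > pki.cnf
  for ca in root sub; do  # one "openssl ca" section and empty database per CA
    printf '%s\n' "[$ca]" "database = $ca.idx" "certificate = $ca.pem" \
      "private_key = $ca.key" 'default_md = sha256' 'default_crl_days = 7' >> pki.cnf
    : > "$ca.idx"
  done
  openssl req -config pki.cnf -x509 -extensions v3_ca -newkey rsa:2048 -nodes \
    -keyout root.key -subj "/CN=Demo Root CA" -days 30 -out root.pem 2>/dev/null
  issue sub "Demo Sub CA" root 1 -extfile pki.cnf -extensions v3_ca
  issue user "Demo User" sub 2
  for ca in root sub; do
    openssl ca -config pki.cnf -name "$ca" -gencrl -out "$ca.crl" 2>/dev/null
  done
  echo "before leaf-only=$(check -crl_check) whole-chain=$(check -crl_check_all)"
  # The root CA revokes the sub CA certificate and publishes a fresh root CRL.
  openssl ca -config pki.cnf -name root -revoke sub.pem 2>/dev/null
  openssl ca -config pki.cnf -name root -gencrl -out root.crl 2>/dev/null
  echo "after leaf-only=$(check -crl_check) whole-chain=$(check -crl_check_all)"
)

subca_revocation_demo
```

A relying party that checks revocation only for the leaf keeps accepting the user certificate after the sub CA is revoked; the root CRL entry takes effect only when every level of the chain is checked.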