Re: [Openca-Users] OpenCA and security vulnerability in Debian

2008-05-21 Thread Maciej Szuba 
Hello Dominique!!
Ok thx for answer. But I don't understand one thing. I  think the way
to do this is: So first step is revoked user certs on subca and these
serials I can find in subca crl , next is  revoked subca cert, and
root crl include this information. So next step is new generete new
cert from subca, subscribe this subca cert in  root ca, import back it
on subca. I use batch processor to automatics process generating cert
for client. But I don't know one thing. The crl on subca  include
revoked  cert??? That is important because client can verificate
status old certs.

Maybe this is wrong way?? Maybe I only need revoke cert of  subca,
destroy subca and create new. But what about client. Where they find
info about this action that mean crl. I want create new subca that has
domaine name the same like this destroy old.
Maciej

2008/5/21 Dominique Lohez [EMAIL PROTECTED]:
 Maciej Szuba a écrit :
 Hello!
 What should I have do? I use Debian for subca, rootca is working on
 Fedora. I generated 400 cert on subca and distributed to clients.
 Last week I saw message about openssl vulnerability in Debian:
 Luciano Bello discovered that the random number generator in Debian's
 openssl package is predictable.  This is caused by an incorrect
 Debian-specific change to the openssl package (CVE-2008-0166).  As a
 result, cryptographic key material may be guessable.  I check certs
 are Affected.  So in this way I must revoked all client 's certs and
 subca cert in rootca. But i have a questions what about crl, where
 client find crl if I revoced (and genetated new) subca cert. I would
 like ask developers about way to find solution??

 here is a hint of answer
 Normally   the things SHOULD work  that way
 the  user's certs  are recognized  becuse they are issued by the trusted
 CA subca
 subca is trusted because of certificate issued by rootCA
 so revoking the subca certificate and issue the corresponding CRL from
 rhe unvulnerable root CA should be sufficient
 Now you must be sure that the both check of  user and subca are   always
 effective

 I hope this help

 Dominique
 Macie

 -
 This SF.net email is sponsored by: Microsoft
 Defy all challenges. Microsoft(R) Visual Studio 2008.
 http://clk.atdmt.com/MRT/go/vse012070mrt/direct/01/
 ___
 Openca-Users mailing list
 Openca-Users@lists.sourceforge.net
 https://lists.sourceforge.net/lists/listinfo/openca-users





 --
 Dr Dominique LOHEZ
 ISEN
 41, Bd Vauban
 F59046 LILLE
 France

 Phone : +33 (0)3 20 30 40 71
 Email: [EMAIL PROTECTED]


 -
 This SF.net email is sponsored by: Microsoft
 Defy all challenges. Microsoft(R) Visual Studio 2008.
 http://clk.atdmt.com/MRT/go/vse012070mrt/direct/01/
 ___
 Openca-Users mailing list
 Openca-Users@lists.sourceforge.net
 https://lists.sourceforge.net/lists/listinfo/openca-users


-
This SF.net email is sponsored by: Microsoft 
Defy all challenges. Microsoft(R) Visual Studio 2008. 
http://clk.atdmt.com/MRT/go/vse012070mrt/direct/01/
___
Openca-Users mailing list
Openca-Users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openca-users

[Openca-Users] OpenCA and security vulnerability in Debian

2008-05-20 Thread Maciej Szuba 
Hello!
What should I have do? I use Debian for subca, rootca is working on
Fedora. I generated 400 cert on subca and distributed to clients.
Last week I saw message about openssl vulnerability in Debian:
Luciano Bello discovered that the random number generator in Debian's
openssl package is predictable.  This is caused by an incorrect
Debian-specific change to the openssl package (CVE-2008-0166).  As a
result, cryptographic key material may be guessable.  I check certs
are Affected.  So in this way I must revoked all client 's certs and
subca cert in rootca. But i have a questions what about crl, where
client find crl if I revoced (and genetated new) subca cert. I would
like ask developers about way to find solution??
Macie

-
This SF.net email is sponsored by: Microsoft 
Defy all challenges. Microsoft(R) Visual Studio 2008. 
http://clk.atdmt.com/MRT/go/vse012070mrt/direct/01/
___
Openca-Users mailing list
Openca-Users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openca-users

[Openca-Users] Batch processor use for create crt from csr?

2007-09-03 Thread Maciej Szuba 
Hello !

I would like to use a batch processor to create certificates for my clients.
I know that I can make this by prepared batch_process_date.txt file, and it
really work! But I can't use this standard workflow (statemachine concept),
because I use java application, which generate private key on pki card and
create csr. So in this way I obtain 400 csr, and I would like create  400
certs.

It is possibility to use batch for this work. How?

Any help for pointers how I must approach this task would be very

appreciated,


 Maciej
-
This SF.net email is sponsored by: Splunk Inc.
Still grepping through log files to find problems?  Stop.
Now Search log events and configuration files using AJAX and a browser.
Download your FREE copy of Splunk now   http://get.splunk.com/___
Openca-Users mailing list
Openca-Users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openca-users