Re: [Openca-Users] OpenCA and security vulnerability in Debian

2008-05-21 Thread Dominique Lohez
Maciej Szuba wrote:
 Hello!
 What should I do? I use Debian for the subca; the rootca is running on
 Fedora. I generated 400 certs on the subca and distributed them to clients.
 Last week I saw a message about the openssl vulnerability in Debian:
 Luciano Bello discovered that the random number generator in Debian's
 openssl package is predictable.  This is caused by an incorrect
 Debian-specific change to the openssl package (CVE-2008-0166).  As a
 result, cryptographic key material may be guessable.  I checked: the certs
 are affected.  So I must revoke all clients' certs and the
 subca cert in the rootca. But I have a question: what about the CRL? Where
 will clients find the CRL if I revoke (and generate a new) subca cert? I would
 like to ask the developers about a way to find a solution.

Here is a hint of an answer.
Normally things SHOULD work this way:
the users' certs are recognized because they are issued by the trusted
CA subca;
subca is trusted because of the certificate issued by the rootCA;
so revoking the subca certificate and issuing the corresponding CRL from
the unvulnerable root CA should be sufficient.
Now you must be sure that both checks, of the user cert and of the subca
cert, are always effective.

I hope this helps.

Dominique
 Maciej

 -
 This SF.net email is sponsored by: Microsoft 
 Defy all challenges. Microsoft(R) Visual Studio 2008. 
 http://clk.atdmt.com/MRT/go/vse012070mrt/direct/01/
 ___
 Openca-Users mailing list
 Openca-Users@lists.sourceforge.net
 https://lists.sourceforge.net/lists/listinfo/openca-users
-- 
Dr Dominique LOHEZ
ISEN
41, Bd Vauban
F59046 LILLE
France

Phone : +33 (0)3 20 30 40 71
Email: [EMAIL PROTECTED]




Re: [Openca-Users] OpenCA and security vulnerability in Debian

2008-05-21 Thread Maciej Szuba
Hello Dominique!!
OK, thanks for the answer. But I don't understand one thing. I think the way
to do this is: the first step is to revoke the user certs on the subca, and these
serials can be found in the subca CRL; next, revoke the subca cert, and the
root CRL includes this information. The next step is to generate a new
cert for the subca, have this subca cert signed by the root CA, and import it back
on the subca. I use the batch processor to automate the process of generating certs
for clients. But I don't know one thing: does the CRL on the subca include the
revoked certs??? That is important because clients can verify the
status of old certs.

Maybe this is the wrong way?? Maybe I only need to revoke the cert of the subca,
destroy the subca and create a new one. But what about the clients? Where do they find
info about this action, that is, the CRL? I want to create the new subca with
the same domain name as the destroyed old one.
Maciej

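The chain Dominique describes (user certs trusted through the subca, the subca trusted through the rootCA, revocation published on the root's CRL) and Maciej's question of whether the subca CRL must also list the revoked user certs, as an added example that is not part of this thread and not OpenCA code: a throwaway root -> subca -> client PKI built with the openssl command-line tool in a temporary directory, with hypothetical names (RootCA, SubCA, client1). It shows that once the subca is on the root's CRL, a verifier that checks CRLs for the whole chain (openssl verify -crl_check_all) rejects the client cert, while a verifier that only checks the leaf's CRL (-crl_check) still accepts it; that is the "both checks must be effective" caveat. Revoking the client cert on the subca's own CRL as well closes that gap for leaf-only checkers.

```shell
#!/bin/sh
# Added example, not from the OpenCA thread. Builds a two-tier test PKI with
# the openssl CLI, revokes the sub-CA on the root's CRL, and compares a
# leaf-only CRL check with a whole-chain CRL check. All names and paths are
# hypothetical; everything lives in a fresh temporary directory.
set -eu

WORK=$(mktemp -d)

# Minimal openssl.cnf for one CA: `openssl ca` needs a database, a serial
# file and a CRL-number file; the v3_* sections are the extensions we sign with.
write_ca_config() {   # $1 = CA name (root or subca)
  d="$WORK/$1"
  mkdir -p "$d/newcerts"
  : > "$d/index.txt"
  echo 1000 > "$d/serial"
  echo 01 > "$d/crlnumber"
  cat > "$d/openssl.cnf" <<EOF
[ ca ]
default_ca         = CA_default
[ CA_default ]
new_certs_dir      = $d/newcerts
database           = $d/index.txt
serial             = $d/serial
crlnumber          = $d/crlnumber
default_md         = sha256
default_days       = 365
default_crl_days   = 30
policy             = policy_any
[ policy_any ]
commonName         = supplied
[ req ]
distinguished_name = req_dn
prompt             = no
[ req_dn ]
CN                 = placeholder
[ v3_ca ]
basicConstraints   = critical, CA:TRUE
keyUsage           = critical, keyCertSign, cRLSign
[ v3_leaf ]
basicConstraints   = CA:FALSE
keyUsage           = digitalSignature
EOF
}

gen_key() { openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$1" 2>/dev/null; }

# Sign a CSR with the named CA ($1), using extension section $2, writing $4 from $3.
ca_sign() {
  openssl ca -batch -config "$WORK/$1/openssl.cnf" -cert "$WORK/$1/ca.crt" \
    -keyfile "$WORK/$1/ca.key" -extensions "$2" -notext -in "$3" -out "$4" >/dev/null 2>&1
}

# Re-issue both CRLs and concatenate them: one file with every issuer's CRL.
refresh_crls() {
  for ca in root subca; do
    openssl ca -config "$WORK/$ca/openssl.cnf" -cert "$WORK/$ca/ca.crt" \
      -keyfile "$WORK/$ca/ca.key" -gencrl -out "$WORK/$ca/ca.crl" 2>/dev/null
  done
  cat "$WORK/root/ca.crl" "$WORK/subca/ca.crl" > "$WORK/all.crl"
}

# root (self-signed) -> subca -> client1, plus initial (empty) CRLs.
build_pki() {
  write_ca_config root
  write_ca_config subca
  gen_key "$WORK/root/ca.key"
  openssl req -x509 -config "$WORK/root/openssl.cnf" -extensions v3_ca \
    -key "$WORK/root/ca.key" -subj /CN=RootCA -days 365 -out "$WORK/root/ca.crt"
  gen_key "$WORK/subca/ca.key"
  openssl req -new -config "$WORK/subca/openssl.cnf" -key "$WORK/subca/ca.key" \
    -subj /CN=SubCA -out "$WORK/subca/ca.csr"
  ca_sign root v3_ca "$WORK/subca/ca.csr" "$WORK/subca/ca.crt"
  gen_key "$WORK/client.key"
  openssl req -new -config "$WORK/subca/openssl.cnf" -key "$WORK/client.key" \
    -subj /CN=client1 -out "$WORK/client.csr"
  ca_sign subca v3_leaf "$WORK/client.csr" "$WORK/client.crt"
  refresh_crls
}

# Revoke certificate $2 on CA $1 (reason: key compromise, as for CVE-2008-0166 keys).
revoke_on() {
  openssl ca -config "$WORK/$1/openssl.cnf" -cert "$WORK/$1/ca.crt" \
    -keyfile "$WORK/$1/ca.key" -revoke "$2" -crl_reason keyCompromise 2>/dev/null
  refresh_crls
}

# $1 = -crl_check (leaf's CRL only) or -crl_check_all (every cert in the chain).
# Prints ok, revoked, or fail.
verify_client() {
  if out=$(openssl verify -CAfile "$WORK/root/ca.crt" -untrusted "$WORK/subca/ca.crt" \
             -CRLfile "$WORK/all.crl" "$1" "$WORK/client.crt" 2>&1); then
    echo ok
  elif echo "$out" | grep -q "certificate revoked"; then
    echo revoked
  else
    echo fail
  fi
}

# Whole scenario; prints four words: chain check before revocation, leaf-only
# and chain checks after the sub-CA is revoked, leaf-only check after the
# client cert is also revoked on the sub-CA's own CRL.
run_scenario() {
  build_pki
  a=$(verify_client -crl_check_all)
  revoke_on root "$WORK/subca/ca.crt"
  b=$(verify_client -crl_check)
  c=$(verify_client -crl_check_all)
  revoke_on subca "$WORK/client.crt"
  d=$(verify_client -crl_check)
  echo "$a $b $c $d"
}

run_scenario
```

The second word is the one to watch: after the subca is revoked on the root's CRL, a client that only fetches the leaf issuer's CRL (-crl_check) still reports ok, because nothing in that check looks at the subca's own status. Only a chain-wide check (-crl_check_all, or the equivalent setting in whatever software the 400 clients run) turns the root's revocation into a rejection; listing the user certs on the subca CRL as well is what covers the weaker verifiers.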