On Fri, Feb 07, 2003 at 05:39:21PM +0100, Michael Bell wrote:
> OpenCA includes a mechanism to be protected against key compromising by 
> bad random number generators. If you need a new cert for the same key 
> then please go to the old request (now archived request). There is a 
> renew button.

Aha. Moving from 0.8.x to 0.9.1 meant manually transferring things.
I did not (yet?) transfer the requests...

> Please take in mind that the actual OpenSSL ca command is a little bit 
> problematical (or better the database handling is the problem) if you 
> try to issue a certificate with the same DN (I think you know this 
> problem better than I :) ). There are four solutions:
> 
> 1. Issue a certificate with a different DN. If you include the 
> serialnumber into the DN then there is no problem by default.

I see.

> 2. There is a patch for OpenSSL to deactivate the index verification of 
> OpenSSL for DNs (-nouniqueDN). This patch was contributed to OpenSSL but 
> the patch was not included in 0.9.7 because it was too late and until 
> today nobody added it to the 0.9.8 tree but it is in the bug tracking 
> system of OpenSSL (#299). I think there are too many problems with the 
> 0.9.7. The patch itself was for 0.9.7 snapshots during the beta phase of 
> 0.9.7.

In another environment I use(d) to issue certificates directly with
OpenSSL. Manually editing the certificate database did the trick :-)
Probably not elegant, though :-)
Seems I'll have to push #299 or include the modification myself :-)

> 3. You wait until the certs are expired, renew the requests and then you 
> can issue certs with the same DN.

This already happened to my certificate today but I do have a bunch of
other certificates to expire in the next days...

> 4. You revoke the old certs, renew the archived requests and then you 
> can issue new certs with the same DN.
> 
> I think the following about the options:
> 
> - 3 and 4 are obsolete
> - 2 is the best way but you have to patch OpenSSL
> - 1 is the default way if you can accept another DN for the new certs
> 
> I hope one of these options work for you. What do you think about them?

As I stated above, having a second certificate for the same DN _and_ the
same public key was possible with manually tricking around with OpenSSL.
Netscape even can handle this situation (several certificates with the same
private key) and will automatically use the correct (valid) one.
I also cannot see a reason to not use this technique... Do you see one?

Best regards,
        Lutz
-- 
Lutz Jaenicke                             [EMAIL PROTECTED]
http://www.aet.TU-Cottbus.DE/personen/jaenicke/
BTU Cottbus, Allgemeine Elektrotechnik
Universitaetsplatz 3-4, D-03044 Cottbus


_______________________________________________
Openca-Users mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/openca-users
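To make the "database handling" problem in the thread concrete: the check that refuses a second certificate with the same DN is done by `openssl ca` against its index.txt database, and only entries with status V (valid) take part in it, which is why expiry (option 3), revocation (option 4), a serial number in the DN (option 1) or switching the check off (option 2) each get around it. The following is an added example, not code from OpenCA or OpenSSL: a small model of that check over constructed index.txt lines, so the four options can be tried offline. It assumes the index.txt layout documented for `openssl ca` (tab-separated status, expiry, revocation date, serial, file name, subject, with times as YYMMDDHHMMSSZ) and models `-updatedb` and revocation only as far as the status column is concerned.

```python
"""Model of the unique-subject check `openssl ca` applies to index.txt.

Added example for the OpenCA thread; not OpenCA or OpenSSL code. The
index.txt lines are constructed sample data and the date handling is a
simplification of what the real tool does."""
from datetime import datetime

# index.txt is tab-separated: status (V/R/E), expiry, revocation date
# (empty unless revoked), serial (hex), certificate file name, subject DN.
SAMPLE_INDEX = (
    "V\t040207163921Z\t\t01\tunknown\t/C=DE/O=BTU Cottbus/CN=Lutz Jaenicke\n"
    "V\t030201120000Z\t\t02\tunknown\t/C=DE/O=BTU Cottbus/CN=Old User\n"
    "R\t040301120000Z\t030115090000Z\t03\tunknown\t/C=DE/O=BTU Cottbus/CN=Gone User\n"
)
FIELDS = ("status", "expiry", "revoked", "serial", "file", "subject")
TIME_FMT = "%y%m%d%H%M%SZ"  # YYMMDDHHMMSSZ as stored in index.txt


def parse_index(text):
    """Parse index.txt into a list of dicts, one per certificate entry."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split("\t")
        if len(parts) != len(FIELDS):
            raise ValueError("malformed index.txt line: %r" % line)
        entries.append(dict(zip(FIELDS, parts)))
    return entries


def parse_time(s):
    return datetime.strptime(s, TIME_FMT)


def update_db(entries, now):
    """Like `openssl ca -updatedb`: flag valid entries whose expiry has
    passed as expired (status E). Since only status-V rows are indexed
    for the unique-subject check, this is what makes option 3 work."""
    changed = 0
    for e in entries:
        if e["status"] == "V" and parse_time(e["expiry"]) < now:
            e["status"] = "E"
            changed += 1
    return changed


def revoke(entries, serial, when):
    """Option 4: revoke the certificate with this serial, recording when."""
    for e in entries:
        if e["serial"] == serial and e["status"] == "V":
            e["status"] = "R"
            e["revoked"] = when.strftime(TIME_FMT)
            return True
    return False


def can_issue(entries, subject, unique_subject=True):
    """Return (ok, reason). With unique_subject=True (the default, which
    the -nouniqueDN patch from the thread switches off) issuing fails if
    a status-V entry already carries the same subject DN. Note that only
    the DN is compared, never the public key, so a second certificate for
    the same key with a different DN passes."""
    if not unique_subject:
        return True, "unique-subject check disabled"
    for e in entries:
        if e["status"] == "V" and e["subject"] == subject:
            return False, "there is already a certificate for %s (serial %s)" % (
                subject, e["serial"])
    return True, "subject unused among valid entries"


def with_serial_in_dn(subject, serial):
    """Option 1: a DN that embeds the serial number is unique by construction."""
    return "%s/serialNumber=%s" % (subject, serial)


if __name__ == "__main__":
    db = parse_index(SAMPLE_INDEX)
    lutz = "/C=DE/O=BTU Cottbus/CN=Lutz Jaenicke"
    now = parse_time("030207173921Z")  # date of the mail, as index time
    print("same DN again:       ", can_issue(db, lutz))
    print("option 1 (serial DN):", can_issue(db, with_serial_in_dn(lutz, "04")))
    print("option 2 (no check): ", can_issue(db, lutz, unique_subject=False))
    print("updatedb flagged", update_db(db, now), "expired entry")
    print("option 3 (expired):  ", can_issue(db, "/C=DE/O=BTU Cottbus/CN=Old User"))
    revoke(db, "01", now)
    print("option 4 (revoked):  ", can_issue(db, lutz))
```

Lutz's "manually editing the certificate database" amounts to changing the status column of the conflicting row by hand, which is exactly the state change `update_db` and `revoke` perform here; the model makes it visible that the check never looks at the public key, only at the DN of valid rows.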
