Hi Pierre,

First, I agree with Bill, but OpenCA includes some workarounds for such specific problems, though it is strongly recommended not to use them :)

Pierre Scholtes wrote:

But here comes the problem: when trying to issue the second cross-certificate, RootCA1 (OpenCA) tells me that there already exists a certificate with this public key and that this will result in a key compromise. This is what I don't understand: there is no key compromise as long as the subject to whom the public key belongs is the same in the 2 certificates (or am I wrong here?).
Is it correct that OpenCA never lets you issue 2 certificates for the same public key:subject pair?

It is correct. There is only one workaround. You can renew the archived request from which the first certificate was created and then you can create a new certificate from the renewed request. The public key is not checked in this situation but this was developed for email certificates. I prefer new keys because it is really difficult to create correct CRLs if you have more than one certificate with a compromised key.


Isn't it possible to check whether the subject in the existing certificate is the same as the one requesting the new certificate and then issue the second certificate?

The subject is not relevant because it can be unique, but it does not have to be. Subjects are more a semantic thing (meaning application-specific).


I really need 2 (or maybe more) cross-certificates to restrict what group of users can verify what type of certificates.

Again, you can do this with request renewal. If you want to do this with OpenSSL then you must patch OpenSSL 0.9.7 (with our patch) or you have to use 0.9.8 (which doesn't work today with OpenCA because of some changes in the header files).


PS: Is it right that OpenCA does not support any naming or policy constraints in cross-certificates (because of OpenSSL not supporting them)?

We create certificates with OpenSSL. So we support every extension which OpenSSL supports. I cannot say more because I don't know exactly what you mean by naming or policy constraints. Is there an RFC or something else that I can read?


Michael


_________________________
Pierre Scholtes
Unicible

tel: +41 (0)21 644 6111
fax: +41 (0)21 644 6300
mailto:[EMAIL PROTECTED]
http://www.unicible.ch


--
-------------------------------------------------------------------
Michael Bell                   Email: [EMAIL PROTECTED]
ZE Computer- und Medienservice            Tel.: +49 (0)30-2093 2482
(Computing Centre)                        Fax:  +49 (0)30-2093 2704
Humboldt-University of Berlin
Unter den Linden 6
10099 Berlin                   Email (private): [EMAIL PROTECTED]
Germany                                       http://www.openca.org
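The "naming constraints" Pierre asks about are the nameConstraints extension of the X.509 profile (RFC 3280 at the time of this thread, since superseded by RFC 5280); policyConstraints is defined in the same profile. The script below is an added example, not OpenCA code and not something either poster wrote: it builds the situation Pierre describes with plain OpenSSL, one SubCA key and request, two cross-certificates from RootCA1 that differ only in their nameConstraints, and then shows that a leaf certificate for www.example.com validates through one cross-certificate and is rejected through the other with a "permitted subtree violation". It assumes a current OpenSSL release (1.1.1 or later) on PATH rather than the 0.9.7/0.9.8 versions discussed above; the names SubCA, .example.com and .example.org are constructed, and RootCA1 is taken from the thread.

```shell
#!/bin/sh
# Added example (not OpenCA's code): two cross-certificates for ONE subordinate
# CA key, distinguished only by nameConstraints, plus a verify step that shows
# which leaf each cross-certificate is allowed to validate.
# Assumes OpenSSL 1.1.1 or later; all names below are constructed.

# Write an extension file for a cross-certificate that may only certify DNS
# names under the given suffix. $1 = output file, $2 = permitted suffix.
write_cross_ext() {
    cat > "$1" <<EOF
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
nameConstraints = critical, permitted;DNS:$2
EOF
}

# Build the constructed PKI in a scratch directory and print its path.
build_pki() {
    dir=$(mktemp -d)
    (
        cd "$dir"
        # RootCA1: self-signed with explicit CA extensions (no dependence on openssl.cnf).
        openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
            -keyout root.key -out root.csr -subj "/CN=RootCA1" >/dev/null 2>&1
        printf 'basicConstraints = critical, CA:TRUE\nkeyUsage = critical, keyCertSign, cRLSign\nsubjectKeyIdentifier = hash\n' > root.ext
        openssl x509 -req -in root.csr -signkey root.key -days 365 -extfile root.ext \
            -out root.crt >/dev/null 2>&1
        # One SubCA key and ONE request; both cross-certificates are issued from it.
        openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
            -keyout sub.key -out sub.csr -subj "/CN=SubCA" >/dev/null 2>&1
        write_cross_ext cross_a.ext ".example.com"
        write_cross_ext cross_b.ext ".example.org"
        for n in cross_a cross_b; do
            openssl x509 -req -in sub.csr -CA root.crt -CAkey root.key -CAcreateserial \
                -days 365 -extfile "$n.ext" -out "$n.crt" >/dev/null 2>&1
        done
        # A leaf issued by SubCA for a host under example.com (constructed).
        openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
            -keyout leaf.key -out leaf.csr -subj "/CN=www.example.com" >/dev/null 2>&1
        printf 'basicConstraints = CA:FALSE\nsubjectAltName = DNS:www.example.com\nauthorityKeyIdentifier = keyid\n' > leaf.ext
        openssl x509 -req -in leaf.csr -CA cross_a.crt -CAkey sub.key -CAcreateserial \
            -days 365 -extfile leaf.ext -out leaf.crt >/dev/null 2>&1
    )
    echo "$dir"
}

# Both cross-certificates certify exactly the same SubCA public key (the case
# OpenCA refuses to create). Returns 0 when the two public keys are identical.
same_key() {
    a=$(openssl x509 -in "$1/cross_a.crt" -pubkey -noout)
    b=$(openssl x509 -in "$1/cross_b.crt" -pubkey -noout)
    [ "$a" = "$b" ]
}

# Validate leaf.crt through the named cross-certificate. $1 = PKI dir,
# $2 = cross_a | cross_b. Returns 0 if the chain is accepted, 1 if rejected.
verify_with() {
    out=$(openssl verify -CAfile "$1/root.crt" -untrusted "$1/$2.crt" "$1/leaf.crt" 2>&1) \
        && { echo "$2: leaf accepted"; return 0; }
    echo "$2: leaf rejected: $(echo "$out" | grep -m1 error)"
    return 1
}

W=$(build_pki)
same_key "$W" && echo "cross_a and cross_b carry the same SubCA public key"
verify_with "$W" cross_a          # accepted: www.example.com is under .example.com
verify_with "$W" cross_b || true  # rejected: permitted subtree violation
rm -rf "$W"
```

The point for Pierre's use case is in the last two lines: relying parties that trust only cross_b cannot build a valid path to any certificate outside .example.org, even though SubCA's key is identical in both cross-certificates. The flip side is Michael's CRL remark: if that one SubCA key is ever compromised, both cross-certificates (each with its own serial number under RootCA1) must be revoked, which is the bookkeeping that a fresh key per certificate avoids.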



_______________________________________________
Openca-Users mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/openca-users