Thank you for your answers :)

On Thu, 3 Jun 2004, Oliver Welter wrote:
- Is it possible to enter different expiration date for different certificates?
I think you can assign different times to different roles, but I think you can't do this per certificate.

*** Great, this should be enough. I've found the config for SSL for each role. Probably this is the place. Thank you! :)


- Is it possible to revoke certificate from RA interface and have the possibility to revoke certificate from PUB interface?

You can request the revocation from the PUB when you know the CRIN (revocation PIN) or without the PIN on the RA.
The revocation itself can only be done on the CA because it must be signed (it's added to the revocation list, which is then signed).

*** Yes, I meant CRR. But the problem is that if you create a CRR on PUB, it's written to the DB, and when approving the CRR on RA, it runs cmd approveCRR with the CRR serial in the KEY variable.


<input type=Hidden Name=key Value="1312">
<input type=Hidden Name=cmd value="approveCRR">

But if I want to create a CRR on RA, it creates something like a virtual CRR (it's NOT written into the DB), and if I want to approve this CRR, it wants to run cmd approveCRR but with the certificate serial number in the SERIAL variable.

<input type=hidden name="serial" value="6">
<input type=hidden name="cmd" value="approveCRR">

And here is the problem, because I cannot define two scripts of the same name with different content. I need one approveCRR CMD with owner_method CRR_SERIAL and owner_argument KEY, and the other approveCRR CMD with owner_method CERTIFICATE_SERIAL and owner_argument SERIAL. The only solution I see is to leave approveCRR for CRRs created on PUB with CRR_SERIAL/KEY and use approveCRRnotSigned for CRRs created on RA with CERTIFICATE_SERIAL/SERIAL. Am I right? What is the correct solution?

- Is there a functionality for renew certificate?

Yes - go to "archived request" and re-request it. But for security reasons you should NOT do this, because you will "recycle" the keypair.

*** Oh, I thought this was for deleted requests, to make them available again. OK, great!

And I would like to understand how a user can get his certificate and private key if he generates it on the PUB OpenCA interface. For example, I want to create a key pair and certificate for a web server. I create the keys and CSR on PUB, then this request is approved on RA and the certificate is issued on CA. Then I can get the certificate for the web server on the web using the PUB interface and /cgi/pki?cmd=getcert&key=10&type=CERTIFICATE. But this will send me only the certificate, without the private key. I can get the private key (in encrypted form) from the CA and RA interfaces, but can I get the private key from PUB too (or is it denied for security reasons)?
I think it is disabled for security because the roll-out of the keys should be done in a more secure way - but I'm not sure about this...

*** Hmmm, it looks like a good idea to download the private key only on CA and RA.

OK, again thank you very much for the answers :)

Robert Wolf.
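The approveCRR collision described in the thread, as an added illustration that is not part of the mail and not OpenCA's code: both forms quoted above carry the same cmd value but differ in which argument they send (KEY with a CRR serial from PUB, SERIAL with a certificate serial from RA). The snippet parses the two hidden-input fragments exactly as quoted and shows how a single handler for one command name could tell the two owner methods apart and reject an ambiguous or malformed request. The owner_method/owner_argument names are taken from the mail; the dispatch table and the handler itself are assumptions for illustration, not how OpenCA actually wires its commands.

```python
"""One command name, two argument shapes: resolving which owner method
an approveCRR request means.  Added illustration, not OpenCA code."""
from html.parser import HTMLParser

# Constructed inputs: the two form fragments quoted in the mail.
FORM_FROM_PUB = '''
<input type=Hidden Name=key Value="1312">
<input type=Hidden Name=cmd value="approveCRR">
'''
FORM_FROM_RA = '''
<input type=hidden name="serial" value="6">
<input type=hidden name="cmd" value="approveCRR">
'''


class HiddenFieldParser(HTMLParser):
    """Collect name/value pairs of hidden <input> elements.

    HTMLParser lower-cases attribute names for us; attribute values such
    as the type are compared case-insensitively because the PUB form
    writes "Hidden" while the RA form writes "hidden".
    """

    def __init__(self):
        super().__init__()
        self.fields = {}

    def handle_starttag(self, tag, attrs):
        if tag != "input":
            return
        a = {k: v for k, v in attrs if v is not None}
        if a.get("type", "").lower() == "hidden" and "name" in a:
            self.fields[a["name"].lower()] = a.get("value", "")


def parse_hidden_fields(html: str) -> dict:
    """Return {field_name: value} for every hidden input in the fragment."""
    p = HiddenFieldParser()
    p.feed(html)
    p.close()
    return p.fields


# Hypothetical dispatch table: the argument name present in the form
# decides the owner method.  Values mirror the terms used in the mail.
APPROVE_CRR_VARIANTS = {
    "key": "CRR_SERIAL",             # CRR stored in the DB by the PUB interface
    "serial": "CERTIFICATE_SERIAL",  # "virtual" CRR created on the RA
}


def resolve_approve_crr(fields: dict) -> tuple:
    """Return (owner_method, owner_argument, numeric_value).

    Exactly one of the known arguments must be present: a request that
    carries both, or neither, cannot be attributed to a single object and
    is refused rather than guessed at.
    """
    if fields.get("cmd") != "approveCRR":
        raise ValueError("not an approveCRR request")
    present = [arg for arg in APPROVE_CRR_VARIANTS if arg in fields]
    if len(present) != 1:
        raise ValueError(f"expected exactly one of key/serial, got {present}")
    arg = present[0]
    value = fields[arg]
    if not value.isdigit():
        raise ValueError(f"{arg} must be a decimal serial, got {value!r}")
    return APPROVE_CRR_VARIANTS[arg], arg.upper(), int(value)


if __name__ == "__main__":
    for label, form in (("PUB", FORM_FROM_PUB), ("RA", FORM_FROM_RA)):
        method, argument, serial = resolve_approve_crr(parse_hidden_fields(form))
        print(f"{label}: owner_method={method} owner_argument={argument} value={serial}")
```

Keeping a single command name but selecting the owner method from the argument actually supplied avoids the two-scripts-with-one-name problem the mail describes; the strict one-of check matters because a form that carried both KEY and SERIAL would otherwise approve whichever object the code happened to look at first.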


_______________________________________________
Openca-Users mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/openca-users
