Thank you Christian ... I was wondering if somebody was using this mailing list anymore... Is there another place to post questions ??
Remember:
=======

On a running install of OpenCA we discovered the following:

* 1) When we create a CSR (with openssl, for instance, on a separate server) and then try to introduce it in OpenCA to create a certificate, the system claims that our CSR does not follow the rules and that we need to correct the O= field or the certificate name.

* 2) When we create the CSR directly from the OpenCA Pub node, some defaults are applied concerning the fields OU=, O= in the distinguished name for the certificate name.

Regarding this, we have three questions:

a) Where can we modify these defaults? We tried in openssl.cnf in /OpenCA/etc/openssl and in /openssl directly, but no way. The way to use the policies (if I am right it has something to do with this) is really not clear, and the behavior of this feature is not documented AFAIK.

>> here: etc/servers/pub.conf (again, thank you Christian...)

b) Can we specify different defaults for these fields, related to the type of certificate we want (User, Web, CAOperator, RAOperator, etc...)?

c) We really want to publish all the certificates and stuff in an OpenLDAP directory running on the RA node. Are we obliged to strictly follow the same distinguished name, in other words, is the distinguished name in the certificate the same as in the LDAP directory?

* 3) We will be obliged to regenerate the CA certificate (self signed). We won't change the secret key but only the cert. We will revoke actual CA and then create a new CA cert. Is there any chance that we won't be obliged to recreate each certificate? Will already published certificates be able to be verified against this new CA cert? Note: we will change the DN of the CA.

Many thanks in advance for your advice concerning questions b) and c)... and question 3)

Francois
