In message <[EMAIL PROTECTED]> on Wed, 31 Mar 2004 11:51:13 +0200 (CEST), Richard 
Levitte - VMS Whacker <[EMAIL PROTECTED]> said:

levitte> In message <[EMAIL PROTECTED]> on Wed, 31 Mar 2004 11:23:29 +0200 (METDST),
levitte> "Simon Josefsson via RT" <[EMAIL PROTECTED]> said:
levitte> 
levitte> rt> 
levitte> rt> "Richard Levitte via RT" <[EMAIL PROTECTED]> writes:
levitte> rt> 
levitte> rt> > I'm honestly very unsure about this one.  After all, "openssl ca" 
levitte> rt> > already covers this, so I wonder why there's a need to create another 
levitte> rt> > way to do the same thing, and add to the confusion on how to do things...
levitte> rt> 
levitte> rt> How would you use "openssl ca" to do the same?  Wouldn't it change
levitte> rt> fields in the signed certificate, or at least require that the CA key used
levitte> rt> to sign correspond to the issuer in the certificate to be signed?  As
levitte> rt> far as I understood, the RT thread only indicates "openssl ca" has the
levitte> rt> same poor security as -noselfsign implies (in that it makes it possible
levitte> rt> for the user to sign certificates without POP), not that "openssl ca"
levitte> rt> can do the same operation.
levitte> 
levitte> What I understood was that you wanted to be able to sign a certificate
levitte> (I call it A from now on) using a CA that doesn't have a root
levitte> certificate.  That is perfectly possible to do with "openssl ca",
levitte> provided you give it that CA's certificate and key.  Of course, in
levitte> preparation, you should create a certificate request (called reqA)
levitte> from certificate A.
levitte> 
levitte> And yes, of course the newly signed certificate (A') will have
levitte> new and possibly changed extensions.  That's within normal CA
levitte> operations, I believe.

*Ahem* *cough* *blush*
Maybe I should actually reread that thread first...
*blush*

-----
Please consider sponsoring my work on free software.
See http://www.free.lp.se/sponsoring.html for details.

-- 
Richard Levitte   \ Tunnlandsvägen 52 \ [EMAIL PROTECTED]
[EMAIL PROTECTED]  \ S-168 36  BROMMA  \ T: +46-708-26 53 44
                    \      SWEDEN       \
Procurator Odiosus Ex Infernis                -- [EMAIL PROTECTED]
Member of the OpenSSL development team: http://www.openssl.org/

Unsolicited commercial email is subject to an archival fee of $400.
See <http://www.stacken.kth.se/~levitte/mail/> for more info.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
