Ambarish Mitra wrote:

Hello Ambarish,

> On Wed, Oct 25, 2006, Goetz Babin-Ebell wrote:
>
>> openssl verify -CAfile self_signed_cert.pem self_signed_cert.pem
>> should return:
>> self_signed_cert.pem: OK
>
> Maestro Steve appended:
>
>> Indeed, technically a certificate with issuer and subject names identical is
>> self-issued and may or may not be self signed. It has to be signed with its
>> own key to be self signed, which the above command checks.
>
> Is there a difference between certificate "issue" and "sign"? I was under
> the impression that a certificate is said to be issued only when it is
> signed. Can there be a case when a cert is issued, but is not signed? Please
> enlighten.

A certificate is _issued_ by a CA authority with a given name.
But a certificate is _signed_ by a private key.

It is always possible to have more than one certificate with the same
subject name. Only the combination issuer name / serial number must be unique.
(Last time I checked, OpenSSL has problems with more than one CA certificate
with the same subject name...)

Let's assume the following scenario:

* CA1:  subj: CN=CA,    issr: CN=CA, Ser: 1, Key: #1, signed: Key #1
* CA2:  subj: CN=CA,    issr: CN=CA, Ser: 2, Key: #2, signed: Key #2
* Usr1: subj: CN=User1, issr: CN=CA, Ser: 3, Key: #3, signed: Key #1
* Usr2: subj: CN=User2, issr: CN=CA, Ser: 4, Key: #4, signed: Key #2

As far as I remember, X509 does not totally disallow this, but OpenSSL will
have problems verifying the user certificates: all certificates are issued by
the CA with the name "CN=CA", but they are signed by keys #1 and #2
respectively...

Bye

Goetz

--
DMCA: The greed of the few outweighs the freedom of the many

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
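The scenario from the message above, reproduced as an added shell example (not code from the thread or from the OpenSSL project): it builds the two same-named CA certificates and the two user certificates, then runs the `openssl verify` checks discussed in the thread, once without and once with subject/authority key identifiers. It assumes the `openssl` CLI (1.1.1 or 3.x) is on PATH; the file names, the `WORK` scratch directory and the `KEYIDS` switch are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the thread: CA1 and CA2 share subject = issuer =
# CN=CA but hold different keys; User1 is signed with key #1, User2 with #2.
# Assumes the openssl CLI (1.1.1 or 3.x); file names are constructed.
set -e
WORK="${WORK:-$(mktemp -d)}"
# write_exts KEYIDS: extension files. With KEYIDS=1 the certs also carry
# subject/authority key identifiers, so a store holding both CA certs can
# match the issuer by key rather than by name alone.
write_exts() {
    printf 'basicConstraints=critical,CA:TRUE\n' > "$WORK/ca.ext"
    printf 'basicConstraints=CA:FALSE\n' > "$WORK/user.ext"
    if [ "$1" = 1 ]; then
        printf 'subjectKeyIdentifier=hash\n' >> "$WORK/ca.ext"
        printf 'subjectKeyIdentifier=hash\nauthorityKeyIdentifier=keyid\n' >> "$WORK/user.ext"
    fi
}
# mk FILE SUBJECT SERIAL EXT [ISSUERFILE]: fresh EC key and CSR for CN=SUBJECT,
# signed with ISSUERFILE's key, or with its own key when no issuer is given.
mk() {
    openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:prime256v1 \
        -out "$WORK/$1.key" 2>/dev/null
    openssl req -new -key "$WORK/$1.key" -subj "/CN=$2" -out "$WORK/$1.csr" 2>/dev/null
    if [ -n "$5" ]; then signer="-CA $WORK/$5.pem -CAkey $WORK/$5.key"
    else signer="-signkey $WORK/$1.key"; fi
    openssl x509 -req -in "$WORK/$1.csr" $signer -set_serial "$3" -days 1 \
        -extfile "$WORK/$4.ext" -out "$WORK/$1.pem" 2>/dev/null
}
# verify_with CAFILE CERT: OK or FAIL, from the exit status of "openssl verify".
verify_with() {
    openssl verify -CAfile "$WORK/$1" "$WORK/$2" >/dev/null 2>&1 && echo OK || echo FAIL
}
# build_pki KEYIDS: the four certificates from the message, serials 1..4.
build_pki() {
    write_exts "$1"
    mk CA1 CA 1 ca             # self-signed with key #1
    mk CA2 CA 2 ca             # self-signed with key #2, same name as CA1
    mk User1 User1 3 user CA1  # issued by CN=CA, signed with key #1
    mk User2 User2 4 user CA2  # issued by CN=CA, signed with key #2
    cat "$WORK/CA1.pem" "$WORK/CA2.pem" > "$WORK/both.pem"
}
build_pki 0
echo "CA1, own cert as anchor (self-signed):   $(verify_with CA1.pem CA1.pem)"    # OK
echo "CA1 against CA2 (same name, other key):  $(verify_with CA2.pem CA1.pem)"    # FAIL
echo "User1 against CA1:                       $(verify_with CA1.pem User1.pem)"  # OK
echo "User1 against CA2 (issuer name matches): $(verify_with CA2.pem User1.pem)"  # FAIL
echo "User2 against both CAs, no key ids:      $(verify_with both.pem User2.pem)"  # version-dependent, not asserted
build_pki 1
echo "User2 against both CAs, with key ids:    $(verify_with both.pem User2.pem)"  # OK
```

The "same name, other key" and "issuer name matches" lines are the self-issued-but-not-self-signed case from the thread: the name check passes, the signature check does not. Whether the no-key-id lookup against a store holding both CAs succeeds depends on the OpenSSL version, because without key identifiers the issuer is looked up by name only.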