Bonjour :)
On 19/05/11 13:03, Erwann ABALEA wrote:
Bonjour,
Hodie XIV Kal. Iun. MMXI, Tim Watts scripsit:
I do apologise - it's a long post. I'm just not totally sure if I
have the correct attributes and extensions - and whether it meets
the requirements of a v3 SSL cert (I think it does). Is 4096 bit key
and sha1 a good choice?
SHA1 is still tolerated, but being slowly obsolete. You can still use
it if your serial numbers have some randomness, which is not the case
here. Either use one member of the SHA2 family, or generate random
serial numbers.
Hi Erwann,
Thanks for that. I'm not sure how to do random serials (I let openssl
manage those) but it interesting to know it makes a difference.
And is the revocation bit done correctly (assuming I actually
maintain a CRL from openssl ca -gencrl at the url above?
All the "ns*" extensions are deprecated, and shouldn't be used
anymore.
I had a bad feeling about those, but when I searched on google for "CRL
revocation URL" I didn't find anything else. Again, thanks - exactly the
advice I am after :)
The nsCaRevocationUrl extension should be replaced by this:
crlDistributionPoints = URI:http://www.example.com/ssl/CA-example.com.crl
OK - cool. Should I support both do you think for backwards compatibility?
[1] See point below
You don't need to place a CRLDP extension in the root CA certificate
(a root can't really revoke itself).
OK. Wasn't sure about that...
You forgot to place the keyUsage extension in your server
certificates.
Oops. Ta.
The issuerAltName extension is useless as stated (I'd say it's also
useless in general, but I won't argue).
What should it be in this context?
I'd set the critical flag for the basicConstraints extension (both CA
and end-users (server+user)).
OK -will do :)
Many many thanks for all this :)
This is one of those jobs that I assign the "want to do it right" flag
too - I have a 100 servers that eventually need new certs (though I will
probably be forced to use a wildcard CN on most of them as many do name
based virtual hosting on apache - yes I know, the RFCs only mention
wildcard CNs in the context of a few services and not specifically
HTTPS, but what can you do...)
Cheers,
Tim
[1]
I read an interesting blog by a google employee on the issue of CRLs and
avoiding the whole issue by setting up automatic distribution of very
short time-to-live certs:
http://www.imperialviolet.org/2011/03/18/revocation.html
(Adam is an ex-student of the uni I used to work at - a very sharp
fellow indeed).
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org
