On Fri, Mar 21, 2014 at 12:25 AM, Stefan H. Holek <ste...@epy.co.at> wrote:
> I have updated the OpenSSL PKI Tutorial at Read the Docs. The tutorial
> provides three complete PKI examples you can play through and the prettiest
> configuration files this side of Neptune. Check it out!
>
> https://pki-tutorial.readthedocs.org/

This is really awesome. I've been trying to make sense of the config files for cert generation and align to best practices (when I can find them), and having good documentation is great.

A few questions:

1. Is there a reason you're not using SHA-256 hash by default - it appears that SHA1 is being recommended against currently: http://www.digicert.com/sha-2-ssl-certificates.htm

2. I couldn't figure out what the [additional_oids] section of the Expert example's root-ca.conf file is for - either through research or going through the commit history. Could you elaborate on what that accomplishes? https://pki-tutorial.readthedocs.org/en/latest/expert/root-ca.conf.html

3. Is there a reason to not set a pathLen in the basicConstraints section of the Root CA's (to 1, to allow a maximum of one layer of CA's below the Root), but to do so on the Intermediate CA's?

Thanks,
Zack
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
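
Question 3 turns on how pathLen is counted. As an added illustration that is not part of this thread or of the tutorial, the Python sketch below applies the RFC 5280 rule (a CA's pathLenConstraint caps the number of non-self-issued CA certificates that may follow it in a path) to constructed chains. The `Cert` model, the certificate names and the choice to enforce the root's own constraint are assumptions of the sketch.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Cert:
    """Hypothetical, minimal stand-in for the fields that matter to pathLen."""
    name: str
    is_ca: bool
    pathlen: Optional[int] = None   # None = basicConstraints carries no pathlen
    self_issued: bool = False       # self-issued certs are not counted (RFC 5280)


def check_pathlen(chain: List[Cert]) -> List[str]:
    """Return pathLen violations for a chain ordered root first, leaf last."""
    errors = []
    for i, cert in enumerate(chain[:-1]):        # every cert that issues another
        if not cert.is_ca:
            errors.append(f"{cert.name}: issues a certificate but is not a CA")
            continue
        if cert.pathlen is None:                 # unconstrained CA
            continue
        # CA certs strictly between this one and the final certificate.
        following = sum(1 for c in chain[i + 1:-1] if not c.self_issued)
        if following > cert.pathlen:
            errors.append(f"{cert.name}: pathlen {cert.pathlen} exceeded, "
                          f"{following} CA certificate(s) follow")
    return errors


# Constructed sample chains (not taken from the tutorial's configuration files).
LEAF = Cert("server", is_ca=False)
SIGNING = Cert("Signing CA", is_ca=True, pathlen=0)

# Root limited to one CA layer below it: a two-tier hierarchy validates.
TWO_TIER = [Cert("Root CA", True, pathlen=1, self_issued=True), SIGNING, LEAF]
# The same root cannot later gain a second layer without being reissued.
THREE_TIER = [Cert("Root CA", True, pathlen=1, self_issued=True),
              Cert("Intermediate CA", True, pathlen=1), SIGNING, LEAF]
# Unconstrained root, constrained intermediate: depth is capped lower down.
ROOT_OPEN = [Cert("Root CA", True, self_issued=True),
             Cert("Intermediate CA", True, pathlen=1), SIGNING, LEAF]
# An intermediate with pathlen 0 may only issue end-entity certificates.
TOO_TIGHT = [Cert("Root CA", True, self_issued=True),
             Cert("Intermediate CA", True, pathlen=0), SIGNING, LEAF]

if __name__ == "__main__":
    for label, chain in [("two-tier", TWO_TIER), ("three-tier", THREE_TIER),
                         ("open root", ROOT_OPEN), ("tight", TOO_TIGHT)]:
        print(label, check_pathlen(chain) or "OK")
```
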