On 25.03.2014, at 17:44, Zack Williams wrote:

> 1. Is there a reason you're not using SHA-256 hash by default - it
> appears that SHA1 is being recommended against currently:
> http://www.digicert.com/sha-2-ssl-certificates.htm

No reason. Just for maximum compatibility. Every software can do SHA1. But this comes up a lot and I might switch to sha256 the next time around.

> 2. I couldn't figure out what the [additional_oids] section of the
> Expert example's root-ca.conf file is for - either through research or
> going through the commit history. Could you elaborate on what that
> accomplishes?

These define symbolic names for policy OIDs used in the certificatePolicies extension. You could well use the raw numbers without mapping them to names. Also note that policies are entirely optional and you are free to ignore them if you don't have a use case.

> 3. Is there a reason to not set a pathLen in the basicConstraints
> section of the Root CAs (to 1, to allow a maximum of one layer of
> CAs below the Root), but to do so on the Intermediate CAs?

Pathlen is not used on root CA certs. A lot of things are not used on root CA certs. They only serve to publish a key and ID. I don't use pathlen on intermediate CAs either, just signing CAs.

Thank you for your feedback,
Stefan

--
Stefan H. Holek
ste...@epy.co.at

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
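An added example (not from the thread and not from the Expert example's config files) that puts the three answers into one OpenSSL config and exercises it: sha256 as default_md, a policy OID given a symbolic name through oid_section, no pathlen on the root, and pathlen:0 on the signing CA. The OID arc, CA names and file paths are placeholders, and it assumes the openssl command line tool is installed.

```shell
#!/bin/sh
# Added example, not from the thread. One config carries the points above: sha256
# default, named policy OIDs, no pathlen on the root, pathlen:0 on the signing CA.
set -e; W=$(mktemp -d); cd "$W"; touch index.txt; echo 01 > serial
cat > ca.cnf <<'EOF'
oid_section = additional_oids          # register symbolic names for OIDs
[additional_oids]
ExamplePolicy = 1.3.6.1.4.1.99999.1.1  # placeholder policy OID
[req]
distinguished_name = dn
default_md = sha256                    # sha256 rather than the old sha1 default
[dn]
CN = placeholder
[this_ca]
certificate = root.crt
private_key = root.key
new_certs_dir = .
database = index.txt
serial = serial
default_md = sha256
default_days = 365
policy = any_dn
[any_dn]
commonName = supplied
[root_ext]
basicConstraints = critical,CA:true    # root: no pathlen, it only publishes key and ID
keyUsage = critical,keyCertSign,cRLSign
[signing_ext]
basicConstraints = critical,CA:true,pathlen:0   # signing CA: end-entity certs only
keyUsage = critical,keyCertSign,cRLSign
certificatePolicies = ExamplePolicy    # name resolved through additional_oids
[leaf_ext]
basicConstraints = CA:false
EOF
K="-newkey ec -pkeyopt ec_paramgen_curve:P-256 -nodes"
csr() { openssl req -new $K -config ca.cnf -keyout "$1.key" -out "$1.csr" -subj "/CN=$1"; }
# issue <issuer> <subject> <ext-section>: sign the subject's CSR with the issuer's key
issue() { openssl ca -config ca.cnf -name this_ca -batch -notext -cert "$1.crt" \
            -keyfile "$1.key" -in "$2.csr" -out "$2.crt" -extensions "$3" >/dev/null; }
openssl req -new -x509 $K -config ca.cnf -extensions root_ext -days 3650 \
  -keyout root.key -out root.crt -subj /CN=root
csr signing; issue root signing signing_ext; csr leaf; issue signing leaf leaf_ext
csr subca; issue signing subca signing_ext   # a CA underneath pathlen:0 (ca does not refuse)
csr leaf2; issue subca leaf2 leaf_ext
chain_ok() { openssl verify -CAfile root.crt -untrusted signing.crt leaf.crt >/dev/null; }  # 0 when root -> signing -> leaf verifies
# 0 when the deeper chain through subca is rejected, i.e. pathlen:0 is enforced
pathlen_enforced() { ! openssl verify -CAfile root.crt -untrusted signing.crt \
                       -untrusted subca.crt leaf2.crt >/dev/null 2>&1; }
# 0 when the policy name was encoded as its numeric OID in the signing CA cert
policy_numeric() { openssl x509 -in signing.crt -noout -text | grep -q 'Policy: 1.3.6.1.4.1.99999.1.1'; }
```

Run it in an empty shell and inspect the generated certs with `openssl x509 -text`; the verify failure for leaf2 reports the path length constraint being exceeded.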