Re: OpenSSL PKI Tutorial updated
On Thu, Mar 27, 2014 at 2:47 AM, Stefan H. Holek <ste...@epy.co.at> wrote:

> No reason. Just for maximum compatibility. Every software can do SHA1. But this comes up a lot and I might switch to sha256 the next time around.

It appears that even most legacy web browsers and servers support sha256, given these lists:

http://www.tbs-certificates.co.uk/FAQ/en/476.html
http://www.tbs-certificates.co.uk/FAQ/en/477.html

Are there other lists of other products that are modern (or still in active use), but lack sha256 compatibility?

>> 2. I couldn't figure out what the [additional_oids] section of the Expert example's root-ca.conf file is for - either through research or going through the commit history. Could you elaborate on what that accomplishes?
>
> These define symbolic names for policy OIDs used in the certificatePolicies extension. You could well use the raw numbers without mapping them to names. Also note that policies are entirely optional and you are free to ignore them if you don't have a use case.

I assume that verifying that only correct/allowed OIDs are used in a cert chain happens whether or not they get used by the rest of the software, correct? Or is this configurable?

> Thank you for your feedback,

Thank you for working on this!

- Zack

__
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org
Re: OpenSSL PKI Tutorial updated
On Fri, Mar 21, 2014 at 12:25 AM, Stefan H. Holek <ste...@epy.co.at> wrote:

> I have updated the OpenSSL PKI Tutorial at Read the Docs. The tutorial provides three complete PKI examples you can play through and the prettiest configuration files this side of Neptune. Check it out!
>
> https://pki-tutorial.readthedocs.org/

This is really awesome. I've been trying to make sense of the config files for cert generation and align to best practices (when I can find them), and having good documentation is great.

A few questions:

1. Is there a reason you're not using the SHA-256 hash by default? It appears that SHA1 is being recommended against currently: http://www.digicert.com/sha-2-ssl-certificates.htm

2. I couldn't figure out what the [additional_oids] section of the Expert example's root-ca.conf file is for - either through research or going through the commit history. Could you elaborate on what that accomplishes? https://pki-tutorial.readthedocs.org/en/latest/expert/root-ca.conf.html

3. Is there a reason to not set a pathLen in the basicConstraints section of the Root CA (to 1, to allow a maximum of one layer of CAs below the Root), but to do so on the Intermediate CAs?

Thanks,
Zack
Re: [openssl-users] Re: OpenSSL PKI Tutorial updated
On Tue, Mar 25, 2014 at 10:54 AM, Erwann Abalea <erwann.aba...@keynectis.com> wrote:

>> 2. I couldn't figure out what the [additional_oids] section of the Expert example's root-ca.conf file is for - either through research or going through the commit history. Could you elaborate on what that accomplishes? https://pki-tutorial.readthedocs.org/en/latest/expert/root-ca.conf.html
>
> The OIDs are used in the CertificatePolicies extension of a subordinate CA of this root CA. For a policyId to be acceptable for an end-user certificate, this same policyId (or the special value anyPolicy) MUST be present in all CAs between this end-user cert and the root CA. The root CA is special in that it doesn't need to contain any CertificatePolicies extension.

So these are used to group or link the certificate chain together? Is there guidance for generating and naming this OID? Given an OID in this form: 1.3.6.1.4.1.X.Y.Z I'm assuming that you would register the top level number (X) with the IANA (or other appropriate issuing body), but is there guidance to setting Y and Z, which are 7 and 8 or 9 respectively in the Expert example?

>> 3. Is there a reason to not set a pathLen in the basicConstraints section of the Root CA (to 1, to allow a maximum of one layer of CAs below the Root), but to do so on the Intermediate CAs?
>
> Because it's not used by the standardized validation algorithm (RFC5280 section 6, X.509 section 10).

I looked through RFC5280 section 6.1.4 (m), and it appears that setting the pathLen would apply to the Root CA, and would cause section (l) to fail on CAs created beyond the depth specified. Am I interpreting the RFC incorrectly?

Thanks,
Zack
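As an added illustration of the RFC 5280 section 6.1.4 steps debated in this thread (this is not code from the tutorial or from any poster), the following Python model walks a chain and applies only the pathLenConstraint steps (l) and (m) plus a simplified certificatePolicies requirement; the certificate dicts and the policy OID 1.3.6.1.4.1.99999.7.8 are constructed placeholders.

```python
# Added example, not from the tutorial or this thread: a toy model of the
# RFC 5280 section 6.1 checks discussed above, covering only pathLenConstraint
# (6.1.4 (l) and (m)) and a simplified certificatePolicies requirement.
# Certificates are constructed dicts, not real X.509 objects.
ANY_POLICY = "2.5.29.32.0"                 # anyPolicy special value
EXAMPLE_POLICY = "1.3.6.1.4.1.99999.7.8"   # constructed placeholder OID

def validate_path(chain, required_policy=None):
    """chain[0] is the trust anchor (root), chain[-1] the end-entity cert.
    Returns (ok, reason). Per 6.1.1 (d) only the trust anchor's name and key
    are inputs, so a pathlen on the root itself never enters the loop (some
    implementations are stricter). All certs are treated as not self-issued."""
    n = len(chain) - 1                      # number of certs to process
    max_path_length = n                     # 6.1.2 (k): initialised to n
    for i, cert in enumerate(chain[1:], start=1):
        if required_policy is not None:
            policies = cert.get("policies", set())
            if required_policy not in policies and ANY_POLICY not in policies:
                return False, "cert %d lacks policy %s" % (i, required_policy)
        if i == n:                          # end-entity cert: no 6.1.4 steps
            break
        if not cert.get("ca", False):       # 6.1.4 (k)
            return False, "cert %d is not a CA" % i
        if max_path_length <= 0:            # 6.1.4 (l)
            return False, "cert %d exceeds the path length constraint" % i
        max_path_length -= 1
        plc = cert.get("pathlen")
        if plc is not None and plc < max_path_length:
            max_path_length = plc           # 6.1.4 (m)
    return True, "ok"

# Constructed chain entries: root -> intermediate -> leaf, as in the tutorial.
ROOT = {"ca": True, "policies": set()}                 # root needs no policies
INTERMEDIATE = {"ca": True, "pathlen": 0, "policies": {EXAMPLE_POLICY}}
LEAF = {"ca": False, "policies": {EXAMPLE_POLICY}}

def demo():
    """Returns the outcome of a few chains worth comparing."""
    return {
        "two_tier": validate_path([ROOT, INTERMEDIATE, LEAF], EXAMPLE_POLICY)[0],
        # A second CA under an intermediate with pathlen:0 violates 6.1.4 (l).
        "extra_tier": validate_path([ROOT, INTERMEDIATE, dict(INTERMEDIATE), LEAF])[0],
        # An intermediate asserting only anyPolicy still satisfies the policy.
        "any_policy": validate_path([ROOT, {"ca": True, "policies": {ANY_POLICY}}, LEAF], EXAMPLE_POLICY)[0],
        # An intermediate without the policy breaks the chain for that policy.
        "missing_policy": validate_path([ROOT, {"ca": True, "policies": set()}, LEAF], EXAMPLE_POLICY)[0],
    }

if __name__ == "__main__":
    print(demo())
```

Running it prints {'two_tier': True, 'extra_tier': False, 'any_policy': True, 'missing_policy': False}; a pathlen on the ROOT entry leaves the results unchanged, which is the point Erwann makes about the standard algorithm.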