Tiller, Robert wrote:
Hi,
How about a new Phase I Step 4 to be done after the normal init and
cert setup that would be "Issue CRL". This is so you have a
fresh CRL before the data exchange to the RA and you don't have to go
back and do it later.
Any comments?
yeah - i mean you could do this b
Title: Proposed new Phase I Step 4
Hi,
How about a new Phase I Step 4 to be done after the normal init and
cert setup that would be "Issue CRL". This is so you have a
fresh CRL before the data exchange to the RA and you don't have to go
back and do it later.
Any comments?
thanks!
Rober
Hi Michael,
>> * OpenCA uses the CA certificate for signing the cert Role. (BTW:
>> openca-sv does use the CA cert regardless of its key usage
>> bits - and can create invalid signatures this way!)
>
> We enforce this because we had no other solution.
I see... :-)
>> * I may be wrong, but I
Hi Martin,
In OpenCA standard configuration the CA certificate itself
is issued with the following key usages:
digitalSignature, nonRepudiation, cRLSign, keyCertSign
However, I believe that CA certs should NOT be used for anything else
than signing CRLs and certificates, and this would only requi
Tiller, Robert wrote:
Hi,
Would all this extra signing lead to unnecessary leakage of the CA private
key? Do private keys become "stale" after too many uses and/or time?
Theoretically yes.
Michael
--
---
Michael Bell
Martin Bartosch wrote:
Hi,
the (now fixed) recent problem with the signed role for a new certificate
raises several interesting problems, at least for me.
In OpenCA standard configuration the CA certificate itself
is issued with the following key usages:
digitalSignature, nonRepudiation, cRLSign, k
Hi,
> Would all this extra signing lead to unnecessary leakage of the CA
> private
> key? Do private keys become "stale" after too many uses and/or time?
no, private keys do not become stale if used properly (this includes
a number of security precautions, such as correct padding and using the
Hi,
Would all this extra signing lead to unnecessary leakage of the CA private
key? Do private keys become "stale" after too many uses and/or time?
thanks!
Robert
-Original Message-
From: [EMAIL PROTECTED] on behalf of Martin Bartosch
Sent: Wed 8/18/2004 8:41 AM
To: [EMAIL P
Hi,
the (now fixed) recent problem with the signed role for a new certificate
raises several interesting problems, at least for me.
In OpenCA standard configuration the CA certificate itself
is issued with the following key usages:
digitalSignature, nonRepudiation, cRLSign, keyCertSign
However
Hi Michael,
> If we issue a cert then we first create the cert and second create some
> signatures for the role and the CRIN. Perhaps we must run openca-sv
> within the wrapper like openssl. Please see the functions sign, verify,
> encrypt and decrypt in OpenSSL.pm (src/modules/openca-openssl/).
Hello!
Ok, to begin with, let's have one here:
lib/cmds/raList
line 63 should be:
"NAME"=> gettext("Filter displayed
requests"),
---
after this change, works perfectly...
unfortunately, I don't know anything about writing .diff files, so this is
the only wa
Hi,
I will try to debug the CSR serial creation as Michael just suggested
in his answer to my question concerning ENTRY_EXIST errors after
importing the SQL dump.
Since my original efforts to import the SQL dump and the var/ files
to a new machine still failed, I decided to go the "official"
way
Hi Janez,
if you found a non-translatable phrase then please write it to the list
or open a bug report on Sourceforge. If we know such a bug then we will
fix it immediately but most developers work with English and so we
don't see such bugs.
Michael
--
-
Hi,
> If we issue a cert then we first create the cert and second create some
> signatures for the role and the CRIN. Perhaps we must run openca-sv
> within the wrapper like openssl. Please see the functions sign, verify,
> encrypt and decrypt in OpenSSL.pm (src/modules/openca-openssl/).
you are
Hi Martin,
the following code in basic_csr calculates the new serial:
my $last_req = libDBGetLastItem ("REQUEST");
my $req_elements = 0;
$req_elements= $last_req->getSerial("REQUEST") if ($last_req);
$req_elements >>= getRequired ("ModuleShift");
if ((not defined $req_elements) or ($req_elemen
Hi Martin,
So the reason might not actually be the missing signature on the
original CSR, you think? Should the CA sign the Role after issuing
the cert, then? This is the only way, the nCipher or OpenSC module
could be responsible for this problem, I think.
If we issue a cert then we first create t
Tiller, Robert wrote:
Does this mean getting rid of Berkeley DB(aka Sleepycat)?
I use Sleepycat for the DB on Openca and it is quite easy to setup and
use.
Is there any chance of adding the configure options back in instead of
hacking the config.xml file for the DB options?
No, there is no chanc
Janez Pirc wrote:
And also another question on the subject; why doesn't the selection of the
default language work? I selected my language to be the default in
config.xml, but the OpenCA web interface always starts in English ("C")
language. When I switch to my, or any other language it of course
Hello!
As mentioned before I'm making the Slovene translation of OpenCA. Good for
me, since I'm almost finished. But: what I noticed is that many phrases or
strings used in the code are not displayed "through" gettext, or to put it
correctly, their translated name is not obtained with gettext a
Hi,
maybe I've messed up something again, after fixing the problem
with literal \n -> LF conversion on imported SQL dumps, I am
now facing a new problem.
After importing the SQL dump and restoring the var/ hierarchy, I can
now display the certificates.
However there is a new problem: if I issue a
Hi Oliver,
> you use the nCipher Module and OpenSC ?
> I had a similar problem that is based on some bad decryption bugs in a
> recent OpenSC version. The current CVS of OpenSC solved the problem for me
I am using the nCipher module for the CA, OpenSSL tokens for everything
else. OpenSC is not us
Hi Martin,
you use the nCipher Module and OpenSC ?
I had a similar problem that is based on some bad decryption bugs in a
recent OpenSC version. The current CVS of OpenSC solved the problem for me
Oliver
Martin Bartosch wrote:
Hi,
in my test environment I have some certificates that were "approve
Hi,
in my test environment I have some certificates that were "approved
without signing" by the RA admin and issued by the CA. Of course
these certs do not contain a signature on the cert's role in
the database.
However, if I try to access the cert from the certificate overview
list, I get the fo