Hy!
If I have suspended (crlReason=certificateHold) a certificate in the past and
now want to really revoke it using openssl ca, I get an error message
ERROR:Already revoked, serial number 01. Is there some way to make openssl
automatically upgrade the suspension to a revocation with having to
A further related question: Is there some way to remove a suspended
certificate from a CRL without manually editing the index file? Using the
-crl_reason removeFromCRL option on the ca command does not work.
cheers
Mat
On Friday 02. May 2014 14:35:23 you wrote:
Hy!
If I have suspended
Some standards (like the CA/Browser Forum guidelines) request a certain amount
of entropy (like 20 bits) to be contained within the serial number. Is there
some sort of best-practice for incorporating this small amount of real random
data into a larger unique serial number?
cheers
Mat
On
openssl can use a PKCS#11 interface in some scenarios, but you won't need it
for what you want to do.
I'd advise you to get the actual PKCS#11 standard document. For each function,
there is always some sample code included.
cheers
Mat
On Monday 28. April 2014 23:32:21 you wrote:
Need some
I agree with Walter, that it is not exactly good practise to have a CA key
lying around on multiple servers. But anyway, if you need to do it you have to
create the random serial number externally by some script and write it into
the serial file (as set in the openssl configuration file used)
You can add a caIssuers entry to the authorityInformationAccess extension
of cert B and C. Put a URL where you can download the issuing certificate (so
cert C has a URL to download cert B). That way, Windows can automatically
fetch the intermediate certificate.
cheers
Mat
On Tuesday 12.
On Tuesday 01. October 2013 02:56:16 you wrote:
Hi,
I am very new to OpenSSL.
I would like to understand how exactly CRL is used.
Means, let's say, we try to login using gmail.com in any browser. Now we see
certificates - We see Google Inc is the 1st level and it has a CRL which is
Just a wild guess: If you click on edit trust on the root certificate in
Firefox, you have to tick the box for web server certificates.
cheers
Mat
On Friday 04. October 2013 21:29:57 you wrote:
Hello,
there exists a self signed root CA certificate (A)
one intermediate CA certificate (B)
If you create a self-signed certificate, the signature algorithm will obviously
be that of the public key of the certificate. If you use an EC key, you can
only end up with an ecdsa-with* signature. If you want sha1WithRSAEncryption,
you need to create an RSA key. Or have your EC-certificate signed
On Tuesday 13. August 2013 06:17:35 redpath wrote:
I have a best practices question on CA management for signing.
I have created CA signing cert and issue all other certs using this
CA to sign them.
1) I noticed that many CA examples set a term of 3650 days, is this common
practice
How
On Wednesday 14. August 2013 04:10:23 you wrote:
Thanks and as for the last question number (5) I meant I simply replace the
SSL cert and assume there
will be a challenge to accept the new certificate by a browser? I revoke the
old one SSL cert.
I still don't get it. If you have revoked your
Hy!
Is it possible to create a timestamp response with openssl ts with a private
key stored on a PKCS#11 token?
cheers
Mat
__
OpenSSL Project http://www.openssl.org
User Support Mailing List
On Friday 14. December 2012 17:08:02 you wrote:
Hi Patrick ,
I actually don't want to use the file that is generated from
sautil. For security reasons - i delete the private key from disk and
rely on the one stored inside the HSM partition. I've been directed to
use the following
Hello!
I have a certificate, which is supposed to be used for s/mime signatures and
tls-client authentication:
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 157 (0x9d)
Signature Algorithm: sha1WithRSAEncryption
Issuer: CN=Foo
Validity
Not