Add 1.:
We too want the "renew certificate" function in the public interface.
We changed the configuration in the following way, and it worked.
Is there any risk or any other reason why this should not be done?
In our environment the pub interface is used by a limited number of
well-known employees, so senseless requests should not occur.

Allow module 32 access to "csr view" and "csr renew" in etc/rbac/acl.xml
and add the following to etc/servers/pub.conf

CmdRefs_viewCert        "INSTALL_CERT" "SENDCERT" "SEND_CERT_KEY" "VIEW_CSR"
CmdRefs_viewCSR         "RENEW"
CHANGE_DAYS             "OFF"
SET_REQUEST_SERIAL_IN_DN "N"
REQUEST_SERIAL_NAME "sn"
SET_CERTIFICATE_SERIAL_IN_DN "Y"
CERTIFICATE_SERIAL_NAME "serialNumber"
AUTOMATIC_SUBJECT_ALT_NAME "N"
DEFAULT_SUBJECT_ALT_NAME   "Email"
DN_WITHOUT_EMAIL "YES"
UNIQUE_DN "YES"
OPENSSL_DIR       "/magwien/openca/subCA/etc/openssl/openssl"


Add 3.:
In my version I cannot use a public key twice unless explicitly using
renew.
It is not possible to use a request a second time, even if the first
certificate is revoked.
--- BEGIN OPENCA OUTPUT
(Error 6746

      General error A Certificate with the same public key exists!

      This is a keycompromise of the certificates with the serial:

          * 11

          * 12

            Please revoke the certificates and delete the request.
--- END OPENCA OUTPUT

--Michael


-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On behalf of Oliver Welter *EXTERNAL*
Sent: Wednesday, 27 April 2005 17:28
To: [email protected]
Subject: Re: [Openca-Users] Renew


Hi Nuno,

>  Some questions about renewing a certificate.
>  1. Is it possible for a user to request a renewal of his certificate in
>  the public interface?

No


>  3. When I try to renew a certificate in the CA (using the same request as
>  for the initial certificate), I must first revoke the certificate. Is it
>  possible for the CA to do this automatically?
> 
This is a configuration problem - you must either put the certificate
serial in the DN or disable the "unique_dn" feature. Both are found in
the server/*.conf files.

Oliver

-- 
This message was digitally signed
oliwel's public key: http://www.oliwel.de/oliwel.crt
Base certificate: http://www.ldv.ei.tum.de/page72
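Both points in this thread come down to two uniqueness checks a CA runs before it issues from a request: whether the public key in the CSR already sits in an issued certificate (the "A Certificate with the same public key exists!" error, which Michael reports is only bypassed by the explicit renew action) and whether the subject DN is already taken (the "unique_dn" check that Oliver's answer works around by putting the certificate serial into the DN). The script below is an added example, not OpenCA's code and not from any participant in the thread; it rebuilds both checks with nothing but the openssl command line on constructed test data: certificates 11 and 12 issued for one shared key and a bare DN, certificate 13 issued with its serial in the DN, and two new requests. The function names, the use of SHA-256 over the DER SubjectPublicKeyInfo as the key identity, and the RFC 2253 string comparison for DNs are my assumptions and may differ from what OpenCA does internally.

```shell
#!/bin/sh
# Added example, not OpenCA code: rebuild the two uniqueness checks from the
# thread with the openssl CLI on constructed test data.
#   key - "A Certificate with the same public key exists!"
#   dn  - UNIQUE_DN: a second certificate for an identical subject is refused
# Assumptions (mine, not OpenCA's): a key is identified by SHA-256 over the
# DER SubjectPublicKeyInfo, a DN by its RFC 2253 string, issued certs are *.pem.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

spki_fp() {     # $1 = PEM file, $2 = x509|req -> SHA-256 of the DER SubjectPublicKeyInfo
  openssl "$2" -in "$1" -noout -pubkey 2>/dev/null \
    | openssl pkey -pubin -outform DER 2>/dev/null \
    | openssl dgst -sha256 | awk '{print $NF}'
}

subject_dn() {  # $1 = PEM file, $2 = x509|req -> subject as an RFC 2253 string
  openssl "$2" -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//'
}

cert_serial() { # $1 = certificate -> decimal serial number
  hex=$(openssl x509 -in "$1" -noout -serial | sed 's/^serial=//')
  echo $(( 0x$hex ))
}

conflicts() {   # $1 = CSR, $2 = directory of issued certs, $3 = key|dn
  csr=$1; dir=$2; mode=$3           # prints the colliding serials, sorted, space-separated
  if [ "$mode" = key ]; then want=$(spki_fp "$csr" req); else want=$(subject_dn "$csr" req); fi
  for cert in "$dir"/*.pem; do
    if [ "$mode" = key ]; then have=$(spki_fp "$cert" x509); else have=$(subject_dn "$cert" x509); fi
    if [ "$have" = "$want" ]; then cert_serial "$cert"; fi
  done | sort -n | tr '\n' ' ' | sed 's/ $//'
}

# --- constructed test data: certs 11 and 12 share one key, as in the error message ---
openssl ecparam -name prime256v1 -genkey -noout -out "$WORK/shared.key" 2>/dev/null
openssl ecparam -name prime256v1 -genkey -noout -out "$WORK/fresh.key"  2>/dev/null
openssl ecparam -name prime256v1 -genkey -noout -out "$WORK/other.key"  2>/dev/null
for serial in 11 12; do   # issued with a bare DN, i.e. SET_CERTIFICATE_SERIAL_IN_DN "N"
  openssl req -x509 -new -key "$WORK/shared.key" -days 1 -set_serial "$serial" \
    -subj "/O=Example/CN=alice" -out "$WORK/cert$serial.pem" 2>/dev/null
done
# cert 13 carries its serial in the DN, the effect of SET_CERTIFICATE_SERIAL_IN_DN "Y"
openssl req -x509 -new -key "$WORK/other.key" -days 1 -set_serial 13 \
  -subj "/O=Example/CN=alice/serialNumber=13" -out "$WORK/cert13.pem" 2>/dev/null
# reuse.csr re-submits the shared key; newkey.csr uses a fresh key but the same bare DN
openssl req -new -key "$WORK/shared.key" -subj "/O=Example/CN=alice" -out "$WORK/reuse.csr"  2>/dev/null
openssl req -new -key "$WORK/fresh.key"  -subj "/O=Example/CN=alice" -out "$WORK/newkey.csr" 2>/dev/null

for csr in reuse newkey; do
  echo "$csr.csr: same key in serials [$(conflicts "$WORK/$csr.csr" "$WORK" key)]," \
       "same DN in serials [$(conflicts "$WORK/$csr.csr" "$WORK" dn)]"
done
```

Run as-is: reuse.csr collides with 11 and 12 on both key and DN, which is the situation the OpenCA error describes; newkey.csr passes the key check but is still blocked by the DN check, because the bare DN "CN=alice,O=Example" is already taken. Certificate 13 never collides, since its DN contains "serialNumber=13", which is why carrying the serial in the DN (or disabling UNIQUE_DN) lets the same person be issued a further certificate without a prior revocation. Note that the key check is exactly what an explicit renew action bypasses, so granting "csr renew" on the public interface hands that bypass to everyone who can reach it.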


_______________________________________________
Openca-Users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/openca-users
