Good evening, today is III Non. Mar. MMV, ohaya wrote:

> This is the SUB ROOT CA's Cert:
>
> Certificate:
[...]
> Validity
> Not Before: Mar 2 06:08:03 2005 GMT
> Not After : Feb 27 09:22:27 2008 GMT

A little less than 3 years for the duration is a bit short. Not really a problem for a non-root CA, though.

[...]
> X509v3 extensions:
> X509v3 Basic Constraints: critical
> CA:TRUE

Beware of the certificates you'll sign with this one, as you don't restrict the number of CAs below this one. If you know this CA will *only* sign end-user certificates (humans, servers, routers for example), then you can restrict the pathLen of the basicConstraints extension to '0', and be safer.

> X509v3 Key Usage: critical
> Digital Signature, Certificate Sign, CRL Sign

Unless you'll use this CA to sign messages other than certificates and CRLs, there's no need to put the 'digitalSignature' bit.

> X509v3 Authority Key Identifier:
> keyid:FF:78:E3:03:37:8D:EA:0F:1D:ED:B0:C7:D2:48:49:C6:90:D1:D5:B0

Problem. The issuer of this certificate doesn't have any subjectKeyIdentifier extension, so this authorityKeyIdentifier extension is useless, and could potentially be misused. I know that Mozilla doesn't use the AKI to find the issuing cert, and MSIE does. But I haven't tested the case where an AKI existed without the corresponding SKI.

> This is the ROOT CA's Cert:
>
> Certificate:
> Data:
> Version: 1 (0x0)

That's why you don't have any extensions on this certificate: it's a version 1 certificate. Today, that type of certificate should really be avoided unless there are serious reasons to use them.

[...]
> Validity
> Not Before: Mar 2 05:38:29 2005 GMT
> Not After : Mar 1 09:19:53 2008 GMT

And in 3 years, you'll have to deploy this root certificate again... Consider the base of your existing clients at that time, and the estimated work to do...

[...]
> RSA Public Key: (1024 bit)
> Modulus (1024 bit):

...On the other hand, that's only a 1024-bit key; you can't really create a 20-year certificate with such a key...

> Per earlier messages from Steve Henson, the SUB ROOT CA (CN=ATEST5) has
> "Basic Constraints" with "CA=TRUE", and "Digital Signature, Certificate
> Sign, CRL Sign".
Maybe I haven't followed the thread, but digitalSignature is useless for a cert and CRL signing CA.

--
Erwann ABALEA <[EMAIL PROTECTED] is now keynectis}.com>
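Added example, not from this thread or from OpenSSL's own code: a POSIX shell script that builds a root and sub CA carrying the extensions recommended above (pathlen:0 on the sub CA, keyUsage without digitalSignature, a root with an SKI so the sub CA's AKI is usable), then lints a CA certificate against its issuer for the points raised in the reply. It assumes OpenSSL 1.1.1 or later on PATH; the subjects, file names and temp directory are made up.

```shell
# Added example (not from the thread): build a root/sub CA pair carrying the
# extensions the reply recommends, then lint a CA cert against its issuer.
# Assumes OpenSSL 1.1.1+ on PATH; file names and subjects are made up.
set -eu
WORK=$(mktemp -d)

make_ca_pair() {
  # Root: v3, 2048-bit RSA, SKI present (so a child's AKI can match it),
  # keyUsage limited to keyCertSign+cRLSign, i.e. no digitalSignature.
  printf '%s\n' '[req]' 'distinguished_name=dn' 'x509_extensions=ca' '[dn]' \
    '[ca]' 'basicConstraints=critical,CA:TRUE,pathlen:1' \
    'keyUsage=critical,keyCertSign,cRLSign' 'subjectKeyIdentifier=hash' > "$WORK/root.cnf"
  openssl req -x509 -config "$WORK/root.cnf" -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -subj /CN=ExampleRoot -keyout "$WORK/root.key" -out "$WORK/root.pem" 2>/dev/null
  # Sub CA: pathlen:0, so it can only issue end-entity certificates.
  printf '%s\n' 'basicConstraints=critical,CA:TRUE,pathlen:0' \
    'keyUsage=critical,keyCertSign,cRLSign' 'subjectKeyIdentifier=hash' \
    'authorityKeyIdentifier=keyid' > "$WORK/sub.ext"
  openssl req -new -config "$WORK/root.cnf" -newkey rsa:2048 -nodes -sha256 \
    -subj /CN=ExampleSubCA -keyout "$WORK/sub.key" -out "$WORK/sub.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/sub.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
    -CAcreateserial -days 1095 -sha256 -extfile "$WORK/sub.ext" -out "$WORK/sub.pem" 2>/dev/null
}

# lint_ca CERT ISSUER: one line per finding raised in the thread; silent when clean.
lint_ca() {
  txt=$(openssl x509 -in "$1" -noout -text)
  echo "$txt" | grep -q 'Version: 3' || echo "not a v3 certificate: no extensions possible"
  echo "$txt" | grep -q 'CA:TRUE, pathlen:' || echo "basicConstraints without pathlen limit"
  case "$(echo "$txt" | sed -n '/X509v3 Key Usage/{n;p;}')" in
    *'Digital Signature'*) echo "digitalSignature set on a cert/CRL signing CA" ;;
  esac
  bits=$(echo "$txt" | sed -n 's/.*Public[- ]Key: (\([0-9]*\) bit).*/\1/p')
  [ "${bits:-0}" -ge 2048 ] || echo "weak key: ${bits:-unknown} bits"
  # An AKI must name a key the issuer advertises in its SKI, otherwise it is useless.
  aki=$(echo "$txt" | sed -n '/Authority Key Identifier/{n;s/keyid://;s/ //g;p;}')
  ski=$(openssl x509 -in "$2" -noout -text | sed -n '/Subject Key Identifier/{n;s/ //g;p;}')
  [ -z "$aki" ] || [ "$aki" = "$ski" ] || echo "AKI keyid $aki does not match issuer SKI"
  return 0
}

make_ca_pair
echo "sub CA findings:"; lint_ca "$WORK/sub.pem" "$WORK/root.pem"
echo "sub CA checked against the wrong issuer:"; lint_ca "$WORK/sub.pem" "$WORK/sub.pem"
```

Point lint_ca at the certificates from the thread (with the root as its own issuer) and it reports the v1 root, the missing pathlen, the digitalSignature bit, the 1024-bit key and the dangling AKI in one pass.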