Dear all,

I'm new to openssl and I've got a question about putting a certificate "on hold". Maybe someone can please confirm or correct my thoughts?

As far as I understand things, you can either revoke a cert (which is not reversible) or you can put a cert "on hold". "Holding" a cert is a reversible process, meaning you can "un-hold" the cert and use the SAME cert after it was un-holded. Is this true?

Putting a cert "on hold" is like revoking a cert; you only have to provide the reason code "certificate Hold". Then an entry in the CRL will be generated that looks as follows:

    Certificate Revocation List (CRL):
            Version 2 (0x1)
            Signature Algorithm: sha1WithRSAEncryption
            Issuer: /C=DE/ST=by/L=muc/O=--/OU=--/CN=HK/emailAddress=xxxxxx
            Last Update: Oct 13 07:40:50 2008 GMT
            Next Update: Oct 13 07:40:50 2009 GMT
    Revoked Certificates:
        Serial Number: 01
            Revocation Date: Oct 13 07:40:50 2008 GMT
            CRL entry extensions:
                X509v3 CRL Reason Code:
                    Certificate Hold
        Serial Number: 03
            Revocation Date: Oct 10 08:58:24 2008 GMT
            CRL entry extensions:
                X509v3 CRL Reason Code:
                    Key Compromise
        Signature Algorithm: sha1WithRSAEncryption
            97:68:89:05:c8:58:bd:a6:e4:c8:df:99:0c:25:f4:d6:b7:98:
            3e:56:c0:4d:98:d9:2e:c0:15:85:13:e3:2c:1e:77:a8:52:00:
            ce:00:7d:69:30:b7:87:a1:ae:b4:51:16:e0:5f:c8:c0:[...]

What I do not understand is how to "un-hold" the cert. What do I have to do? Theoretically "un-holding" would mean that you remove the serial number of the "holded" cert from the CRL?

Best regards,
Martin
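For anyone auditing CRLs like the one quoted above, here is an added example (not part of the original post and not OpenSSL project code) that parses `openssl crl -text` output and compares two successive CRLs to see which serials are on hold and which have left the list. It assumes, as the post supposes, that a released hold shows up as the serial disappearing from the next CRL; both CRL texts and the names `revoked_entries` and `compare_crls` are constructed for the illustration.

```python
# Constructed sample modelled on the CRL dump in the post (header and signature bytes omitted).
OLD_CRL = """\
Revoked Certificates:
    Serial Number: 01
        Revocation Date: Oct 13 07:40:50 2008 GMT
        CRL entry extensions:
            X509v3 CRL Reason Code:
                Certificate Hold
    Serial Number: 03
        Revocation Date: Oct 10 08:58:24 2008 GMT
        CRL entry extensions:
            X509v3 CRL Reason Code:
                Key Compromise
    Signature Algorithm: sha1WithRSAEncryption
"""
# Constructed later CRL: serial 01 is gone, serial 03 is still listed.
NEW_CRL = """\
Revoked Certificates:
    Serial Number: 03
        Revocation Date: Oct 10 08:58:24 2008 GMT
        CRL entry extensions:
            X509v3 CRL Reason Code: Key Compromise
    Signature Algorithm: sha1WithRSAEncryption
"""

def revoked_entries(text):
    """Map serial -> reason (None if no reason code) from `openssl crl -text` output."""
    entries, serial, want_reason = {}, None, False
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("Serial Number:"):
            serial = line.split(":", 1)[1].strip().upper()
            entries[serial], want_reason = None, False
        elif serial is None or not line:
            continue
        elif line.startswith("Signature Algorithm:"):
            serial = None                       # end of the revoked list
        elif line.startswith("X509v3 CRL Reason Code:"):
            inline = line.split(":", 1)[1].strip()
            # The reason is either on this line or on the next non-empty one.
            entries[serial], want_reason = inline or None, not inline
        elif want_reason:
            entries[serial], want_reason = line, False
    return entries

def compare_crls(old_text, new_text):
    """Report serials on hold now, and serials that left the list between two CRLs."""
    old, new = revoked_entries(old_text), revoked_entries(new_text)
    gone = sorted(set(old) - set(new))
    return {
        "on_hold": sorted(s for s, r in new.items() if r == "Certificate Hold"),
        "released_from_hold": [s for s in gone if old[s] == "Certificate Hold"],
        "dropped_other": [s for s in gone if old[s] != "Certificate Hold"],
    }
```

A serial reported under `dropped_other` left the list without having been on hold, which is the case worth a closer look when reviewing a CA's CRL history.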