Dear all,

I'm new to openssl and I've got a question about putting a certificate
"on hold". Maybe someone can please confirm or correct my thoughts?

As far as I understand things, you can either revoke a cert (which is
not reversible) or you can put a cert "on hold".

"Holding" a cert is a reversible process, meaning you can "un-hold"
the cert and use the SAME cert after it was un-held. Is this true?
Putting a cert "on hold" is like revoking a cert; you only have to
provide the reason code "certificate Hold". Then an entry in the CRL
will be generated that looks as follows:

Certificate Revocation List (CRL):
        Version 2 (0x1)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: /C=DE/ST=by/L=muc/O=--/OU=--/CN=HK/emailAddress=xxxxxx
        Last Update: Oct 13 07:40:50 2008 GMT
        Next Update: Oct 13 07:40:50 2009 GMT
Revoked Certificates:
    Serial Number: 01
        Revocation Date: Oct 13 07:40:50 2008 GMT
        CRL entry extensions:
            X509v3 CRL Reason Code:
                Certificate Hold
    Serial Number: 03
        Revocation Date: Oct 10 08:58:24 2008 GMT
        CRL entry extensions:
            X509v3 CRL Reason Code:
                Key Compromise
    Signature Algorithm: sha1WithRSAEncryption
        97:68:89:05:c8:58:bd:a6:e4:c8:df:99:0c:25:f4:d6:b7:98:
        3e:56:c0:4d:98:d9:2e:c0:15:85:13:e3:2c:1e:77:a8:52:00:
        ce:00:7d:69:30:b7:87:a1:ae:b4:51:16:e0:5f:c8:c0:[...]

What I do not understand is how to "un-hold" the cert. What do I have
to do? Theoretically, "un-holding" would mean that you remove the
serial number of the "held" cert from the CRL?

Best regards,
Martin
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
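Added example (not from the post above and not OpenSSL's own code): a small Python checker that parses `openssl crl -text` style output like the one quoted in the post and classifies a serial as good, on hold (reversible) or revoked (final). The sample CRL text is constructed after the post's output, and the second CRL assumes that an un-hold shows up to a relying party simply as the serial no longer being listed in the next CRL the issuer publishes.

```python
# Constructed sample modelled on the CRL text quoted in the post (openssl crl -text output).
HOLD_ENTRY = """\
    Serial Number: 01
        Revocation Date: Oct 13 07:40:50 2008 GMT
            X509v3 CRL Reason Code:
                Certificate Hold
"""
CRL_OLD = """\
        Issuer: /C=DE/ST=by/L=muc/O=--/OU=--/CN=HK
Revoked Certificates:
""" + HOLD_ENTRY + """\
    Serial Number: 03
        Revocation Date: Oct 10 08:58:24 2008 GMT
            X509v3 CRL Reason Code:
                Key Compromise
    Signature Algorithm: sha1WithRSAEncryption
"""
# A later CRL from the same issuer in which serial 01 is simply no longer listed (un-held).
CRL_NEW = CRL_OLD.replace(HOLD_ENTRY, "")
def parse_crl_text(text):
    """Map each serial in the 'Revoked Certificates' section to its CRL reason string."""
    entries, serial, in_list, want_reason = {}, None, False, False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Revoked Certificates:":
            in_list = True
        elif not in_list:
            continue
        elif line.startswith("Signature Algorithm:"):
            break  # the signature block ends the entry list
        elif line.startswith("Serial Number:"):
            serial = int(line.split(":", 1)[1], 16)
            entries[serial] = "Unspecified"  # until a reason-code extension is seen
        elif line == "X509v3 CRL Reason Code:":
            want_reason = True
        elif want_reason:
            entries[serial], want_reason = line, False
    return entries
def cert_status(crl_text, serial):
    """'good', 'on hold' (reversible) or 'revoked (<reason>)' (final) for one serial."""
    reason = parse_crl_text(crl_text).get(serial)
    if reason is None:
        return "good"
    if reason == "Certificate Hold":
        return "on hold"  # relying parties still reject it until a later CRL drops the serial
    return "revoked (%s)" % reason
def released_from_hold(old_crl, new_crl):
    """Serials on hold in old_crl that the later new_crl no longer lists, i.e. un-held."""
    old, new = parse_crl_text(old_crl), parse_crl_text(new_crl)
    return sorted(s for s, r in old.items() if r == "Certificate Hold" and s not in new)
```

Whether the hold is reversible or not, a relying party treats the certificate as unusable for as long as its serial appears in the current CRL; only a later CRL without the entry restores it.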
