Hello,

Today, XIV Kal. Iun. MMXI, Tim Watts wrote:

> I do apologise - it's a long post. I'm just not totally sure if I
> have the correct attributes and extensions - and whether it meets
> the requirements of a v3 SSL cert (I think it does). Is 4096 bit key
> and sha1 a good choice?

SHA1 is still tolerated, but is slowly becoming obsolete. You can still use it if your serial numbers have some randomness, which is not the case here. Either use one member of the SHA2 family, or generate random serial numbers.

> And is the revocation bit done correctly (assuming I actually
> maintain a CRL from openssl ca -gencrl at the url above?

All the "ns*" extensions are deprecated, and shouldn't be used anymore. The nsCaRevocationUrl extension should be replaced by this:

    crlDistributionPoints = URI:http://www.example.com/ssl/CA-example.com.crl

You don't need to place a CRLDP extension in the root CA certificate (a root can't really revoke itself).

You forgot to place the keyUsage extension in your server certificates.

The issuerAltName extension is useless as stated (I'd say it's also useless in general, but I won't argue).

I'd set the critical flag for the basicConstraints extension (both CA and end-users (server+user)).

-- 
Erwann ABALEA <erwann.aba...@keynectis.com>
R&D Department, KEYNECTIS
-----
Your mouse has moved. Please reboot to continue.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
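The changes the reply asks for, put together as an added example (not code from the thread): extension sections with critical basicConstraints, keyUsage on the server cert, crlDistributionPoints in place of nsCaRevocationUrl and no CRLDP on the root, signed with SHA-256 and a random serial. Subject names, the temporary paths and the CRL URL are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the thread: the extension sections the reply asks for,
# applied with openssl x509 -req. Subject names, paths and the CRL URL are constructed.
set -e
WORK=$(mktemp -d)

write_extensions() {
  # Root: critical basicConstraints and keyUsage, no CRLDP (a root cannot revoke itself).
  # Server: keyUsage added, nsCaRevocationUrl replaced by crlDistributionPoints.
  cat > "$WORK/ext.cnf" <<'EOF'
[ v3_ca ]
subjectKeyIdentifier   = hash
basicConstraints       = critical, CA:TRUE
keyUsage               = critical, keyCertSign, cRLSign

[ v3_server ]
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid, issuer
basicConstraints       = critical, CA:FALSE
keyUsage               = critical, digitalSignature, keyEncipherment
extendedKeyUsage       = serverAuth
crlDistributionPoints  = URI:http://www.example.com/ssl/CA-example.com.crl
EOF
}

build_chain() {
  write_extensions
  # Root CA, self-signed from a CSR, SHA-256 signature instead of SHA-1.
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=Example Root CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.csr" 2>/dev/null
  openssl x509 -req -sha256 -days 3650 -in "$WORK/ca.csr" -signkey "$WORK/ca.key" \
    -extfile "$WORK/ext.cnf" -extensions v3_ca -out "$WORK/ca.crt" 2>/dev/null
  # Server cert: 128-bit random serial from openssl rand rather than a sequential one.
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=www.example.com" \
    -keyout "$WORK/srv.key" -out "$WORK/srv.csr" 2>/dev/null
  openssl x509 -req -sha256 -days 365 -in "$WORK/srv.csr" -CA "$WORK/ca.crt" \
    -CAkey "$WORK/ca.key" -set_serial "0x$(openssl rand -hex 16)" \
    -extfile "$WORK/ext.cnf" -extensions v3_server -out "$WORK/srv.crt" 2>/dev/null
}

# Decode the server certificate and confirm each point raised in the reply is present.
check_server_cert() {
  txt=$(openssl x509 -in "$WORK/srv.crt" -noout -text)
  echo "$txt" | grep -q 'sha256WithRSAEncryption' || return 1
  echo "$txt" | grep -q 'X509v3 Basic Constraints: critical' || return 1
  echo "$txt" | grep -q 'X509v3 Key Usage' || return 1
  echo "$txt" | grep -q 'CA-example.com.crl' || return 1
  echo "$txt" | grep -A1 'Serial Number' | grep -qE '([0-9a-f]{2}:){15}' || return 1
  openssl verify -CAfile "$WORK/ca.crt" "$WORK/srv.crt" >/dev/null
}
```

Run `build_chain` followed by `check_server_cert`; the check fails if the signature is not SHA-256, basicConstraints is not critical, keyUsage or the CRLDP is missing, or the serial is shorter than 16 bytes.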