On 25/03/2014 17:44, Zack Williams wrote:
> On Fri, Mar 21, 2014 at 12:25 AM, Stefan H. Holek <ste...@epy.co.at> wrote:
>> I have updated the OpenSSL PKI Tutorial at Read the Docs. The tutorial provides
>> three complete PKI examples you can play through and the prettiest
>> configuration files this side of Neptune. Check it out!
>> https://pki-tutorial.readthedocs.org/
>
> This is really awesome. I've been trying to make sense of the config
> files for cert generation and align to best practices (when I can find
> them), and having good documentation is great.
>
> A few questions:
>
> 1. Is there a reason you're not using SHA-256 hash by default - it
> appears that SHA-1 is being recommended against currently:
> http://www.digicert.com/sha-2-ssl-certificates.htm

Good point.

> 2. I couldn't figure out what the [additional_oids] section of the
> Expert example's root-ca.conf file is for - either through research or
> going through the commit history. Could you elaborate on what that
> accomplishes?
> https://pki-tutorial.readthedocs.org/en/latest/expert/root-ca.conf.html

The OIDs are used in the CertificatePolicies extension of a subordinate
CA of this root CA.

For a policyId to be acceptable for an end-user certificate, this same
policyId (or the special value anyPolicy) MUST be present in all CAs
between this end-user cert and the root CA. The root CA is special in
that it doesn't need to contain any CertificatePolicies extension.

> 3. Is there a reason to not set a pathLen in the basicConstraints
> section of the Root CA (to 1, to allow a maximum of one layer of
> CAs below the Root), but to do so on the Intermediate CAs?

Because it's not used by the standardized validation algorithm (RFC 5280
section 6, X.509 section 10).
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org
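The three points in the thread above (SHA-256 as the default digest, a policy OID that every CA between the leaf and the trust anchor must carry, and pathlen:0 on the intermediate), as an added worked example. This is not from the PKI tutorial, the thread or the OpenSSL project: it builds a throwaway three-tier PKI with the openssl CLI and then runs openssl verify against it. All names and the policy OID 1.3.6.1.4.1.99999.1.1 are made up for the demo, and it assumes an openssl binary of 1.1.1 or later on PATH (older versions return exit status 0 from verify even on failure).

```shell
#!/bin/sh
# Added example, not from the tutorial: a scratch PKI that demonstrates
#   1. default_md = sha256 in [req] makes SHA-256 the signing digest,
#   2. under -explicit_policy a policy OID is only accepted when every CA
#      between the leaf and the trust anchor carries it (the root needs none),
#   3. pathlen:0 on the intermediate is enforced by the verifier, not at
#      issuance: x509 -req happily mints a sub-sub-CA, but the chain fails.
# Names and the policy OID below are hypothetical.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

POLICY_OID=1.3.6.1.4.1.99999.1.1   # made-up policy OID, not registered anywhere

cat > pki.cnf <<EOF
[req]
default_md         = sha256      # point 1: never sha1
prompt             = no
distinguished_name = dn

[dn]
CN = placeholder                 # overridden by -subj on the command line

[v3_root]
basicConstraints     = critical, CA:true   # no pathlen, no certificatePolicies
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash

[v3_sub]
basicConstraints     = critical, CA:true, pathlen:0   # point 3
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
certificatePolicies  = $POLICY_OID                    # point 2

[v3_sub_nopolicy]
basicConstraints     = critical, CA:true, pathlen:0
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash

[v3_leaf]
basicConstraints     = CA:false
keyUsage             = critical, digitalSignature
extendedKeyUsage     = serverAuth
certificatePolicies  = $POLICY_OID
EOF

genkey() { openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:prime256v1 -out "$1"; }

# Self-signed root: the digest comes from default_md, nothing on the command line.
genkey root.key
openssl req -x509 -new -key root.key -subj "/CN=Demo Root CA" \
    -config pki.cnf -extensions v3_root -days 30 -out root.crt

# issue NAME ISSUER EXT_SECTION: CSR for NAME, signed by ISSUER with extensions from pki.cnf.
# x509 -req takes no default_md from the config, so the digest is given explicitly.
issue() {
    genkey "$1.key"
    openssl req -new -key "$1.key" -subj "/CN=Demo $1" -config pki.cnf -out "$1.csr"
    openssl x509 -req -in "$1.csr" -CA "$2.crt" -CAkey "$2.key" -CAcreateserial \
        -sha256 -days 30 -extfile pki.cnf -extensions "$3" -out "$1.crt" 2>/dev/null
}

issue sub    root   v3_sub            # intermediate carrying the policy, pathlen:0
issue leaf   sub    v3_leaf
issue sub2   root   v3_sub_nopolicy   # intermediate with no certificatePolicies at all
issue leaf2  sub2   v3_leaf           # leaf asserts the policy, its issuer does not
issue subsub sub    v3_sub            # violates sub's pathlen:0; issuance still succeeds
issue leaf3  subsub v3_leaf
cat sub.crt subsub.crt > chain3.pem

# check LEAF UNTRUSTED [verify options...] -> prints OK or FAIL
check() {
    leaf=$1; untrusted=$2; shift 2
    if openssl verify -CAfile root.crt -untrusted "$untrusted" "$@" "$leaf" >/dev/null 2>&1; then
        echo OK
    else
        echo FAIL
    fi
}

# sig_alg CERT -> signature algorithm name, e.g. ecdsa-with-SHA256
sig_alg() { openssl x509 -in "$1" -noout -text | awk '/Signature Algorithm/ { print $3; exit }'; }

echo "root signature algorithm:   $(sig_alg root.crt)"
echo "plain chain:                $(check leaf.crt sub.crt)"
echo "policy, CA carries it:      $(check leaf.crt sub.crt -policy_check -explicit_policy -policy "$POLICY_OID")"
echo "policy, CA lacks it:        $(check leaf2.crt sub2.crt -policy_check -explicit_policy -policy "$POLICY_OID")"
echo "pathlen:0 exceeded:         $(check leaf3.crt chain3.pem)"
```

Drop the `>/dev/null 2>&1` in check to see the reasons: the second chain is rejected with "no explicit policy" because sub2 contributes nothing to the policy tree, and the third with "path length constraint exceeded" because sub's pathlen:0 forbids any CA beneath it. Note that the root has neither a pathlen nor a certificatePolicies extension and both checks still work, matching the reply above.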