openssl.cnf option to allow duplicate DNs?
I once found the config option but I cannot find any reference to it now. Can someone remind me what the option to set in openssl.cnf to allow two certificates with the same DN to be issued is?

Thanks,
- John Douglass
Georgia Tech

__
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager [EMAIL PROTECTED]
openssl ca function (SPKAC vs. PKCS10req)
I have noticed that when signing an SPKAC vs. a PKCS10 request, the resulting -out file is in a different format. For example:

    openssl ca -spkac request.spkac -out cert1.file

results in a DER file, whereas

    openssl ca -in request.pkcs10 -out cert2.file

results in a PKCS10 PEM file.

Ideally, depending on what you're doing, an additional option -outform would be nice to have if it's going to be switching formats like this, so I could theoretically get a definitive format when I use that command. Or am I doing something wrong? :)

- John Douglass, Georgia Tech (http://papyrus.gatech.edu)
copy_extensions = copy?
I noticed this setting in the openssl.cnf file (as of late) and was wondering what the actual effect of turning this off or on is...

    # Extension copying option: use with caution.
    # copy_extensions = copy

Uncommenting means that we can use things like:

    # Import the email address.
    # subjectAltName=email:copy

or

    # Copy subject details
    # issuerAltName=issuer:copy

??

Thanks!
- John Douglass, Georgia Tech
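Worked example, added here and not taken from any of the posts above, tying the three questions together (the option that allows a duplicate DN, the DER output of `openssl ca -spkac`, and the effect of `copy_extensions`). It is a POSIX shell script that builds throwaway CAs in mktemp directories and exercises each setting; it assumes OpenSSL 1.1.1 or later (it relies on `req -addext` and `x509 -ext`). The option the first post was looking for is `unique_subject` in the CA section of openssl.cnf: with `unique_subject = yes` (the default) `openssl ca` refuses a second certificate for a DN that still has a valid entry in index.txt, while `unique_subject = no` issues it under a fresh serial; that same re-signing of an unchanged request is what the renewal thread further down relies on. The subjects (demo-ca, alice, www.example.test, spkac-user), the directory layout and the 30-day lifetime are constructed for the demo. One design point is deliberate: with `copy_extensions = copy`, every extension in the request that the CA's own `x509_extensions` section does not define is copied into the certificate, so the script pins `basicConstraints` and `keyUsage` in that section, which is the guard the "use with caution" comment is about.

```shell
#!/bin/sh
# Added example, not code from the original posts. Each helper builds a throwaway
# CA whose openssl.cnf differs only in the option under test, then exercises it:
#   unique_subject  = no|yes     may the CA issue two certificates with one DN?
#   copy_extensions = copy|none  does a subjectAltName asked for in the CSR survive?
# and shows that 'openssl ca -spkac' writes DER, unlike the PEM written for a
# PKCS#10 request. Assumes OpenSSL 1.1.1 or later ('req -addext', 'x509 -ext').
set -e
command -v openssl >/dev/null 2>&1 || { echo "openssl not found; nothing to run" >&2; exit 0; }
KEY="-newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes"   # fast throwaway keys

# new_ca UNIQUE_SUBJECT COPY_EXTENSIONS : prints the directory of a fresh CA
new_ca() {
  d=$(mktemp -d "${TMPDIR:-/tmp}/demo-ca.XXXXXX")
  mkdir "$d/newcerts"; : > "$d/index.txt"; echo 01 > "$d/serial"
  cat > "$d/ca.cnf" <<EOF
[ ca ]
default_ca = demo_ca
[ demo_ca ]
dir             = $d
database        = \$dir/index.txt
new_certs_dir   = \$dir/newcerts
serial          = \$dir/serial
certificate     = \$dir/ca.pem
private_key     = \$dir/ca.key
default_md      = sha256
default_days    = 30
policy          = policy_cn
unique_subject  = $1
copy_extensions = $2
x509_extensions = end_entity
[ policy_cn ]
commonName = supplied
[ end_entity ]
# Kept in the CA's own section so a request can never override them, even
# when copy_extensions = copy (the "use with caution" in openssl.cnf).
basicConstraints = critical,CA:FALSE
keyUsage         = critical,digitalSignature
[ req ]
distinguished_name = req_dn
[ req_dn ]
commonName = Common Name
EOF
  openssl req -x509 -config "$d/ca.cnf" $KEY -subj /CN=demo-ca -days 30 \
    -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null
  echo "$d"
}

# csr CADIR NAME [REQ-OPTIONS...] : PKCS#10 request for /CN=NAME, prints its path
csr() {
  d=$1; n=$2; shift 2
  openssl req -new -config "$d/ca.cnf" $KEY -subj "/CN=$n" "$@" \
    -keyout "$d/$n.key" -out "$d/$n.csr" 2>/dev/null
  echo "$d/$n.csr"
}

# sign CADIR CSR OUT : 'openssl ca' on a PKCS#10 request (PEM out); status 0 = issued
sign() { openssl ca -batch -config "$1/ca.cnf" -in "$2" -out "$3" >/dev/null 2>&1; }

# issued_count UNIQUE_SUBJECT : submit the same CSR (same DN, same key) twice and
# print how many valid ('V') entries the CA recorded in index.txt
issued_count() {
  d=$(new_ca "$1" none); r=$(csr "$d" alice)
  sign "$d" "$r" "$d/alice1.pem" || true
  sign "$d" "$r" "$d/alice2.pem" || true     # refused when unique_subject = yes
  grep -c '^V' "$d/index.txt"
}

# spkac_subject : certify an SPKAC (Netscape keygen-style) request; the output is
# DER, so re-encode it with 'openssl x509' and print the subject read back from PEM
spkac_subject() {
  d=$(new_ca no none)
  openssl genrsa -out "$d/spkac.key" 2048 2>/dev/null          # SPKAC signing needs RSA
  { echo "CN=spkac-user"; openssl spkac -key "$d/spkac.key" -challenge demo; } > "$d/req.spkac"
  openssl ca -batch -config "$d/ca.cnf" -spkac "$d/req.spkac" -out "$d/spkac.der" >/dev/null 2>&1
  openssl x509 -inform DER -in "$d/spkac.der" -out "$d/spkac.pem"   # DER -> PEM
  openssl x509 -in "$d/spkac.pem" -noout -subject
}

# san_of_issued COPY_EXTENSIONS : sign a CSR carrying a subjectAltName and print the
# DNS names that reached the certificate (nothing when copy_extensions = none)
san_of_issued() {
  d=$(new_ca no "$1")
  r=$(csr "$d" www.example.test -addext "subjectAltName=DNS:www.example.test")
  sign "$d" "$r" "$d/san.pem"
  openssl x509 -in "$d/san.pem" -noout -ext subjectAltName 2>/dev/null | grep DNS || true
}

echo "same DN issued twice: unique_subject=no -> $(issued_count no), yes -> $(issued_count yes)"
echo "SPKAC certificate re-encoded DER->PEM: $(spkac_subject)"
echo "SAN with copy_extensions=copy: $(san_of_issued copy)"
echo "SAN with copy_extensions=none: '$(san_of_issued none)'"
```

Run it with a modern OpenSSL on the path; the first line of output shows 2 certificates for the lax CA and 1 for the strict one, the SAN appears only for the CA configured with `copy`, and the SPKAC certificate is readable with `openssl x509` only after the `-inform DER` step.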
Re: Certificate Renewal
On Wed, 7 Feb 2001, John Douglass wrote:

> Is anyone playing around with certificate renewals? I'm trying to figure out how to accomplish this given:
>
> 1) Certificate is installed in the browser already
> 2) I have the certificate (SPKAC) file on the CA
> 3) I have the signed public key on the CA
>
> In order to "renew" do I:
>
> A) Need to "resign" the SPKAC request or
> B) Apply modification of the signed public key (with the appropriate commands, then cat to the browser) and update the "index.txt" file that OpenSSL uses?
>
> I was originally attempting to revoke, resign the SPKAC file faking the "serial" number, but OpenSSL didn't like that. :)

I think I figured it out. I just need to resign the SPKAC file and then cat that to Netscape. It does the pairing up with the private key. Netscape automatically selects the latest certificate associated with the key. However, the browser does have a record of the OLD signed key (which you can view/delete at will). There is a new serial number associated with the certificate, but the old serial will be expired soon at any rate.

Since we're not doing Digital Signature or S/MIME with our certs, this will probably work for us. I'll have to test the S/MIME behaviour at a later date to see if this method of renewal still allows for the encrypted info to be read.

If anyone has a better suggestion or more experience than I, I'd love the correction in my implementation.

- JohnD, Georgia Tech
modssl related question
I'm getting the following messages in my ssl_engine_log:

    [25/Jan/2001 16:31:56 18090] [error] OpenSSL: error:1408F071:SSL routines:SSL3_GET_RECORD:bad mac decode [Hint: Browser still remembered details of a re-created server certificate?]

I am unsure as to how to remedy this... Anyone else experienced this?

- John Douglass, Georgia Tech
SCEP?
Anyone have any experience using OpenSSL to do SCEP (Simple Certificate Enrollment Protocol)? Primarily I'm trying to decode these SCEP messages from a Cisco box so I can write the proper Perl scripts to respond.

Thanks,
- John Douglass