Re: Reissue CA certificate

2003-06-21 Thread pablo neira
Hi David,

I found your question quite interesting, I thought it wasn't possible in 
the beginning but I found some documentation related to this stuff after 
some time.

http://www.qxmail.com/bio/structuredarts/docs/edu/reissue.htm

This link is documentation related to how to reissue the Root CA 
certificate by using Netscape Certificate Server (proprietary software); 
anyway, I think it's nice to reissue your Root CA by using OpenSSL, and 
what it says makes sense.

Here comes the magical recipe:

1) You must generate a request (pkcs#10) with the same Distinguished Name 
and NotBefore (beginning date) fields (I would also use the same 
EmailAddress...).  The NotAfter must be older than the first one. The 
extensions must also be the same (nsCertType, nsX...).
2) Use the same Private Key to self-sign the Root CA cert.
3) Load the new Root CA cert to all server and clients.

I didn't try this and I cannot do it at this moment, so let me know how 
everything goes.

Pablo
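The recipe above, worked through with the OpenSSL command line as an added example (not part of the thread): the root CA certificate is reissued with the same private key and subject but a longer validity, and an end-entity certificate issued under the old CA certificate is then checked against the reissued one. The subject names are constructed, the openssl CLI is assumed to be installed, and NotBefore is not pinned (`req -x509` stamps the current time).

```shell
#!/bin/sh
# Added example (not from the thread): reissue a self-signed root CA cert
# with the SAME private key and subject but a longer validity, then check
# that a leaf cert signed under the old CA cert still verifies against it.

reissue_ca_demo() (
    set -e
    work=$(mktemp -d)
    cd "$work"
    subj="/C=XX/O=Example Org/CN=Example Root CA"   # constructed subject

    # Root key and the original, short-lived (30 day) self-signed CA cert.
    openssl genrsa -out ca.key 2048 2>/dev/null
    openssl req -x509 -new -key ca.key -sha256 -days 30 \
        -subj "$subj" -out ca-old.crt 2>/dev/null

    # End-entity certificate issued under the original CA certificate.
    openssl genrsa -out leaf.key 2048 2>/dev/null
    openssl req -new -key leaf.key -subj "/CN=server.example" \
        -out leaf.csr 2>/dev/null
    openssl x509 -req -in leaf.csr -CA ca-old.crt -CAkey ca.key \
        -CAcreateserial -sha256 -days 365 -out leaf.crt 2>/dev/null

    # Reissue: same key and subject, so Issuer/Subject names, public key
    # and subjectKeyIdentifier are unchanged; only the validity grows.
    openssl req -x509 -new -key ca.key -sha256 -days 3650 \
        -subj "$subj" -out ca-new.crt 2>/dev/null

    # Public keys must be identical, otherwise existing chains break.
    old_pub=$(openssl x509 -in ca-old.crt -noout -pubkey)
    new_pub=$(openssl x509 -in ca-new.crt -noout -pubkey)
    [ "$old_pub" = "$new_pub" ]

    # The leaf chains to the old CA cert and to the reissued one.
    openssl verify -CAfile ca-old.crt leaf.crt >/dev/null
    openssl verify -CAfile ca-new.crt leaf.crt >/dev/null

    # Validity really was extended: the old cert expires within 40 days,
    # the reissued one does not (-checkend exits 0 if still valid then).
    forty_days=$((40 * 86400))
    if openssl x509 -in ca-old.crt -noout -checkend "$forty_days" >/dev/null; then
        exit 1
    fi
    openssl x509 -in ca-new.crt -noout -checkend "$forty_days" >/dev/null
    rm -rf "$work"
)

reissue_ca_demo && echo "reissued CA verified OK"
```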

David wrote:

Hello list,

I have some questions about reissuing of CA certificates. Imagine I've got
the following hierarchy within my PKI.

     TLCA
       |
       CA
       |
  end-entities

If the CA certificate is about to expire before the certificates
of the end-entities do, can I reissue the CA certificate with an extended
validity period to work around this?
If yes,
can I do this by issuing a certificate with the same public key, CN and
subjectKeyIdentifier from the current CA certificate? Because those are the
only "fields" which are used within the verifying process, if I'm right.
I hope someone can shine some light on this situation.

Thanks in advance,

David


__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]


Re: Automating Openssl commands

2003-06-06 Thread pablo neira
Dr. Stephen Henson wrote:

On Fri, Jun 06, 2003, Kwan Hon Luen wrote:


Hi,

How do I automate the signing of server certificate by a CA ?
without the following prompt:
(1) "Enter PEM pass phrase:"
(2) "Sign the certificate?"
(3) "commit?"

Use the 'x509' utility instead; the passphrase can be entered via -passin and there
are no other prompts.

But this way you don't keep the index.txt file with all the valid 
certificates generated, so it seems there's no way to automate the 
process by using the 'ca' utility, am I right?

Thanks
Pablo


Re: Startup error

2003-06-06 Thread pablo neira
Swenson, Chris wrote:

I have installed apache 1.3.27 with openssl-0.9.7b and mod-ssl2.8.13-1.3.27.
This is all running on RH 8.0.
I installed the default certificate to play with and all was good.
I purchased a certificate from VeriSign and things are so so.
When the server starts, in the ssl_engine_log I get the following error:
[warn] Init: (ragnarock.domain.tld:443) RSA server certificate CommonName
'RAGNAROCK' does not match server name!?
I have messed with the server name ad nauseam.  Any ideas out there?

The Common Name of your server certificate should be the FQDN, so it 
should be "ragnarock.domain.tld" and not "ragnarock"; that's why you got 
that warning message.

Also, since this service runs on a virtual server, should I have the virtual
server under a different name than the actual server name?  This is a single
purpose server only.

Cheers,
Pablo