Hodie XV Kal. Iun. MMXI, Alex Bergmann scripsit:
On 05/18/2011 11:17 AM, Erwann ABALEA wrote:
Bonjour,
Hodie XV Kal. Iun. MMXI, Jean-Ann GUEGAN scripsit:
Hi !
It’s possible to renew a Certificate Autority or extend the date
validity
?
These 2 options are possible.
Hi folks,
I'm setting up a new CA/SSL infrastructure for work - the CA is self
signed and all SSL certs (mostly server certs rather than client certs)
will be signed off against this CA.
I've just made the effort to try to actually understand SSL a bit better
rather than monkey churning
On Thu, May 19, 2011 at 5:44 AM, Tim Watts t...@dionic.net wrote:
Hi folks,
I'm setting up a new CA/SSL infrastructure for work - the CA is self signed
and all SSL certs (mostly server certs rather than client certs) will be
signed off against this CA.
I've just made the effort to try to
On 19/05/11 11:53, Jeffrey Walton wrote:
I'm setting up a new CA/SSL infrastructure for work
...
and whether it meets the requirements of a v3 SSL cert
(I think it does). Is 4096 bit key and sha1 a good choice?
SHA-1 is not a good choice here. You are exceeding 128 bits of
security with the
Bonjour,
Hodie XIV Kal. Iun. MMXI, Tim Watts scripsit:
I do apologise - it's a long post. I'm just not totally sure if I
have the correct attributes and extensions - and whether it meets
the requirements of a v3 SSL cert (I think it does). Is 4096 bit key
and sha1 a good choice?
SHA1 is
Bonjour :)
On 19/05/11 13:03, Erwann ABALEA wrote:
Bonjour,
Hodie XIV Kal. Iun. MMXI, Tim Watts scripsit:
I do apologise - it's a long post. I'm just not totally sure if I
have the correct attributes and extensions - and whether it meets
the requirements of a v3 SSL cert (I think it does). Is
Bonjour Tim,
Hodie XIV Kal. Iun. MMXI, Tim Watts scripsit:
On 19/05/11 13:03, Erwann ABALEA wrote:
[...]
SHA1 is still tolerated, but being slowly obsolete. You can still use
it if your serial numbers have some randomness, which is not the case
here. Either use one member of the SHA2 family,
On 19/05/11 14:48, Erwann ABALEA wrote:
Bonjour Tim,
Hodie XIV Kal. Iun. MMXI, Tim Watts scripsit:
Thanks for that. I'm not sure how to do random serials (I let
openssl manage those) but it interesting to know it makes a
difference.
This how I do this:
- in the setup phase, after having
Bonjour Tim,
Hodie XIV Kal. Iun. MMXI, Tim Watts scripsit:
On 19/05/11 14:48, Erwann ABALEA wrote:
Hodie XIV Kal. Iun. MMXI, Tim Watts scripsit:
Thanks for that. I'm not sure how to do random serials (I let
openssl manage those) but it interesting to know it makes a
difference.
This how
The problem with this scheme is that it doesn't deal well with
parallel certificate signatures. You have one shared information that
must be incremented in an atomic way. But for a Junk CA (that's how
I call the set of scripts I use), that's not a problem.
another approach is to take the
On 19/05/11 16:46, Peter Sylvester wrote:
The problem with this scheme is that it doesn't deal well with
parallel certificate signatures. You have one shared information that
must be incremented in an atomic way. But for a Junk CA (that's how
I call the set of scripts I use), that's not a
Hodie XIV Kal. Iun. MMXI, Tim Watts scripsit:
On 19/05/11 16:46, Peter Sylvester wrote:
another approach is to take the value of 'time' (the current second)
and append to it the current process number, and, in case of
several machines, some number indicating the id of the machine.
instead
On 19/05/11 17:38, Erwann ABALEA wrote:
Hodie XIV Kal. Iun. MMXI, Tim Watts scripsit:
On 19/05/11 16:46, Peter Sylvester wrote:
another approach is to take the value of 'time' (the current second)
and append to it the current process number, and, in case of
several machines, some number
On Thu May 19 2011, Tim Watts wrote:
I think I might add some randomness into mine - seems easy enough. I
won't pretend I fully understand why - mostly because I wasn't clear why
the serial is important.
If your CPU has a 'time stamp register' (cycle counts since power-up) -
You can grab
That is correct, and what I was trying to get accross. bio pairs are your
friend.
From: owner-openssl-us...@openssl.org [owner-openssl-us...@openssl.org] on
behalf of Neo Liu [diablo...@gmail.com]
Sent: Wednesday, May 18, 2011 3:54 AM
To:
On 05/19/2011 06:20 PM, Tim Watts wrote:
On 19/05/11 16:46, Peter Sylvester wrote:
The problem with this scheme is that it doesn't deal well with
parallel certificate signatures. You have one shared information that
must be incremented in an atomic way. But for a Junk CA (that's how
I call
A very simple one -- tax the time stamp register or the 4 byte cycles
since 1970, and concatenate the process id (which is unique for a
long time). The same process id cannot get either of those two
numbers in two calls to be the same. Eric
At 10:24 AM 5/19/2011, you wrote:
On Thu May 19
From: owner-openssl-us...@openssl.org On Behalf Of Erwann ABALEA
Sent: Thursday, 19 May, 2011 04:20
Hodie XV Kal. Iun. MMXI, Alex Bergmann scripsit:
snip: renew CA
The only way I found was to give the new Root Certificate the same
serial number as the previous one.
That's forbidden by
When I run these two commands, the program prompts me for my password
twice, and then I get a popup which says, openssl.exe has stopped
working... A problem caused the program to stop working... (I am using
Windows 7)
C:\OpenSSL openssl pkcs12 -export -out cff_auth.pfx -name HRB Web
Service
19 matches
Mail list logo