Re: [openssl-users] Binaries exit with signature bytes

2016-03-31 Thread Satya Das
Forgot to mention that I am on fips module 2.0.11 fipsld building openssl 1.0.1e with distribution patches when I get the "libcrypto.so.10 is not cross-compiler aware" error. The symbols that incore is looking for are indeed not present (startX etc) in the shared object built. How can I fix this

Re: [openssl-users] Properly manage CA-signed certificates that have expired

2016-03-31 Thread Jeffrey Walton
On Thu, Mar 31, 2016 at 6:36 PM, Ben Humpert wrote:
> 2016-03-31 18:09 GMT+02:00 Jakob Bohm :
>> On 31/03/2016 17:16, warron.french wrote:
>> 3. Then create new server certificates for the 2 servers again.
>>
>> Yep, and give the new ones a slightly different "full"
>> distinguished name (importa

Re: [openssl-users] Properly manage CA-signed certificates that have expired

2016-03-31 Thread Jakob Bohm
On 01/04/2016 00:36, Ben Humpert wrote: 2016-03-31 18:09 GMT+02:00 Jakob Bohm : On 31/03/2016 17:16, warron.french wrote: 3. Then create new server certificates for the 2 servers again. Yep, and give the new ones a slightly different "full" distinguished name (important for CRL and "ca" databa

Re: [openssl-users] Properly manage CA-signed certificates that have expired

2016-03-31 Thread Ben Humpert
2016-03-31 18:09 GMT+02:00 Jakob Bohm :
> On 31/03/2016 17:16, warron.french wrote:
> 3. Then create new server certificates for the 2 servers again.
>
> Yep, and give the new ones a slightly different "full"
> distinguished name (important for CRL and "ca" database).
> My approach is to include t

Re: [openssl-users] Properly manage CA-signed certificates that have expired

2016-03-31 Thread Salz, Rich
> Yep, and give the new ones a slightly different "full"
> distinguished name (important for CRL and "ca" database).
> My approach is to include the year-month as an extra OU e.g.
>
>  CN=foo.example.private,OU=isonetwork,OU=2016-03,O=YourCompany
>Inc,L=YourTown,C=XX

Ooh, that's neat advice!

Re: [openssl-users] Properly manage CA-signed certificates that have expired

2016-03-31 Thread Jakob Bohm
On 31/03/2016 17:16, warron.french wrote: Hello, I had to build a Certificate Authority (CA) server for an isolated network (I know, it seems silly). Anyway, I figured out how to create the CA service doing a self-signed certificate that will expire in 9 years, because it was a 10-year certif

[openssl-users] Properly manage CA-signed certificates that have expired

2016-03-31 Thread warron.french
Hello, I had to build a Certificate Authority (CA) server for an isolated network (I know, it seems silly). Anyway, I figured out how to create the CA service doing a self-signed certificate that will expire in 9 years, because it was a 10-year certificate of which 9 years remains available. I th