Re: OpenSSL with v3 extensions and subjectAltName question

2014-10-29 Thread Stefan H. Holek
On 28.10.2014, at 23:08, Mik J wrote: > I've read numerous webpages but I still don't understand many things on how > to get it working properly. -- Stefan H. Holek ste...@epy.co.at

Re: Coverity Scan: Would/DId It Catch the Heartbleed Defect?

2014-04-18 Thread Stefan H. Holek
t have caught the Heartbleed > bug. If so, why did it miss it? > > See this link for the latest report on open source statistics: > > http://softwareintegrity.coverity.com/register-for-scan-report-2013.html > > Kind regards, > > -Tom --

Re: OpenSSL PKI Tutorial updated

2014-03-27 Thread Stefan H. Holek
le does that. > what is here said about the key length? > > my CA uses a root with 4096 bits RSA key; does it make a sense, that > an intermediate or the signing ca has a stronger key than the root CA? I don't think so. Stefan

Re: OpenSSL PKI Tutorial updated

2014-03-27 Thread Stefan H. Holek
t used on root CA certs. They only serve to publish a key and ID. I don't use pathlen on intermediate CAs either, just signing CAs. Thank you for your feedback, Stefan -- Stefan H. Holek ste...@epy.co.at

OpenSSL PKI Tutorial updated

2014-03-21 Thread Stefan H. Holek
Hi All, I have updated the OpenSSL PKI Tutorial at Read the Docs. The tutorial provides three complete PKI examples you can play through and the prettiest configuration files this side of Neptune. Check it out! https://pki-tutorial.readthedocs.org/ Cheers, Stefan -- Stefan H. Holek ste

Re: openssl ca -revoke why need CA parm

2013-10-28 Thread Stefan H. Holek
te database is. Subsequent CRLs issued by the CA will include the revoked certificate. Cheers, Stefan -- Stefan H. Holek ste...@epy.co.at http://pki-tutorial.readthedocs.org | http://pgpdump.net

Re: DN attributes questions, and OpenSSL/GnuPG interoperability

2013-10-28 Thread Stefan H. Holek
nterchangable, in a single PKI system? No, X.509 and OpenPGP are not interoperable. Cheers, Stefan -- Stefan H. Holek ste...@epy.co.at http://pki-tutorial.readthedocs.org | http://pgpdump.net

Re: Using CA signing for a cert and Organization Name setting

2013-08-05 Thread Stefan H. Holek
ionName DN component. In the CA section find the policy= entry. Then in the policy section change organizationName=match to organizationName=supplied. HTH, Stefan -- Stefan H. Holek ste...@epy.co.at http://pki-tutorial.readthedocs.org | http://pgpdump.net

Re: openssl ca -revoke

2013-07-20 Thread Stefan H. Holek
revocation. Correct. You then use the openssl -gencrl command to create a new CRL from the db. You may want to check out the tutorial linked from my sig. Cheers, Stefan -- Stefan H. Holek ste...@epy.co.at http://pki-tutorial.readthedocs.org

Re: Display CSR w/ subjectAltName

2013-05-23 Thread Stefan H. Holek
On 23.05.2013, at 17:41, Craig White wrote: > openssl req -noout -text -in SOME_FILE.csr > > gives me the contents of the CSR but not the subjectAltNames embedded in the > CSR. The SAN extension should appear in the Requested Extensions: section of the output. -- Stefan

Re: Self-signed certificates and keyUsage extension

2013-05-11 Thread Stefan H. Holek
up:unable to get local issuer certificate -- Stefan H. Holek ste...@epy.co.at http://pki-tutorial.readthedocs.org | http://pgpdump.net

Re: Encoding arbitrary AKI value.

2013-05-08 Thread Stefan H. Holek
rectly, the > following should work: > > [ user_with_bad_aki ] > authorityKeyIdentifier = @bad_aki > > [ bad_aki ] > keyid = DER:01:02:03:04:05:06:07:08:09:0A > > > However, when I try this, it appears that I can't override the default > behaviour of copying the SKI from the

Re: OpenSSL PKI Tutorial updated

2013-04-30 Thread Stefan H. Holek
ectory". I.e.: Good catch! I have fixed 4.3 to use the "ca" directory as well. > So far though, this has been a helpful tutorial for a noob to PKI. Thanks! > Kevin > Thank you, Stefan -- Stefan H. Holek ste...@epy.co.at

OpenSSL PKI Tutorial updated

2013-04-21 Thread Stefan H. Holek
your call for more verbosity! The first two examples now have much more detailed instructions, and I hope that by the third example you won't need instructions anymore. ;-) Cheers, Stefan -- Stefan H. Holek ste...@epy.

Feedback Please: New OpenSSL PKI Tutorial

2012-12-17 Thread Stefan H. Holek
://bitbucket.org/stefanholek/pki-tutorial/issues -- Stefan H. Holek ste...@epy.co.at __ OpenSSL Project http://www.openssl.org User Support Mailing List openssl-users@openssl.org

Re: MIME types for PEM encoded CRLs

2012-10-27 Thread Stefan H. Holek
t CRLs must be DER encoded: http://tools.ietf.org/html/rfc2585.html#section-3 Stefan -- Stefan H. Holek ste...@epy.co.at

Re: Private RANDFILE per CA required?

2012-10-04 Thread Stefan H. Holek
On 02.10.2012, at 15:22, Jakob Bohm wrote: > On 10/2/2012 2:04 PM, Stefan H. Holek wrote: >> When using the openssl command line utility, is a private RANDFILE per CA >> required for security reasons, or is it just fine to use a single RANDFILE >> for everything (i.e. the d

Private RANDFILE per CA required?

2012-10-02 Thread Stefan H. Holek
~/.rnd)? Older configuration files seem to indicate the former, but is this still true? IOW, I am looking for an answer to whether not having its own RANDFILE degrades the security of a CA. Thank you, Stefan -- Stefan H. Holek ste...@epy.co.at

Re: What do YOU use for your cert p/w?

1999-11-16 Thread Stefan H. Holek
On Mon, 15 Nov 1999, steve wrote: > No, I'm not asking what your password is. But some people gotta have a > theme, and I'm wondering what type of text you guys would use for your > secure certificate password? A completely random grouping of letters and > numbers? Lyrics from an obscure song

x509 vs. ca

1999-11-15 Thread Stefan H. Holek
Looking at RSE's mkcert.sh (from mod_ssl) I found that it is obviously *not* required to use the ca command to sign a CSR with a CA's certificate; this can very well be done with the x509 command. OTOH, the ca command seems to be the only way to create a CRL. Is this observation correct? The crl