Re: [openssl-users] Another problem with openssl x509 -req -- default_enddate

2017-08-30 Thread Robert Moskowitz
On 08/30/2017 09:22 PM, Michael Richardson wrote: Viktor Dukhovni wrote: > So indeed, you'd not be the first to consider a special-purpose > concise format. It is somewhat surprising that the applications > you're considering use X.509 certificates at all, rather than just

Re: [openssl-users] Another problem with openssl x509 -req -- default_enddate

2017-08-30 Thread Michael Richardson
Viktor Dukhovni wrote: > So indeed, you'd not be the first to consider a special-purpose > concise format. It is somewhat surprising that the applications > you're considering use X.509 certificates at all, rather than just I meant to add in my previous email, that the reason to use

Re: [openssl-users] Another problem with openssl x509 -req -- default_enddate

2017-08-30 Thread Michael Richardson
Viktor Dukhovni wrote: > So indeed, you'd not be the first to consider a special-purpose > concise format. It is somewhat surprising that the applications > you're considering use X.509 certificates at all, rather than just > raw public keys. With expiration times in the year "9

Re: [openssl-users] Another problem with openssl x509 -req -- default_enddate

2017-08-30 Thread Michael Richardson
Viktor Dukhovni wrote: > The openssl ca(1) program is to some extent just a demo, that meets I'd actually suggest that it be either: 1) ripped out of the source code, and turned into a separate "application". 2) pushed internal to the source code (not installed), and used only for ru

Re: [openssl-users] Another problem with openssl x509 -req -- default_enddate

2017-08-30 Thread Robert Moskowitz
On 08/30/2017 10:33 AM, Viktor Dukhovni wrote: On Wed, Aug 30, 2017 at 06:03:03AM -0400, Robert Moskowitz wrote: I woke up a little clearer head, and realized, that a truly constrained device won't even bother with DER, but just store the raw keypair. FWIW, Apple's boot firmware stores the s

Re: [openssl-users] Another problem with openssl x509 -req -- default_enddate

2017-08-30 Thread Viktor Dukhovni
On Wed, Aug 30, 2017 at 06:03:03AM -0400, Robert Moskowitz wrote: > I woke up a little clearer head, and realized, that a truly > constrained device won't even bother with DER, but just store the raw > keypair. FWIW, Apple's boot firmware stores the signature key as the raw RSA key bits in little

Re: [openssl-users] Another problem with openssl x509 -req -- default_enddate

2017-08-30 Thread Robert Moskowitz
Viktor, On 08/30/2017 12:59 AM, Viktor Dukhovni wrote: On Wed, Aug 30, 2017 at 12:17:09AM -0400, Robert Moskowitz wrote: So back to openssl ca and deal with no way to directly create a DER formatted cert. Definitely a deficiency. Not really a deficiency, as the certificates in question need

Re: [openssl-users] Another problem with openssl x509 -req -- default_enddate

2017-08-29 Thread Viktor Dukhovni
On Wed, Aug 30, 2017 at 12:17:09AM -0400, Robert Moskowitz wrote: > So back to openssl ca and deal with no way to directly create a DER > formatted cert. > > Definitely a deficiency. Not really a deficiency, as the certificates in question need to be squirreled away in PEM format in the CA's "ce

Re: [openssl-users] Another problem with openssl x509 -req -- default_enddate

2017-08-29 Thread Robert Moskowitz
Viktor, thanks for the explanation. Obviously I read more into the man than was really there: https://www.openssl.org/docs/man1.1.0/apps/x509.html So back to openssl ca and deal with no way to directly create a DER formatted cert. Definitely a deficiency. On 08/29/2017 07:25 PM, Viktor Du

Re: [openssl-users] Another problem with openssl x509 -req -- default_enddate

2017-08-29 Thread Viktor Dukhovni
On Tue, Aug 29, 2017 at 05:36:34PM -0400, Robert Moskowitz wrote: > Another problem. It is almost like it is not reading the CA selction? Not "almost", but actually as expected, since "openssl x509 -req" is not the ca(1) application. >openssl x509 -req -extfile $dir/openssl-8021AR.cnf \ >

[openssl-users] Another problem with openssl x509 -req -- default_enddate

2017-08-29 Thread Robert Moskowitz
Another problem. It is almost like it is not reading the CA selction? openssl ca -config $dir/openssl-8021AR.cnf -extensions 8021ar_idevid -notext -md sha256 \ -in $dir/csr/$DevID.csr.pem -out $dir/certs/$DevID.cert.pem processes the default_enddate default_enddate= 1231235959Z # p