Re: [openssl-users] ca md too weak

2017-10-06 Thread Fabrice Delente
Thanks for your answer too, I had already seen this wiki page before posting but I didn't find in it any info on how to do that; I'll look into it again and try harder then. F. Delente -- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: [openssl-users] ca md too weak

2017-10-06 Thread Jeffrey Walton
On Fri, Oct 6, 2017 at 12:22 PM, Fabrice Delente wrote:
> OK, I understand, thanks for your answer! I'll look into building
> openvpn 2.4.3 from source.
I believe you only have to set Fedora's security policy to allow MD5. That is covered in the Fedora wiki page you were

Re: [openssl-users] ca md too weak

2017-10-06 Thread Fabrice Delente
OK, I understand, thanks for your answer! I'll look into building openvpn 2.4.3 from source. F. Delente

Re: [openssl-users] ca md too weak

2017-10-06 Thread Jan Just Keijser
Hi, On 06/10/17 17:26, Fabrice Delente wrote: Hello, Until two days ago I used OpenVPN to connect to my workplace, on a non-security sensitive tunnel (just for convenience). However, OpenSSL updated on my machine (Fedora 26), and now the certificate is rejected: Fri Oct 6 17:25:06 2017

Re: [openssl-users] ca md too weak

2017-10-06 Thread Jeffrey Walton
> Until two days ago I used OpenVPN to connect to my workplace, on a
> non-security sensitive tunnel (just for convenience).
>
> However, OpenSSL updated on my machine (Fedora 26), and now the
> certificate is rejected:
>
> ...
> routines:SSL_CTX_use_certificate:ca md too weak
> Fri Oct 6

[openssl-users] ca md too weak

2017-10-06 Thread Fabrice Delente
Hello, Until two days ago I used OpenVPN to connect to my workplace, on a non-security sensitive tunnel (just for convenience). However, OpenSSL updated on my machine (Fedora 26), and now the certificate is rejected: Fri Oct 6 17:25:06 2017 OpenVPN 2.4.4 x86_64-redhat-linux-gnu [SSL (OpenSSL)]

[openssl-users] CA validation.

2017-04-12 Thread john gloster
Hi, Does X509_verify_cert() check the KeyUsage extension? Is there any API to check whether the CA certificate is properly used based on the Criticality specified in the certificate? [E.g. CRL signing, Key Cert signing etc.] Thanks.

Re: [openssl-users] CA chain.

2016-07-29 Thread Jakob Bohm
On 29/07/2016 06:13, asmar...@yahoo.com wrote: Hi, I am new to SSL stuff. I was wondering whether the CA chain of a certificate can be changed. Let's say the initial chain is Server->Intermediate CA1->Intermediate CA2->Root CA and during renewal we have Server->Root CA Renewal creates a

Re: [openssl-users] CA design question?

2015-12-05 Thread Viktor Dukhovni
On Sat, Dec 05, 2015 at 07:55:50PM +0100, Walter H. wrote:
> my website has an official SSL certificate, which I renewed this year to
> have a SHA-256 certificate;
> when I test my site with SSLLabs.com, I'm shown two certificate paths:
>
> the first one:
> my SSL cert (SHA-256) sent by server
>

[openssl-users] CA design question?

2015-12-05 Thread Walter H.
Hello, my website has an official SSL certificate, which I renewed this year to have a SHA-256 certificate; when I test my site with SSLLabs.com, I'm shown two certificate paths: the first one: my SSL cert (SHA-256) sent by server (SHA1 Fingerprint: 0fae9fd23852fb834fe4f32d7d3c73714daa6aa9)

Re: [openssl-users] CA design question?

2015-12-05 Thread Walter H.
On 05.12.2015 20:20, Viktor Dukhovni wrote: On Sat, Dec 05, 2015 at 07:55:50PM +0100, Walter H. wrote: my website has an official SSL certificate, which I renewed this year to have a SHA-256 certificate; when I test my site with SSLLabs.com, I'm shown two certificate paths: the first one: my

Re: [openssl-users] CA certificate bundle bogus certs

2013-11-26 Thread Ralph Holz
Hi, Thanks for your response. I'm sorry my question wasn't clearly defined (it was will this file work correctly? If so, why?), but you seem to have answered nonetheless, thank you. As a followup question, is there a way to include these certs in the way originally intended by the mozilla

Re: [openssl-users] CA certificate bundle bogus certs

2013-11-25 Thread Erwann Abalea
Hello, On 25/11/2013 17:14, Sassan Panahinejad wrote: I am dealing with a CA certificate bundle, similar to this one: https://github.com/twitter/secureheaders/blob/master/config/curl-ca-bundle.crt, like the example, the one I am dealing with was automatically generated from mozilla's

Re: [openssl-users] CA certificate bundle bogus certs

2013-11-25 Thread Sassan Panahinejad
Hi Erwann, Thanks for your response. I'm sorry my question wasn't clearly defined (it was will this file work correctly? If so, why?), but you seem to have answered nonetheless, thank you. As a followup question, is there a way to include these certs in the way originally intended by the mozilla

Re: [openssl-users] CA certificate bundle bogus certs

2013-11-25 Thread Sassan Panahinejad
Excellent, just what I was looking for and incidentally a source I can cite to my client. Many thanks! On 25 November 2013 17:24, Ralph Holz ralph-devn...@ralphholz.de wrote: Hi, Thanks for your response. I'm sorry my question wasn't clearly defined (it was will this file work correctly?

RE: [openssl-users] CA

2011-06-03 Thread Dave Thompson
From: owner-openssl-us...@openssl.org On Behalf Of Peter Lin Sent: Wednesday, 01 June, 2011 04:35 I am having a similar problem here: history snipped For some reason I need to renew/extend an intermediate certificate within a chain. Without setting the old serial

Re: [openssl-users] CA

2011-06-01 Thread Peter Lin
I am having a similar problem here: For some reason I need to renew/extend an intermediate certificate within a chain. Without setting the old serial number, all its descending certs verification will fail when using 'openssl verify'. So the question is: Is there any way to issue a new signing

Re: [openssl-users] CA

2011-05-23 Thread sandeep kiran p
If this isn't resolved yet, can you post the contents of the old cert, new cert and the user cert? -Sandeep On Fri, May 20, 2011 at 8:33 PM, Alex Bergmann a...@linlab.net wrote: Hi Erwann! On 05/19/2011 10:20 AM, Erwann ABALEA wrote: old end-user certificates can only be verified by the

Re: [openssl-users] CA

2011-05-20 Thread Erwann ABALEA
Today, XIV Kal. Iun. MMXI, Dave Thompson wrote: From: owner-openssl-us...@openssl.org On Behalf Of Erwann ABALEA Sent: Thursday, 19 May, 2011 04:20 Today, XV Kal. Iun. MMXI, Alex Bergmann wrote: snip: renew CA The only way I found was to give the new Root Certificate the same

Re: [openssl-users] CA

2011-05-20 Thread Alex Bergmann
Hi Erwann! On 05/19/2011 10:20 AM, Erwann ABALEA wrote: old end-user certificates can only be verified by the old CA certificate, of course (in case the CA is renewed, with its key changed, etc). I didn't renew the CA certificate, I've used the existing private key to create the new one.

Re: [openssl-users] CA

2011-05-20 Thread Alex Bergmann
Hi Erwann! On 05/19/2011 10:20 AM, Erwann ABALEA wrote: old end-user certificates can only be verified by the old CA certificate, of course (in case the CA is renewed, with its key changed, etc). I didn't renew the CA certificate, I've used the existing private key to create the new one.

Re: [openssl-users] CA

2011-05-19 Thread Erwann ABALEA
Today, XV Kal. Iun. MMXI, Alex Bergmann wrote: On 05/18/2011 11:17 AM, Erwann ABALEA wrote: Hello, Today, XV Kal. Iun. MMXI, Jean-Ann GUEGAN wrote: Hi ! It’s possible to renew a Certificate Authority or extend the date validity ? These 2 options are possible.

RE: [openssl-users] CA

2011-05-19 Thread Dave Thompson
From: owner-openssl-us...@openssl.org On Behalf Of Erwann ABALEA Sent: Thursday, 19 May, 2011 04:20 Today, XV Kal. Iun. MMXI, Alex Bergmann wrote: snip: renew CA The only way I found was to give the new Root Certificate the same serial number as the previous one. That's forbidden by

Re: [openssl-users] CA

2011-05-18 Thread Erwann ABALEA
Hello, Today, XV Kal. Iun. MMXI, Jean-Ann GUEGAN wrote: Hi ! It’s possible to renew a Certificate Authority or extend the date validity ? These 2 options are possible. Recertify (i.e. sign the same certificate, but change the serial number and validity dates) is the least

Re: [openssl-users] CA

2011-05-18 Thread Alex Bergmann
On 05/18/2011 11:17 AM, Erwann ABALEA wrote: Hello, Today, XV Kal. Iun. MMXI, Jean-Ann GUEGAN wrote: Hi ! It’s possible to renew a Certificate Authority or extend the date validity ? These 2 options are possible. Recertify (i.e. sign the same certificate, but change the