Hello Martin,

On 13 October 2008 (Hodie III Id. Oct. MMVIII est), Martin Schneider wrote:

> As far as I understand things, you can either revoke a cert (which is
> not reversible) and you can put a cert "on hold".

Right.

> "Holding" a cert is a reversible process; meaning you can "un-hold"
> the cert and use the SAME cert after it was un-held. Is this true?
> Putting a cert "on hold" is like revoking a cert, you only have to
> provide the reason code "certificate Hold". Then an entry in the CRL
> will be generated that looks like follows:

In fact, the certificate is present in the CRL, but is not considered "revoked" (as per the X.509 recommendation). It's on hold, as the reason tells. For the majority of the applications, it's the same; the behaviour won't be different. But if you want to provide signature services that need to be verified far in the future, that's a point to consider.

> What I do not understand is, how to "un-hold" the cert. What do I have
> to do? Theoretically "un-holding" would mean that you remove the
> serial number of the "held" cert from the CRL?

Reading the X.509 recommendation (downloadable for free from the ITU-T web site) tells us that a certificate can be "un-held" by 2 means:
- either really revoke it, by changing the reason code while keeping the date
- or completely remove it from the CRL, as you guessed.

If you plan to issue deltaCRLs, you MUST use the "removeFromCRL" reason code for such certificates, only for the deltaCRLs.

--
Erwann ABALEA <[EMAIL PROTECTED]>
-----
When you honestly believe you can compensate for a lack of skill by doubling your efforts, there's no end to what you can't do.
Demotivators, 2001 calendar

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
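Added example, not from the thread or from OpenSSL: a small stdlib Python model of the hold/release semantics discussed above, showing how a relying party distinguishes "on hold" from "revoked" in a full CRL, how a delta CRL with removeFromCRL lifts a hold, and how a hold is instead converted into a real revocation while keeping the date. CRL entries are plain dicts rather than parsed ASN.1; serials, dates and function names are constructed for the example.

```python
# Added example (not the thread's or OpenSSL's code): a minimal model of
# certificateHold / removeFromCRL handling. Entries are dicts keyed by
# serial, not parsed ASN.1; all serials and dates are constructed values.
from datetime import datetime, timezone

HOLD = "certificateHold"
REMOVE = "removeFromCRL"

def crl_status(entries, serial):
    """Return 'good', 'hold' or 'revoked' for a serial in a full CRL.
    A certificateHold entry is listed in the CRL but is not a final
    revocation, which is the distinction the thread points out."""
    entry = entries.get(serial)
    if entry is None:
        return "good"
    return "hold" if entry["reason"] == HOLD else "revoked"

def apply_delta(base, delta):
    """Combine a base CRL with a delta CRL. A delta entry whose reason is
    removeFromCRL lifts a hold; any other delta entry adds or replaces
    the base entry (e.g. a hold turned into a real revocation)."""
    merged = dict(base)
    for serial, entry in delta.items():
        if entry["reason"] == REMOVE:
            # Only a held certificate can be released; ignore it otherwise.
            if serial in merged and merged[serial]["reason"] == HOLD:
                del merged[serial]
        else:
            merged[serial] = entry
    return merged

def convert_hold_to_revocation(entries, serial, reason):
    """The other way out of the hold state: keep the original revocation
    date and only change the reason code. Returns a new CRL mapping."""
    entry = dict(entries[serial])
    entry["reason"] = reason
    return {**entries, serial: entry}

# Constructed sample CRLs
T0 = datetime(2008, 10, 1, tzinfo=timezone.utc)
BASE_CRL = {
    0x1001: {"date": T0, "reason": HOLD},            # on hold
    0x1002: {"date": T0, "reason": "keyCompromise"},  # really revoked
}
DELTA_CRL = {
    0x1001: {"date": T0, "reason": REMOVE},  # release the held cert
    0x1003: {"date": T0, "reason": HOLD},    # newly put on hold
}
```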