Re: Directly trusted self-issued end-entity certs - Re: How to rotate cert when only first matching cert been verified

2021-01-01 Thread 定平袁
@Michael Wojcik Thanks for your reply! It makes sense more that you said, the RFC pages are indeed hard to read... @David von Oheimb thanks for the clarification! Sorry for my misunderstanding, also thanks for your fix, I will follow up on that too. BTW, OpenSSL is such a friendly community.

Re: Directly trusted self-issued end-entity certs - Re: How to rotate cert when only first matching cert been verified

2021-01-01 Thread David von Oheimb
On 01.01.21 08:07, 定平袁 wrote: > @David von Oheimb > Thank you so much for your deep investigation! My pleasure! > With subjectKeyIdentifier and authorityKeyIdentifier extensions, it > works like a charm! Good to hear. I've meanwhile submitted a pull request that fixed the be

RE: Directly trusted self-issued end-entity certs - Re: How to rotate cert when only first matching cert been verified

2021-01-01 Thread Michael Wojcik
> From: openssl-users On Behalf Of ??? > Sent: Friday, 1 January, 2021 00:08 > How to pick up cert from trust store(or cert container as you say) > is decided by different implementation themselves, do I understand correctly? Yes, in some cases under partial or complete control by the applicatio

Re: Directly trusted self-issued end-entity certs - Re: How to rotate cert when only first matching cert been verified

2020-12-31 Thread 定平袁
@David von Oheimb Thank you so much for your deep investigation! With subjectKeyIdentifier and authorityKeyIdentifier extensions, it works like a charm! So, the former statements I found on this page only applies to C

Directly trusted self-issued end-entity certs - Re: How to rotate cert when only first matching cert been verified

2020-12-26 Thread David von Oheimb
On 25.12.20 00:35, 定平袁 wrote: > @David von Oheimb I will update to a new version > and try again. Good. Ideally try also a current 3.0.0 alpha release because there have been some changes to cert chain building and verification recently. > To append cert is to make sure new

Re: How to rotate cert when only first matching cert been verified

2020-12-24 Thread 定平袁
Reposting my code here, since I sent it only to Michael. Below is the error message: ``` Traceback (most recent call last): File "test.py", line 6, in r = s.get(' https://nsxmanager.pks.vmware.local/api/v1/spec/vmware/types/Tag', verify='./ca.pem') File "/home/kubo/.local/lib/python2.7/si

Re: How to rotate cert when only first matching cert been verified

2020-12-24 Thread 定平袁
Thanks a lot for your reply! Merry Christmas! @Michael Wojcik Apologies. I clicked the wrong reply button. @David von Oheimb I will update to a new version and try again. To append cert is to make sure new cert and old cert both exist in trust store, thus when server switches cert, it can be

Re: How to rotate cert when only first matching cert been verified

2020-12-24 Thread Jochen Bern
On 23.12.20 23:56, openssl-users-requ...@openssl.org digested: > Message: 4 > Date: Wed, 23 Dec 2020 23:56:44 +0100 > From: David von Oheimb [...] > Yet since both your old and new server cert are not expired and have the > same subject, keyIdentifier, and serial number, > and you appended the new

Re: How to rotate cert when only first matching cert been verified

2020-12-23 Thread David von Oheimb
定平袁 you are welcome. The OpenSSL version you are using is way too old! Do not use version 1.1.0, 1.0.x, and anything older - those versions are unsupported and must be considered insecure. Yet since both your old and new server cert are not expired and have the same subject, keyIdentifier, and se

RE: How to rotate cert when only first matching cert been verified

2020-12-23 Thread Michael Wojcik
> From: 定平袁 > Sent: Tuesday, 22 December, 2020 20:08 > To: Michael Wojcik Please do not send messages regarding OpenSSL to me directly. Send them to the openssl-users list. That is where the discussion belongs. > > Why are you appending it to the file containing the existing certificate? > I a

RE: How to rotate cert when only first matching cert been verified

2020-12-21 Thread Michael Wojcik
> From: openssl-users On Behalf Of ??? > Sent: Saturday, 19 December, 2020 17:59 > 1. Generate a new cert, and append it to the cert file Why are you appending it to the file containing the existing certificate? > (at this point, there are 2 certs in the file, first is old cert, second is > new

Re: How to rotate cert when only first matching cert been verified

2020-12-19 Thread 定平袁
the exact behavior: When looking up CA certificates, the OpenSSL library will first search the certificates in *CAfile*, then those in *CApath*. Certificate matching is done based on the subject name, the key identifier (if present), and the serial number as taken from the certificate to be verifi