Re: Verification of a certificate chain

2014-05-30 Thread Sven Reissmann
Hi, I'm actually testing this with openssl 1.0.1, which explains the behavior. I misunderstood what you were saying about openssl 1.0.1 being "not clever". Looks like I'll have to wait for openssl 1.0.2 being rolled out to all my clients, or do a hard transition to the new CA, meaning some clien

RE: Verification of a certificate chain

2014-05-29 Thread Dave Thompson
> From: owner-openssl-us...@openssl.org On Behalf Of Sven Reissmann > Sent: Thursday, May 29, 2014 12:24 > What I did was: > > - I generated a newRootCA (new keypair, selfsigned certificate). > > - I generated another selfsigned certificate (bridgeCert) from the > newRootCA's private key. From

RE: Verification of a certificate chain

2014-05-29 Thread Sven Reissmann
Hi, Dave, thank you very much for your suggestions. This sounds like the solution I'm looking for. I've set up a completely new PKI to test this, but I'm still having one problem. What I did was: - I generated a newRootCA (new keypair, selfsigned certificate). - I generated another selfsigned c

RE: Verification of a certificate chain

2014-05-27 Thread Dave Thompson
> From: owner-openssl-us...@openssl.org On Behalf Of Eisenacher, Patrick > Sent: Tuesday, May 27, 2014 12:41 > > From: Sven Reissmann > > > > What I want to achieve is having a new rootCA, which replaces an > > oldRootCA, which I am using until now. > > > > So far the trust chain is: oldRoot -> ol

Re: Verification of a certificate chain

2014-05-27 Thread Kyle Hamilton
The X.509-canonical way to do this is to have the old trust anchor sign a new certificate containing the new public key, using the same Issuer name and a different AuthorityKeyIdentifier. This is called "key rollover", but it retains the security level of the old key (meaning, if the original trus

RE: Verification of a certificate chain

2014-05-27 Thread Eisenacher, Patrick
Hi Sven, > -Original Message- > From: Sven Reissmann > > What I want to achieve is having a new rootCA, which replaces an > oldRootCA, which I am using until now. > > So far the trust chain is: oldRoot -> oldServerCert. > > What I thought should be possible is building this trust chain:

Re: Verification of a certificate chain

2014-05-27 Thread Sven Reissmann
Hi, thank you all for the clarification. As most users do not have OpenSSL 1.0.2, this doesn't seem to solve my problem. What I want to achieve is having a new rootCA, which replaces an oldRootCA, which I am using until now. So far the trust chain is: oldRoot -> oldServerCert. What I thought sh

Re: Verification of a certificate chain

2014-05-27 Thread Dr. Stephen Henson
On Tue, May 27, 2014, Viktor Dukhovni wrote: > On Tue, May 27, 2014 at 03:44:46PM +0200, Sven Reissmann wrote: > > > But, shouldn't it also be possible to only verify the trust chain up to > > the subCA (i.e., if I fully trust this CA)? I would have expected that > > this will verify successfully:

Re: Verification of a certificate chain

2014-05-27 Thread Viktor Dukhovni
On Tue, May 27, 2014 at 03:44:46PM +0200, Sven Reissmann wrote: > But, shouldn't it also be possible to only verify the trust chain up to > the subCA (i.e., if I fully trust this CA)? I would have expected that > this will verify successfully: OpenSSL versions prior to 1.0.2 require that all truste

Re: Verification of a certificate chain

2014-05-27 Thread Walter H.
Hello, On Tue, May 27, 2014 15:44, Sven Reissmann wrote: > Hi, > > I'm having a comprehension question on certificate verification. > > Having a trustchain like this: > > rootCA -> subCA -> subCA2 > > I can verify the subCA2 certificate using the command: > > openssl verify -CAfile rootCA.pem -unt

Verification of a certificate chain

2014-05-27 Thread Sven Reissmann
Hi, I'm having a comprehension question on certificate verification. Having a trustchain like this: rootCA -> subCA -> subCA2 I can verify the subCA2 certificate using the command: openssl verify -CAfile rootCA.pem -untrusted subCA.pem subCA2.pem But, shouldn't it also be possible to only veri