> On May 25, 2017, at 10:28 AM, Salz, Rich via openssl-users
> wrote:
>
>> It uses SSL_CTX_use_certificate_chain_file in some places and in other places
>> it uses PEM_read_bio_X509
>>
>> When these APIs are used, can the OpenSSL stack detect updated files on
>>
> It uses SSL_CTX_use_certificate_chain_file in some places and in other places
> it uses PEM_read_bio_X509
>
> When these APIs are used, can the OpenSSL stack detect updated files on
> disk and reload them without any intervention from the application?
No, it's a load and use the current
Hi,
The reSIProcate project is using OpenSSL to load[1] certificates and
private keys.
It uses SSL_CTX_use_certificate_chain_file in some places and in other
places it uses PEM_read_bio_X509
When these APIs are used, can the OpenSSL stack detect updated files on
disk and reload them without
to
decide what you want to do.
Or was your question about best practices when creating a CA policy?
Hope this helps at least a bit,
Ted
;)
On 21.01.2014 06:51, Kamalraj Madhurakasan wrote:
Hello guys,
I would like to know whether my understanding about certificate
renewal is correct
Madhurakasan:
Hello guys,
I would like to know whether my understanding about certificate renewal
is correct or not.
To renew the certificate:
1. we need to generate a new CSR from the private key
2. revoke the old certificate
3. get the new CSR signed by the CA with validity extended
certificate renewal is correct or not.
To renew the certificate:
1. we need to generate a new CSR from the private key
2. revoke the old certificate
3. get the new CSR signed by the CA with validity extended
The fields that are common between old
Hello guys,
I would like to know whether my understanding about certificate renewal is
correct or not.
To renew the certificate:
1. we need to generate a new CSR from the private key
2. revoke the old certificate
3. get the new CSR signed by the CA with validity extended
The fields
Hi,
My apologies for a slightly off-topic question. When certificates are renewed
in most scenarios, is it usual to generate a new RSA key pair or would a client
re-use the existing keys and just ask for a new certificate with those keys?
Thanks for any guidance or pointers...
Regards,
Carl
Hi,
RFC 3647 defines certificate renewal as follows:
Certificate renewal means the issuance of a new certificate to the subscriber
without changing the
subscriber or other participant's public key or any other information in
the certificate.
http://www.faqs.org/rfcs/rfc3647.html (section
Hello,
I have a problem with OIDs during CA root certificate renewal.
I am using openssl 0.9.6b.
I've performed the following steps:
1) Converting existing certificate to CSR:
openssl x509 -x509toreq -in old_cert.pem -signkey PrivKey.pem -out careq.csr
2) Signing the request with existing private
Nobody answered me this one...
I will have to try to revoke a certificate to see if I can add it later
However, most root CAs keep old certificates as valid, because it takes some time to install a new certificate on a machine...
Cheers
On 14 Nov 2001 12:29:30 -0500, POLIVKA-ROHRER,
On Wed, 7 Feb 2001, John Douglass wrote:
Is anyone playing around with certificate renewals?
I'm trying to figure out how to accomplish this given:
1) Certificate is installed in the browser already
2) I have the certificate (SPKAC) file on the CA
3) I have the signed public key on the
Hi,
This solution was interesting but it seems that I need the private key of
the user certificate to sign the request (and unfortunately it was created
and stored in the client browser).
openssl x509 -x509toreq -in cert.pem -out req.pem
Getting request Private Key
no request key file specified
Maxime Dubois wrote:
This solution was interesting but it seems that I need the private key of
the user certificate to sign the request
Yes, my fault. Use the old cert request.
You should store them for auditing reasons anyway.
Ciao, Michael.
Thanks
So I need to keep request files as I keep cert files...
I think renewal is interesting because we don't think the validity period of
certs is determined by their weakness but by an internal policy of users and
CRL management. In an organisation delivering certificates to its members, we
Maxime Dubois wrote:
So I need to keep request files as I keep cert files...
Maybe you can also try to generate a new request from an expired
cert.
openssl x509 -x509toreq
I think renewal is interesting because [...]
It's always a matter of your local policy.
Ciao, Michael.
Radovan Semancik wrote:
And what about the certificate serial number. It will be changed or
stays same?
User will download a renewed certificate just as a "original" one? Won't
Netscape complain about duplicate certificate?
No, the serial number is different. Netscape will correctly
[EMAIL PROTECTED] wrote:
Radovan Semancik wrote:
Hi!
Maybe this is FAQ or even OT, but anyway:
How is certificate renewal done? I mean the case, that user's
certificate expired and she wants a new one.
User sends a new CSR? How does CA handle it? And how about serial
number
Radovan Semancik wrote:
Hi!
Maybe this is FAQ or even OT, but anyway:
How is certificate renewal done? I mean the case, that user's
certificate expired and she wants a new one.
User sends a new CSR? How does CA handle it? And how about serial
number, I don't think
Hi!
Maybe this is FAQ or even OT, but anyway:
How is certificate renewal done? I mean the case, that user's
certificate expired and she wants a new one.
User sends a new CSR? How does CA handle it? And how about serial
number, I don't think it will be the same for expired and renewed
Hi,
Does anyone know how to renew certificate? I tried:
openssl x509 -x509toreq -in cert_file -out csr_file -signkey CA_private_key
but the signature of the created csr_file is incorrect.
Does the 'ca' package have renew function?
In addition, I can't sign certs with same dn but
I'm having difficulty installing a new
certificate after a certificate renewal
w/ MSIE 5.
Our certification authority has been
tested for some time, now we have
generated new CA's key pairs.
In fact MSIE doesn't "refresh" the
new certificate. (Same tests with
Communicator 4.61