In message <[EMAIL PROTECTED]> on Wed, 19 Jan 2005 22:35:46 +0900, Joel <[EMAIL PROTECTED]> said:
rees> On the question of using certificates to sign vs. using keys to
rees> sign, could I ask for one more clarification --
rees>
rees> If, for the sake of argument, I made a key for CA use, signed
rees> certificates for servers with it, and then made the CA's
rees> certificate, are the certificates signed when only the key
rees> existed going to be valid? And are they going to be identical to
rees> certificates signed afterwards, other than entropy?

It's really a matter of interpretation for those doing the validation, and as long as things look OK at the time you publish any certificate, there should really be no problems. There are a few things to keep track of, though:

- it would look quite suspicious if the notValidBefore field of the CA certificate is later than the notValidBefore field of any certificate it has issued.
- there are extensions that get data from the issuing certificate, so creating certificates using only a key may not be very productive.
- the openssl utility won't allow it, because it will need the issuer certificate to be able to fill in the issuer field, at the very least.

Cheers,
Richard

-----
Please consider sponsoring my work on free software.
See http://www.free.lp.se/sponsoring.html for details.

--
Richard Levitte [EMAIL PROTECTED]
http://richard.levitte.org/

"When I became a man I put away childish things, including
the fear of childishness and the desire to be very grown up."
-- C.S. Lewis
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager [EMAIL PROTECTED]
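The scenario Joel asks about and the notBefore ordering check Richard mentions, as an added shell example using the openssl utility; it is not part of the thread, and the CA name, hostname and file names are made up. It assumes openssl 1.1.1 or 3.x and GNU or BSD date on PATH.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes the openssl CLI (1.1.1 or 3.x) and
# GNU or BSD date on PATH; the names used are made up.
set -eu

# "notBefore=Jan 19 13:35:46 2005 GMT" -> epoch seconds (GNU date, then BSD date).
to_epoch() {
  d=${1#notBefore=}
  date -u -d "$d" +%s 2>/dev/null || date -u -j -f '%b %d %H:%M:%S %Y %Z' "$d" +%s
}

# Private req config so the CA extensions do not depend on the system openssl.cnf.
write_cnf() {  # $1=out
  printf '%s\n' '[req]' 'distinguished_name = dn' 'x509_extensions = v3_ca' '[dn]' \
    '[v3_ca]' 'basicConstraints = critical,CA:TRUE' 'keyUsage = critical,keyCertSign' \
    'subjectKeyIdentifier = hash' > "$1"
}

# Self-signed CA certificate for an already existing CA key.
ca_cert() {  # $1=req.cnf $2=ca.key $3=out
  openssl req -x509 -new -config "$1" -key "$2" -subj '/CN=Example Test CA' \
    -days 3650 -out "$3" 2>/dev/null
}

# Issue a server certificate. openssl x509 -req needs -CA: the issuer name is copied from
# the CA certificate (on OpenSSL 3 so is the authorityKeyIdentifier), not from the key.
issue_server_cert() {  # $1=req.cnf $2=ca.crt $3=ca.key $4=srv.key $5=out
  openssl req -new -config "$1" -key "$4" -subj '/CN=server.example.test' 2>/dev/null |
    openssl x509 -req -CA "$2" -CAkey "$3" -CAcreateserial -days 365 -out "$5" 2>/dev/null
}

# The validator's check from the thread: succeeds when the issued certificate's notBefore
# is not earlier than its issuer's notBefore, fails when it is (the suspicious ordering).
check_issuance_order() {  # $1=ca.crt $2=leaf.crt
  ca_nb=$(to_epoch "$(openssl x509 -in "$1" -noout -startdate)")
  leaf_nb=$(to_epoch "$(openssl x509 -in "$2" -noout -startdate)")
  [ "$leaf_nb" -ge "$ca_nb" ]
}

# The scenario in the question: CA key first, server cert issued, and the CA certificate
# that actually gets published made later from the same key. Prints the work directory.
run_demo() {
  w=$(mktemp -d)
  write_cnf "$w/req.cnf"
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$w/ca.key" 2>/dev/null
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$w/srv.key" 2>/dev/null
  ca_cert "$w/req.cnf" "$w/ca.key" "$w/ca-early.crt"  # stand-in: openssl insists on a -CA cert
  issue_server_cert "$w/req.cnf" "$w/ca-early.crt" "$w/ca.key" "$w/srv.key" "$w/srv.crt"
  sleep 2                                              # published CA cert gets a later notBefore
  ca_cert "$w/req.cnf" "$w/ca.key" "$w/ca.crt"
  echo "$w"
}
```

`openssl verify -CAfile "$w/ca.crt" "$w/srv.crt"` still succeeds (same key, same issuer name; OpenSSL checks each certificate's validity period only against the current time), while `check_issuance_order "$w/ca.crt" "$w/srv.crt"` fails, which is the inconsistency a more careful validator or auditor would flag.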