> 'the' CA being a private or internal one, obviously.
> (I assume this CA is also trusted by some/all people you communicate
> with, otherwise you're not accomplishing anything by using it.)
Yes, it is a private CA trusted by all people in our organization.
> I'm not familiar with thunderbird, but how do you determine this?
I can verify that by deleting the CA cert: Thunderbird then says that my
personal cert could not be verified.
> It looks to me you did right. You could check by (re)displaying
> each certfile with openssl x509 -text and verify that only
> the validity and signature differ, and in particular any
> attributes relating to keyusage are the same.
Yes, I did. Only the validity and the signature algorithm differ. Just in case, I'm
including them below.
> When you 'install' the CAcert can you choose anything
> about intended or allowed usage? Maybe some tickboxes?
Yes, I checked "can identify web sites" and "can identify mail users".
> Could thunderbird have cached some info about the old
> CAcert that is now confusing it e.g. a fingerprint?
I don't think so. Is it possible that the signed mails actually contain
the full chain?
> Could you redo from scratch by making a new install,
> installing new-CAcert first, then your entity key+cert?
> (Or on the active copy after a VERIFIED GOOD backup?)
I've tried it on multiple computers with the same effect.
> Also I wonder if the error message might be inaccurate.
> That sometimes happens in software. Some other problems
> I can think of that SHOULD be described differently are:
>
> - entitycert (separately) expired
>
> - entitycert doesn't actually chain correctly
>
> As a test, preferably on a copy on a scratch system,
> could you put the old-CAcert back in, falsify the
> system date, and check it (still) works?
I'll try. Thanks.
> I doubt it. Any decent software less than 10 years old
> (and I'm pretty sure thunderbird satisfies that <G>)
> should support SHA1, and if it didn't it should give a
> quite different error message. But if you want to test,
> just add -md5 to your x509 command line.
Tried it and it didn't make any difference.
Old cert:
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 0 (0x0)
        Signature Algorithm: md5WithRSAEncryption
        Issuer: C=MO, ST=Macau SAR, L=Macau, O=CPTTM, CN=CA
        Validity
            Not Before: May 12 05:31:33 2004 GMT
            Not After : May 11 05:31:33 2009 GMT
        Subject: C=MO, ST=Macau SAR, L=Macau, O=CPTTM, CN=CA
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                    00:bc:e6:03:28:6b:54:83:c7:6e:f1:65:6e:bc:70:
                    c1:9e:ee:6d:42:0f:84:14:e5:ee:a9:b6:ec:29:bd:
                    39:78:cd:40:1c:5e:c0:0c:d0:5b:0b:7f:58:41:17:
                    cb:ad:2a:f1:0e:fa:45:66:04:33:be:37:dd:ea:ac:
                    ca:78:1b:49:3b:4f:b2:06:85:3c:69:87:e7:74:85:
                    e9:91:ee:d0:b1:47:ac:78:a4:c6:ef:06:e2:fe:dd:
                    22:2a:68:1f:b4:81:f3:9b:3a:ab:1b:9c:5e:46:56:
                    cc:77:38:cc:a1:c3:0b:b0:f7:4c:ad:eb:90:6b:2c:
                    10:bd:d4:cb:1d:99:c6:58:f7
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                B4:79:E5:05:D8:43:2D:E7:C2:C9:67:C7:44:03:30:AB:9A:E0:BD:1C
            X509v3 Authority Key Identifier:
                keyid:B4:79:E5:05:D8:43:2D:E7:C2:C9:67:C7:44:03:30:AB:9A:E0:BD:1C
                DirName:/C=MO/ST=Macau SAR/L=Macau/O=CPTTM/CN=CA
                serial:00
            X509v3 Basic Constraints:
                CA:TRUE
    Signature Algorithm: md5WithRSAEncryption
        5f:c2:97:fb:ce:22:9d:2c:6e:b2:8b:e4:d4:c6:2e:15:e3:a5:
        de:a2:d4:50:ee:9d:e0:df:c6:96:90:1e:56:00:b5:42:1c:be:
        cc:de:8e:b5:50:35:72:50:d1:31:91:30:bd:ea:26:74:40:a8:
        ee:fa:43:aa:70:b9:a1:23:d1:4c:9e:81:26:07:78:d9:77:a1:
        e9:77:31:65:dc:ba:03:17:60:b4:9f:44:cb:5c:ac:8e:76:f3:
        c8:d0:c0:fc:05:a0:6b:e3:d5:32:78:a4:b2:b6:71:e2:f6:95:
        75:57:9a:79:f8:18:32:cc:05:ad:82:a9:b6:d3:85:d2:08:f1:
        0b:10
New cert:
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 0 (0x0)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=MO, ST=Macau SAR, L=Macau, O=CPTTM, CN=CA
        Validity
            Not Before: May 11 09:28:37 2009 GMT
            Not After : May 9 09:28:37 2019 GMT
        Subject: C=MO, ST=Macau SAR, L=Macau, O=CPTTM, CN=CA
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                    00:bc:e6:03:28:6b:54:83:c7:6e:f1:65:6e:bc:70:
                    c1:9e:ee:6d:42:0f:84:14:e5:ee:a9:b6:ec:29:bd:
                    39:78:cd:40:1c:5e:c0:0c:d0:5b:0b:7f:58:41:17:
                    cb:ad:2a:f1:0e:fa:45:66:04:33:be:37:dd:ea:ac:
                    ca:78:1b:49:3b:4f:b2:06:85:3c:69:87:e7:74:85:
                    e9:91:ee:d0:b1:47:ac:78:a4:c6:ef:06:e2:fe:dd:
                    22:2a:68:1f:b4:81:f3:9b:3a:ab:1b:9c:5e:46:56:
                    cc:77:38:cc:a1:c3:0b:b0:f7:4c:ad:eb:90:6b:2c:
                    10:bd:d4:cb:1d:99:c6:58:f7
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                B4:79:E5:05:D8:43:2D:E7:C2:C9:67:C7:44:03:30:AB:9A:E0:BD:1C
            X509v3 Authority Key Identifier:
                keyid:B4:79:E5:05:D8:43:2D:E7:C2:C9:67:C7:44:03:30:AB:9A:E0:BD:1C
                DirName:/C=MO/ST=Macau SAR/L=Macau/O=CPTTM/CN=CA
                serial:00
            X509v3 Basic Constraints:
                CA:TRUE
    Signature Algorithm: sha1WithRSAEncryption
        ab:e3:08:e6:50:1b:1d:40:65:09:6b:d4:9c:bb:5a:01:4e:8f:
        36:5e:5a:e6:8b:b0:2b:71:e5:b8:a3:eb:e2:fd:ba:01:01:b1:
        52:4a:d7:e9:76:ad:8d:fd:14:13:46:f0:7d:e9:eb:88:8c:eb:
        d3:4f:e5:92:28:36:03:28:f2:37:93:0d:8e:29:68:5b:98:92:
        80:3f:20:99:47:1e:3a:0e:48:00:ca:ae:51:54:3b:90:51:54:
        52:b9:7d:7c:75:6d:99:9e:73:27:50:1a:f2:eb:2f:4d:cd:8a:
        5e:a8:1d:10:d2:42:7c:b7:ac:95:b8:47:55:f9:82:c8:17:61:
        5f:f6
-----
--
Kent Tong
Wicket tutorials freely available at http://www.agileskills2.org/EWDW
Axis2 tutorials freely available at http://www.agileskills2.org/DWSAA
--
View this message in context:
http://www.nabble.com/renewing-a-CA-tp23497730p23518626.html
Sent from the OpenSSL - User mailing list archive at Nabble.com.
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org
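The replies above ask for three checks on a renewed CA cert: that the old and new CA certs carry the same key, that the entity cert still chains to the new CA cert on its own, and that the two `openssl x509 -text` dumps differ only in validity and signature; they also suggest retesting with a falsified date. The script below is an added example, not code from the thread or from OpenSSL: it rebuilds that situation with throwaway keys (constructed subjects, lifetimes and serials) and runs those checks, using `openssl verify -attime` instead of changing the system clock.

```shell
#!/bin/sh
# Added example, not from the thread: rebuild the CA-renewal scenario with
# throwaway keys and check what the replies above ask for. Assumes the
# openssl CLI and its default openssl.cnf; all names and dates are constructed.
set -eu
W=$(mktemp -d); trap 'rm -rf "$W"' EXIT
CA_SUBJ="/C=XX/O=Example Org/CN=CA"
openssl genrsa -out "$W/ca.key" 2048 2>/dev/null
# Old and new CA certs from the SAME key pair; only the validity period
# (and, unlike the dumps above, the serial number) changes.
openssl req -x509 -new -key "$W/ca.key" -subj "$CA_SUBJ" -days 1 \
  -set_serial 1 -out "$W/ca-old.pem" 2>/dev/null
openssl req -x509 -new -key "$W/ca.key" -subj "$CA_SUBJ" -days 3650 \
  -set_serial 2 -out "$W/ca-new.pem" 2>/dev/null
# A user (S/MIME) cert issued while the old CA cert was still current.
openssl req -new -newkey rsa:2048 -nodes -keyout "$W/user.key" \
  -subj "/C=XX/O=Example Org/CN=user" -out "$W/user.csr" 2>/dev/null
openssl x509 -req -in "$W/user.csr" -CA "$W/ca-old.pem" -CAkey "$W/ca.key" \
  -CAcreateserial -days 30 -out "$W/user.pem" 2>/dev/null

# 1. Same public key? Compare digests of the PEM SubjectPublicKeyInfo.
pubkey_id() { openssl x509 -in "$1" -noout -pubkey | openssl sha256; }
same_key()  { [ "$(pubkey_id "$1")" = "$(pubkey_id "$2")" ]; }

# 2. Does the user cert chain to ONE CA file, optionally at a faked time
#    (epoch seconds)? Signatures are checked against the key, so a cert
#    signed under the old CA cert verifies against the new one as well.
chains_to() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }
chains_at() { openssl verify -attime "$3" -CAfile "$1" "$2" >/dev/null 2>&1; }

# 3. Do the -text dumps differ only in serial, validity and signature?
#    Drop those lines plus every hex line (modulus and signature bytes).
cert_body() {
  openssl x509 -in "$1" -noout -text \
    | grep -Ev '[Ss]erial|Not (Before|After)|Signature (Algorithm|Value)' \
    | grep -Ev '^ +[0-9a-f]{2}(:[0-9a-f]{2})*:?$'
}
same_body() { [ "$(cert_body "$1")" = "$(cert_body "$2")" ]; }

main() {
  same_key  "$W/ca-old.pem" "$W/ca-new.pem" && echo "same CA key: yes"
  same_body "$W/ca-old.pem" "$W/ca-new.pem" && echo "same CA body: yes"
  chains_to "$W/ca-new.pem" "$W/user.pem"   && echo "user chains to new CA: yes"
  # Three days from now the old CA cert has expired but the new one still works.
  LATER=$(( $(date +%s) + 3 * 86400 ))
  chains_at "$W/ca-old.pem" "$W/user.pem" "$LATER" || echo "old CA expired: as expected"
  chains_at "$W/ca-new.pem" "$W/user.pem" "$LATER" && echo "new CA at +3 days: yes"
}
main
```

If a renewed CA cert fails check 3 because the key usage or basic constraints changed, or fails check 1 because the key was regenerated, then every entity cert has to be reissued rather than just the CA cert replaced.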