On Tue, Nov 09, 2010 at 11:42:14AM -0500, josh kirbey wrote:

> Hi All,
>
> We are required to upgrade the sizes of private/public key pairs to 3072
> bits from 1024 bits.

Welcome to bureaucratic insanity. There is no rational basis for this
requirement. Even 2048 bits is excessively conservative for most
applications; you're likely much better off with 1280 or 1536-bit keys.

> During the upgrade process, I pick the X509stack and pick the certificate
> and generate the new keys with a size of 3072 bits. Also, I am successfully
> able to set the public key for this cert using the API X509_set_pubkey.
> Using the new public key in the cert and the new private key, we prepare a
> certificate request that is to be sent to the CA server.
>
> Along with the new certificate request, we also send the cert chain (PKCS
> value) to the provisioning server for verification. The PKCS value is not
> really touched here. On the provisioning end, when we call
> "X509_verify_cert" it always fails with the error, "Certificate
> Verification error : 7". This stands for X509_V_ERR_CERT_SIGNATURE_FAILURE.

If you modify a certificate, its signature will be invalid.

-- 
	Viktor.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
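The two paths in this thread side by side, as an added example that is not part of the original exchange or of OpenSSL's own code. It uses Python's `cryptography` package (assumed installed, 3.1 or newer) rather than the C API; the helper names (`make_csr`, `issue`, `set_pubkey_without_resign`, `signature_ok`), the "Demo CA", `host.example` and the key sizes (2048-bit old key instead of the poster's 1024, 3072-bit new key) are my assumptions. `set_pubkey_without_resign` reproduces what calling X509_set_pubkey() on an already-issued X509 does: the subjectPublicKeyInfo inside tbsCertificate changes, the CA's signature over the old bytes does not, and the verifier side reports a signature failure (error 7 in the poster's output). The right path builds a CSR carrying the new key and lets the CA issue a fresh certificate.

```python
"""Key rollover: patching a new key into an issued certificate (what
X509_set_pubkey() does to an X509 object) versus sending a CSR with the
new key and getting a freshly signed certificate back. Demo-only CA,
names and key sizes; requires the `cryptography` package."""
import datetime

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509.oid import NameOID

VALIDITY = datetime.timedelta(days=1)


def gen_key(bits):
    return rsa.generate_private_key(public_exponent=65537, key_size=bits)


def cn(name):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, name)])


def make_ca(key):
    """Self-signed demo CA certificate."""
    now = datetime.datetime.now(datetime.timezone.utc)
    return (
        x509.CertificateBuilder()
        .subject_name(cn("Demo CA"))
        .issuer_name(cn("Demo CA"))
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now)
        .not_valid_after(now + VALIDITY)
        .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
        .sign(key, hashes.SHA256())
    )


def make_csr(key, name):
    """Client side: a request carrying the NEW public key, self-signed with it."""
    return x509.CertificateSigningRequestBuilder().subject_name(cn(name)).sign(key, hashes.SHA256())


def issue(ca_key, ca_cert, csr):
    """CA side: take the key from the CSR and sign a brand-new certificate."""
    if not csr.is_signature_valid:  # proof of possession of the new private key
        raise ValueError("CSR self-signature invalid")
    now = datetime.datetime.now(datetime.timezone.utc)
    return (
        x509.CertificateBuilder()
        .subject_name(csr.subject)
        .issuer_name(ca_cert.subject)
        .public_key(csr.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now)
        .not_valid_after(now + VALIDITY)
        .sign(ca_key, hashes.SHA256())
    )


def spki_der(pubkey):
    return pubkey.public_bytes(
        serialization.Encoding.DER, serialization.PublicFormat.SubjectPublicKeyInfo
    )


def set_pubkey_without_resign(cert, new_pubkey):
    """Emulate X509_set_pubkey() on an issued cert: swap the subjectPublicKeyInfo
    inside tbsCertificate and keep the old signature. The outer SEQUENCE length
    is left stale; that does not matter here, the signed bytes differ either way."""
    old, new = spki_der(cert.public_key()), spki_der(new_pubkey)
    tbs = cert.tbs_certificate_bytes
    assert old in tbs  # DER is canonical, so the SPKI appears verbatim in the TBS
    return tbs.replace(old, new, 1)


def signature_ok(issuer_cert, cert, tbs=None):
    """The signature step of X509_verify_cert(): the issuer's key must verify
    cert.signature over the (possibly tampered) tbsCertificate bytes."""
    tbs = cert.tbs_certificate_bytes if tbs is None else tbs
    try:
        issuer_cert.public_key().verify(
            cert.signature, tbs, padding.PKCS1v15(), cert.signature_hash_algorithm
        )
        return True
    except InvalidSignature:
        return False


def rollover_demo(old_bits=2048, new_bits=3072):
    ca_key = gen_key(2048)
    ca_cert = make_ca(ca_key)
    old_cert = issue(ca_key, ca_cert, make_csr(gen_key(old_bits), "host.example"))
    new_key = gen_key(new_bits)

    # Wrong: patch the new key into the old cert -> signature failure at the verifier.
    patched_tbs = set_pubkey_without_resign(old_cert, new_key.public_key())
    # Right: CSR with the new key; the CA returns a cert with a fresh signature.
    new_cert = issue(ca_key, ca_cert, make_csr(new_key, "host.example"))

    return {
        "old_cert_ok": signature_ok(ca_cert, old_cert),
        "patched_cert_ok": signature_ok(ca_cert, old_cert, patched_tbs),
        "new_cert_ok": signature_ok(ca_cert, new_cert),
        "new_cert_bits": new_cert.public_key().key_size,
        "new_cert_matches_key": spki_der(new_cert.public_key()) == spki_der(new_key.public_key()),
    }


if __name__ == "__main__":
    for k, v in rollover_demo().items():
        print(f"{k}: {v}")
```

The C-API counterpart of the right path is to build an X509_REQ (X509_REQ_set_subject_name, X509_REQ_set_pubkey with the new key, X509_REQ_sign with the new private key) and send that to the CA, leaving the existing X509 untouched; the CA's answer is a new certificate, and the old one is simply replaced in the chain once it arrives.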