On 01/11/2011 05:50 PM, Dominique Lohez wrote:
Fredrik Strömberg wrote:
Hello,

I want to sign a certificate without using the index or serial files.
Can someone tell me how to disable them?

By using the command x509 and not ca, for example.
You can use a serial number based on a date
(seconds plus process ID, for example) to guarantee
uniqueness.

As said below: If you create the same serial number
for different certs, the results may be
unpredictable depending at least on whether
a verifier has a cache of certificates.

Some example scripts like this can be found in the test
directory of 'curl', obtainable at http://curl.haxx.se


Not using -config makes openssl use the compiled default, and using my
own while commenting out "database" and "serial" gives me the error
"variable lookup failed for CA_default::database". If they can't be
disabled I would like to know if there's a possibility to lock the
files from openssl. Should that not work I need to implement my own
file locking.

(For the curious: I don't need serial because I only identify with CN,
and I don't need a database because I will never revoke any
certificates.)

In my understanding of your problem, the serial number of the certificate is
always required because
you can generate more than one certificate for a given user identified with a
given DN (and not CN).
This arises because you issue a certificate valid from January 1st to March 31st,
the next one valid from April 1st to June 30th, etc., for example.
The only way to distinguish these certificates is the serial number.

I hope this helps
Best regards

Dominique LOHEZ
Any thoughts?

Kind regards,
Fredrik Strömberg
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org
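
An added example (not part of the original thread, and not taken from the curl test directory) of the approach suggested in the reply: signing with `openssl x509 -req` and `-set_serial` instead of `openssl ca`, so no index or serial file is read or written. The function names, file names and the fixed-width seconds-plus-PID layout are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example: sign a CSR without the "ca" command's database/serial files.

# make_serial [epoch_seconds] [pid]
# Builds a hex serial from two fixed-width 32-bit fields. Fixed width matters:
# plain concatenation would make (12,345) and (123,45) the same serial.
# Caveat: two signings by the same process in the same second still collide,
# and a PID can be reused by a later process.
make_serial() {
    secs=${1:-$(date +%s)}
    pid=${2:-$$}
    printf '%08X%08X\n' "$secs" "$pid"
}

# sign_csr CSR CA_CERT CA_KEY OUT [DAYS]
# Signs with "x509 -req"; prints the serial that was used.
sign_csr() {
    serial=$(make_serial)
    openssl x509 -req -in "$1" -CA "$2" -CAkey "$3" \
        -set_serial "0x$serial" -days "${5:-90}" -out "$4" \
        >/dev/null 2>&1 || return 1
    echo "$serial"
}

# demo: throwaway CA and client key in a temp dir (constructed test data).
demo() {
    d=$(mktemp -d) || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=Example Test CA" \
        -keyout "$d/ca.key" -out "$d/ca.pem" -days 1 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=client1" \
        -keyout "$d/client.key" -out "$d/client.csr" 2>/dev/null
    sign_csr "$d/client.csr" "$d/ca.pem" "$d/ca.key" "$d/client.pem" 90
    # Show what ended up in the certificate.
    openssl x509 -in "$d/client.pem" -noout -serial -subject
    rm -rf "$d"
}

# Run "sh thisfile demo" to exercise the full flow (needs the openssl CLI).
if [ "${1:-}" = "demo" ]; then
    demo
fi
```

Concurrent signers run as separate processes, so their PIDs differ and no file locking is needed for the serial.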






