> Thank you for getting back to me
> I need to take the Root CA certificate/private key and
> change the modulus from 512 bit to 2048 bit. I assume
> that I have to make a new Root CA Certificate request
> and then sign it with the old one?
> The problem that I have is newer devices are not
> allow
On Wed, May 17, 2006, Phil Dibowitz wrote:
> Dr. Stephen Henson wrote:
> > Your problem is that you are telling OpenSSL to include the AKID extension by
> > copying the SKID from the issuing CA. That CA doesn't have an SKID extension
> > so it gives the error.
> >
> > Either remove that e
On Wed, May 17, 2006, Phil Dibowitz wrote:
> Dr. Stephen Henson wrote:
>
> > The reason for the random nature is so that OpenSSL by default makes it very
> > unlikely to duplicate issuer names and serial numbers, which is a standard
> > violation and can cause peculiar hard to trace errors in
Alicia,
Thank you for getting back to me
I need to take the Root CA certificate/private key and
change the modulus from 512 bit to 2048 bit. I assume
that I have to make a new Root CA Certificate request
and then sign it with the old one?
The problem that I have is newer devices are not
allowin
> I know this is a noob question but I have inherited an
> existing CA based on openssl. I need to change some
> existing certificates from 512 bit to 2048 bit. I have
> the private keys and was wondering if the proper
> approach was to renew the certificate and modify them
> there? Or is this not
Dr. Stephen Henson wrote:
> Your problem is that you are telling OpenSSL to include the AKID extension by
> copying the SKID from the issuing CA. That CA doesn't have an SKID extension
> so it gives the error.
>
> Either remove that extension from the config file or include SKID in the root
Dr. Stephen Henson wrote:
> On Wed, May 17, 2006, Phil Dibowitz wrote:
>
>>
>> "CA.pl -newca" takes a random 64-bit number for the serial number of the
>> CA, and then auto-increments that for all of the certs it signs.
>>
>> Why random? Why not start at 64-bits of 0s? Is there some benefit here?
I know this is a noob question but I have inherited an
existing CA based on openssl. I need to change some
existing certificates from 512 bit to 2048 bit. I have
the private keys and was wondering if the proper
approach was to renew the certificate and modify them
there? Or is this not possible? Po
On Wed, May 17, 2006, Phil Dibowitz wrote:
>
> "CA.pl -newca" takes a random 64-bit number for the serial number of the
> CA, and then auto-increments that for all of the certs it signs.
>
> Why random? Why not start at 64-bits of 0s? Is there some benefit here?
>
The serial number is an integ
Dr. Stephen Henson wrote:
> On Wed, May 17, 2006, Phil Dibowitz wrote:
>
>>
>> Thanks for the quick reply.
>>
>> Hmm. Then why is it when I create a self-signed CA with openssl I get
>> the former displayed, but when I then sign a cert with that CA, I
>> get the latter? I don't understand why
On Wed, May 17, 2006, Phil Dibowitz wrote:
>
> Thanks for the quick reply.
>
> Hmm. Then why is it when I create a self-signed CA with openssl I get
> the former displayed, but when I then sign a cert with that CA, I
> get the latter? I don't understand why it is using different byte length
Hello,
> Hi, I am new to the openssl. I just compiled openssl FIPS version and
> I found out that other crypto functions are OK, but I couldn't call
> those RC5 crypto functions. Is this due to RC5 disabled in FIPS version
> or RC5 is not FIPS approved? I would highly appreciate any help.
Look at ht
Goetz Babin-Ebell wrote:
> Phil Dibowitz schrieb:
>
> Hello Phil,
>
>>> In some cases I see serial numbers as octet strings, i.e.:
>>>
>>> Serial Number:
>>> ef:e1:73:da:b3:6a:cf:ad:6b:18:dd:58:7f:6b:49:fe
>>>
>>> And other cases as an integer, i.e.:
>>>
>>> Serial Num
Phil Dibowitz schrieb:
Hello Phil,
> In some cases I see serial numbers as octet strings, i.e.:
>
> Serial Number:
> ef:e1:73:da:b3:6a:cf:ad:6b:18:dd:58:7f:6b:49:fe
>
> And other cases as an integer, i.e.:
>
> Serial Nu
> You must generate new private key (longer) for CA
> and self certify. Next you should publish your new
> CA certificate.
As a transition aid, you might want to have your old root also sign the
new CA key.
/r$
--
SOA Appliances
Application Integration Middleware
In some cases I see serial numbers as octet strings, i.e.:
Serial Number:
ef:e1:73:da:b3:6a:cf:ad:6b:18:dd:58:7f:6b:49:fe
And other cases as an integer, i.e.:
Serial Number: 2 (0x2)
In openssl's case, self-signed certs use an octet-string (though this
seems to not be
Hi, I am new to the openssl. I just compiled openssl FIPS version and I found out that other crypto functions are OK, but I couldn't call those RC5 crypto functions. Is this due to RC5 disabled in FIPS version or RC5 is not FIPS approved? I would highly appreciate any help. Shicai
Hi folks,
What I want to do is to get the name of the cipher suite server is trying to
use when I receive a server hello.
From server hello's header (SSL version 3.0), I can read out the cipher
suite number, which is, for example 0x0004, and my Ethereal (Version
0.10.13) shows it is TLS_RSA_
Hello,
> This is probably a real noob question but I've no idea
> where to start looking. I've inherited an openssl
> based CA. The ROOT CA certificate is 512 bits long.
>
> RSA Public Key: (512 bit)
> Modulus (512 bit):
>
> What is the best way to change this? I thought maybe
> re
This is probably a real noob question but I've no idea
where to start looking. I've inherited an openssl
based CA. The ROOT CA certificate is 512 bits long.
RSA Public Key: (512 bit)
Modulus (512 bit):
What is the best way to change this? I thought maybe
renewal might be the best r
On Tue, May 16, 2006, Phil Dibowitz wrote:
> OpenSSL folks,
>
> I'm having an issue when making an intermediate CA.
>
> As I understand the specs (and please, correct me if I'm wrong), a root
> (i.e. self-signed) CA can be a v1 certificate, but intermediate CAs must:
>(a) be v3
>(b) have