51:4a:6a:d8:69:cf:
84:57:76:a4:90:eb:b0:cc:13:e5:da:1f:1c:75:b2:26:27:94:
1e:a8:e1:6e
You will notice that the "Not After" line does, in fact, indicate that their
cert is expired. And not only expired, but expired a long time ago.
Why does no-one else notice?
the various cases that are found
in the real world.
Cheers,
Patrick.
> Thanks,
> Steve
>
> -Original Message-
> From: owner-openssl-us...@openssl.org
> [mailto:owner-openssl-us...@openssl.org] On Behalf Of Patrick Patterson
> Sent: Thursday, July 18, 2013 9:35
__
> OpenSSL Project http://www.openssl.org
> User Support Mailing List openssl-users@openssl.org
> Automated List Manager maj
ears to be:
[ user_with_bad_aki ]
authorityKeyIdentifier = ASN1:SEQUENCE:bad_aki
[ bad_aki ]
keyIdentifier = FORMAT:HEX,EXPLICIT:0,OCTETSTRING:0102030405060708090A
Cheers,
---
Patrick Patterson
Chief PKI Architect
d_aki
[ bad_aki ]
keyid = DER:01:02:03:04:05:06:07:08:09:0A
However, when I try this, it appears that I can't override the default
behaviour of copying the SKI from the Signing CA Certificate.
Any thoughts?
---
Patrick Patterson
Chief PKI Architect
Carillon Information Security
Hi Robert:
On 2012-12-20, at 8:05 PM, Robert Moskowitz wrote:
> OK. I am swamped. What is the command to display the cert content?
>
openssl x509 -in cert.pem -text -noout.
Have fun.
---
Patrick Patterson
Chief PKI Architect
Carillon Information Security Inc.
http://www.caril
support now available see: http://www.openssl.org
t it's not FIPS
> certified when the config line is not "./config [no-asm]". Does anyone
> know what the issue is or how I can work around it without losing my FIPS
> cert?
>
> Thanks,
>Michael Johnson
th sha2. Is SHA 2 supported?
>
> The commands that I tried were
>
> openssl ca -md sha2
> openssl ca -md sha256
>
> I am using openssl versioned OpenSSL 1.0.1c 10 May 2012.
>
> Let me know.
>
> thanks
> Pushkar
---
Patrick Patterson
Chief PKI Architect
Cari
me as we cannot disclose
> this information.
> Vladimir Belov: Ok. No.
> Clifford: If there is nothing further, thank you for choosing Thawte and have
> a great day.
> Thank you for using thawte Live Chat. You may now close this window.
>
atch on OID values, and not on
any other part of the certificatePolicy extension.
Have fun!
--
Patrick Patterson
President and Chief PKI Architect,
Carillon Information Security Inc.
http://www.carillon.ca
, most if not all of the
> methods called inside that module are static so they're not available to
> my get_crl.
>
> I'd appreciate your feedback and guidance.
best way to store
> certificate with string format ?
PEM of course.
> 4) is a bad idea to handle everywhere certificates in string format ?
>
VERY, VERY bad...
Have fun!
---
Patrick Patterson
Chief PKI Architect
Carillon Information Security Inc.
http://www.carillon.ca
rrect extensions.
>
> Certificate you posted has critical mark on "X509v3 Subject Alternative Name"
> which is completely wrong in this case. It is "Time Stamping" that has to be
> marked as critical.
>
>
> --
> Kind Regards / S poz
ook to pull a certs info via
> https, ldap over ssl, etc.
>
> Thanks!
> Andy G
:
> How may I introduce them in this command line?
>
> openssl req -new -key key_user.pem -out req_user.pem
>
> Thank you
> Felix
---
Patrick Patterson
Chief PKI Architect
Carillon Information Security Inc.
http://www.carillon.ca
e that you could chain that way.
Best Regards,
---
Patrick Patterson
Chief PKI Architect
Carillon Information Security Inc.
http://www.carillon.ca
Hi Steve:
Please see reply inline.
On 2010-11-23, at 2:41 PM, Dr. Stephen Henson wrote:
> On Mon, Nov 22, 2010, Patrick Patterson wrote:
>>
>> I believe that an indirect issuerLogo SHOULD be encoded in openssl.cnf as:
>>
>> [extra_extensions]
>> 1.3.6
OICE. The other thing is to know is if
anyone knows whether, for implementation of 3709, if AlgorithmIdentifier
parameters really should be NULL, or omitted.
Thanks.
---
Patrick Patterson
Chief PKI Architect
Carillon Information Security Inc.
http://
the CRL DP in the certificate that you issue to your servers.
Have fun!
---
Patrick Patterson
Chief PKI Architect
Carillon Information Security Inc.
http://www.carillon.ca
by step manual?
You can find such a guide here:
http://www.carillon.ca/library/openssl_testca_howto_1.3.pdf
Have fun!
---
Patrick Patterson
Chief PKI Architect
Carillon Information Security Inc.
http://www.carillon.ca
can be a bit tricky,
however, the how-to that we have posted at:
http://www.carillon.ca/library/openssl_testca_howto_1.3.pdf
should help you through it.
Have fun!
---
Patrick Patterson
Chief PKI Architect
Carillon Information Security Inc.
http://www
---
Patrick Patterson
President and Chief PKI Architect
Carillon Information Security Inc.
http://www.carillon.ca
tel: +1 514 485 0789
mobile: +1 514 994 8699
fax: +1
tional OIDs to the
> certificate.
>
> Thanks in advance,
> Gumbie
---
Patrick Patterson
President and Chief PKI Architect
Carillon Information Security Inc.
http://www.carillon.ca
tel: +1 514 485 0789
mobile: +1 514
any CA that does NOT handle SAN. Most will not get it out of the Subject
DN (since it is a horrible, horrible idea, and definitely not in line with best
practice) of the Certificate Request, but everything will correctly handle it
when building a certificate. Even ancient versions of Ope
ating any certs that a Microsoft
environment may need. Having OpenSSL generate certs that are usable for
Exchange is rather trivial.
Anyways - Have fun.
---
Patrick Patterson
President and Chief PKI Architect
Carillon Information Security Inc.
http://www.carillon.ca
tel: +1 514 485 0789
mob
sageNet Systems
> chris.ri...@messagenetsystems.com
efault
> and just enable when specifically needed.
>
>
> However, if there is another way to do this then I would like to know. The
> only other option I can see is to configure a Microsoft CA or some other CA
> that does not use openssl.
>
> -Thanks
>
>
>
> On 09/
xx, CN=server1.company.com
>
>
> X509v3 Subject Alternative Name:
> DNS:server1.company.comm, DNS:server2.company.com
>
>
> I need to use a SAN with my Exchange server certificate since the same
> certificate is used for several
---
Patrick Patterson
President and Chief PKI Archit
self asserted value in a
CSR to prove that, were you? :)
Have fun!
--
Patrick Patterson
President and Chief PKI Architect,
Carillon Information Security Inc.
http://www.carillon.ca
> openssl ca
>
> Thanks
> Alex
>
> Was anyone able to use CAPI in OpenSSL 1.0.0a? I tried to find any
> example in the Internet, but without any luck.
>
> Best regards,
>Mike
> works for you, a nice bonus is that it saves money and time getting the
> > certificates.
> >
> > Another would be to maintain a database of legitimate certificates or
> > their fingerprints and only accept certificates with a matching
> > fingerprint. Of course
Hi there:
A couple of things:
1: Neither of your CA certs have "certSign" as a keyUsage. This is the most
likely cause of failure.
2: Your router cert has a Basic constraint of CA=true - while probably not
causing you any problems, this is EXTREMELY dangerous.
I would suggest you go and make
[pid 2911:tid 3040861040] [client
> 10.0.2.2:1444] Connection closed to child 194 with abortive shutdown
> (server fedoragui.mydomain.com:443)
>
> /ulfW
arious applications that have
patches available) then I would have (one would still require the AIA field,
though) :)
Have fun.
Patrick.
> -Original Message-
> From: owner-openssl-us...@openssl.org on behalf of Patrick Patterson
> Sent: Fri 7/16/2010 11:58 AM
> To: openssl-
will NOT fetch intermediate certificates for
you (which is why you needed to put both certs in the cafile.pem) - this is
because it doesn't have any code to be an HTTP or LDAP client (probably a good
thing:). If you want to do path construction, you have to write an application
that uses OpenSS
OID for AIA, thus the application should
NOT be able to find the OCSP information. Fix the CA that generated this
certificate to generate correct PKIX RFC5280 certificates, and at least part
of your problem should go away.
Have fun.
--
Patrick Patterson
President and Chief PKI Architect,
then you'll have to talk pretty fast to get
them to accept your CA into their browser.
That's it. If you need any help, give us a call :)
---
Patrick Patterson
President and Chief PKI Architect
Carillon Information Security Inc.
http://www.carillon.ca
On 14/04/10 1:05 PM, Jerry Wang wrote:
> Hi,
>
> I was just wondering what is the best way for converting type
> ASN1_UTCTIME* to type char* or string in C++?
>
Probably the best way is to convert it to a time_t, and then use your
normal platform functions to convert that to a string. This has th
Hi there:
One other thing to keep in mind is that the DN for the CRLDP *SHOULD* be
the same as that for the CA that signs the CRL. I believe this is a
"Best Practice", and not completely normative, but it is well enough
enshrined (USFBCA CP and all cross-certified CA's, Canadian Govn't,
etc.), tha
Hello Peter:
On 08/04/10 3:45 AM, peter23452345 wrote:
>
> hi, i have been trying to create a certificate for use on my webscarab proxy.
> essentially what i want to do is this: run a php curl script which redirects
> certain https traffic through the webscarab proxy so that i can see the
> outpu
On 23/03/10 8:50 PM, PGNet Dev wrote:
> On Tue, Mar 23, 2010 at 4:54 PM, Patrick Patterson
> wrote:
>>> where "OCSP.cert.pem" is a single-purpose cert, only for the OCSP responder.
>>>
>> I hope you realize that there are MANY warnings against doing this f
Hi there:
On 23/03/10 7:39 PM, PGNet Dev wrote:
> I'm planning to run openssl ocsp in server mode,
>
> openssl ocsp \
> -index /svr/demoCA/index.txt \
> -port \
> -CA /svr/demoCA/certs/CA/CA.cert.pem \
> -rsigner /svr/demoCA/crl/OCSP.cert.pem \
> -rkey /svr/demoCA/crl/OCSP.privkey.pem
On 23/03/10 3:09 PM, Konrads Smelkovs wrote:
> What are the risk moments here? Why this clause was put in?
Probably due to the complexity of handling the trust path correctly -
most clients can't do even the most simple checks required by
RFC5280/3280 - expecting to have the client know somehow th
ther case. You can explicitly trust
> > the responder certificate with the -VAfile option or add explicit OCSP
> > signing trust to the root.
> >
> > Steve.
> > --
> > Dr Stephen N. Henson. OpenSSL project core developer.
> > Commercial tech supp
exchanges of
identity during the SSL handshake. I suggest you go back and read the
relevant standards again.
Best Regards,
---
Patrick Patterson
President and Chief PKI Architect
Carillon Information Security Inc.
http://www.carillon.ca
comma value for the reason)
Field 4: Certificate Serial Number
Field 5: Unused - always "unknown"
Field 6: Subject DN of certificate
The file is tab delimited, if I am not mistaken.
Have fun.
--
Patrick Patterson
President and Chief PKI Architect,
Carillon Information Security
On February 22, 2010 09:18:25 am Eisenacher, Patrick wrote:
> > -Original Message-
> > From: Patrick Patterson
> >
> > On 12/02/10 8:51 AM, skillz...@gmail.com wrote:
> > > Is there a way (via the API rather than the tool) to tell
> >
> > Ope
On 12/02/10 8:51 AM, skillz...@gmail.com wrote:
> Is there a way (via the API rather than the tool) to tell OpenSSL that
> the sub-CA certificate is trusted and it doesn't need to walk further
> up the chain? For my case, I embed the sub-CA certificate in my code
> and I'm space constrained so I'd
On 09/02/10 11:02 AM, Steffen DETTMER wrote:
> * Patrick Patterson wrote on Sun, Feb 07, 2010 at 10:14 -0500:
>>> A quick question here. Should the Certificate Signing Request message be
>>> protected when requesting for Certificate from CA?
>
> I think, if you wa
Hi there:
On 07/02/10 8:55 AM, sandeep kiran p wrote:
> Hi,
>
> A quick question here. Should the Certificate Signing Request message be
> protected when requesting for Certificate from CA? If I am sending a
> PKCS10 request to a remote CA, there could be a possibility that an
> attacker might in
12 -info -clcerts
Have fun.
Patrick.
>
> On Thu, Feb 4, 2010 at 9:08 AM, Patrick Patterson
>
> wrote:
> > On February 3, 2010 05:57:36 pm Dan Letkeman wrote:
> >> The server I'm trying to import it into is an Astaro Firewall.
> >> www.astaro.com. I have
g that you get an error doesn't
really help us to help you.
> The Astaro only takes PKCS12 files.
>
Ok - do you need to configure any sort of CA certificate? What values does the
Astaro require in the certificate?
--
Patrick Patterson
President and Chief PKI Architect,
Carillon In
Please define "doesn't work" - how doesn't it work?
Also, most servers take the key and cert files - so can you let us
know which server you are trying to make work?
Have fun
--
Patrick Patterson
Chief PKI Architect
Carillon Information Security Inc.
http://www.caril
the tool and the task at hand, but the toolkit is
more than adequate for creating some form of signed Word Document.
Have fun.
--
Patrick Patterson
President and Chief PKI Architect,
Carillon Information Security Inc.
http://www.carillon.ca
have a CRLDP, since that would be self
referential.
Have fun.
--
Patrick Patterson
President and Chief PKI Architect,
Carillon Information Security Inc.
http://www.carillon.ca
Hi there:
It is really quite simple. How do you want to sign or encrypt this
document? Do you want to do it natively from word? Or do you want to do
this from a Unix command prompt? What formats do you want it encrypted
in? How will the consumer decrypt or verify the document? Again, do you
want
PKCS7_dataFinal(p7, p7bio);
>
> Thanks!
>
> []s
> Douglas Gemignani
Hi Kyle:
While your EKU is correct, I'm not sure that your KU values are correct.
We've generated successful UCC certs here with the following profile:
[ usr_ucc_ext ]
basicConstraints= CA:FALSE
keyUsage= critical, keyEncipherment,
digitalSignature
extended
openssl.my.cnf -policy policy_anything -in
> >> datareq.csr
> >>
> >> I'm at a loss at the moment so any help would be appreciated.
> >>
> >> Thanks ,
> >>
> >> Anton
> >
> > --
> > --
> > Mounir IDRASSI
> > IDRIX
> > http:
On January 6, 2010 12:19:53 pm Johannes Bauer wrote:
> Patrick Patterson schrieb:
> > Check out the archives, and see my reply to Martine Schneider and David
> > Schwartz from yesterday to the query:
> >
> > Sign CSR after modifying data in CSR possible?
>
> Ahhh
xample.com/?cACertificate;binary?base?objectclass=pkiCA
[crl_dist_points]
URI.0=http://www.example.com/caops/test-signca1-crl.crl
URI.1=ldap://dir.example.com/?certificateRevocationList;binary?base?objectclass=pkiCA
Have fun.
--
Patrick Patterson
President and Chief PKI Architect,
Car
e" );
> break;
> }
>
> Ultimately we are getting "Unable to read CRL file" if we are loading
> DER format CRL. Did you see anything wrong there?
>
> Thanks
> Radhakrishna.
>
> -----Original Message-
> From: owner-openssl-us...@openssl.org
> [m
Sebastián Treu wrote:
> Hi David,
>
>
>>> Others things are to instantaneously put that client in a wait list
>>> when SSL_write() could not succeed, continue with the others, and try
>>> with that client again later. But, sometimes we can get a WANT_WRITE
>>> or WANT_READ when renegotiating so th
o take a look at the ATA Spec42 guidance on building PKI
applications in the air transport industry.
Best Regards,
Patrick Patterson
Chief PKI Architect
Carillon Information Security Inc.
http://www.carillon.ca
Radha krishna Meduri -X (radmedur - HCL at Cisco) wrote:
> Thanks for your supp
Hi Rene:
Rene Hollan wrote:
>
> 2) Things like OCSP, CRLs, and other SSL "extensions" have always
> stumped me. Is it something the user of the library is responsible
> for, when validating a cert, or can the library do it itself when I
> try to establish an SSL connection, and to what degree can
Hey there;
When asking for advice, please at least say whether you are trying to do
something programmatically (i.e.: using the OpenSSL API), or just need to
do it from the command line.
If it is the command line, then please include what you have tried, and
the results that you got.
To this curr
Hi there;
Since you have narrowed the problem down to something in your
certificate, and, since certificates are by nature 'public' files, can
you perhaps post the certificate from one of the failing PKCS#12 files
here, which would allow folks to perhaps help you out more?
(It may be that instead
ant to look at section 4.4
Have fun.
--
Patrick Patterson
President and Chief PKI Architect,
Carillon Information Security Inc.
http://www.carillon.ca
rmediate CA following RFC5280. If you do not, your PKI will
keep failing in new and interesting ways.
Have fun.
--
Patrick Patterson
President and Chief PKI Architect,
Carillon Information Security Inc.
http://www.carillon.ca
best
thing to do here is to solve the actual problem (RSA performance too slow on
the HSM), and not hack around it.
Have fun.
--
Patrick Patterson
President and Chief PKI Architect,
Carillon Information Security Inc.
http://www.carillon.ca
Peter Lin wrote:
> Hi folks,
>
> I have a problem about key security.
>
> If a RSA private key is encrypted by an AES key, which is again encrypted by
> the same RSA private key itself, is this considered as a secure procedure?
> Obtaining the encrypted RSA private key and the AES key, is there a
Hi Jeff:
Jeffrey Walton wrote:
> Hi Doctor,
>
> From the docs:
> SHA1 is the digest of choice for new applications.
>
> It appears the docs are a bit dated. Depending on the application, I
> believe NIST recommends that new applications use SHA-2 family (circa
> 2006 [1]), and requires SHA-2 a
all certificates
7: All CA Certs assert Basic Constraints.
And any other check that is specified in RFC5280 that I've missed. :)
We've actually written a tool that does Path Discovery and validation called
Pathfinder, if you are looking for such a tool. It can be found at:
http://www.car
Hi there:
Anoop C wrote:
> Hi all
>
> I am using certificates generated by openssl for authenticating the
> WiFi users using EAP-TLS 802.1x authentication.
> I would like to add MAC address of the user machines into each user
> certificates so that the certificates used by one machi
Hello Jehan:
In answer to your question on certificate path construction, there is,
in fact, a standard - first of all, this is now collectively known as
Path Discovery and Validation, and the canonical algorithm for a PKIX
compliant PKI is in RFC5280 (a previous, and slightly more ambiguous
algor
salini g wrote:
> Does OpenSSL secure both data and control channel? Could you please let
> me know where I can find some reference documents for this.
>
OpenSSL is a library implementing various cryptographic primitives, and
some protocols (i.e.: TLS, CMS and S/MIME). For TLS, please see RFC5246.
F
Jehan PROCACCIA wrote:
> Le 26/08/2009 22:16, Patrick Patterson a écrit :
>> Hi there:
>>
>>
>>> Ok, then in my case $PREFIX is it_root_ca.crt (PKI public cert) and
>>> $CAPREFIX it_root_ca.key (PKI private key) .
>>> but here's what I get :
, keyCertSign
That's it, that's all.
Have fun.
--
Patrick Patterson
President and Chief PKI Architect,
Carillon Information Security Inc.
http://www.carillon.ca
a_enc
[ rsa_enc ]
capabilityID = OID:rsaEncryption
parameter = NULL
Have I got the magic formula right now?
(This LOOKS like it generates the right ASN.1 - but I just want to be
sure...:)
Thanks.
Patrick.
Dr. Stephen Henson wrote:
> On Tue, Aug 25, 2009, Patrick Patterson wrote:
>
ntains an arc under their
country arc for organisations and companies in that country). Also, since Root
CA Certificates are not revoked by CRL (Please see RFC3280/RFC5280 for trust
anchor verification), it is not considered good practice to have CRL DP in the
root cert. And, having an AIA that p
there that I can find. That,
and there is a notable lack of client programs that will spit out the contents
of this extension in any sort of form that is useful.
Can one of the OpenSSL gurus please let me know if I'm on the right path?
Thanks.
--
Patrick Patterson
President and Chie
ht help me!
> Greetings
> NielsJ
>
> - --
> DMCA: The greed of the few outweighs the freedom of the many
are" method is probably the most reliable.
Have fun.
--
Patrick Patterson
President and Chief PKI Architect,
Carillon Information Security Inc.
http://www.carillon.ca
Hi there:
PMHager wrote:
> Correct, as I already denoted these are from the obsolete RFC2459.
>
> As the IETF/PKIX charter could not define a consenting set of flags,
> Steve Kent had suggested to drop them and leave it to the IPsec WG.
> This has been done by RFC4809: Its recommendation is not
stortoaranci wrote:
> Hi All,
>
> I just have a silly question on Openssl.
>
> I use a self-signed CA to sign several server/clients cert.
>
> For example I could use signed certs to implement an OpenVPN LAN and one
> Wi-FI RADIUS auth for different clients.
>
> The question is: "how to be sure
Akos Vandra wrote:
> Thank you, this was much more helpful.
>
> 2009/7/10 Victor Duchovni :
>> On Fri, Jul 10, 2009 at 11:11:48PM +0200, Akos Vandra wrote:
>>
The parties involved here are not connected to the internet, and thus
don't have any access to a (this is an embedded project),
Hi Christoph:
The other responses both ignore one obvious point - just find a CA that
doesn't care about what you put in the CSR Subject field (there are
several) and use the CSR's that you DO have, or that allows you to
submit an X.509 certificate with an arbitrary Subject DN.
If you have an Ope
Konstantin:
You have a fundamental problem here - your server must be connected to,
in order to identify itself with its certificate. Therefore, connection
number 6, 7, 8, etc., won't even get the certificate to know that the
server only has 5 connections possible.
If you want to use attribute ce
tible private key file that
contains the handle (if you don't have it already), I would talk to your HSM
vendor.
Have fun.
--
Patrick Patterson
President and Chief PKI Architect,
Carillon Information Security Inc.
http://www.carillon.ca
1 - 100 of 185 matches