On 09-02-17 10:58, PM Extra wrote:
Should I remove expired certificates from CRL?
No. The date of the revocation, which can be found in the CRL, is still
relevant for checking when older certificates were revoked, in case you
ever need to check signatures on older messages.
--
Wouter
If you remove expired certificates from the CRL, then CRL consumers have no way
of knowing whether a certificate was revoked before it expired, and thus no way
of knowing whether a timestamped signature made with the corresponding key is
valid.
This is a complex issue, because CRL bloat is a
On 09/02/2017 10:58, PM Extra wrote:
Should I remove expired certificates from CRL?
If so, how to do this?
Depends if any relying parties are checking old signatures "as of"
some securely recorded date of receiving the signature.
In that case, they will still need to be able to s
Should I remove expired certificates from CRL?
If so, how to do this?
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
I'm running in a linux-elf environment as the su.
When I run "make tests" at the tail end of the tests I get some
errors about expired certificates:
testing pkcs7 conversions
p -> d
p -> p
d -> d
p -> d
d -> p
p -> p
testing pkcs7 conversions (2)
p ->
> From: Salz, Rich
>
> OpenSSL does nothing about this. It’s an interesting question. As far as
> TLS/SSL is concerned,
> it is only using the certificate at the time the connection is initially
> established, and therefore
> expiration (or revocation) during the application’s use of the certif
4/2013 19:17, Vijaya Venkatachalam wrote:
Hi
I am new to openssl application development.
I had a question on how to handle expired certificates.
So at the time of openssl connection establishment, the certificate is
valid.
But while the connection is still up, the certificate expires.
Is the app
On Tue, Apr 23, 2013 at 10:17:54AM -0700, Vijaya Venkatachalam wrote:
> So at the time of openssl connection establishment, the certificate is valid.
> But while the connection is still up, the certificate expires.
The certificate was valid at the time it was verified, this is sufficient.
> Is t
OpenSSL does nothing about this. It's an interesting question. As far as
TLS/SSL is concerned, it is only using the certificate at the time the
connection is initially established, and therefore expiration (or revocation)
during the application's use of the certificate is up to the application
Hi
I am new to openssl application development.
I had a question on how to handle expired certificates.
So at the time of openssl connection establishment, the certificate is valid.
But while the connection is still up, the certificate expires.
Is the application supposed to handle this or
On 25/09/2012 18:45, Jakob Bohm wrote:
On 9/25/2012 6:12 PM, Erwann Abalea wrote:
On 25/09/2012 14:16, Jakob Bohm wrote:
> On 9/25/2012 11:11 AM, Erwann Abalea wrote:
[...]
Any signature algorithm works by dividing the universe of N bit strings
into those that are valid signatures for the
On 9/25/2012 6:12 PM, Erwann Abalea wrote:
Hello,
On 25/09/2012 14:16, Jakob Bohm wrote:
> On 9/25/2012 11:11 AM, Erwann Abalea wrote:
>> On 24/09/2012 21:03, Jakob Bohm wrote:
>> > Does that work with any other serious X.509 validation toolkit?
>>
>> It should.
And in fact, OpenSSL wor
Hello,
On 25/09/2012 14:16, Jakob Bohm wrote:
On 9/25/2012 11:11 AM, Erwann Abalea wrote:
On 24/09/2012 21:03, Jakob Bohm wrote:
> Does that work with any other serious X.509 validation toolkit?
It should.
And in fact, OpenSSL works correctly, at least versions 1.0.1 (Ubuntu),
and 1
On 9/25/2012 11:11 AM, Erwann Abalea wrote:
Hello,
On 24/09/2012 21:03, Jakob Bohm wrote:
> Does that work with any other serious X.509 validation toolkit?
It should.
When trying to build a valid certification path, all possibilities have
to be tested until one of them succeeds. If a CA gi
, Erik Tkal wrote:
I suppose that’s a workaround, but doesn’t address the root cause.
Windows can quite happily handle expired certificates still hanging out
in trusted stores; I see this all the time as root updates occur and
renewed certificates are installed. It seems that a change in OpenSSL
broke
Hello,
On 24/09/2012 21:03, Jakob Bohm wrote:
Does that work with any other serious X.509 validation toolkit?
It should.
When trying to build a valid certification path, all possibilities have
to be tested until one of them succeeds. If a CA gives a good signature,
but fails for whateve
Thanks Jacob, but in the three scenarios you mentioned, the first one *does
not* seem to be supported by openssl 1.0.0*. I think that was the subject
of this email thread in the beginning.
>>1. Changing expiry or other attributes while keeping the key.
Here the CA issues a new self-signed certific
Does that work with any other serious X.509 validation toolkit?
To make this work (assuming the old root CA cert has not yet expired),
the validation code will need to actually verify the End Entity
certificate against both public keys, which effectively reduces the
algorithm security by allowi
Only the private and public keys are different. Rest of the fields are
same. Basically I am simulating the trust anchor update related scenarios.
And yes Jacob, thanks for indicating, I'll make sure I don't use such
abbreviations from here on.
Ashok
On Sep 24, 2012 11:25 PM, "Jakob Bohm" wrot
Hi,
In your test case which fields actually differ between the
old root CA certificate and the new root CA certificate?
P.S.
Please do not use those 3 letter abbreviations of certificate
field names, very few people know those abbreviations.
For the benefit of other readers:
I think Ashok was
Hi,
One more observation was made here in another test case.
*Configuration:*
One old root CA certificate oldca.pem with subject name say, C=IN
One new root CA certificate newca.pem with same subject name.
One EE certificate, ee.pem issued by new root CA.
*Test case 1:*
Using CAFile option in ope
On 9/13/2012 3:41 PM, Charles Mills wrote:
Would it make sense to delete the expired certificate from the Windows
store? Duplicate expired/non expired CA certificates sounds to me like a
problem waiting to happen.
/Charles/
Windows has built in support for using and checking time stamping
c
I had tested this with my
> own SSL client and observed the same behaviour.
>
> --
> Ashok
>
> On Thu, Sep 13, 2012 at 8:39 PM, Erik Tkal wrote:
>
>> I suppose that’s a workaround, but doesn’t address the root cause.
>> Windows can quite happily handle expired cer
that’s a workaround, but doesn’t address the root cause.
> Windows can quite happily handle expired certificates still hanging out in
> trusted stores; I see this all the time as root updates occur and renewed
> certificates are installed. It seems that a change in OpenSSL broke the
> pr
I suppose that's a workaround, but doesn't address the root cause. Windows can
quite happily handle expired certificates still hanging out in trusted stores;
I see this all the time as root updates occur and renewed certificates are
installed. It seems that a change in OpenSSL
, September 13, 2012 12:49 AM
To: openssl-users@openssl.org
Subject: Re: certificate validation issues with openssl 1.0.0 and expired
certificates in cafile
Sending again as the previous email did not appear in list.
Is there some problem with the mailing list?
--
Ashok
On Wed, Sep 12, 2012 at
Sending again as the previous email did not appear in list.
Is there some problem with the mailing list?
--
Ashok
On Wed, Sep 12, 2012 at 2:59 PM, Ashok C wrote:
> Hi,
>
> I don't think this question was answered. Could you please reply?
>
> --
> Ashok
>
>
> On Tue, Jul 31, 2012 at 11:13 PM, Kl
Hi,
I don't think this question was answered. Could you please reply?
--
Ashok
On Tue, Jul 31, 2012 at 11:13 PM, Klaus Darilion <
klaus.mailingli...@pernau.at> wrote:
> Hi!
>
> I wrote a small program which dumps all root certificates from Windows
> certificate store into a file. Then I use ope
Hi!
I wrote a small program which dumps all root certificates from Windows
certificate store into a file. Then I use openssl to connect to Google
and validate its certificate:
openssl s_client -connect www.google.com:443 -CAfile dump.crt
When using openssl0.9.8k or openssl0.9.8x everything w
> How can I get rid of the expired certificates in the revocation
> list? When I
> do openssl ca -gencrl -out revocationlist.crl -config myconfig.cfg the
> revoked certificates that are also expired are added into the
> list. It is no
> use to store them there because the rev
unski wrote:
How can I get rid of the expired certificates in the revocation list? When I
do openssl ca -gencrl -out revocationlist.crl -config myconfig.cfg the
revoked certificates that are also expired are added into the list. It is no
use to store them there because the revocation list
How can I get rid of the expired certificates in the revocation list? When I
do openssl ca -gencrl -out revocationlist.crl -config myconfig.cfg the
revoked certificates that are also expired are added into the list. It is no
use to store them there because the revocation list grows bigger and
> the revoke command is when it is really needed.
> Do I need to use the revoke command and why?
No. Revoking of expired certificates is only needed if you keep using your
index file and the "unique_subject" entry in openssl.cnf is not set to "no".
One thing you'll
tem but I would like to have a client and
server pair and have two way authentication but keeping the same CA
forever is fine. The only time I would like to use the revoke command
is when it is really needed.
Do I need to use the revoke command and why?
No. Revoking of expired certificates is onl
authentication but keeping the same CA forever is fine. The only time I would
like to use the revoke command is when it is really needed.
Do I need to use the revoke command and why?
Also what is the easiest way for me to renew my expired certificates?
Any answers to both these questions would be greatly
I think that I found the answer - get the error code
from the X509_STORE_CTX and check for the value
X509_V_ERR_CERT_HAS_EXPIRED (defined in x509_vfy.h).
-David
--- david kine <[EMAIL PROTECTED]> wrote:
> My application requires a feature that allows
> connection to secure servers whose certifi
My application requires a feature that allows
connection to secure servers whose certificates may
have expired.
I suppose that the OpenSSL verify callback function,
set with the function SSL_CTX_set_verify(), can
inspect an error condition and return "true" to
establish the secure connection.
My
Hello all!
I've developed a solution that leverages openssl (Through COM) for
certificate management. We have our own internal CA and we have issued
over 500 X.509 client certificates for accessing sensitive information
on our customer support site. It works great! Today, we hit a problem.
For
On Wed, Jan 28, 2004 at 02:28:47AM -0800, Kathiravan Velusamy wrote:
>
> Hi,
>
> The process of renewing a self-signed certificate once it has expired is as follows:
[snip]
> $patch renew-server-cert.sh < user-patch
That should be $patch renew-user-cert.sh < user-patch
Sorry for that typo. Inc
Hope it is useful for you
Regards,
Kathiravan
www.visolve.com
- Original Message -
From: "Gerd Schering" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, January 22, 2004 3:34 PM
Subject: revoking expired certificates
> Hi,
>
> It is po
What if my cert happened to expire 1 month later? Would that mean if someone
did compromise my cert and sent signed e-mails before it expired (but
*after* I added to the CRL), then after it expires, that signed e-mail
would appear VALID - as it wouldn't be in the CRL anymore?
No, it will be in the
On Thu, Jan 22, 2004 at 10:44:31AM -0500, Rich Salz wrote:
> Why? If I signed something last week, and the certificate was valid
> last week, isn't the signature still good? There are some people who
> feel differently. It probably all depends on legal and regulatory
> context. Is the wet si
But let me be somewhat more specific. If I use the openssl ca utility,
it is technically possible to revoke a cert which has expired for
instance for one year. If I generate a CRL (via the ca utility) the cert
appears on the CRL.
Does this make any sense?
The crl tool has to be able to include a
Rich Salz wrote:
Gerd Schering wrote:
Hi,
It is possible (via the ca utility) to revoke certificates that
already have expired.
Hard to say. The ITU X.509 standard says that if a certificate is
revoked, it stays on the CRL for one CRL past its expiration date. In
other words, if the order
REMOVE
hi all,
I would like to pose questions about expired certificates, because
I don't know at all what happens to openssl when a certificate expires.
I suppose that in "index.txt" "V" is changed to "E" (?) or something
like that, and then ? What to do if I wa
[EMAIL PROTECTED] wrote:
Hello Jon,
> It appears from my testing that the expiry time on a certificate is taken
> from the client's machine time, not the server time. I've tested this with
> IE 5.01 SP1 and Netscape 4.77.
No, the expiry time should be encoded in the certificate.
The element for t
I've just made an interesting discovery after suffering the ignominy of having
an SSL certificate expire. (Supposedly I'll have it within the next two
hours. A late night for me!)
It appears from my testing that the expiry time on a certificate is taken
from the client's machine time, not the serve
49 matches