RE: Questions about signing an intermediate CA

2020-02-16 Thread Michel
And I am one of those who appreciates very much your explanations/clarifications for a long time. Thank you again Michael. > [...] > And here on the openssl-users list there are people with widely varying > experience with and understanding of these matters; > [...] > So it's useful to try to b

RE: Questions about signing an intermediate CA

2020-02-13 Thread Michael Wojcik
> From: Michael Leone [mailto:tur...@mike-leone.com] > Sent: Wednesday, February 12, 2020 16:09 > > On Wed, Feb 12, 2020 at 4:19 PM Michael Wojcik > wrote: > > > > the infamous "The OSI of a New Generation" presentation > > I'm not sure how "infamous" it is, as I've never heard of it, even in > pa

Re: Questions about signing an intermediate CA

2020-02-12 Thread Michael Leone
On Wed, Feb 12, 2020 at 4:19 PM Michael Wojcik wrote: > > > From: Michael Leone [mailto:tur...@mike-leone.com] > > Sent: Wednesday, February 12, 2020 12:35 > > > Even though I used what might be the wrong terms, I'm sure you knew what I > > meant ... > > Sure. But PKIX, and X.509-based PKI more g

RE: Questions about signing an intermediate CA

2020-02-12 Thread Michael Wojcik
> From: Michael Leone [mailto:tur...@mike-leone.com] > Sent: Wednesday, February 12, 2020 12:35 > Even though I used what might be the wrong terms, I'm sure you knew what I > meant ... Sure. But PKIX, and X.509-based PKI more generally, are - not to mince words - horrible. They're agonizingly c

Re: Questions about signing an intermediate CA

2020-02-12 Thread Karl Denninger
On 2/12/2020 12:59, Michael Leone wrote: > > > On Wed, Feb 12, 2020 at 1:24 PM Karl Denninger > wrote: > > On 2/12/2020 11:32, Michael Leone wrote: >> So we are mostly a MS Windows shop. But I use a Linux openssl as >> my root CA. What I am planning on doing,

Re: Questions about signing an intermediate CA

2020-02-12 Thread Michael Leone
On Wed, Feb 12, 2020 at 2:22 PM Michael Wojcik < michael.woj...@microfocus.com> wrote: > > From: openssl-users [mailto:openssl-users-boun...@openssl.org] On > Behalf Of Michael Leone > > Sent: Wednesday, February 12, 2020 11:59 > > > ... the only CA I have is the root, so that is what I will be si

RE: Questions about signing an intermediate CA

2020-02-12 Thread Michael Wojcik
> From: Michael Leone [mailto:tur...@mike-leone.com] > Sent: Wednesday, February 12, 2020 12:10 > > Here's the config section I use for my test intermediate certificate: > > [ v3_intermediate_ca ] > > authorityKeyIdentifier = keyid:always,issuer > > # pathlen:0 means these certs can only sign non

RE: Questions about signing an intermediate CA

2020-02-12 Thread Michael Wojcik
> From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf Of > Michael Leone > Sent: Wednesday, February 12, 2020 11:59 > ... the only CA I have is the root, so that is what I will be signing with. This is incorrect. A CA is not a certificate. A CA is an organization or individ

Re: Questions about signing an intermediate CA

2020-02-12 Thread Michael Leone
On Wed, Feb 12, 2020 at 1:16 PM Michael Wojcik < michael.woj...@microfocus.com> wrote: > Terminological note: "Windows intermediate CA" isn't really a meaningful > phrase. There's nothing OS-specific about a CA. What you're creating is a > Windows-hosted implementation of your intermediate-CA func

Re: Questions about signing an intermediate CA

2020-02-12 Thread Michael Leone
On Wed, Feb 12, 2020 at 1:24 PM Karl Denninger wrote: > On 2/12/2020 11:32, Michael Leone wrote: > > So we are mostly a MS Windows shop. But I use a Linux openssl as my root > CA. What I am planning on doing, is creating a Windows intermediate CA, and > using that to sign all my internal requests

Re: Questions about signing an intermediate CA

2020-02-12 Thread Karl Denninger
On 2/12/2020 11:32, Michael Leone wrote: > So we are mostly a MS Windows shop. But I use a Linux openssl as my > root CA. What I am planning on doing, is creating a Windows > intermediate CA, and using that to sign all my internal requests. But > before I do that, I have a couple of questions. > >

RE: Questions about signing an intermediate CA

2020-02-12 Thread Michael Wojcik
> From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf Of > Michael Leone > Sent: Wednesday, February 12, 2020 10:32 > So we are mostly a MS Windows shop. But I use a Linux openssl as my root CA. > What I am planning on doing, is creating a Windows intermediate CA, and using >

Questions about signing an intermediate CA

2020-02-12 Thread Michael Leone
So we are mostly a MS Windows shop. But I use a Linux openssl as my root CA. What I am planning on doing, is creating a Windows intermediate CA, and using that to sign all my internal requests. But before I do that, I have a couple of questions. I have the steps to install the certificate services