Re: [openssl-users] Offline Root CA and CRL generation

2013-03-15 Thread Sven Dreyer
Hi Erwann, Am 15.03.2013 17:36, schrieb Erwann Abalea: Yes. That's one possible solution (possible from a PKI point of view). Another solution would be to play with indirect CRLs. That involves Thank you very much for your explanations, I will try these scenarios. Thanks, Sven _

Re: [openssl-users] Offline Root CA and CRL generation

2013-03-15 Thread Erwann Abalea
Le 15/03/2013 17:01, Sven Dreyer a écrit : Hi Erwann, Am 15.03.2013 16:16, schrieb Erwann Abalea: You can generate a self-issued certificate dedicated to CRL signing (same name, different key, signed by your root). That's acceptable for RFC5280, but you'll have to check with your clients. And f

Re: [openssl-users] Offline Root CA and CRL generation

2013-03-15 Thread Sven Dreyer
Hi Erwann, Am 15.03.2013 16:16, schrieb Erwann Abalea: You can generate a self-issued certificate dedicated to CRL signing (same name, different key, signed by your root). That's acceptable for RFC5280, but you'll have to check with your clients. And find a way to distribute this certificate.

Re: [openssl-users] Offline Root CA and CRL generation

2013-03-15 Thread Erwann Abalea
X.509 allows for a self-signed certificate dedicated to CRL signing (with the same name, of course). But that's not acceptable for RFC5280. You can generate a self-issued certificate dedicated to CRL signing (same name, different key, signed by your root). That's acceptable for RFC5280, but yo

Re: Offline Root CA and CRL generation

2013-03-15 Thread Sven Dreyer
Hi Matthew, Am 15.03.2013 16:03, schrieb Matthew Hall: Read about the cRLSign KeyUsage bit. This is how it is usually handled. I already let the Root CA issue a certificate with "keyUsage = cRLSign" and used that certificate to sign the CRL, but my colleague's Windows machine refused to acce

Offline Root CA and CRL generation

2013-03-15 Thread Sven Dreyer
Hi List, I would like to setup an OpenSSL-based offline Root CA. Certificates issued by this Root CA contain a CDP. I would like to issue CRLs every 3 days, which would mean that I would have to take the offline Root CA online each 3 days. Is there a way to let the Root CA issue a "CRL signe

crl generation

2002-04-03 Thread Michal Bachorik
Hi everybody! Does anybody if it is possible to generate CRL with crl utility and how? I mean input files format and so on .. Thanks a lot Michal Bachorik __ OpenSSL Project http://www.openssl

CRL generation help

2001-02-15 Thread Evan Cross
This is the Postfix program at host speedy.server.zoom.co.uk. I'm sorry to have to inform you that the message returned below could not be delivered to one or more destinations. For further assistance, please contact <[EMAIL PROTECTED]> If you do so, please include this problem report. You can