add extension to an existing (signed) CA certificate

2009-08-24 Thread jehan procaccia
Hello, since Firefox 3.5 apparently doesn't accept a Root CA self-signed certificate which doesn't contain the correct extensions (Basic Constraints: CA:TRUE), I wonder how I can add these extensions to my already existing and self-signed Root CA: http://ca.institut-telecom.fr/pki/IT_MASTER_CA/itr

Re: add extension to an existing (signed) CA certificate

2009-08-26 Thread Jehan PROCACCIA
On 25/08/2009 20:09, Patrick Patterson wrote: The only way to add this extension to your root cert is to re-issue your Root CA certificate (you can use the same private keys, so you wouldn't have to change or re-do any of the other certificates in your trust chain, as long as your Certificate

Re: add extension to an existing (signed) CA certificate

2009-08-26 Thread Jehan PROCACCIA
On 26/08/2009 12:17, Peter Sylvester wrote: OK, then how do I re-issue my root CA certificate with my already existing ca.key? If I could have a sample command line for openssl it would help me. Something like OPENSSL x509 -set_serial $SERIAL -clrext -extfile CA-EXTENSION.prm -days $D

Re: add extension to an existing (signed) CA certificate

2009-08-26 Thread jehan procaccia
On 08/26/2009 04:24 PM, Peter Sylvester wrote: Jehan PROCACCIA wrote: On 26/08/2009 12:17, Peter Sylvester wrote: OK, then how do I re-issue my root CA certificate with my already existing ca.key? If I could have a sample command line for openssl it would help me. Something like

Re: add extension to an existing (signed) CA certificate

2009-08-27 Thread Jehan PROCACCIA
On 26/08/2009 22:16, Patrick Patterson wrote: Hi there: Ok, then in my case $PREFIX is it_root_ca.crt (PKI public cert) and $CAPREFIX it_root_ca.key (PKI private key). But here's what I get: [pkiitr...@localhost ~/New_IT_ROOT_CA/pki/ca] $ openssl x509 -set_serial 01 -clrext -extfile

Re: add extension to an existing (signed) CA certificate

2009-08-28 Thread Jehan PROCACCIA
On 28/08/2009 02:57, Patrick Patterson wrote: Jehan PROCACCIA wrote: On 26/08/2009 22:16, Patrick Patterson wrote: Hi there: Ok, then in my case $PREFIX is it_root_ca.crt (PKI public cert) and $CAPREFIX it_root_ca.key (PKI private key). But here's what

Re: add extension to an existing (signed) CA certificate

2009-08-31 Thread jehan procaccia
Jehan PROCACCIA wrote: On 28/08/2009 02:57, Patrick Patterson wrote: Now I removed all my mozilla (firefox, seamonkey) profiles on my test client; is that what you mean by "replacing root CA certificate on your client"? Since I erased profiles (and hence stored

Re: add extension to an existing (signed) CA certificate

2009-09-01 Thread jehan procaccia
jehan procaccia wrote: I finally found it! [proca...@anaconda ~] $ openssl s_client -host svnext.it-sudparis.eu -port 443 -CAfile /etc/pki/tls/certs/new_it_root_ca10.crt -verify 3 verify depth is 3 CONNECTED(0003) depth=3 /CN=Institut TELECOM Root class1 Certificate Authority/O

Re: add extension to an existing (signed) CA certificate

2009-09-01 Thread jehan procaccia
lton wrote: Never, ever, ever, ever, ever under any circumstances issue the same serial number twice. You tried to issue the same serial to both roots -- badbadbadbadbadDONOT. -Kyle H On Tue, Sep 1, 2009 at 8:56 AM, jehan procaccia wrote: jehan procaccia wrote: I finally found i

Re: add extension to an existing (signed) CA certificate

2009-09-02 Thread jehan procaccia
Peter Sylvester wrote: well, if one takes the standard configuration of openssl, it sets the authoritykey_identifier both the hash and issuer serial, no exception for the root. comment says that pkix recommends that. Yes, and the thread you referred me to on this list named "Bug in "authorityKe

standard process to validate a certificate chain ?

2009-09-04 Thread jehan procaccia
Hello, in a recent thread on this list about "add extension to an existing (signed) CA certificate" I was wondering how openssl software validates a certificate chain. jehan procaccia wrote: Can someone tell me how SSL clients check/verify a 3-level hierarchy? Is it based on

Re: A PKI in a web page

2009-09-10 Thread jehan procaccia
Good initiative, I'll give it a try ... although I am looking for "intermediate" size PKI free software; I am a bit confused with large-scale software like openca or ejbca, too complex :-( I used to operate my pki with a perl-openssl package from http://devel.it.su.se/pub/jsp/polopoly.jsp?d=102

Re: A PKI in a web page

2009-09-11 Thread jehan procaccia
ar now and it was easy to modify it to accommodate my own requirements (like supporting SHA1 instead of the default MD5 and adding new templates). I hope it can be useful for you as it is for me. Cheers, -- Mounir IDRASSI IDRIX http://www.idrix.fr jehan procaccia wrote: Good initiative I'll

Re: A PKI in a web page

2009-09-14 Thread jehan procaccia
/users/leifj/ is where it can be found. You're using either 0.31 or 0.32, if you're using one with a date from 2005. -Kyle H On Fri, Sep 11, 2009 at 8:24 AM, jehan procaccia wrote: Actually I am looking for a simple software with command line interface to operate a CA, sub-CA then

Re: A PKI in a web page

2009-09-15 Thread Jehan PROCACCIA
On 15/09/2009 09:37, Leif Johansson wrote: On Monday 14 September 2009 16.17.26 jehan procaccia wrote: Indeed CSP is at version 0.34 since 2007, no updates since then ... but perhaps the project is mature and bug-free, no evolution needed? Is there still someone behind it (leifj at

Re: A PKI in a web page

2009-09-15 Thread jehan procaccia
Leif Johansson wrote: On Tuesday 15 September 2009 15.54.33 Jehan PROCACCIA wrote: On 15/09/2009 09:37, Leif Johansson wrote: On Monday 14 September 2009 16.17.26 jehan procaccia wrote: Indeed CSP is at version 0.34 since 2007, no updates since then ... but perhaps the

Re: add extension to an existing (signed) CA certificate

2009-09-20 Thread jehan procaccia
jehan procaccia wrote: Peter Sylvester wrote: well, if one takes the standard configuration of openssl, it sets the authoritykey_identifier both the hash and issuer serial, no exception for the root. comment says that pkix recommends that. Yes, and the thread you referred me to on this list