Re: how to sign CRMF/SPKAC using openssl

2009-05-28 Thread Georgi Guninski
On Fri, May 29, 2009 at 10:21:16AM +0530, tito wrote:
> how to sign the CRMF request key I get in openssl?
> if I am using keygen tag, I think it gives SPKAC format.. can we sign SPKAC
> using openssl?
> I am able to generate CRMF and SPKAC.. but don't know how to sign those in
> openssl. please h

Re: how to sign CRMF/SPKAC using openssl

2009-05-28 Thread Anders Rundgren
Hi Tito,
As far as I know you cannot set the format; you will have to deal with all formats at the CA.
Cheers,
Anders
----- Original Message -----
From: tito
To: mozilla's crypto code discussion list
Sent: Friday, May 29, 2009 08:04
Subject: Re: how to sign CRMF/SPKAC using openssl

Re: how to sign CRMF/SPKAC using openssl

2009-05-28 Thread tito
Thanks Anders.. I have posted my query in the openssl forum.. can I make a PKCS10 string using the tag then?
2009/5/29 Anders Rundgren
> I have two answers.
>
> 1. This is an OpenSSL question and should be directed to an OpenSSL forum
>
> 2. Browsers indeed have different key-generation methods but the

Re: how to sign CRMF/SPKAC using openssl

2009-05-28 Thread Anders Rundgren
I have two answers.

1. This is an OpenSSL question and should be directed to an OpenSSL forum

2. Browsers indeed have different key-generation methods but they do have one thing in common: the methods are completely useless, not even PIN protection is a part of the plot unless you use pre-

how to sign CRMF/SPKAC using openssl

2009-05-28 Thread tito
Hi, I am making a CA site for my college project. I learned that different browsers use different methods to generate a CSR. Making a CSR in IE was easy. For Vista systems I used CertEnroll.dll methods and for non-Vista IE I used xenroll.dll. I generated a CSR in JavaScript successfully using that.

Re: Per-context key/cert db

2009-05-28 Thread Robert Relyea
Rich Megginson wrote: I've been looking at the problem of different libraries/different clients each with their own private key/cert db in a single process (for example, the Thunderbird ldap/nss_ldap problem). In this case, the user may want nss_ldap to keep its certs and keys (including ca c

Re: Roots that are identical except for signature algorithm and serial number

2009-05-28 Thread Robert Relyea
Frank Hecker wrote: Nelson B Bolyard wrote: However, Izenpe may want to consider only including the SHA1 root because many of their customers may be using operating systems that don’t yet support SHA256. I think that covers all the considerations that would go into a decision of whether to in

Re: Roots that are identical except for signature algorithm and serial number

2009-05-28 Thread Frank Hecker
Nelson B Bolyard wrote: However, Izenpe may want to consider only including the SHA1 root because many of their customers may be using operating systems that don’t yet support SHA256. I think that covers all the considerations that would go into a decision of whether to include only a SHA1-bas

Re: Roots that are identical except for signature algorithm and serial number

2009-05-28 Thread Frank Hecker
Nelson B Bolyard wrote: An SSL server that sends out a full chain with a SHA256 root could conceivably cause a problem for a remote SSL client that does not understand SHA256 signatures and that chooses to check the signature on the received root cert rather than, or in addition to, relying on it

Re: Roots that are identical except for signature algorithm and serial number

2009-05-28 Thread Nelson B Bolyard
On 2009-05-28 10:52 PDT, Kathleen Wilson wrote:
> Just to make sure I understand…
>
> In the VeriSign case the MD2 roots expire on 2028-08-01, and the SHA1
> roots expire on 2028-08-02, so the SHA1 roots would take precedence in
> NSS. Therefore, there is no benefit in keeping the MD2 roots, and

Re: Roots that are identical except for signature algorithm and serial number

2009-05-28 Thread Kathleen Wilson
Just to make sure I understand… In the VeriSign case the MD2 roots expire on 2028-08-01, and the SHA1 roots expire on 2028-08-02, so the SHA1 roots would take precedence in NSS. Therefore, there is no benefit in keeping the MD2 roots, and the MD2 roots should be removed when the SHA1 roots are ad

Re: Roots that are identical except for signature algorithm and serial number

2009-05-28 Thread Frank Hecker
Nelson B Bolyard wrote re retaining copies of old roots after their replacement by new roots: I recommend that for CAs whose newer root certs bear exactly the same notBefore and notAfter dates as the older certs. In that case, it may be necessary to retain all the relevant root certs, all marked