Re: Env variables in config file to add a whole line

On 06/09/2017 19:34, Robert Moskowitz wrote:


On 09/06/2017 01:31 PM, Salz, Rich via openssl-users wrote:
…

     $crlDP
     $ocspIAI

This is not supported.  You can only put variables in *values*

OK.  But now I have to work out <null> values.

Bob

As previously, have a set of "certificate profiles" (other CA
products name), in the form of different [foo_ext] and [policy_foo]
sections in the CA's openssl.cnf, then run "openssl ca -extensions
foo_ext -policy policy_foo ..."

Since each CA needs its own directory anyway, each CA would have its
own openssl.cnf (generated by a script that sets up the CA).

For example, "foo" could be "server" (has crl and ocsp, plus other
relevant settings), "client" (has crl and ocsp, plus different
relevant settings), "ocsp-signer" (no crl, no ocsp, short lifespan,
other relevant settings), "ecu" (has crl and ocsp, plus different
settings again), etc. etc.

Very different certificate purposes should ideally have their own
SubCA's that can be managed differently, and have the CA cert
restricted.


Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
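
The profile layout described in the message above, as an added example that is not part of the original post or of OpenSSL's own files: a setup script writes each CA's openssl.cnf with one extension section and one policy section per profile, so the CRL and OCSP lines are present or absent per section instead of depending on an environment variable. The function names, directory, URLs and the particular extension values are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example: write a per-CA openssl.cnf with one [<profile>_ext] and one
# [policy_<profile>] section per profile. Paths, URLs and values are constructed.

# gen_ca_cnf CA_DIR CRL_URL OCSP_URL -> writes CA_DIR/openssl.cnf
gen_ca_cnf() {
    ca_dir=$1 crl_url=$2 ocsp_url=$3
    mkdir -p "$ca_dir/newcerts" || return 1
    # The URLs are expanded here, by the script, so no profile depends on an
    # environment variable supplying (or omitting) a whole config line.
    cat > "$ca_dir/openssl.cnf" <<EOF
[ ca ]
default_ca = CA_default

[ CA_default ]
dir           = $ca_dir
database      = \$dir/index.txt
serial        = \$dir/serial
new_certs_dir = \$dir/newcerts
certificate   = \$dir/ca.cert.pem
private_key   = \$dir/private/ca.key.pem
default_md    = sha256
policy        = policy_server

[ policy_server ]
commonName = supplied

[ policy_ocsp_signer ]
commonName = supplied

[ server_ext ]
basicConstraints      = critical, CA:FALSE
keyUsage              = critical, digitalSignature, keyEncipherment
extendedKeyUsage      = serverAuth
crlDistributionPoints = URI:$crl_url
authorityInfoAccess   = OCSP;URI:$ocsp_url

[ ocsp_signer_ext ]
basicConstraints = critical, CA:FALSE
keyUsage         = critical, digitalSignature
extendedKeyUsage = OCSPSigning
noCheck          = ignored
EOF
}

# profile_section FILE NAME -> prints the non-blank lines of section [ NAME ]
profile_section() {
    awk -v want="[ $2 ]" '/^\[/ { hit = ($0 == want); next } hit && NF' "$1"
}
```

A certificate is then issued against one profile, for example `openssl ca -config <ca_dir>/openssl.cnf -extensions ocsp_signer_ext -policy policy_ocsp_signer -days 7 ...`, where the 7-day lifetime is an illustrative value.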
