Re: Env variables in config file to add a whole line

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On 06/09/2017 19:34, Robert Moskowitz wrote:

On 09/06/2017 01:31 PM, Salz, Rich via openssl-users wrote:
…

     $crlDP
     $ocspIAI

This is not supported.  You can only put variables in *values*
OK.  But now I have to work out <null> values.

Bob

As previously, have a set of "certificate profiles" (other CA
products name), in the form of different [foo_ext] and [policy_foo]
sections in the CA's openssl.cnf, then run "openssl ca -extensions
foo_ext -policy policy_foo ..."

Since each CA needs its own directory anyway, each CA would have its
own openssl.cnf (generated by a script that sets up the CA).

For example, "foo" could be "server" (has crl and ocsp, plus other
relevant settings), "client" (has crl and ocsp, plus different
relevant settings), "ocsp-signer" (no crl, no ocsp, short lifespan,
other relevant settings), "ecu" (has crl and ocsp, plus different
settings again), etc. etc.

Very different certificate purposes should ideally have their own
SubCA's that can be managed differently, and have the CA cert
restricted.


Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded

--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users




[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Index of Archives]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [IETF Annouce]     [Security]     [Bugtraq]     [Linux]     [Linux OMAP]     [Linux MIPS]     [ECOS]     [Asterisk Internet PBX]     [Linux API]

  Powered by Linux