Aw: RE: How to create indirect CRL using openssl ca command


 



On 10.03.2022 20:17, Michael Ströder via openssl-users wrote:
> 
> Are you 100% sure all the software used by your relying participants is
> capable of handling the X509v3 extensions involved?
> 
> In practice I saw software miserably fail validating such certs and CRLs. Or
> also CAs failed to generate the certs and CRLs correctly. :-/
>  
 
That is a very good point you are making - thank you for this input.


On 10.03.2022 20:27, Michael Wojcik wrote:
> Personally, I'd be leery of using openssl ca for anything other than dev/test purposes, in which case frequent CRL generation seems unlikely to be a requirement. AIUI, openssl ca isn't really intended for production use.

I did see the RESTRICTIONS [1] and WARNINGs [2] sections in the openssl-ca documentation. I think that I can handle the problems described there but would still be interested if you have any concerns beyond those warnings and the functional limitations I am currently running into.
Also, what (open source) CA software do you recommend instead?

Thanks again


[1] https://www.openssl.org/docs/man1.0.2/man1/ca.html#RESTRICTIONS
[2] https://www.openssl.org/docs/man1.0.2/man1/ca.html#WARNINGS





