Re: [openssl-users] Put certificate on hold
Hodie III Id. Oct. MMVIII est, Martin Schneider scripsit:[color=blue]
> As far as I understand things, you can either revoke a cert (which is
> not reversible) and you can put a cert "on hold".[/color]
> "Holding" a cert is a reversible process; meaning you can "un-hold"
> the cert and use the SAME cert after it was un-holded. Is this true?
> Putting a cert "on hold" is like revoking a cert, you only have to
> provide the reason code "certificate Hold". Then an entry in the CRL
> will be generated that looks like follows:[/color]
In fact, the certificate is present in the CRL, but is not considered
"revoked" (as per the X.509 recommendation). It's on hold, as the
reason tells. For the majority of the applications, it's the same, the
behaviour won't be different. But if you wan't to provide signature
services that need to be verified far in the future, that's a point to
> What I do not understand is, how to "un-hold" the cert. What do I have
> to do? Theoretically "un-holding" would mean, that you remove the
> serial number of the "holded" cert from the crl?[/color]
Reading the X.509 recommendation (downloadable for free from the ITU-T
web site) tells us that a certificate can be "un-holded" by 2 means:
- either really revoke it, by changing the reason code while keeping
- or completely remove it from the CRL, as you guessed.
If you plan to issue deltaCRLs, you MUST use the "removeFromCRL"
reason code for such certificates, only for the deltaCRLs.
Erwann ABALEA <firstname.lastname@example.org>
When you honestly believe you can compensate for a lack of skill by
doubling your efforts, there's no end to what you can't do.
Demotivators, 2001 calendar
OpenSSL Project [url]http://www.openssl.org[/url]
User Support Mailing List [email]email@example.com[/email]
Automated List Manager [email]firstname.lastname@example.org[/email]