Put certificate on hold - Openssl
-
Put certificate on hold
Dear all,
I'm new to openssl and I've got a question about putting a certificate
"on hold". Could someone please confirm or correct my thoughts?
As far as I understand things, you can either revoke a cert (which is
not reversible) and you can put a cert "on hold".
"Holding" a cert is a reversible process, meaning you can "un-hold"
the cert and use the SAME cert after it was un-held. Is this true?
Putting a cert "on hold" is like revoking a cert; you only have to
provide the reason code "certificate Hold". Then an entry in the CRL
will be generated that looks as follows:
Certificate Revocation List (CRL):
Version 2 (0x1)
Signature Algorithm: sha1WithRSAEncryption
Issuer: /C=DE/ST=by/L=muc/O=--/OU=--/CN=HK/emailAddress=xxxxxx
Last Update: Oct 13 07:40:50 2008 GMT
Next Update: Oct 13 07:40:50 2009 GMT
Revoked Certificates:
Serial Number: 01
Revocation Date: Oct 13 07:40:50 2008 GMT
CRL entry extensions:
X509v3 CRL Reason Code:
Certificate Hold
Serial Number: 03
Revocation Date: Oct 10 08:58:24 2008 GMT
CRL entry extensions:
X509v3 CRL Reason Code:
Key Compromise
Signature Algorithm: sha1WithRSAEncryption
97:68:89:05:c8:58:bd:a6:e4:c8:df:99:0c:25:f4:d6:b7:98:
3e:56:c0:4d:98:d9:2e:c0:15:85:13:e3:2c:1e:77:a8:52:00:
ce:00:7d:69:30:b7:87:a1:ae:b4:51:16:e0:5f:c8:c0:[...]
What I do not understand is how to "un-hold" the cert. What do I have
to do? Theoretically, "un-holding" would mean that you remove the
serial number of the "held" cert from the CRL?
Best regards,
Martin
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majordomo@openssl.org
-
Re: [openssl-users] Put certificate on hold
Hello Martin,
Today, the third day before the Ides of October 2008 (13 October 2008), Martin Schneider wrote:
> As far as I understand things, you can either revoke a cert (which is
> not reversible) and you can put a cert "on hold".
Right.
> "Holding" a cert is a reversible process, meaning you can "un-hold"
> the cert and use the SAME cert after it was un-held. Is this true?
> Putting a cert "on hold" is like revoking a cert; you only have to
> provide the reason code "certificate Hold". Then an entry in the CRL
> will be generated that looks as follows:
In fact, the certificate is present in the CRL, but is not considered
"revoked" (as per the X.509 recommendation). It's on hold, as the
reason tells. For the majority of the applications, it's the same; the
behaviour won't be different. But if you want to provide signature
services that need to be verified far in the future, that's a point to
consider.
> What I do not understand is how to "un-hold" the cert. What do I have
> to do? Theoretically, "un-holding" would mean that you remove the
> serial number of the "held" cert from the CRL?
Reading the X.509 recommendation (downloadable for free from the ITU-T
web site) tells us that a certificate can be "un-held" by two means:
- either really revoke it, by changing the reason code while keeping
the date
- or completely remove it from the CRL, as you guessed.
If you plan to issue deltaCRLs, you MUST use the "removeFromCRL"
reason code for such certificates, only for the deltaCRLs.
--
Erwann ABALEA
-----
When you honestly believe you can compensate for a lack of skill by
doubling your efforts, there's no end to what you can't do.
Demotivators, 2001 calendar
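The following is an added example, not code from either poster or from the OpenSSL project. It models the `openssl ca` database (the `index.txt` file that `openssl ca -revoke` writes and `openssl ca -gencrl` reads) to show how the hold in Martin's CRL is recorded, and the two release paths Erwann describes: re-revoking with a different reason while keeping the date, or dropping the entry so it disappears from the next full CRL. It also computes what a delta CRL would have to carry, including the `removeFromCRL` entry for a released hold. The `index.txt` contents are constructed to mirror the CRL in the question (serial 01 on hold, serial 03 revoked for key compromise); the subject names are made up. Since `openssl ca` has a `-revoke` operation but no reverse of it, releasing a hold in practice means editing this database, which is what `release_hold` and `serialize_index` reproduce. The choice to date a `removeFromCRL` entry with the original hold date is this example's assumption, not something the thread states.

```python
"""Model of the OpenSSL `ca` database (index.txt) and the certificate-hold
lifecycle discussed in the thread. Added example; not the list's or
OpenSSL's code."""
from dataclasses import dataclass, replace
from typing import List, Optional, Tuple

# Reason names as `openssl ca -crl_reason` spells them.
CRL_REASONS = {"unspecified", "keyCompromise", "CACompromise", "affiliationChanged",
               "superseded", "cessationOfOperation", "certificateHold", "removeFromCRL"}

# Constructed index.txt mirroring the CRL in the question: tab-separated
# status, expiry, "revocationDate[,reason]", serial, filename, subject.
SAMPLE_INDEX = (
    "R\t091013074050Z\t081013074050Z,certificateHold\t01\tunknown\t/C=DE/O=Example/CN=host1\n"
    "V\t091013074050Z\t\t02\tunknown\t/C=DE/O=Example/CN=host2\n"
    "R\t091013074050Z\t081010085824Z,keyCompromise\t03\tunknown\t/C=DE/O=Example/CN=host3\n"
)

CrlEntry = Tuple[str, Optional[str], Optional[str]]  # (serial, revocation date, reason)


@dataclass(frozen=True)
class IndexEntry:
    status: str              # V = valid, R = revoked (a hold is also R), E = expired
    expiry: str              # YYMMDDHHMMSSZ
    rev_date: Optional[str]  # set only when status is R
    reason: Optional[str]    # CRL reason code, None if none was given
    serial: str
    filename: str
    subject: str


def parse_index(text: str) -> List[IndexEntry]:
    """Parse index.txt lines into entries; the revocation field may carry a reason after a comma."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split("\t")
        if len(fields) != 6:
            raise ValueError(f"malformed index line: {line!r}")
        status, expiry, rev, serial, fname, subject = fields
        rev_date = reason = None
        if rev:
            parts = rev.split(",")
            rev_date = parts[0]
            reason = parts[1] if len(parts) > 1 else None
        entries.append(IndexEntry(status, expiry, rev_date, reason, serial, fname, subject))
    return entries


def serialize_index(entries: List[IndexEntry]) -> str:
    """Write entries back in index.txt layout (what you would save after editing by hand)."""
    lines = []
    for e in entries:
        rev = "" if e.rev_date is None else e.rev_date + ("" if e.reason is None else f",{e.reason}")
        lines.append("\t".join([e.status, e.expiry, rev, e.serial, e.filename, e.subject]))
    return "\n".join(lines) + "\n"


def is_on_hold(e: IndexEntry) -> bool:
    return e.status == "R" and e.reason == "certificateHold"


def crl_entries(entries: List[IndexEntry]) -> List[CrlEntry]:
    """Serials a full CRL built from this database lists; a hold appears exactly like a revocation."""
    return [(e.serial, e.rev_date, e.reason) for e in entries if e.status == "R"]


def release_hold(entries: List[IndexEntry], serial: str) -> List[IndexEntry]:
    """Release path 2: remove the certificate from the CRL by making it valid again.
    Refuses for anything that is not a hold, since a real revocation is irreversible."""
    out = []
    for e in entries:
        if e.serial == serial:
            if not is_on_hold(e):
                raise ValueError(f"serial {serial} is not on hold; status={e.status} reason={e.reason}")
            e = replace(e, status="V", rev_date=None, reason=None)
        out.append(e)
    return out


def convert_hold_to_revocation(entries: List[IndexEntry], serial: str, reason: str) -> List[IndexEntry]:
    """Release path 1: turn the hold into a final revocation, keeping the original date."""
    if reason not in CRL_REASONS or reason in ("certificateHold", "removeFromCRL"):
        raise ValueError(f"not a final revocation reason: {reason}")
    out = []
    for e in entries:
        if e.serial == serial:
            if not is_on_hold(e):
                raise ValueError(f"serial {serial} is not on hold")
            e = replace(e, reason=reason)
        out.append(e)
    return out


def delta_crl_entries(base: List[IndexEntry], current: List[IndexEntry]) -> List[CrlEntry]:
    """Entries a delta CRL must carry relative to `base`: new or changed revocations
    with their reason, and released holds flagged removeFromCRL (dated with the
    original hold date here; that choice is this example's assumption)."""
    old_by_serial = {e.serial: e for e in base}
    delta: List[CrlEntry] = []
    for e in current:
        old = old_by_serial.get(e.serial)
        if e.status == "R" and (old is None or old.status != "R" or old.reason != e.reason):
            delta.append((e.serial, e.rev_date, e.reason))
        elif e.status == "V" and old is not None and is_on_hold(old):
            delta.append((e.serial, old.rev_date, "removeFromCRL"))
    return delta


if __name__ == "__main__":
    db = parse_index(SAMPLE_INDEX)
    print("full CRL now:", crl_entries(db))
    released = release_hold(db, "01")
    print("full CRL after release:", crl_entries(released))
    print("delta CRL after release:", delta_crl_entries(db, released))
    print(serialize_index(released), end="")
```

Run as a script it prints the CRL contents before and after serial 01 is released, the delta entry with reason `removeFromCRL`, and the edited `index.txt`. The design point is the asymmetry Erwann draws: `release_hold` only ever succeeds for `certificateHold` entries, so a `keyCompromise` entry such as serial 03 can never quietly become valid again, while `convert_hold_to_revocation` keeps the original revocation date so that relying parties evaluating old signatures see the same cutoff.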