Put certificate on hold - Openssl


Thread: Put certificate on hold

  1. Put certificate on hold

    Dear all,

    I'm new to openssl and I've got a question about putting a certificate
    "on hold". Maybe someone can please confirm or correct my thoughts?

    As far as I understand things, you can either revoke a cert (which is
    not reversible) or you can put a cert "on hold".

    "Holding" a cert is a reversible process, meaning you can "un-hold"
    the cert and use the SAME cert after it was un-held. Is this true?
    Putting a cert "on hold" is like revoking a cert; you only have to
    provide the reason code "certificate Hold". Then an entry in the CRL
    will be generated that looks as follows:

    Certificate Revocation List (CRL):
            Version 2 (0x1)
            Signature Algorithm: sha1WithRSAEncryption
            Issuer: /C=DE/ST=by/L=muc/O=--/OU=--/CN=HK/emailAddress=xxxxxx
            Last Update: Oct 13 07:40:50 2008 GMT
            Next Update: Oct 13 07:40:50 2009 GMT
    Revoked Certificates:
        Serial Number: 01
            Revocation Date: Oct 13 07:40:50 2008 GMT
            CRL entry extensions:
                X509v3 CRL Reason Code:
                    Certificate Hold
        Serial Number: 03
            Revocation Date: Oct 10 08:58:24 2008 GMT
            CRL entry extensions:
                X509v3 CRL Reason Code:
                    Key Compromise
        Signature Algorithm: sha1WithRSAEncryption
            97:68:89:05:c8:58:bd:a6:e4:c8:df:99:0c:25:f4:d6:b7:98:
            3e:56:c0:4d:98:d9:2e:c0:15:85:13:e3:2c:1e:77:a8:52:00:
            ce:00:7d:69:30:b7:87:a1:ae:b4:51:16:e0:5f:c8:c0:[...]

    What I do not understand is how to "un-hold" the cert. What do I have
    to do? Theoretically "un-holding" would mean that you remove the
    serial number of the "held" cert from the CRL?

    Best regards,
    Martin
    ______________________________________________________________________
    OpenSSL Project http://www.openssl.org
    User Support Mailing List openssl-users@openssl.org
    Automated List Manager majordomo@openssl.org


  2. Re: [openssl-users] Put certificate on hold

    Hello Martin,

    Today, the third day before the Ides of October 2008, Martin Schneider wrote:
    > As far as I understand things, you can either revoke a cert (which is
    > not reversible) or you can put a cert "on hold".


    Right.

    > "Holding" a cert is a reversible process, meaning you can "un-hold"
    > the cert and use the SAME cert after it was un-held. Is this true?
    > Putting a cert "on hold" is like revoking a cert; you only have to
    > provide the reason code "certificate Hold". Then an entry in the CRL
    > will be generated that looks as follows:


    In fact, the certificate is present in the CRL, but is not considered
    "revoked" (as per the X.509 recommendation). It's on hold, as the
    reason tells. For the majority of the applications, it's the same; the
    behaviour won't be different. But if you want to provide signature
    services that need to be verified far in the future, that's a point to
    consider.

    > What I do not understand is how to "un-hold" the cert. What do I have
    > to do? Theoretically "un-holding" would mean that you remove the
    > serial number of the "held" cert from the CRL?


    Reading the X.509 recommendation (downloadable for free from the ITU-T
    web site) tells us that a certificate can be "un-held" by 2 means:
    - either really revoke it, by changing the reason code while keeping
      the date
    - or completely remove it from the CRL, as you guessed.
    If you plan to issue deltaCRLs, you MUST use the "removeFromCRL"
    reason code for such certificates, only for the deltaCRLs.

    --
    Erwann ABALEA
    -----
    When you honestly believe you can compensate for a lack of skill by
    doubling your efforts, there's no end to what you can't do.
    Demotivators, 2001 calendar
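The mechanics described in the reply above (a certificateHold entry is reversible, a delta CRL lifts it with removeFromCRL, any other reason code is a permanent revocation), as an added Python example that is not part of the original thread. It parses the text form of a CRL as printed by `openssl crl -text`, merges a delta CRL into a base CRL and reports a serial's status; the CRL text is constructed, and the string "Remove From CRL" is assumed to be how OpenSSL prints the removeFromCRL reason.

```python
from datetime import datetime
# Constructed sample modelled on the thread's `openssl crl -text` output: 01 on hold, 03 key compromise
BASE_CRL_TEXT = """\
Revoked Certificates:
    Serial Number: 01
        Revocation Date: Oct 13 07:40:50 2008 GMT
        CRL entry extensions:
            X509v3 CRL Reason Code:
                Certificate Hold
    Serial Number: 03
        Revocation Date: Oct 10 08:58:24 2008 GMT
        CRL entry extensions:
            X509v3 CRL Reason Code:
                Key Compromise
"""
# Constructed delta CRL lifting the hold on 01 ("Remove From CRL" assumed to be OpenSSL's printed name)
DELTA_CRL_TEXT = """\
Revoked Certificates:
    Serial Number: 01
        Revocation Date: Oct 13 07:40:50 2008 GMT
        CRL entry extensions:
            X509v3 CRL Reason Code:
                Remove From CRL
"""

def parse_crl_entries(text):  # map serial -> (revocation date, reason name) from `openssl crl -text` output
    entries, serial, expect_reason = {}, None, False
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("Serial Number:"):
            serial = line.split(":", 1)[1].strip().upper()
            entries[serial] = [None, "Unspecified"]  # no reason extension = unspecified (still revoked)
        elif line.startswith("Revocation Date:"):
            entries[serial][0] = datetime.strptime(line.split(":", 1)[1].strip(), "%b %d %H:%M:%S %Y GMT")
        elif line == "X509v3 CRL Reason Code:":
            expect_reason = True  # the reason name is printed on the following line
        elif expect_reason:
            entries[serial][1], expect_reason = line, False
    return {s: tuple(v) for s, v in entries.items()}

def apply_delta(base, delta):  # removeFromCRL lifts a hold; any other reason replaces the entry
    merged = dict(base)
    for serial, (when, reason) in delta.items():
        if reason == "Remove From CRL":
            if merged.get(serial, (None, None))[1] == "Certificate Hold":
                del merged[serial]  # only a held cert can be un-held this way
        else:
            merged[serial] = (when, reason)  # e.g. a hold escalated to a real revocation
    return merged

def status(entries, serial):  # 'good', 'on_hold' (reversible) or 'revoked' (permanent)
    entry = entries.get(serial.upper())
    return "good" if entry is None else ("on_hold" if entry[1] == "Certificate Hold" else "revoked")
```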

