View Issue Details

ID: 0000775
Project: Main CAcert Website
Category: certificate issuing
View Status: public
Last Update: 2019-08-27 13:27
Reporter: Bas van den Dikkenberg
Assigned To: dastrath
Priority: normal
Severity: minor
Reproducibility: have not tried
Status: needs review
Resolution: open
Product Version: 2009 Q3
Target Version: 2015 Q1
Fixed in Version:
Summary: 0000775: An org certificate is only valid one year
Description: When I make an Organisational client certificate it's only valid one year; this must be two as far as I can find in the policy. The policy doesn't specify that it's not two years valid.

Tags: No tags attached.
Reviewed by: Ted
Test Instructions:

Relationships

related to 0000897 (closed, Uli60): Prerequisites to do code signing differ in About->Point System and CPS

Activities

homer

2009-09-06 12:12

reporter   ~0001476

Hello Bas,

I guess you are right
http://www.cacert.org/index.php?id=19

Best regards,

Guillaume

homer

2009-09-11 20:14

reporter   ~0001477

Hello Bas,

I confirm the cert lifetime is one year whatever you choose, codesigning or not (class 1 or 3 root).

Best regards,

Guillaume

homer

2009-09-11 20:15

reporter   ~0001478

confirmed Sept 11th 2009

Uli60

2011-07-05 02:17

updater   ~0002085

Last edited: 2011-07-05 11:49


added a note that certs issued under the Organisation Assurance program are valid for 12 months under
https://wiki.cacert.org/FAQ/Privileges
redirection fix is handled under
https://bugs.cacert.org/view.php?id=897

to update the text, you have to update
https://wiki.cacert.org/FAQ/Privileges

http://www.cacert.org/policy/CertificationPracticeStatement.php
lists Organisation SubRoot -> Expiry of Certificates -> 24 months
for the new root and
Assured Members -> Expiry of Certificates -> 24 months
for the "old" root

http://www.cacert.org/policy/OrganisationAssurancePolicy.php
refers to CPS about cert issuing

affected source code starts in:
https://cacert1.it-sls.de/account.php?id=16 (client certs)
https://cacert1.it-sls.de/account.php?id=20 (server certs)

probably one of the CommModule scripts needs to be reviewed,
e.g. client.pl (sub calculateDays($)) l.440 ff. counts days based on received assurance points: if >= 50 then 730 days, otherwise 180 days.
Do organisation users receive assurance points over 50?

client.pl l.835 (sub HandleCerts($$)) displays correct calculation:
      my $days=$org?($server?(365*2):365):calculateDays($row{"memid"});
if org (is yes), if server cert then calculate #days = 2 x 365 days = 730
sub calculateDays() will not be called here

INOPIAE

2014-02-25 07:39

updater   ~0004603

I pushed a fix to https://github.com/INOPIAE/CAcert/tree/bug-775

BenBE

2015-01-21 21:51

updater   ~0005257

Patch applied to testserver.

The testserver always uses 30 days instead of 730 days.

INOPIAE

2015-01-21 22:24

updater   ~0005260

I just created a new org client cert. Duration is 2 years => ok
I just created a new org server cert. Duration is 2 years => ok
=> ok

Uli60

2015-01-21 22:30

updater   ~0005261

renewed Org.Server cert => now valid for 2 years
renewed Org.Client cert => now valid for 2 years

Ted

2019-07-17 07:42

administrator   ~0005816

There has been an explicit request on the support mailing list for longer lasting org certificates, so I'm trying to revive this case...

Ted

2019-07-21 21:15

administrator   ~0005817

The changes checked in by INOPIAE in his commit 900a6f2b9ea899bcf66cbc47848d6a8057bcaca0 five years ago are quite minimal.

I guess the easiest way to get it compatible to the current code is to manually re-do those changes on the current release branch...

Ted

2019-07-21 21:25

administrator   ~0005818

Note that Org-server certificates already are valid for 2 years on the production system, only client certs are reduced to 1 year validity...

Ted

2019-07-21 21:57

administrator   ~0005819

Hmm, indeed rebasing the existing bug-775 worked fine, so I pushed the branch to the GitHub-repository. git.cacert.org is not (yet) updated.

Ted

2019-07-26 21:07

administrator   ~0005820

bug-775 is now merged into test-1442 and installed on the (old) testserver, so it may once more be tested...

Golffies

2019-08-22 15:20

updater   ~0005823

[Second attempt to submit the test report; previous drafted report got lost when submitting it, thanks to an "invalid authentication token" issue; some inaccuracies may have then been added to the present report, when re-writing it yet another time.]

Test report


1. Tested URL: https://test.cacert.org


2. Pre-requisites - Set #1:

2.1. having user's e-mail address been verified;
2.2. having been assured by other Assurers, up to 100 points;
2.3. being an Assurer, i.e. having passed CATS;
2.4. being an Organisation Assurer.

All pre-requisites fulfilled by tuning existing user account registered on https://test.cacert.org through the Test Manager available at https://mgr.test.cacert.org:14843.


3. Pre-requisites - Set #2:

3.1. Having registered an Organisation;
3.2. Having defined yourself as an Administrator for that Organisation;
3.3. Having defined a Domain for that Organisation;

All prerequisites fulfilled by registering the related information on https://test.cacert.org.


4. Organisation Server Certificate - Steps which have been completed:

4.1. off-line preparing a CSR certificate with openssl;
4.2. requesting a new certificate under the Org Server Certs menu;
4.3. pasting the CSR in PEM format to the corresponding field;
4.4. choosing Class Root 1 as signing certificate;
4.5. choosing SHA512 as signature algorithm;
4.6. clicking on Submit button;
4.7. reviewing and confirming Organisation details on next screen;
4.8. getting a PEM on-screen copy of the Org Server generated certificate;
4.9. off-line reading the validity period of the certificate with openssl;
4.10. displaying the list of existing Server certificates under the Org Server Certs menu;
4.11. on-line reading the validity period of the considered certificate;
4.12. comparing the on-line (test.cacert.org) expiry dates with the off-line (openssl) expiry dates.

Results are given at the end of the report.


5. Organisation Client Certificate - steps completed:

5.1. off-line preparing a CSR certificate with openssl;
5.2. requesting a new certificate under the Org Client Certs menu;
5.3. entering required personal details;
5.4. keeping Class Root 3 (default) as signing certificate;
5.5. keeping SHA256 (default) as signature algorithm;
5.6. clicking on Next button;
5.7. pasting the same CSR as previously, in PEM format, to the corresponding field;
5.8. clicking on Submit CSR button;
5.9. getting a PEM on-screen copy of the Org Client generated certificate;
5.10. off-line reading the validity period of the certificate with openssl;
5.11. displaying the list of existing Client certificates under the Org Client Certs menu;
5.12. on-line reading the validity period of the considered certificate;
5.13. comparing the on-line (test.cacert.org) expiry dates with the off-line (openssl) expiry dates.

Results are given at the end of the report.


6. Observed results

6.1. Org Server Cert result to #4.9: [PASSED]

        Validity
            Not Before: Aug 22 09:54:00 2019 GMT
            Not After : Aug 21 09:54:00 2021 GMT

6.2. Org Server Cert result to #4.11: [PASSED]

        Expires
        2021-08-21 09:54:00

6.3. Org Server Cert result to #4.12: [PASSED]

        Not After : Aug 21 09:54:00 2021 GMT
        =
        2021-08-21 09:54:00


6.4. Org Client Cert result to #5.10: [PASSED]

        Validity
            Not Before: Aug 22 11:26:19 2019 GMT
            Not After : Aug 21 11:26:19 2021 GMT

6.5. Org Client Cert result to #5.12: [PASSED]

        Expires
        2021-08-21 11:26:19

6.6. Org Client Cert result to #5.13: [PASSED]

        Aug 21 11:26:19 2021 GMT
        =
        2021-08-21 11:26:19


7.1. Copy of the Org Server generated certificate:

7.1.1. Certificate in text format

$ openssl x509 -text -noout -in 2019-08-22_OrgaServCert.pem

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 20697 (0x50d9)
    Signature Algorithm: sha512WithRSAEncryption
        Issuer: C=AU, ST=New South Wales, O=CAcert Testserver, OU=http://cacert1.it-sls.de, CN=CAcert Testserver Root
        Validity
            Not Before: Aug 22 09:54:00 2019 GMT
            Not After : Aug 21 09:54:00 2021 GMT
        Subject: C=FR, ST=Ile de France, L=Paris, O=Ellis BBS, CN=ellis.siteparc.fr
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:96:67:e1:d1:6a:69:05:c8:f5:ea:2f:a9:0d:7a:
                    21:f6:57:2d:24:15:aa:2f:2c:c5:85:79:fe:6f:5a:
                    9a:8c:e6:d4:65:2e:63:b5:ac:39:19:56:53:f9:4d:
                    56:56:80:db:91:5a:d6:de:9d:80:63:e1:00:20:e8:
                    9c:3c:07:5b:1d:67:31:76:f4:06:bb:74:78:d5:57:
                    0e:c9:3c:73:4c:0c:ac:32:8b:0b:8b:20:9b:d5:6e:
                    76:e9:cb:7d:df:5a:07:91:d2:aa:9b:da:59:62:87:
                    d2:b1:fb:f9:42:54:c0:4c:b5:53:5e:2a:85:5a:c2:
                    00:f7:d6:11:db:62:6c:b6:00:92:36:d0:0e:37:43:
                    87:48:04:9f:f9:80:c6:9b:37:e5:6c:6f:e9:c4:5a:
                    3a:1e:2e:be:8c:8d:2d:ad:e6:4c:35:e2:eb:87:e3:
                    b7:50:f5:2d:71:a3:ae:f6:36:7e:53:72:d9:aa:45:
                    0d:4e:eb:4e:cb:ee:c8:9c:19:f8:7f:e9:13:6b:54:
                    df:8f:8e:8b:57:51:a3:c7:26:24:e1:6f:90:dd:e8:
                    3a:f1:a9:01:25:a4:f4:05:3c:73:07:dd:3d:6f:b6:
                    ec:27:a2:f0:c8:27:7a:9a:96:e3:cc:35:1c:1a:df:
                    45:6b:fd:4b:27:05:b1:74:49:b4:b4:f4:43:db:2c:
                    e0:07
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment, Key Agreement
            X509v3 Extended Key Usage:
                TLS Web Client Authentication, TLS Web Server Authentication, Netscape Server Gated Crypto, Microsoft Server Gated Crypto
            Authority Information Access:
                OCSP - URI:http://ocsp.cacert.org/

            X509v3 CRL Distribution Points:

                Full Name:
                  URI:http://crl.cacert.org/revoke.crl

            X509v3 Subject Alternative Name:
                DNS:ellis.siteparc.fr, othername:<unsupported>
    Signature Algorithm: sha512WithRSAEncryption
         b2:e5:64:26:21:82:f0:1c:4d:87:3c:b3:fe:27:91:6d:8b:66:
         4a:a5:88:ca:65:20:29:14:38:82:ea:cf:e8:94:2f:77:00:4e:
         f5:cb:d7:9f:1b:b7:f1:a9:3b:f4:81:35:7a:05:87:9d:c5:05:
         97:04:a2:16:f6:08:aa:be:6b:4b:61:9b:c5:93:4e:d0:ca:f8:
         bd:95:ab:43:59:13:d9:ff:b3:89:b5:8c:e3:bb:11:20:82:e4:
         e7:c8:02:66:53:88:08:e2:33:9c:3b:52:f0:ec:2e:b2:a4:fc:
         7f:cf:9b:9e:28:8a:2c:41:1a:74:1a:ba:06:32:1f:42:0a:01:
         60:a4:08:7f:71:ec:e0:b3:9a:33:2f:3d:6d:93:2d:01:e5:65:
         b4:07:e8:f7:dc:8b:96:43:c4:ff:17:16:38:79:ca:00:d6:0b:
         99:01:f8:ea:29:e7:7c:e3:e1:42:eb:d5:e5:3e:fd:76:fa:6b:
         f3:f1:fb:08:ab:58:56:fa:4b:e8:dc:ec:64:eb:4e:2b:fc:e2:
         0b:a0:85:56:f9:07:02:a4:64:1e:25:35:c2:35:b4:9a:e1:77:
         77:6e:28:4f:ac:a5:c0:7d:89:a6:4f:0a:4f:3c:b0:ab:c1:a1:
         52:da:2b:26:c2:bb:a8:15:09:c9:97:06:03:d8:87:98:ca:25:
         e5:90:cf:86:73:0a:79:f0:98:12:40:18:be:8d:44:f1:c6:f4:
         7c:79:d3:b0:67:5d:20:a8:35:c3:52:81:83:12:e0:62:90:db:
         a4:19:e1:34:42:7e:ed:9b:7a:cb:91:94:e6:16:be:b6:15:28:
         0f:c8:72:cd:fa:1a:b4:df:82:d5:4e:55:8f:d2:78:69:de:b5:
         f1:5f:87:3d:b3:d7:db:aa:09:4d:c7:02:5a:18:ac:ae:d0:86:
         3e:e3:56:a1:b5:6e:0b:d9:62:9e:a4:8f:fd:c1:65:1b:db:3d:
         f6:2c:92:ed:30:13:8f:31:d8:c0:92:6f:a9:c9:5d:ee:ab:ff:
         f3:d1:39:f8:67:74:45:f4:a9:18:26:20:ce:25:ce:1f:b8:67:
         9c:67:b8:16:f3:b1:0e:b5:cf:8b:96:88:12:2d:4b:5c:6e:61:
         00:d3:67:34:2d:08:51:a2:3f:5a:18:fe:e9:e7:9c:e4:b9:0e:
         07:1f:cc:82:e3:79:d7:b5:8d:cf:5c:dc:2e:ee:f0:48:8e:8f:
         3c:1c:65:da:9f:76:85:19:2a:5c:20:2b:59:d5:6c:9b:68:8c:
         b5:e3:ac:a6:91:95:df:92:fa:bc:72:61:ce:5f:a9:7a:a2:6a:
         66:ee:07:03:2d:61:fe:9b:64:88:46:dc:bd:9d:07:7e:22:cf:
         e5:90:bf:60:68:d8:5f:55

7.1.2. Certificate in PEM format

-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----


7.2. Copy of the Org Client generated certificate:

7.2.1. Certificate in text format

$ openssl x509 -text -noout -in 2019-08-22_OrgaClientCert.pem

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 23477 (0x5bb5)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: O=CAcert Testsever, OU=http://cacert1.it-sls.de, CN=CAcert Testserver Class 3
        Validity
            Not Before: Aug 22 11:26:19 2019 GMT
            Not After : Aug 21 11:26:19 2021 GMT
        Subject: C=FR, ST=Ile de France, L=Paris, O=Ellis BBS, OU=Gro\xC3\x9Fe Katastrophe, CN=John Doe (The Original!)/emailAddress=John.Doe@ellis.siteparc.fr
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:96:67:e1:d1:6a:69:05:c8:f5:ea:2f:a9:0d:7a:
                    21:f6:57:2d:24:15:aa:2f:2c:c5:85:79:fe:6f:5a:
                    9a:8c:e6:d4:65:2e:63:b5:ac:39:19:56:53:f9:4d:
                    56:56:80:db:91:5a:d6:de:9d:80:63:e1:00:20:e8:
                    9c:3c:07:5b:1d:67:31:76:f4:06:bb:74:78:d5:57:
                    0e:c9:3c:73:4c:0c:ac:32:8b:0b:8b:20:9b:d5:6e:
                    76:e9:cb:7d:df:5a:07:91:d2:aa:9b:da:59:62:87:
                    d2:b1:fb:f9:42:54:c0:4c:b5:53:5e:2a:85:5a:c2:
                    00:f7:d6:11:db:62:6c:b6:00:92:36:d0:0e:37:43:
                    87:48:04:9f:f9:80:c6:9b:37:e5:6c:6f:e9:c4:5a:
                    3a:1e:2e:be:8c:8d:2d:ad:e6:4c:35:e2:eb:87:e3:
                    b7:50:f5:2d:71:a3:ae:f6:36:7e:53:72:d9:aa:45:
                    0d:4e:eb:4e:cb:ee:c8:9c:19:f8:7f:e9:13:6b:54:
                    df:8f:8e:8b:57:51:a3:c7:26:24:e1:6f:90:dd:e8:
                    3a:f1:a9:01:25:a4:f4:05:3c:73:07:dd:3d:6f:b6:
                    ec:27:a2:f0:c8:27:7a:9a:96:e3:cc:35:1c:1a:df:
                    45:6b:fd:4b:27:05:b1:74:49:b4:b4:f4:43:db:2c:
                    e0:07
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:FALSE
            Netscape Comment:
                To get your own certificate for FREE head over to http://www.CAcert.org
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment, Key Agreement
            X509v3 Extended Key Usage:
                E-mail Protection, TLS Web Client Authentication, Microsoft Encrypted File System, Microsoft Server Gated Crypto, Netscape Server Gated Crypto
            Authority Information Access:
                OCSP - URI:http://ocsp.cacert.org

            X509v3 CRL Distribution Points:

                Full Name:
                  URI:http://test.cacert.org/test-class3-revoke.crl

            X509v3 Subject Alternative Name:
                email:John.Doe@ellis.siteparc.fr
    Signature Algorithm: sha256WithRSAEncryption
         c0:11:7f:12:84:96:65:b3:70:cc:6c:5b:c6:ca:9a:18:07:d6:
         1e:c5:58:34:46:0d:1d:e9:7d:40:40:a4:65:cf:51:17:d3:ec:
         8f:fa:a3:3c:d2:8b:69:d3:26:cb:4a:7e:a9:13:6c:67:b4:70:
         54:86:55:f8:20:08:49:47:db:2b:ba:f3:9a:aa:a2:0b:60:eb:
         b0:f2:70:70:c6:a5:4c:e4:ce:f0:db:77:48:8f:e5:3c:b4:7d:
         90:60:18:cd:41:d3:74:07:1b:1e:33:e8:bb:cd:2d:c9:5a:4a:
         8c:4a:61:3d:9c:c0:ea:6e:e4:9b:95:04:05:97:c0:40:96:3e:
         43:5b:ca:c5:2a:21:59:6f:79:22:d0:14:b0:72:97:30:56:07:
         3f:26:59:06:98:b4:cf:91:0b:38:b5:ea:26:a7:9b:a2:35:65:
         71:6b:38:c6:6d:54:59:44:bd:9a:71:a4:c0:64:c9:70:78:0e:
         2b:61:07:82:19:68:e9:46:70:fd:4e:73:78:0c:6c:9b:3e:2a:
         cb:d1:55:65:08:c9:b7:d5:d9:53:54:d1:af:d1:56:12:3c:eb:
         e6:b5:ad:e3:7b:0e:f6:10:1e:b6:e4:98:bf:46:9c:40:48:6f:
         b4:cb:c7:b2:9b:9b:2f:06:3d:0a:14:21:35:c5:88:73:75:52:
         a9:3d:ab:00:8a:6d:2d:d5:88:3c:01:2f:e6:33:5a:2a:db:c8:
         59:5e:02:e1:e7:3d:17:1a:0f:e3:54:eb:86:24:29:f5:fa:5c:
         c0:f0:e1:45:2f:78:62:0e:41:da:ca:e9:fd:b7:a3:92:78:0b:
         6a:0a:00:17:e9:d9:16:18:3f:d8:2e:71:cf:e8:62:e2:98:74:
         ab:90:be:7a:d3:2e:0c:f8:a0:05:72:9c:20:1a:da:2d:ed:4b:
         23:9c:2a:5f:4f:93:d8:5e:f2:0c:49:dc:ac:05:a8:5c:72:8d:
         c8:64:92:20:f1:87:4a:c4:93:ab:4d:e7:f3:f9:32:1d:75:e2:
         56:28:4e:62:8b:b7:e3:f2:49:09:c2:85:b8:37:2e:74:68:53:
         0d:35:0e:97:59:f5:cb:1d:e8:4b:87:0c:9a:f2:42:e2:86:18:
         27:dc:1e:7e:d9:80:63:7d:77:a7:2e:96:f7:f7:de:70:64:a0:
         5b:fc:e3:52:0a:7d:4a:af:2e:ad:21:b6:e1:a8:63:ad:89:50:
         cb:38:c4:d8:f2:c8:1e:79:ce:23:57:a9:85:56:f8:32:bb:04:
         b1:18:3f:61:3d:06:3d:c8:11:c2:26:d7:c6:89:f2:75:8a:b1:
         f6:e2:27:e6:64:be:50:44:2b:b1:b2:5f:19:56:ab:f4:8f:78:
         05:11:f4:c2:32:02:57:ac

7.2.2. Certificate in PEM format

-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----


8. Side note

Is it OK for our application to let an Organisation Administrator make use of the same private key / CSR for generating both an Org Server Cert and an Org Client Cert?
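
The two pieces of logic this thread turns on, the client.pl day-count expression quoted in Uli60's note (`my $days=$org?($server?(365*2):365):calculateDays($row{"memid"});`) and the openssl-versus-web-UI expiry comparison in steps 4.12 and 5.13 of the test report above, as an added Python example. This is not CAcert's code: the before/after functions are a rendering of the quoted Perl line and of the behaviour the testserver results show, the sample Validity lines are copied from section 7.1 of the report, and all function names are my own.

```python
"""Added example (not CAcert code): model the certificate-lifetime logic
discussed in this issue and check an issued certificate's validity period
the way the test report does (openssl output versus the web UI's expiry)."""
import re
from datetime import datetime, timezone

# Lifetime the CPS states for Organisation certificates: 24 months.
ORG_DAYS = 365 * 2


def calculate_days(points):
    """Reading of client.pl sub calculateDays($) as described in the issue:
    730 days from 50 assurance points upwards, otherwise 180 days."""
    return 730 if points >= 50 else 180


def cert_days_before_fix(org, server, points):
    """Python rendering of the quoted HandleCerts line
    my $days=$org?($server?(365*2):365):calculateDays($row{"memid"});
    Org server certs get two years, org client certs only one (the bug)."""
    if org:
        return 365 * 2 if server else 365
    return calculate_days(points)


def cert_days_after_fix(org, server, points):
    """Behaviour confirmed by the testserver results: every org cert gets
    two years (assumed shape of the fix, not the project's actual diff)."""
    if org:
        return ORG_DAYS
    return calculate_days(points)


# Matches the Validity lines of `openssl x509 -text -noout` output.
_VALIDITY_RE = re.compile(r"Not (Before|After)\s*:\s*(.+?)\s*$", re.MULTILINE)
_OPENSSL_FMT = "%b %d %H:%M:%S %Y GMT"   # e.g. "Aug 21 09:54:00 2021 GMT"


def parse_validity(openssl_text):
    """Return (not_before, not_after) as UTC datetimes from openssl text output."""
    found = dict(_VALIDITY_RE.findall(openssl_text))
    if set(found) != {"Before", "After"}:
        raise ValueError("no Validity block found in openssl output")

    def to_dt(s):
        # openssl pads single-digit days with a space ("Aug  1"); normalise it.
        return datetime.strptime(" ".join(s.split()), _OPENSSL_FMT).replace(tzinfo=timezone.utc)

    return to_dt(found["Before"]), to_dt(found["After"])


def validity_days(openssl_text):
    """Lifetime of the certificate in whole days."""
    not_before, not_after = parse_validity(openssl_text)
    return (not_after - not_before).days


def check_lifetime(openssl_text, web_expiry, expected_days):
    """Steps 4.12 / 5.13 of the test report: the web UI's 'Expires' value must
    equal openssl's Not After, and the lifetime must be the expected one."""
    not_before, not_after = parse_validity(openssl_text)
    web = datetime.strptime(web_expiry, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
    return not_after == web and (not_after - not_before).days == expected_days


# Sample input: the Validity block of the Org Server cert from section 7.1 of the report.
SERVER_CERT_TEXT = """\
        Validity
            Not Before: Aug 22 09:54:00 2019 GMT
            Not After : Aug 21 09:54:00 2021 GMT
"""
SERVER_WEB_EXPIRY = "2021-08-21 09:54:00"   # the 'Expires' value shown under Org Server Certs


if __name__ == "__main__":
    for label, fn in (("before fix", cert_days_before_fix), ("after fix", cert_days_after_fix)):
        print(f"{label}: org client={fn(True, False, 100)} org server={fn(True, True, 100)} "
              f"user 49 pts={fn(False, False, 49)} user 50 pts={fn(False, False, 50)}")
    print("issued org server cert lifetime:", validity_days(SERVER_CERT_TEXT), "days")
    print("matches CPS (24 months) and web UI:",
          check_lifetime(SERVER_CERT_TEXT, SERVER_WEB_EXPIRY, ORG_DAYS))
```

Feeding the full `openssl x509 -text -noout` output from section 7.1 or 7.2 to `check_lifetime` together with the "Expires" value from the web UI reproduces the PASSED checks of the report in one call; the 2019-08-22 to 2021-08-21 window spans a leap year and still comes out at exactly 730 days, which is the `365*2` the CPS's 24 months translate to in client.pl.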

Ted

2019-08-23 18:42

administrator   ~0005825

> 8. Side note
>
> Is it OK for our application to let an Organisation Administrator make use of the same private key / CSR
> for generating both an Org Server Cert and an Org Client Cert?

IMHO it does not make much sense to use the same key for different types of certificates (client/server), but it should not pose a problem for CAcert. Though I did not do elaborate evaluations I don't see how this feature can be abused.

Of course it is extremely bad practice to use the same key for different certificates, regardless of whether they are of the same or of a different type.
The only (more or less) sensible use of a key in multiple certificates is when a certificate is renewed, when the certificate has the same relevant content (CN) and only differs in formal fields (expiration date and similar). I personally would advise against even this practice.

Ted

2019-08-23 18:44

administrator   ~0005826

This issue now needs to be reviewed. I'll do one review myself and hope Dirk will do the other one. Or is there any other Software Assessor out there?

Ted

2019-08-23 18:52

administrator   ~0005827

Reviewed commit ad77a681eda40a7a0331adffaf67bfb16986adac versus d328ebd6ad641a9caf4c80208a14d3b8f768edc0

The changes are very minimal, the review is PASSED

Issue History

Date Modified | Username | Field | Change
2009-09-05 10:25 | Bas van den Dikkenberg | New Issue |
2009-09-06 12:12 | homer | Note Added | 0001476
2009-09-11 20:14 | homer | Note Added | 0001477
2009-09-11 20:15 | homer | Note Added | 0001478
2009-09-11 20:15 | homer | Status | new => confirmed
2011-04-14 01:33 | Uli60 | Relationship added | related to 0000897
2011-07-05 02:17 | Uli60 | Note Added | 0002085
2011-07-05 02:17 | Uli60 | Note Edited | 0002085
2011-07-05 02:27 | Uli60 | Note Edited | 0002085
2011-07-05 02:28 | Uli60 | Note Edited | 0002085
2011-07-05 02:31 | Uli60 | Note Edited | 0002085
2011-07-05 03:05 | Uli60 | Note Edited | 0002085
2011-07-05 11:49 | Uli60 | Note Edited | 0002085
2014-02-25 07:38 | INOPIAE | Assigned To | => INOPIAE
2014-02-25 07:39 | INOPIAE | Note Added | 0004603
2014-02-25 07:39 | INOPIAE | Status | confirmed => fix available
2015-01-21 21:51 | BenBE | Reviewed by | => BenBE
2015-01-21 21:51 | BenBE | Note Added | 0005257
2015-01-21 21:51 | BenBE | Assigned To | INOPIAE => dastrath
2015-01-21 21:51 | BenBE | Status | fix available => needs review & testing
2015-01-21 21:51 | BenBE | Product Version | => 2009 Q3
2015-01-21 21:51 | BenBE | Target Version | => 2015 Q1
2015-01-21 22:24 | INOPIAE | Note Added | 0005260
2015-01-21 22:30 | Uli60 | Note Added | 0005261
2015-02-10 20:36 | BenBE | Assigned To | dastrath => NEOatNHNG
2015-02-10 20:36 | BenBE | Status | needs review & testing => needs review
2019-07-17 07:42 | Ted | Note Added | 0005816
2019-07-17 07:42 | Ted | Assigned To | NEOatNHNG => Ted
2019-07-21 21:15 | Ted | Note Added | 0005817
2019-07-21 21:25 | Ted | Note Added | 0005818
2019-07-21 21:57 | Ted | Note Added | 0005819
2019-07-26 21:07 | Ted | Note Added | 0005820
2019-08-22 15:20 | Golffies | Note Added | 0005823
2019-08-23 18:42 | Ted | Note Added | 0005825
2019-08-23 18:43 | Ted | Assigned To | Ted => dastrath
2019-08-23 18:44 | Ted | Note Added | 0005826
2019-08-23 18:52 | Ted | Note Added | 0005827
2019-08-23 18:53 | Ted | Reviewed by | BenBE => Ted