RE: [certtest] Certification test portal ready for testing

Hi Do Duc Huy,

Thanks for your response to our mail.

Hi all,

For three interfaces (create, request and view), they are well done in my test. But I have some points need help to clarify here:

- Can we select the range of resource for each certificate? In this state of testing, all certificate have same resource range and I can not see any interface for select resource corresponding with certificate.

At the moment, all resources will be added to the certificate. Whether this will change in the future will be a policy question. However, when signing your own resource certificate, i.e. in the case of ROA’s, it will be possible to specify the range of resources. Note, however, that ROA’s are currently not supported and will be added in a future version.

- There are only 5 fields in resource certificate (Serial, Subject...), so I wonder if they are enough for deploy resource certificate system? Because as I know, in global infrastructure (http://tools.ietf.org/html/draft-ietf-sidr-arch-03) there are many fields needed in certificate content

At the moment, we don’t support AIA and SIA fields, and we do not show the key usage. In the future we will support these fields, but at the moment, they are not available in the system. Are there any other fields you’re missing?

- How to validate a certificate that download from certtest

Currently, there’s no easy way to validate a certificate. This doesn’t mean it’s not possible, just that it’s not easy to do out-of-the-box. OpenSSL 0.9.8e includes a patch which can validate the RFC3779 extension. The patch, however, is disabled by default and you have to manually enable it (probably by recompiling OpenSSL with the ‘enable-rfc3779’ flag, as described here: http://viewvc.hactrn.net/subvert-rpki.hactrn.net/openssl/README?revision=1676&view=markup)

I hope this answers your questions, if you need more information, please let us know.

Regards,

Erik Pragt

RIPE NCC