I have a couple of subdomains that share the same private key. Baffled as to why the private key is not available when generating a new certificate I discovered this in the help file:
"For new requests or certificates the list of available keys is reduced to the keys with a use counter of 0."
So it is completely impossible in xca for me to use my key which has already been used (several times!) to create another new certificate, or am I misunderstanding?
The first question is: WHY do you use the same key for
Once again: Be sure what you are doing !! And think
if there is really no way to use different keys for different hosts.
If you can give a reasonable answer to this question you may proceed to step2.
Maybe I can show you a way to use differnt keys for different certificates. If you don't want to do it in public,
you may contact me by my private mail address.
export the certificate to a file and delete it from the DB.
Now xca sets the key-counter back to 0.
If after all you reimport all those "certificates-with-same-key" the key counter increases
accordingly and it does not harm.
Use the source, Luke:
replace in widgets/NewX509.cpp line 108 the get0PrivateDesc() by getPrivateDesc() as shown by the patch. Now xca always allows to use any key you want.
--- widgets/NewX509.cpp.orig 2005-02-09 12:03:46.000000000 +0100
+++ widgets/NewX509.cpp 2005-02-09 12:04:49.000000000 +0100
@@ -115,7 +115,7 @@
// are there any useable private keys ?
- strings = MainWindow::keys->get0PrivateDesc();
+ strings = MainWindow::keys->getPrivateDesc();
I was away so didn't see this response. What i ended up using good old command line openssl to create a CSR with the key (openssl doesn't care about the usage count)... imported that, and go from there.
And i noticed that xca notices the usage count increase in the key. <-;
I certainly could use different keys for the different servers, but it's just more stuff to keep track of. These servers are all running the same application... the only difference between the servers are the application version and subdomain name. So it's just convenient just to keep one key in a safe location which can be propagated to servers as needed. It's not a high security situation... so convenience wins. If i had to generate a new key every time my xca key list would be huge.... actually that's the main reason I don't want to generate more keys... keep the number of keys i have to manage to a minimum.
Anyhow something to consider. OpenSSL doesn't impose this restriction. Maybe xca should consider it a "warning: do you really want to do this?" confirmation rather than forbidding it entirely.
Anyhow, thanks for the response.