On Tue, Sep 21, 1999, Michael O'Sullivan wrote:
> I'm trying to generate a test Global ID certificate. I'm using
> mod_ssl-2.4.2-1.3.9 on solaris.
>
> I've read the instructions on how to generate a test GlobalId server certificate
> (README.GlobalID). They detail using gid-mkcert.sh, which is not needed now as
> far as I can see by reading the
> http://www.drh-consultancy.demon.co.uk/ca-fix.html.
>
> I have read openssl-0.9.4/doc/openssl.txt on v3 extensions and attempted to add
> the necessary details to the openssl.cnf file, but when I try and sign the
> certificate (which is where I think the extKeyUsage field is added) I get the
> error below.
>
> openssl ca -config etc/openssl.cnf -out certs/wholesale-dev.crt -infiles
> csr/wholesale-dev.csr
> Using configuration from etc/openssl.cnf
> Enter PEM pass phrase:
> Error Loading extension section usr_cert
> 8600:error:2207C082:X509 V3 routines:DO_EXT_CONF:unknown extension
> name:v3_conf.c:121:
> 8600:error:2206B080:X509 V3 routines:X509V3_EXT_conf:error in
> extension:v3_conf.c:91:name=extKeyUsage, value=2.16.840.1.113730.4.1,
> 1.3.6.1.4.1.311.10.3.3
>
> I added the extkeyUsage field to the user_cert section of the openssl.cnf file,
> as below.
>
> [ usr_cert ]
> ...
> extKeyUsage=2.16.840.1.113730.4.1,1.3.6.1.4.1.311.10.3.3

The correct syntax is:

    extendedKeyUsage = RID:2.16.840.1.113730.4.1,RID:1.3.6.1.4.1.311.10.3.3

or more symbolically:

    extendedKeyUsage = msSGC,nsSGC

I've upgraded the gid-mkcert.sh script now for mod_ssl 2.4.3.

Ralf S. Engelschall
[EMAIL PROTECTED]
www.engelschall.com
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
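
The exchange above, as an added example that is not part of the original thread or of mod_ssl: a shell sketch that builds a throwaway self-signed certificate from a minimal config using the symbolic form from the reply, then confirms both SGC purposes landed in the Extended Key Usage extension. It assumes an `openssl` binary on PATH; the function names, file names and the CN are constructed for illustration.

```shell
#!/bin/sh
# Added example: test which [usr_cert] key name OpenSSL accepts for the SGC EKUs.
# Assumes `openssl` is on PATH. File names and the CN below are constructed.

# write_cnf KEYNAME FILE: minimal config whose [usr_cert] section sets KEYNAME.
write_cnf() {
    cat > "$2" <<EOF
[ req ]
distinguished_name = dn
prompt             = no
x509_extensions    = usr_cert

[ dn ]
CN = sgc-test.example.invalid

[ usr_cert ]
$1 = msSGC,nsSGC
EOF
}

# make_test_cert KEYNAME DIR: self-signed one-day certificate using that key name.
# Returns openssl's exit status (non-zero when the extension section is rejected,
# as with the "unknown extension name" error quoted in the question).
make_test_cert() {
    write_cnf "$1" "$2/openssl.cnf"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -config "$2/openssl.cnf" \
        -keyout "$2/test.key" -out "$2/test.crt" >/dev/null 2>&1
}

# has_sgc_eku CERT: succeeds only if both SGC purposes appear in the certificate.
has_sgc_eku() {
    text=$(openssl x509 -in "$1" -noout -text) || return 1
    echo "$text" | grep -q 'Netscape Server Gated Crypto' &&
    echo "$text" | grep -q 'Microsoft Server Gated Crypto'
}
```

Running `has_sgc_eku` against the certificate produced by `openssl ca` is a quick way to confirm the extension was actually written before deploying the certificate to a test server.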