Hi Johnny,

thank you for the description. I take it that I can also use existing OIDs like in http://www.alvestrand.no/objectid/2.5.4.html ? There, I found some matching fields. I guess I just have to rename my (uncommon) fields, e.g. code to id-at-postalCode, and then it works?

Greetings,

Georg

Johnny Gonzalez wrote:
> Hello Georg,
>
> I had a similar case, but we only use PKCS#10 requests, so I haven't done any changes to the PUBLIC interface, but I guess it must be as you told us. But what I surely did was to use new OIDs in the OpenSSL files.
>
> In my case we use the OIDs for the new fields to store in the certificate, for example, we have something that we called NIT and its registered OID for our company is: 1.3.6.1.4.1.4710.1.3.2. How did I do it?
>
> 1. Edit your openssl.cnf file: The file you will edit depends on to whom you are issuing certs, let's say: User.cnf.
>
> 2. Look for the [ new_oids ] section and there you have to register your OIDs like this:
>
>     nit = 1.3.6.1.4.1.4710.1.3.2
>
> 3. Then go to the [ policy_match ] section and below the existing info in that section, write something like this:
>
>     nit = optional
>     # Depends on your special needs
>
> 4. Go to the [ req_distinguished_name ] section, and write something like this:
>
>     nit = Nit
>     # The second name appears when creating a new request from console and OpenSSL.
>
> Some special aspects you should know:
>
> - I don't know if you have OIDs for each of those fields or if those fields have a standard OID. You need that info to personalise your User.cnf file.
>
> - You cannot upload those certificates with special OIDs to LDAP automatically, you have first to change the DN and delete special OIDs, however, if you MUST upload them with all fields, that's a different thing and I don't know how to do it, I tried it but I gave up.
>
> - Maybe you will obtain some bad characters in those special fields, if that is the case I have a patch for it.
>
> HTH,
>
> Johnny
>
> --- Georg Lippold <[EMAIL PROTECTED]> wrote:
>
>> Hi,
>>
>> I would like to include some fields other than the usual CN, O, OU; for example title, street, sex, postal code and phone number.
>>
>> As far as I got was editing the ra.conf.template with the following values:
>>
>> ADDITIONAL_REQUEST_ATTRIBUTES "department" "telephone" "sex" "title" "ST" "code" "L"
>> ADDITIONAL_ATTRIBUTES_DISPLAY_VALUE "Department" "Telephone" "Sex" "Title" "Street" "Code" "City"
>> ADDITIONAL_REQUEST_ATTRIBUTES_STRING_TYPE "LATIN1_LETTERS" "LATIN1_LETTERS" "LATIN1_LETTERS" "LATIN1_LETTERS" "LATIN1_LETTERS" "NUMERIC" "LATIN1_LETTERS"
>>
>> In etc/servers/pub.conf.template, I inserted:
>>
>> DN_TYPE_SPKAC_SUBJECTALTNAMES "department" "telephone" "sex" "title" "ST" "code" "L"
>>
>> DN_TYPE_SPKAC_SUBJECTALTNAME_1 "Department"
>> DN_TYPE_SPKAC_SUBJECTALTNAME_1_MINIMUM_LENGTH 3
>> DN_TYPE_SPKAC_SUBJECTALTNAME_1_REQUIRED "YES"
>>
>> DN_TYPE_SPKAC_SUBJECTALTNAME_2 "Telephone"
>> DN_TYPE_SPKAC_SUBJECTALTNAME_2_MINIMUM_LENGTH 7
>> DN_TYPE_SPKAC_SUBJECTALTNAME_2_REQUIRED "YES"
>>
>> DN_TYPE_SPKAC_SUBJECTALTNAME_3 "Sex"
>> DN_TYPE_SPKAC_SUBJECTALTNAME_3_MINIMUM_LENGTH 1
>> DN_TYPE_SPKAC_SUBJECTALTNAME_3_REQUIRED "YES"
>>
>> DN_TYPE_SPKAC_SUBJECTALTNAME_4 "Title"
>> DN_TYPE_SPKAC_SUBJECTALTNAME_4_MINIMUM_LENGTH 2
>> DN_TYPE_SPKAC_SUBJECTALTNAME_4_REQUIRED "NO"
>>
>> DN_TYPE_SPKAC_SUBJECTALTNAME_5 "Street"
>> DN_TYPE_SPKAC_SUBJECTALTNAME_5_MINIMUM_LENGTH 3
>> DN_TYPE_SPKAC_SUBJECTALTNAME_5_REQUIRED "YES"
>>
>> DN_TYPE_SPKAC_SUBJECTALTNAME_6 "Code"
>> DN_TYPE_SPKAC_SUBJECTALTNAME_6_MINIMUM_LENGTH 5
>> DN_TYPE_SPKAC_SUBJECTALTNAME_6_REQUIRED "YES"
>>
>> DN_TYPE_SPKAC_SUBJECTALTNAME_7 "City"
>> DN_TYPE_SPKAC_SUBJECTALTNAME_7_MINIMUM_LENGTH 2
>> DN_TYPE_SPKAC_SUBJECTALTNAME_7_REQUIRED "YES"
>>
>> [...]
>>
>> DN_TYPE_IE_SUBJECTALTNAMES "department" "telephone" "sex" "title" "ST" "code" "L"
>>
>> DN_TYPE_IE_SUBJECTALTNAME_1 "Department"
>> DN_TYPE_IE_SUBJECTALTNAME_1_MINIMUM_LENGTH 3
>> DN_TYPE_IE_SUBJECTALTNAME_1_REQUIRED "YES"
>>
>> DN_TYPE_IE_SUBJECTALTNAME_2 "Telephone"
>> DN_TYPE_IE_SUBJECTALTNAME_2_MINIMUM_LENGTH 7
>> DN_TYPE_IE_SUBJECTALTNAME_2_REQUIRED "YES"
>>
>> DN_TYPE_IE_SUBJECTALTNAME_3 "Sex"
>> DN_TYPE_IE_SUBJECTALTNAME_3_MINIMUM_LENGTH 1
>> DN_TYPE_IE_SUBJECTALTNAME_3_REQUIRED "YES"
>>
>> DN_TYPE_IE_SUBJECTALTNAME_4 "Title"
>> DN_TYPE_IE_SUBJECTALTNAME_4_MINIMUM_LENGTH 2
>> DN_TYPE_IE_SUBJECTALTNAME_4_REQUIRED "NO"
>>
>> DN_TYPE_IE_SUBJECTALTNAME_5 "Street"
>> DN_TYPE_IE_SUBJECTALTNAME_5_MINIMUM_LENGTH 3
>> DN_TYPE_IE_SUBJECTALTNAME_5_REQUIRED "YES"
>>
>> DN_TYPE_IE_SUBJECTALTNAME_6 "Code"
>> DN_TYPE_IE_SUBJECTALTNAME_6_MINIMUM_LENGTH 5
>> DN_TYPE_IE_SUBJECTALTNAME_6_REQUIRED "YES"
>>
>> DN_TYPE_IE_SUBJECTALTNAME_7 "City"
>> DN_TYPE_IE_SUBJECTALTNAME_7_MINIMUM_LENGTH 2
>> DN_TYPE_IE_SUBJECTALTNAME_7_REQUIRED "YES"
>>
>> (By the way, it would make sense to have the option to generate the same values at least for IE and SPKAC and not having to enter both by hand).
>>
>> I inserted the values from ra.conf.template into ca.conf.template on the CA (on my OpenCA-LiveCD, see my previous post). I reconfigured both the RA and the CA with configure_etc.sh and restarted OpenCA. With the RA, I created the attached SPKAC for my example user.
>>
>> When I try to issue a certificate in the CA, I get the following error:
>>
>> Error 6761
>> General Error Error while issuing Certificate to Georg Lippold (filename: /usr/local/openca/OpenCA/var/tmp/05.req).
>>
>> OpenCA::OpenSSL returns errocode 7731075 (OpenCA::OpenSSL->issueCert: OpenSSL fails (7777067).
>> Using configuration from /usr/local/openca/OpenCA/etc/openssl/openssl/User.conf
>> DEBUG[load_index]: unique_subject = "yes"
>> Check that the SPKAC request matches the signature
>> Signature ok
>> ERROR: adding extensions in section default
>> 32569:error:22075075:X509 V3 routines:v2i_GENERAL_NAME:unsupported option:v3_alt.c:437:name=department.0
>> 32569:error:2206B080:X509 V3 routines:X509V3_EXT_conf:error in extension:v3_conf.c:92:name=subjectAltName, [EMAIL PROTECTED]
>> error in ca
>> ).
>>
>> It seems as if the department is not supported. This is also true for most of my other fields.
>>
>> I got so far as to comment out the line
>>
>> [EMAIL PROTECTED]
>>
>> in my /usr/local/openca/OpenCA/etc/openssl/ext/User.ext (as well as the .template). The error is gone then, but my nice additional fields are missing in the certificate.
>>
>> How can I include and sign them successfully? Are there pre-defined names in openssl like countryName, stateOrProvinceName etc. (see http://www.openssl.org/docs/apps/ca.html#EXAMPLES in the "sample configuration file with the relevant sections for ca")? How do I make my own values?
>>
>> Greetings,
>>
>> Georg
>>
>> -----BEGIN HEADER-----
>> ADDITIONAL_ATTRIBUTE_DEPARTMENT =
>> ADDITIONAL_ATTRIBUTE_EMAIL =
>> ADDITIONAL_ATTRIBUTE_REQUESTERCN =
>> ADDITIONAL_ATTRIBUTE_TELEPHONE =
>> LOA = 30
>> NOTBEFORE = Thu Aug 18 14:36:12 2005 UTC
>> PIN = 90575ada0abf54c3b3ed13c5b5169476bf388719
>> RA = Trustcenter itself
>> ROLE = User
>> SERIAL = 800
>> SUBJECT_ALT_NAME = department:Bremen,telephone:+49-176-24355873,sex:M,title:Herr,ST:Herderstr. 8,code:28203,L:Bremen
>> TYPE = SPKAC
>> -----END HEADER-----
>> emailAddress = [EMAIL PROTECTED]
>> CN = Georg Lippold
>> OU = Partners
>> O = National Medical Council
>> C = BE
>> SPKAC =
>
> -------------------------------------------------------
> _______________________________________________
> Openca-Users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/openca-users
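As an added illustration (it is not part of the thread and not OpenCA's own configuration), the openssl.cnf fragment below puts Johnny's three steps together and also bears on the renaming question above: OpenSSL addresses standard attribute types by its own short names (postalCode, street, title, and so on), not by the id-at-* labels of the OID registry, so those need no [ new_oids ] entry at all; only a genuinely private attribute such as nit does. It also shows why the quoted "v2i_GENERAL_NAME:unsupported option" error appeared: subjectAltName accepts only GeneralName types, so extra subject attributes belong in the DN, and whatever the policy section does not list is dropped at signing time. The OID 1.3.6.1.4.1.99999.1.1, the directory layout and the section names are placeholders chosen for this example.

```ini
# Added example (not from the thread): minimal openssl.cnf wiring a private
# attribute (nit) and two standard ones (postalCode, street) through
# request prompting, the CA policy, and the issued certificate's extensions.

# Must sit at the top level, before any [ section ], so that the short name
# 'nit' is known wherever an attribute name is expected (DN sections,
# policy sections, -subj strings).
oid_section = new_oids

[ new_oids ]
# short name = OID. Placeholder arc; use one your organisation owns.
# Do not reuse a name OpenSSL already defines (postalCode, street, title).
nit = 1.3.6.1.4.1.99999.1.1

[ req ]
distinguished_name = req_distinguished_name
prompt             = yes

[ req_distinguished_name ]
# key = prompt text shown when the request is created interactively.
countryName         = Country Name (2 letter code)
countryName_default = BE
organizationName    = Organization Name
commonName          = Common Name
postalCode          = Postal Code        # standard, 2.5.4.17, no new_oids entry
street              = Street Address     # standard, 2.5.4.9; note: ST is stateOrProvinceName
nit                 = Nit                # private attribute from [ new_oids ]

[ ca ]
default_ca = CA_default

[ CA_default ]
dir             = ./demoCA               # placeholder layout
database        = $dir/index.txt
new_certs_dir   = $dir/newcerts
certificate     = $dir/cacert.pem
private_key     = $dir/private/cakey.pem
serial          = $dir/serial
default_md      = sha256
default_days    = 365
policy          = policy_match
x509_extensions = user_ext

[ policy_match ]
# 'openssl ca' silently deletes any subject attribute not listed here
# (unless -preserveDN is given), so the extras must appear, even as optional.
countryName            = match
organizationName       = match
organizationalUnitName = optional
commonName             = supplied
emailAddress           = optional
postalCode             = optional
street                 = optional
nit                    = optional

[ user_ext ]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature, keyEncipherment
# subjectAltName takes only GeneralName types (email, DNS, URI, IP,
# otherName, ...). A bare attribute such as department:Bremen is what
# triggers "v2i_GENERAL_NAME:unsupported option". Data that really must
# live in the SAN has to be wrapped in an otherName with an OID, e.g.
#   subjectAltName = email:copy, otherName:1.3.6.1.4.1.99999.1.1;UTF8:<value>
subjectAltName   = email:copy
```

To check what will actually be signed, create a request with `-config` pointing at this file and a `-subj` string such as `/C=BE/O=Example/CN=Georg Lippold/postalCode=28203/nit=12345`, then inspect it with `openssl req -in req.pem -noout -subject`: the private attribute prints by its short name because the OID section was loaded. After `openssl ca -config openssl.cnf -in req.pem -out cert.pem`, `openssl x509 -in cert.pem -noout -subject` confirms that policy_match kept the extra attributes rather than dropping them.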
