On Fri, 2009-06-19 at 12:46 -0400, blain...@gdls.com wrote:
>
> Hi all,
>
> I read the section in the "documentation" about adding attributes to
> the certificate and I am still a little unclear. So I am hoping for a
> sanity check. I have 3 attributes I am adding but I'll just provide an
> example of one to give you an idea. I have added them to the
> browser_req.xml.template like so:
>
> Under User Data Section....
>
> <input>
>   <name>ADDITIONAL_ATTRIBUTE_EIN</name>
>   <label>Employee Number</label>
>   <type>textfield</type>
>   <charset>NUMERIC</charset>
>   <value></value>
>   <minlen>6</minlen>
>   <required>YES</required>
> </input>
>
> I'm not sure if it should be added to the DN or the SUBJALT section
> farther down in the template (or both)????????
>
> I then modified the server_req.xml.template (since we usually do
> server-side generation)
>
> <input>
>   <name>ADDITIONAL_ATTRIBUTE_EIN</name>
>   <label>employeeID</label>
>   <type>textfield</type>
>   <charset>NUMERIC</charset>
>   <value></value>
>   <minlen>6</minlen>
>   <required>YES</required>
> </input>
>
> ADDITIONAL_REQUEST_ATTRIBUTES "requestercn" "email" "employeeID"
> "company" "department" "telephone" "citizenship"
> ADDITIONAL_ATTRIBUTES_DISPLAY_VALUE "Name (first and Last name)"
> "Email" "Employee Number" "Company" "Department" "Telephone"
> "Citizenship"
> ADDITIONAL_REQUEST_ATTRIBUTES_STRING_TYPE "LATIN1_LETTERS" "EMAIL"
> "NUMERIC" "LATIN1_LETTERS" "LATIN1_LETTERS" "LATIN1_LETTERS"
> "LATIN1_LETTERS"
>
> Similar changes were made to servers/pub.conf.template
>
> I made the following to servers/ra.conf.template
>
> DN_TYPE_SPKAC_ELEMENTS "emailAddress" "CN" "OU" "DC" "DC" "DC"
> "employeeID" "company" "citizenship"
>
> DN_TYPE_SPKAC_ELEMENT_4 "Employee Number"
> DN_TYPE_SPKAC_ELEMENT_4_MINIMUM_LENGTH 6
> DN_TYPE_SPKAC_ELEMENT_4_REQUIRED "YES"
> DN_TYPE_SPKAC_ELEMENT_4_CHARACTERSET "NUMERIC"
>
> DN_TYPE_IE_ELEMENTS "emailAddress" "CN" "OU" "DC" "DC" "DC"
> "employeeID" "company" "citizenship"
>
> DN_TYPE_IE_ELEMENT_4 "Employee Number"
> DN_TYPE_IE_ELEMENT_4_MINIMUM_LENGTH 6
> DN_TYPE_IE_ELEMENT_4_REQUIRED "YES"
> DN_TYPE_IE_ELEMENT_4_CHARACTERSET "NUMERIC"
>
> Similar changes were made to servers/ca.conf.template
>
> Then I went into the openssl.cnf stuff modifying the specific profile
> as (in this case VPN_User.conf.template):
>
> [ new_oids ]
>
> pseudonym=2.5.4.65
> domainComponent=0.9.2342.19200300.100.1.25
> employeeID=1.3.6.1.4.1.5643.2.0.4
> citizenship=1.3.6.1.5.5.7.9.4
> company=1.2.840.113549.1.9.2
>
> [ req_attributes ]
>
> employeeID = Employee Number (eg, EIN)
> employeeID_max = 6
>
> citizenship = country of Citizenship
> ctizenship_max = 2
>
> company
>
> Does that look like I'm on the right path???? Am I missing something or doing
> anything wrong?
<snip>

I'm quite out of my depth here so I'll ask more questions than give answers. I assume all the additional fields will be usable even in non-standard because of your addition of oids for them. That's not anything I've ever attempted.

I don't think you want to edit server_req.xml.template for server side key generation. I believe that is for when you are providing a PKCS#10 request generated by the requestor. We do server side key generation using browser_req.xml.

I'm guessing since these are non-standard fields, putting them in DN or SubjAltName will depend on how your application is going to use them. That is a guess :)

In ra.conf, are the element numbers in order of the element list? Thus SPAK_ELEMENT_4 in your case would be the first DC field I believe.

Sorry I can't be more definitive but I hope this helps - John

--
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsulli...@opensourcedevel.com

http://www.spiritualoutreach.com
Making Christianity intelligible to secular society

_______________________________________________
Openca-Users mailing list
Openca-Users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openca-users