GOMEZ Henri wrote:
>
> Hi.
>
> Since openssl 0.9.3, ca-fix seems to be no longer supported.
> Since I've got to generate CA cert and user certs (with pkcs12), I use a
> script
> modified from mca.sh found in mod_ssl.
>
> Question: How did I replace patches with ca-fix?
>
> Thanks
>
The way you have things set up, you can use the -extfile option to 'x509' to
add extensions at the same time as you use 'x509' to sign a request.
What you need to do is to generate a temporary config file with the
required extensions in it. For example:
> $cafix \
> -caset \
> -nscertype 0x07 \
> -nobscrit \
> -pathlen 0 \
> -in $sslcrtdir/ca.crt \
> -inkey $sslkeydir/ca.key \
> -out $sslcrtdir/ca-new.crt
>
becomes:
basicConstraints=CA:TRUE,pathlen:0
nsCertType=sslCA,emailCA,objCA
and:
> $cafix \
> -nscertype 0xB0 \
> -nobscrit \
> -pathlen 0 \
> -in $sslcrtdir/$user.crt \
> -inkey $sslkeydir/$user.key \
> -nosign \
> -out $sslcrtdir/$user-tmp.crt
probably means:
nsCertType=client, email, objsign
basicConstraints=CA:FALSE
The actual extensions ca-fix would generate for this command line are
contradictory: pathlen is only used in CA certificates, but the Netscape
certificate type options say it is a client certificate.
Steve.
--
Dr Stephen N. Henson. http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED]
Senior crypto engineer, Celo Communications: http://www.celocom.com/
Core developer of the OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED] PGP key: via homepage.
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
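The procedure Steve outlines, carried through end to end as an added example (this is not code from the thread, from mod_ssl's mca.sh or from the OpenSSL project): one config file holds the extension sections that replace the two ca-fix invocations, 'openssl x509 -extfile ... -extensions ...' attaches them while signing, and a grep over the textual dump confirms what landed in each certificate. The section names ca_cert and user_cert, the file names, the subjects and the 365-day validity are assumptions; the [req]/[dn] part is only there so 'openssl req' runs without a system openssl.cnf. The pathlen option is dropped from the user certificate section, since the message explains it is meaningless outside a CA certificate.

```shell
#!/bin/sh
# Added example, not from the original thread: the ca-fix post-processing step
# replaced by an extension config fed to 'openssl x509 -extfile', as suggested.
# File names, subjects and the section names ca_cert/user_cert are assumptions.
set -eu

# One config file serves both 'openssl req' ([req]/[dn]) and the
# -extfile/-extensions options of 'openssl x509'.
write_extfile() { # $1 = path of the config file to create
    cat > "$1" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no

[ dn ]
CN = placeholder

# replaces: cafix -caset -nscertype 0x07 -nobscrit -pathlen 0 ...
[ ca_cert ]
basicConstraints=CA:TRUE,pathlen:0
nsCertType=sslCA,emailCA,objCA

# replaces: cafix -nscertype 0xB0 -nobscrit ... (no pathlen: not a CA)
[ user_cert ]
basicConstraints=CA:FALSE
nsCertType=client,email,objsign
EOF
}

# Self-signed CA: the request is signed with its own key and the CA
# extensions are attached in the same 'x509' run.
make_ca() { # $1 = workdir, $2 = config file
    openssl req -config "$2" -new -newkey rsa:2048 -nodes \
        -keyout "$1/ca.key" -out "$1/ca.csr" -subj "/CN=Example Test CA"
    openssl x509 -req -in "$1/ca.csr" -signkey "$1/ca.key" -days 365 \
        -extfile "$2" -extensions ca_cert -out "$1/ca.crt"
}

# User certificate signed by the CA, carrying the client-type extensions.
make_user_cert() { # $1 = workdir, $2 = config file, $3 = user name
    openssl req -config "$2" -new -newkey rsa:2048 -nodes \
        -keyout "$1/$3.key" -out "$1/$3.csr" -subj "/CN=$3"
    openssl x509 -req -in "$1/$3.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
        -CAcreateserial -days 365 -extfile "$2" -extensions user_cert \
        -out "$1/$3.crt"
}

# True if the certificate's textual dump contains the given fixed string,
# e.g. "CA:FALSE" or "SSL Client, S/MIME, Object Signing".
has_extension() { # $1 = certificate file, $2 = fixed string to look for
    openssl x509 -in "$1" -noout -text | grep -qF -- "$2"
}

# Build the CA and one user certificate in a directory and verify the chain.
build_demo() { # $1 = workdir
    cnf="$1/extensions.cnf"
    write_extfile "$cnf"
    make_ca "$1" "$cnf"
    make_user_cert "$1" "$cnf" "alice"
    openssl verify -CAfile "$1/ca.crt" "$1/alice.crt" >/dev/null
}

# Usage: sh this.sh [workdir]  (a temporary directory is used by default)
main() {
    dir=${1:-$(mktemp -d)}
    build_demo "$dir"
    for c in ca alice; do
        echo "== $dir/$c.crt"
        openssl x509 -in "$dir/$c.crt" -noout -text \
            | grep -A1 -E 'Basic Constraints|Netscape Cert Type'
    done
}
main "$@"
```

The dump of ca.crt should show "CA:TRUE, pathlen:0" and "SSL CA, S/MIME CA, Object Signing CA", and alice.crt "CA:FALSE" with "SSL Client, S/MIME, Object Signing"; if a pathlen ever turns up in the user certificate, the wrong section was passed to -extensions.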