Michael wrote:
>
>
> Thanks for replying, I have all the above. I've even had requests for
> what I've accumulated. However, a comprehensive description of the
> config items and their proper usage is badly needed for some of us
> openssl or ssleay to do more than simply generate CSRs and keys. In
> particular, the new x509_extensions are particularly troublesome
> because they cause some clients to not function properly if
> incorrectly included in certificates. I can't find any description of
> x509_extensions attributes or their use.
>
There is a reference in the documentation to PKIX, which is now RFC2459,
which gives descriptions of X509V3 extensions and their use. If you
combine that with the documentation in openssl.txt it might make a bit
more sense.
The other reference:
http://home.netscape.com/eng/security/certs.html
includes a description of Netscape's handling.
As for other clients it depends. Manufacturers tend to be reluctant to
mention if their product doesn't do proper extension checking because it
is a major security hole (and several do not). Some mention supporting
extensions which they either don't support at all or interpret
incorrectly.
In general there are very few extensions that need to be set. A bare
minimum would be just basicConstraints. As the documentation says you
should have CA:TRUE for CA certificates and CA:FALSE for end user
certificates. That's enough for almost all purposes: it's only when you
want to restrict the usage of the certificates that the other extensions
need to be set.
I can include a "typical values" section in the main documentation if
that would help.
Steve.
--
Dr Stephen N. Henson. http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED]
Senior crypto engineer, Celo Communications: http://www.celocom.com/
Core developer of the OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED] PGP key: via homepage.
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
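As an added example (not code from this thread or from the OpenSSL project), the two x509_extensions sections Steve describes, applied to a self-signed CA (CA:TRUE) and an end-entity certificate (CA:FALSE), followed by the check a client that does proper extension checking performs: a certificate issued under the CA:FALSE key is refused. The section names v3_ca and v3_end, the subject names and the temporary paths are assumptions; the openssl command line tool must be installed.

```shell
# Added example, not from the original thread or the OpenSSL project.
# Assumed names: v3_ca / v3_end sections, "Example CA", "leaf", "rogue".
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

cat > "$WORK/ext.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
[ v3_ca ]
basicConstraints = critical, CA:TRUE
[ v3_end ]
basicConstraints = critical, CA:FALSE
EOF

KEYOPTS="-newkey rsa:2048 -nodes"
# Self-signed CA carrying basicConstraints CA:TRUE
openssl req -x509 $KEYOPTS -keyout "$WORK/ca.key" -out "$WORK/ca.pem" -days 30 \
  -subj "/CN=Example CA" -config "$WORK/ext.cnf" -extensions v3_ca >/dev/null 2>&1
# End-entity certificate signed by the CA, carrying CA:FALSE
openssl req -new $KEYOPTS -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" \
  -subj "/CN=leaf" -config "$WORK/ext.cnf" >/dev/null 2>&1
openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
  -CAcreateserial -out "$WORK/leaf.pem" -days 30 \
  -extfile "$WORK/ext.cnf" -extensions v3_end >/dev/null 2>&1
# A certificate the end-entity key signs as though it were a CA
openssl req -new $KEYOPTS -keyout "$WORK/rogue.key" -out "$WORK/rogue.csr" \
  -subj "/CN=rogue" -config "$WORK/ext.cnf" >/dev/null 2>&1
openssl x509 -req -in "$WORK/rogue.csr" -CA "$WORK/leaf.pem" -CAkey "$WORK/leaf.key" \
  -CAcreateserial -out "$WORK/rogue.pem" -days 30 \
  -extfile "$WORK/ext.cnf" -extensions v3_end >/dev/null 2>&1

# ca_flag FILE: prints the CA:TRUE / CA:FALSE value from basicConstraints
ca_flag() { openssl x509 -in "$1" -noout -text | grep -o 'CA:[A-Z]*'; }
# verify_leaf: end-entity chains to the CA -> prints ok
verify_leaf() {
  if openssl verify -CAfile "$WORK/ca.pem" "$WORK/leaf.pem" >/dev/null 2>&1; then echo ok; else echo fail; fi
}
# verify_rogue: a verifier that honours basicConstraints rejects the
# CA:FALSE leaf as an issuer ("invalid CA certificate") -> prints fail
verify_rogue() {
  if openssl verify -CAfile "$WORK/ca.pem" -untrusted "$WORK/leaf.pem" "$WORK/rogue.pem" >/dev/null 2>&1; then echo ok; else echo fail; fi
}
echo "ca=$(ca_flag "$WORK/ca.pem") leaf=$(ca_flag "$WORK/leaf.pem") leaf:$(verify_leaf) rogue:$(verify_rogue)"
```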