Raul Gutierrez wrote:
> I want to add some fields to the certificate that I want to create; for
> example, I want to put
> in the certificate the date of birth of the person that requests a
> certificate.
We had the same problem - where to put something different than "usual"
data like country, organization, etc. It was a registration number in
our case.
We tried to stick to standards - especially RFC 2459 Internet X.509
Public Key Infrastructure, Certificate and CRL Profile. At the same
time, we tried to be correct from the LDAP point of view - to choose the
Subject attributes as attributes of a defined object class. Finally, we
wanted all the attributes to be visible in ordinary browsers - Netscape
and MSIE.
Unfortunately, those conditions turned out to be contradictory. We
decided to give priority to RFC 2459 and chose an attribute from those
that should be supported by implementations conforming to the RFC:
Country
Organization
OU
dnQualifier
ST
CN
L
Title
Surname
GivenName
Initials
GenerationQualifier
We chose dnQualifier as the "right" place for the registration number.
It has one disadvantage - the value is not visible in the View
Certificate function in Netscape. MSIE is happy with it.
Technically, you have to edit openssl.cnf. See below:
#
# OpenSSL example configuration file.
# This is mostly being used for generation of certificate requests.
#
RANDFILE = $ENV::HOME/.rnd
oid_file = $ENV::HOME/.oid
oid_section = new_oids
[ new_oids ]
# We can add new OIDs in here for use by 'ca' and 'req'.
# Add a simple OID like this:
# testoid1=1.2.3.4
#
# The OpenSSL releases of the time did not know the RFC 2459 name
# attributes by name, so they were registered here under their X.520
# OIDs. Current OpenSSL (1.1.0 and later) already defines them as
# dnQualifier, surname (short name SN), givenName (GN), initials and
# generationQualifier, and refuses to register a name that already
# exists ("oid exists"), so the file fails to load. Keep these lines
# commented out there; uncomment them only on an old release that
# lacks the names.
#dnQualifier = 2.5.4.46
#surname = 2.5.4.4
#givenName = 2.5.4.42
#initials = 2.5.4.43
#generationQualifier = 2.5.4.44
# Or use config file substitution like this:
# testoid2=${testoid1}.5.6
.....
# For the CA policy
[ policy_match ]
countryName = match
stateOrProvinceName = match
localityName = optional
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
# The attribute names below must be ones OpenSSL can resolve (built in,
# or registered in new_oids): 'surname', not 'surName'.
dnQualifier = optional
surname = optional
givenName = optional
initials = optional
generationQualifier = optional
# For the 'anything' policy
# At this point in time, you must list all acceptable 'object'
# types: 'openssl ca' silently drops any subject attribute that the
# policy section does not name.
[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
dnQualifier = supplied
surname = supplied
givenName = supplied
initials = supplied
generationQualifier = supplied
####################################################################
[ req ]
# The original post used 512 bits, which is far too small today;
# 2048 is the minimum worth generating.
default_bits = 2048
default_keyfile = privkey.pem
distinguished_name = req_distinguished_name
attributes = req_attributes
x509_extensions = v3_ca # The extensions to add to the self signed cert
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = CZ
stateOrProvinceName = State or Province Name (full name)
localityName = Locality Name (eg, city)
0.organizationName = Organization Name (eg, company)
# we can do this but it is not needed normally :-)
#1.organizationName = Second Organization Name (eg, company)
#1.organizationName_default = World Wide Web Pty Ltd
organizationalUnitName = Organizational Unit Name (eg, section)
0.commonName = Common Name (eg, YOUR name)
0.commonName_max = 64
emailAddress = Email Address
emailAddress_max = 40
# The registration number goes into dnQualifier; the text is the prompt
# shown to the user, the _default the value taken when Enter is pressed.
dnQualifier = Reg.Number (123456789)
dnQualifier_default = 76543289
surname = Surname
givenName = Given Name
initials = Initials
generationQualifier = Generation Qualifier (eg, Jr.)
# SET-ex3 = SET extension number 3
.....
Best regards,
--
Vlasta Joskova <[EMAIL PROTECTED]>
ICZ a.s.
Zirovnicka 6/3133
106 00 Praha 10, Czech Republic
Tel.: +420(2)7276 0326
Fax : +420(2)7276 0322
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
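The flow described in the message above, as an added example that is not code from the original post or from the OpenSSL project: a throwaway CA whose policy section demands a registration number in dnQualifier, a request carrying dnQualifier, surname and givenName, and a read-back of what the issued certificate actually contains. It assumes only the openssl command-line tool (1.1.1 or 3.x); the organization, person, registration number and directory layout are constructed for the demo.

```shell
#!/bin/sh
# Added example, not code from the original post. Shows 'req' and 'ca'
# handling the RFC 2459 name attributes the post discusses, using only
# the openssl CLI (1.1.1 or 3.x). All names, paths and numbers below are
# constructed for the demo.
set -eu

# One openssl.cnf for both 'req' and 'ca'. Every subject attribute we
# want to keep must be named in the policy section: 'openssl ca'
# silently drops attributes the policy does not mention.
write_cnf() {
  dir=$1
  cat > "$dir/openssl.cnf" <<EOF
[ ca ]
default_ca = demo_ca
[ demo_ca ]
database = $dir/index.txt
new_certs_dir = $dir/newcerts
serial = $dir/serial
certificate = $dir/ca.crt
private_key = $dir/ca.key
default_md = sha256
default_days = 365
policy = policy_regnumber
[ policy_regnumber ]
countryName = match
organizationName = match
commonName = supplied
# the registration number is mandatory: a request without it is refused
dnQualifier = supplied
surname = optional
givenName = optional
[ req ]
prompt = no
distinguished_name = req_dn
[ req_dn ]
CN = placeholder
EOF
}

# Create the CA key/cert and the database files 'openssl ca' expects.
setup_demo_ca() {
  dir=$1
  mkdir -p "$dir/newcerts"
  : > "$dir/index.txt"
  echo 01 > "$dir/serial"
  write_cnf "$dir"
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -config "$dir/openssl.cnf" -subj "/C=CZ/O=Example Org/CN=Demo CA" \
    -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
}

# Request for one person: $2 = registration number, $3 = surname,
# $4 = given name. SN and GN are OpenSSL's short names for surname and
# givenName; dnQualifier is its own short name.
make_request() {
  dir=$1 regno=$2 sn=$3 gn=$4
  openssl req -new -newkey rsa:2048 -nodes -config "$dir/openssl.cnf" \
    -subj "/C=CZ/O=Example Org/CN=$gn $sn/SN=$sn/GN=$gn/dnQualifier=$regno" \
    -keyout "$dir/$regno.key" -out "$dir/$regno.csr" 2>/dev/null
}

# Sign the request and print the dnQualifier value found in the issued
# certificate (read back with RFC 2253 name formatting).
issue_and_read_regnumber() {
  dir=$1 regno=$2
  openssl ca -batch -notext -config "$dir/openssl.cnf" \
    -in "$dir/$regno.csr" -out "$dir/$regno.crt" 2>/dev/null
  openssl x509 -in "$dir/$regno.crt" -noout -subject -nameopt RFC2253 \
    | sed -n 's/.*dnQualifier=\([^,]*\).*/\1/p'
}

# Negative case: a request with no dnQualifier must be rejected by the
# 'supplied' rule. Returns 0 when the CA refused it, 1 if it issued.
ca_rejects_missing_regnumber() {
  dir=$1
  openssl req -new -newkey rsa:2048 -nodes -config "$dir/openssl.cnf" \
    -subj "/C=CZ/O=Example Org/CN=No Number" \
    -keyout "$dir/nonumber.key" -out "$dir/nonumber.csr" 2>/dev/null
  if openssl ca -batch -notext -config "$dir/openssl.cnf" \
       -in "$dir/nonumber.csr" -out "$dir/nonumber.crt" 2>/dev/null; then
    return 1
  fi
  return 0
}

# Demo run with constructed values.
demo=$(mktemp -d)
setup_demo_ca "$demo"
make_request "$demo" 76543289 Novak Jan
echo "dnQualifier in issued cert: $(issue_and_read_regnumber "$demo" 76543289)"
ca_rejects_missing_regnumber "$demo" && echo "request without dnQualifier refused"
rm -rf "$demo"
```

Two behaviours of 'openssl ca' are worth knowing when you rely on this: it rebuilds the subject in the order of the policy section rather than the order of the request (pass -preserveDN to keep the request's order), and any attribute the policy does not list never reaches the certificate, which is why the original message enumerates every attribute in policy_anything.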