I have a guess:

From openssl.cnf:


####################################################################
[ ca ]

default_ca  = foo                  # The default ca section

####################################################################
[foo]

dir             = <snip>                  # Where everything is kept
certs           = $dir/certs              # Where the issued certs are kept
crl_dir         = $dir/crl                # Where the issued crl are kept
database        = $dir/index.txt          # database index file.
new_certs_dir   = $dir/newcerts           # default place for new certs.

certificate     = $dir/cacert.pem         # The CA certificate
serial          = $dir/serial             # The current serial number
crl             = $dir/crl.pem            # The current CRL
private_key     = $dir/private/cakey.pem  # The private key
RANDFILE        = $dir/private/.rand      # private random number file


x509_extensions = usr_cert                # The extensions to add to the cert

^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
For the ca command using the ca "foo" (which it will use, because of
the line "default_ca  = foo", unless you use
"openssl ca -name [another ca name]"), the extensions will come from
the [usr_cert] section.

Modify the line above to read
x509_extensions = server_cert

and then the ca named "foo" will look for extensions in the
[server_cert] section

Best of luck.

-Mike



Roberto Lopez Navarro wrote:
> 
> Well folks, I have found something curious. I have already signed my server
> cert, but something strange happened.... the ca utility always used the
> "user_cert" profile for adding extensions when signing.
> 
> Although I insisted on using the "server_cert" profile, somehow it did not
> work. But if I modified the "user_cert" profile just to make it a fake
> "server_cert" profile (i.e., nsCertType = server), it worked.
> 
> Anybody have a hint about this behaviour?
> Thanx
> --------------------------------------------
> Roberto López Navarro
> [mailto:[EMAIL PROTECTED]]
> SGI Soluciones Globales Internet
> [http://www.esegi.es]
> Tel. +34 91 806 46 40
> Fax. +34 91 806 46 41
> --------------------------------------------
> 
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> User Support Mailing List                    [EMAIL PROTECTED]
> Automated List Manager                           [EMAIL PROTECTED]
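
The lookup described in the reply, as an added example that is not part of the original thread or of OpenSSL's own code: it resolves which extension section "openssl ca" would use from default_ca and x509_extensions, and models the ca command's -name and -extensions options as overrides (-extensions is a real option the thread does not mention). The [bar] section, the paths, the function names and the simplified '#' comment handling are assumptions made for illustration.

```python
import re

# Constructed sample mirroring the layout quoted above (paths are placeholders).
SAMPLE_CNF = """\
[ ca ]
default_ca  = foo                  # The default ca section

[foo]
dir             = ./demoCA         # placeholder path
x509_extensions = usr_cert         # The extensions to add to the cert

[ bar ]
x509_extensions = server_cert

[ usr_cert ]
nsCertType = client, email

[ server_cert ]
nsCertType = server
"""

def parse_cnf(text):
    """Parse section -> {key: value}, stripping '#' comments and whitespace."""
    sections, current = {}, "default"
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # simplification: no quoted '#'
        if not line:
            continue
        m = re.fullmatch(r"\[\s*(\w+)\s*\]", line)
        if m:                                  # section header, e.g. "[ ca ]"
            current = m.group(1)
            sections.setdefault(current, {})
            continue
        key, sep, value = line.partition("=")
        if sep:
            sections.setdefault(current, {})[key.strip()] = value.strip()
    return sections

def resolve_extensions(text, name=None, extensions=None):
    """Return (ca_section, extension_section, extension_values)."""
    cnf = parse_cnf(text)
    ca_section = name or cnf.get("ca", {}).get("default_ca")    # -name wins
    if ca_section not in cnf:
        raise KeyError(f"CA section {ca_section!r} not found")
    ext_section = extensions or cnf[ca_section].get("x509_extensions")
    if ext_section is not None and ext_section not in cnf:
        raise KeyError(f"extension section {ext_section!r} not found")
    return ca_section, ext_section, cnf.get(ext_section, {})
```

Running resolve_extensions over a real openssl.cnf before signing shows which profile a request will receive without issuing a certificate first.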