Paul Keogh wrote:
>
> > xenroll control has KeySpec property that you can specify
> > before CreatePKCS10():
> > xenroll.KeySpec = 1 ' AT_KEYEXCHANGE
> > xenroll.KeySpec = 2 ' AT_SIGNATURE
> >
>
> Interesting. Anyone know the attribute syntax and OID used to carry this
> information in the generated PKCS#10 ?
>
Yes.
Oh you wanted to know the details too :-)
The latest OpenSSL snapshot can handle this, the 'req' program can now
parse and print extensions in certificate requests.
Basically there is an attribute which is a SEQUENCE OF Extension (using
X509/PKIX extensions). It uses the OID 1.3.6.1.4.1.311.2.1.14 for
Xenroll generated requests, there are a few other OIDs in use of which
pkcs-9,14 is now in the draft PKCS#9 revision so that's the nearest to a
"standard".
Anyway so far I've seen two separate extensions used. One is keyUsage
which has the digitalSignature and keyEncipherment bits set based on the
keyspec.
The OIDs you pass to the createPKCS10 method end up appearing verbatim
in an extended key usage extension in the request.
Steve.
--
Dr Stephen N. Henson. http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED]
Senior crypto engineer, Celo Communications: http://www.celocom.com/
Core developer of the OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED] PGP key: via homepage.
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
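
The attribute layout described in the message above, walked with a minimal DER reader in Python. This is an added example, not code from the thread or from OpenSSL; the sample bytes are constructed, and the function names and the clientAuth OID used in the extended key usage are assumptions made for the illustration.

```python
# Constructed sample (not taken from a real request): one PKCS#10 attribute of
# type 1.3.6.1.4.1.311.2.1.14 whose value is a SEQUENCE OF Extension holding
# keyUsage (digitalSignature, keyEncipherment) and extKeyUsage (clientAuth).
SAMPLE_ATTR = bytes.fromhex(
    "3032060a2b06010401823702010e31243022"
    "300b0603551d0f0404030205a0"
    "30130603551d25040c300a06082b06010505070302")
KU_BITS = ("digitalSignature nonRepudiation keyEncipherment dataEncipherment "
           "keyAgreement keyCertSign cRLSign encipherOnly decipherOnly").split()

def children(buf):
    """Split DER bytes into the (tag, value) pairs they contain."""
    out, pos = [], 0
    while pos < len(buf):
        tag, length, pos = buf[pos], buf[pos + 1], pos + 2
        if length & 0x80:  # long form: low 7 bits count the length bytes
            n = length & 0x7F
            length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
        if pos + length > len(buf):
            raise ValueError("truncated DER")
        out.append((tag, buf[pos:pos + length]))
        pos += length
    return out

def oid(val):
    """Decode OID content bytes to dotted notation."""
    arcs, n = [], 0
    for b in val:
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(n)
            n = 0
    first = min(arcs[0] // 40, 2)
    return ".".join(map(str, [first, arcs[0] - 40 * first] + arcs[1:]))

def parse_ext_request(attr):
    """Return (attribute OID, {extension OID: decoded value})."""
    (_, attr_oid), (_, value_set) = children(children(attr)[0][1])
    found = {}
    for _, ext in children(children(value_set)[0][1]):  # SET -> Extensions
        fields = children(ext)  # extnID, optional critical, extnValue
        ext_oid, payload = oid(fields[0][1]), children(fields[-1][1])[0][1]
        found[ext_oid] = payload.hex()  # default: raw extnValue content
        if ext_oid == "2.5.29.15":  # keyUsage BIT STRING, bit 0 is the MSB
            bits = "".join(f"{b:08b}" for b in payload[1:])
            found[ext_oid] = [k for k, b in zip(KU_BITS, bits) if b == "1"]
        elif ext_oid == "2.5.29.37":  # extKeyUsage: SEQUENCE OF OID
            found[ext_oid] = [oid(v) for _, v in children(payload)]
    return oid(attr_oid), found
```

A CA-side check can compare the decoded keyUsage and extended key usage against its issuance policy rather than copying requested extensions into the certificate unchanged.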