Hi,

The -certopt command doesn't seem to be in either 0.9.6b or in the snapshot from Nov 13.
Is it available somewhere else? I'm wondering if there is a certTemplate for server as well as client.

- Rod

Dr S N Henson wrote:

> Alexey Kobozev wrote:
> >
> > > >
> > > > Hi, All!
> > > >
> > > > I'm having a problem generating the certificate which can be
> > > > used as client certificate on Windows XP. The problem is that
> > > > client certificate must have the special MS's proprietary
> > > > X509 V3 extension 'Certificate Template' with oid 1.3.6.1.4.1.311.20.2
> > > > and has to be treated as a string (similar to nsComment, for example).
> > > >
> > > > I've tried to add it to oid_section in the openssl.cnf, but it
> > > > doesn't work, because (afaik) these new oids are for the rvalue
> > > > only - I need lvalue.
> > > >
> > > > So, the question is how can I add such a non standard thing into
> > > > the newly generated cert?
> > > >
> > >
> > > Can you send me an example of a certificate with that extension.
> >
> > Sure. I've sent it to [EMAIL PROTECTED]
> >
>
> Thanks. The type of that extension is a BMPString not the IA5String that
> Netscape comment uses. In this case if you do
>
> openssl x509 -in a.cer -certopt ext_dump
>
> you get (among other things)
>
> 1.3.6.1.4.1.311.20.2:
>     0000 - 1e 08 00 55 00 73 00 65-00 72   ...U.s.e.r
>
> So if you add the oid you should be able to do:
>
> certTemplate=DER:1e:08:00:55:00:73:00:65:00:72
>
> This isn't particularly friendly but it should work. I might extend the
> unsupported extension syntax a bit so you can do things like:
>
> certTemplate=BMPString:User
>
> There's also an otherName extension in there which I've been meaning to
> add support for too...
>
> Steve.
> --
> Dr Stephen N. Henson.   http://www.drh-consultancy.demon.co.uk/
> Personal Email: [EMAIL PROTECTED]
> Senior crypto engineer, Gemplus: http://www.gemplus.com/
> Core developer of the   OpenSSL project: http://www.openssl.org/
> Business Email: [EMAIL PROTECTED] PGP key: via homepage.
>
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> User Support Mailing List                    [EMAIL PROTECTED]
> Automated List Manager                           [EMAIL PROTECTED]
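
The `DER:` workaround in the quoted reply works for any template string, not just "User". The Python below is an added example, not part of the thread or of OpenSSL: it builds the `certTemplate=DER:...` value from a string and decodes `ext_dump` bytes back for checking. The function names are hypothetical, and `certTemplate` is assumed to be registered for 1.3.6.1.4.1.311.20.2 in the config's OID section as the thread describes.

```python
# Added example: DER-encode an ASN.1 BMPString for use as an
# "unsupported extension" value (name=DER:xx:xx:...) in openssl.cnf.

BMPSTRING_TAG = 0x1E  # ASN.1 universal tag 30


def der_length(n: int) -> bytes:
    """DER definite length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def bmpstring_der(text: str) -> bytes:
    """Encode text as a DER BMPString (two bytes per character, big-endian)."""
    if any(ord(ch) > 0xFFFF or 0xD800 <= ord(ch) <= 0xDFFF for ch in text):
        raise ValueError("BMPString cannot hold characters outside the BMP")
    payload = text.encode("utf-16-be")
    return bytes([BMPSTRING_TAG]) + der_length(len(payload)) + payload


def conf_line(name: str, text: str) -> str:
    """Format the 'name=DER:..' line for the extension section."""
    return f"{name}=DER:" + ":".join(f"{b:02x}" for b in bmpstring_der(text))


def decode_bmpstring(der: bytes) -> str:
    """Parse a DER BMPString, e.g. the bytes shown by -certopt ext_dump."""
    if len(der) < 2 or der[0] != BMPSTRING_TAG:
        raise ValueError("not a BMPString")
    first = der[1]
    if first < 0x80:
        length, offset = first, 2
    else:
        count = first & 0x7F
        length, offset = int.from_bytes(der[2:2 + count], "big"), 2 + count
    payload = der[offset:]
    if len(payload) != length or length % 2:
        raise ValueError("length does not match payload")
    return payload.decode("utf-16-be")


if __name__ == "__main__":
    # Sample input taken from the reply above: the template string "User".
    print(conf_line("certTemplate", "User"))
```
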