Hi Steve,

You're right, thanks for pointing me to the openssl.txt file. There really should be a link to this file on the openssl.org pages. It's a great doc, kudos, but I could only find it by searching Google for "openssl.txt".
When printing the certificate with openssl x509 -in cert.pem -text, the extension values indeed looked the way they were supposed to. MS IE5 interprets the certificate in another way, as if it were supposed to support all certificate usages. Limiting certificate usage (at least according to IE5) can be done by adding a line to the proper extension sections:

extendedKeyUsage=serverAuth,msSGC,codeSigning

or something like that. It's a pity this line and comments on it are missing in the default openssl.cnf file that comes with Mandrake (and many other distros, I guess).

Best regards,
Huibert

Quoting Dr S N Henson <[EMAIL PROTECTED]>:

> Huibert Kivits wrote:
> >
> > According to the documentation, if one does not mention any extensions section
> > in the command above, the x509_extensions section is used. Which leads to the
> > v3_ca section. In the end, I had everything linked to this section:
> > extensions = v3_ca
> > In the [CA_default] and the [req] section:
> > x509_extensions = v3_ca
> >
> > BTW: we also tried the -extensions option in the command.
> >
> > This v3_ca section now contains the following details:
> > basicConstraints = critical, CA:true
> > keyUsage = cRLSign, keyCertSign
> > nsCertType = sslCA, objCA
> > subjectAltName=email:copy
> > issuerAltName=issuer:copy
> >
> > Still, we get certificates that can be used for a lot of purposes.
> > A test public root certificate is enclosed.
> >
> > As I mentioned in the response:
> > >
> > > When you add a CA certificate manually then you get to choose between
> > > all possible usages. You can restrict this using the extended key usage
> > > extension.
> > >
>
> So I suggest you try some extended key usage values and see if that
> works, syntax in doc/openssl.txt
>
> Steve.
> --
> Dr Stephen N. Henson. http://www.drh-consultancy.demon.co.uk/
> Personal Email: [EMAIL PROTECTED]
> Senior crypto engineer, Gemplus: http://www.gemplus.com/
> Core developer of the OpenSSL project: http://www.openssl.org/
> Business Email: [EMAIL PROTECTED] PGP key: via homepage.
> ______________________________________________________________________
> OpenSSL Project http://www.openssl.org
> User Support Mailing List [EMAIL PROTECTED]
> Automated List Manager [EMAIL PROTECTED]
> ______________________________________________________________________
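The exchange above boils down to a three-line procedure: put an extendedKeyUsage line in the v3_ca section of openssl.cnf, generate the CA certificate with that section, and read the extension back with openssl x509 -text before trusting what a browser's UI shows. The script below is an added example, written for this page; it is not code from either poster or from the OpenSSL project. The config file it writes, the CN, the key size and the temp-directory layout are assumptions chosen for the demo. It uses serverAuth and codeSigning only; the msSGC value Huibert mentions is a Microsoft-specific OID that is left out here to keep the example portable across OpenSSL builds.

```shell
#!/bin/sh
# Added example (not from the original thread): build a self-signed CA
# whose v3_ca section carries extendedKeyUsage, then read the EKU back
# out of the certificate with `openssl x509 -text`.
set -e

# Write a minimal openssl.cnf (constructed for this example) to the path
# given as $1. The v3_ca section mirrors the one in the thread, plus the
# extendedKeyUsage line that the default distro config lacks.
write_cnf() {
    cat > "$1" <<'EOF'
[ req ]
distinguished_name = req_dn
x509_extensions    = v3_ca
prompt             = no

[ req_dn ]
CN = Example Restricted Test CA

[ v3_ca ]
basicConstraints     = critical, CA:true
keyUsage             = cRLSign, keyCertSign
nsCertType           = sslCA, objCA
subjectKeyIdentifier = hash
# The line the poster found missing from the shipped openssl.cnf:
extendedKeyUsage     = serverAuth, codeSigning
EOF
}

# Generate a key and self-signed certificate in directory $1 using the
# config above. -extensions names the section explicitly, which is the
# same thing the poster tried on the command line.
make_ca() {
    dir="$1"
    write_cnf "$dir/openssl.cnf"
    openssl req -new -x509 -newkey rsa:2048 -nodes -days 30 \
        -config "$dir/openssl.cnf" -extensions v3_ca \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null
}

# Print the value line of the Extended Key Usage extension of the PEM
# certificate $1, exactly as `openssl x509 -text` renders it (the line
# after the "X509v3 Extended Key Usage:" header), leading blanks stripped.
eku_of() {
    openssl x509 -in "$1" -noout -text \
        | sed -n '/X509v3 Extended Key Usage/{n;p;}' \
        | sed 's/^[[:space:]]*//'
}

# Stand-alone run: generates the CA in a temp dir and prints its EKU line,
# e.g. "TLS Web Server Authentication, Code Signing".
demo() {
    tmp=$(mktemp -d)
    make_ca "$tmp"
    eku_of "$tmp/ca.pem"
    rm -rf "$tmp"
}

if [ "${1:-}" = "--run" ]; then
    demo
fi
```

Run it as `sh restricted_ca.sh --run`. The check that matters is the one eku_of performs: if the line comes back empty, the extension never made it into the certificate, and no amount of browser configuration will fix that. One caveat for practitioners: RFC 5280 defines extendedKeyUsage for end-entity certificates, and placing it in a CA certificate is a Microsoft convention (the chain builder treats the CA's EKU as a limit on what its issued certificates may be used for); other validators may ignore it or, if marked critical, reject the chain, so test with every client you intend to support.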