Hello,
I am trying to get my CA to issue a user certificate with the privateKeyUsagePeriod extension (2.5.29.16). This extension includes a notBefore and notAfter GeneralizedTime attribute. I saw in the openssl.cnf file that I can specify attributes with DER encoded data. I tried this for 2.5.29.16 in my x509_extensions section but it got encoded into the certificate as an OCTET STRING.


 In the new_oids section I added:
privateKeyUsagePeriod=2.5.29.16

In the section referenced as the x509_extensions from the 'CA' section I have:
keyUsage = critical,digitalSignature:true
2.5.29.16 = DER:30:1E:17:0D:30:34:31:30:32:32:30:39:34:32:30:31:5A:17:0D:30:35:30:31:32:32:30:39:34:32:30:31:5A


As you can see this is the exact data that I would have expected to see in the certificate for the 2.5.29.16 extension, but in the cert just after the DER encoded OID is
04:20:30:1E....5A


I don't really want to see the 04:20 as it is not what I would have expected.
Secondly is there a way to specify additional extensions from the command line? The privateKeyUsagePeriod should be specified by the user p10 request because I don't want to edit my openssl.cnf file for each certificate.


Thanks for any help available.

Craig.

--



______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
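
The encoding described in the message above, as an added example that is not part of the original post or of OpenSSL: it rebuilds the certificate's Extension structure around the posted DER value to show where the 04:20 bytes come from, and lists the tags inside the posted value next to those of a PrivateKeyUsagePeriod built with context-tagged GeneralizedTime fields. It assumes the Extension layout of RFC 5280 and the PrivateKeyUsagePeriod definition of RFC 3280; the helper names and the four-digit-year timestamps are constructed for illustration.

```python
# Added example. Minimal DER helpers; short-form lengths (< 128) suffice here.
def tlv(tag: int, value: bytes) -> bytes:
    if len(value) > 127:
        raise ValueError("long-form length not supported in this sketch")
    return bytes([tag, len(value)]) + value

def parse_tlvs(data: bytes) -> list:
    """Split data into (tag, value) pairs, rejecting truncated input."""
    out, i = [], 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] > 127:
            raise ValueError("truncated or long-form TLV")
        end = i + 2 + data[i + 1]
        if end > len(data):
            raise ValueError("value runs past end of input")
        out.append((data[i], data[i + 2:end]))
        i = end
    return out

# DER value exactly as given on the post's openssl.cnf line.
POSTED = bytes.fromhex(
    "30:1E:17:0D:30:34:31:30:32:32:30:39:34:32:30:31:5A:"
    "17:0D:30:35:30:31:32:32:30:39:34:32:30:31:5A".replace(":", ""))
OID_TLV = bytes.fromhex("0603551D10")  # OBJECT IDENTIFIER 2.5.29.16

def extension(ext_der: bytes) -> bytes:
    """Extension ::= SEQUENCE { extnID OID, extnValue OCTET STRING }.
    The critical BOOLEAN is omitted because it defaults to FALSE."""
    return tlv(0x30, OID_TLV + tlv(0x04, ext_der))

def private_key_usage_period(not_before: str, not_after: str) -> bytes:
    """SEQUENCE { notBefore [0] GeneralizedTime, notAfter [1] GeneralizedTime },
    implicitly tagged, so the field tags are 0x80 and 0x81."""
    fields = tlv(0x80, not_before.encode("ascii")) + tlv(0x81, not_after.encode("ascii"))
    return tlv(0x30, fields)

def inner_tags(ext_der: bytes) -> list:
    """Tags of the fields inside the outer SEQUENCE of an extension value."""
    (tag, body), = parse_tlvs(ext_der)
    if tag != 0x30:
        raise ValueError("expected SEQUENCE")
    return [t for t, _ in parse_tlvs(body)]

if __name__ == "__main__":
    print(extension(POSTED).hex(":"))            # OID, then 04:20, then the value
    print([hex(t) for t in inner_tags(POSTED)])  # 0x17 is the UTCTime tag
    # Constructed timestamps: the posted times rewritten with a four-digit year.
    fixed = private_key_usage_period("20041022094201Z", "20050122094201Z")
    print(fixed.hex(":"))
```

The 04:20 after the OID is the extnValue OCTET STRING header (length 0x20 = 32 bytes) that every X.509 extension carries around its DER value.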