Hi there;

On July 14, 2008 11:36:34 am Oil Supply wrote:
> I have been working on trying to add extensions to a CA certificate
> and coming up short. I read through doc/openssl.txt, as well as the
> man pages for openssl, ca, and req. I also searched google and the
> list archives. Maybe I am just dense. I don't believe I need to write
> any code. I don't care about pretty printing. I am using openssl
> 0.9.8b. The error message is below.
> <snip>
> #This is the extension I want to add
> fooname=this is a block of text
> basicConstraints = CA:true
> keyUsage = cRLSign, keyCertSign
> [ crl_ext ]
> authorityKeyIdentifier=keyid:always,issuer:always

What is fooname? What is the encoding? An extension is represented (in the simplest form), as an OID (that identifies which extension it is), and a value that is encoded as per the RFC (or other document) rules for that extension.

So, for instance, if fooname is an extension that corresponds to the OID '1.2.3.4', and it is of value UTF8String, then I think that the right way to encode it could be:

    1.2.3.4 = UTF8:This is a block of text

I've not tried the above, and Stephen or one of the others can give you a better answer than I, but I hope that gets you started in the right direction.

One thing - DO NOT pull an OID out of thin air... register your OID properly with IANA.

As an aside - populating certificates with "Private Extensions" is usually a "VERY BAD IDEA", since 100% of the applications that you try to use them with will, at the best, ignore the value, thus rendering the purpose of putting it in the certificate moot, or, at worst, try and interpret it, and crash.

If you are just putting in extra text, I would suggest writing this text into the Subscriber agreement, or writing it into the CP, and referencing it indirectly via the certificatePolicy standard extension.

Have fun.

--
Patrick Patterson
President and Chief PKI Architect,
Carillon Information Security Inc.
http://www.carillon.ca
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                                [EMAIL PROTECTED]
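
The OID-plus-encoded-value structure described in the reply, as an added example that is not part of the original message or of OpenSSL's code: a small DER encoder for an X.509 Extension carrying a UTF8String. OID 1.2.3.4 is the message's placeholder, the function names are hypothetical, and the `DER:` line uses the raw-DER value form from OpenSSL's extension configuration documentation.

```python
# Added illustration: Extension ::= SEQUENCE { extnID OID,
#   critical BOOLEAN DEFAULT FALSE, extnValue OCTET STRING }
# OID 1.2.3.4 is the placeholder from the message, not a registered arc.

def der_len(n):
    """DER definite length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, content):
    """Tag, length, value."""
    return bytes([tag]) + der_len(len(content)) + content

def encode_oid(dotted):
    """OBJECT IDENTIFIER: first two arcs share a byte, the rest are base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    if len(arcs) < 2 or arcs[0] > 2 or (arcs[0] < 2 and arcs[1] > 39):
        raise ValueError("invalid OID: " + dotted)
    out = bytearray()
    for arc in [arcs[0] * 40 + arcs[1]] + arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))  # continuation bit on leading bytes
            arc >>= 7
        out += bytes(reversed(chunk))
    return tlv(0x06, bytes(out))

def encode_extension(oid, text, critical=False):
    """Full Extension; the UTF8String is DER-encoded, then wrapped in an OCTET STRING."""
    inner = tlv(0x0C, text.encode("utf-8"))      # the extension's own value
    parts = encode_oid(oid)
    if critical:
        parts += tlv(0x01, b"\xff")              # BOOLEAN TRUE; omitted when FALSE
    parts += tlv(0x04, inner)                    # extnValue
    return tlv(0x30, parts)

def openssl_der_line(oid, text):
    """Config line giving the same value to OpenSSL as raw DER hex."""
    return "%s = DER:%s" % (oid, tlv(0x0C, text.encode("utf-8")).hex(":"))

if __name__ == "__main__":
    print(encode_extension("1.2.3.4", "This is a block of text").hex())
    print(openssl_der_line("1.2.3.4", "This is a block of text"))
```

An application that does not recognise 1.2.3.4 sees only the OID and an opaque OCTET STRING, which is why the reply expects unknown private extensions to be ignored.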