Massive Cava wrote:
> Hi to all
>
> I need to configure the file openssl.cnf correctly to create a new extension. I
> can modify the config file and add some new fields to the certificate
> request, for example date of birth, unique ID of student and his level, but
> how can I switch these fields to X509 extensions when I sign the certificate
> with the command "ca ..." ???

Please tell me that you are not encoding these values into an extension in the certificate??? Unless you are doing Attribute Certificates, encoding these values in as arbitrary extensions is probably NOT what would be considered best practice, and will definitely cause implementation details.
First of all, encoding some of those values (student birthdays, etc.) in a format whose design is to assist in making a value public (the Public Key) is possibly against the educational or general privacy laws in a number of countries (US, Canada, most of Europe).

What you most likely want to do is either use Attribute Certificates (not supported by very many implementations of anything outside of the US DoD), or Federated Attributes using a technology like WS-Fed, or the Liberty Alliance SAML specifications. This would allow you to provide those attributes only to those sources that you know have a pre-existing relationship with the student, and thus a "need to know" about those attributes.

On a more practical note, if you encode those kinds of values as arbitrary extensions in a certificate, then you would have to write code into your Relying Party code to correctly interpret those custom extensions. Most organisations that I know don't want to maintain their own mod_ssl patches or ISAPI filters (assuming that you are going to be doing some sort of web application with these certificates).

All of that said, if you DO want help to implement something like this, then please provide the ASN.1 encoding that you would like to use for the extensions, and we can probably help you encode those custom extensions.

Just some advice from someone who has "been there, seen that, seen what happens 6 months later".

Patrick.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
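To make concrete what Patrick's "practical note" implies, here is an added example (not code from the thread, from Patrick, or from OpenSSL) of the two halves a custom extension forces you to own: the ASN.1/DER encoding of the extension value that OpenSSL's x509v3_config "arbitrary extension" syntax (`OID=DER:hex`) would accept, and the relying-party decoder that every verifier would then have to carry. The OID `1.3.6.1.4.1.99999.1`, the `SEQUENCE { studentId UTF8String, level INTEGER }` layout and the sample values are invented placeholders; a real deployment would use its own registered arc.

```python
"""DER encode/decode for a hypothetical custom X.509 extension value.

Added example for the openssl-users thread above; not OpenSSL code.
The OID, the extension layout and the sample values are all invented.
"""
from __future__ import annotations

# Invented OID under the private-enterprise arc; use your own PEN in practice.
STUDENT_INFO_OID = "1.3.6.1.4.1.99999.1"

TAG_INTEGER, TAG_UTF8STRING, TAG_SEQUENCE = 0x02, 0x0C, 0x30


def der_length(n: int) -> bytes:
    """Definite-length octets: short form below 128, minimal long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + der_length(len(content)) + content


def der_integer(value: int) -> bytes:
    """Non-negative INTEGER with minimal two's-complement content octets."""
    if value < 0:
        raise ValueError("only non-negative levels are modelled here")
    content = value.to_bytes((value.bit_length() + 8) // 8, "big")
    return der_tlv(TAG_INTEGER, content)


def encode_student_info(student_id: str, level: int) -> bytes:
    """extnValue for the hypothetical extension: SEQUENCE { UTF8String, INTEGER }."""
    inner = der_tlv(TAG_UTF8STRING, student_id.encode("utf-8")) + der_integer(level)
    return der_tlv(TAG_SEQUENCE, inner)


def openssl_cnf_line(student_id: str, level: int) -> str:
    """The 'arbitrary extension' line for an openssl.cnf extension section:
    OID=DER:<colon-separated hex of the extnValue>."""
    hexval = encode_student_info(student_id, level).hex()
    return f"{STUDENT_INFO_OID}=DER:" + ":".join(hexval[i:i + 2] for i in range(0, len(hexval), 2))


# --- Relying-party side: the parsing every verifier would have to maintain ---

def _read_tlv(buf: bytes, pos: int) -> tuple[int, bytes, int]:
    """Parse one TLV at pos; reject indefinite and non-minimal lengths (DER rules)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        nbytes = first & 0x7F
        if nbytes == 0 or nbytes > 4 or pos + nbytes > len(buf):
            raise ValueError("indefinite or oversized length")
        if buf[pos] == 0:
            raise ValueError("non-minimal long-form length")
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        if length < 0x80:
            raise ValueError("long form used for a short length")
        pos += nbytes
    if pos + length > len(buf):
        raise ValueError("length exceeds buffer")
    return tag, buf[pos:pos + length], pos + length


def decode_student_info(extn_value: bytes) -> tuple[str, int]:
    """Strictly decode the extnValue produced by encode_student_info."""
    tag, body, end = _read_tlv(extn_value, 0)
    if tag != TAG_SEQUENCE or end != len(extn_value):
        raise ValueError("expected exactly one SEQUENCE")
    tag, sid, pos = _read_tlv(body, 0)
    if tag != TAG_UTF8STRING:
        raise ValueError("expected UTF8String studentId first")
    tag, lvl, pos = _read_tlv(body, pos)
    if tag != TAG_INTEGER or pos != len(body):
        raise ValueError("expected INTEGER level as the last element")
    # Minimal, non-negative INTEGER content: no redundant leading 0x00, sign bit clear.
    if not lvl or lvl[0] & 0x80 or (len(lvl) > 1 and lvl[0] == 0 and lvl[1] < 0x80):
        raise ValueError("INTEGER is negative or not minimal DER")
    return sid.decode("utf-8"), int.from_bytes(lvl, "big")


def is_valid_student_info(extn_value: bytes) -> bool:
    """True only if the value is well-formed under the strict decoder above."""
    try:
        decode_student_info(extn_value)
        return True
    except (ValueError, UnicodeDecodeError):
        return False


if __name__ == "__main__":
    # Constructed sample values.
    print(openssl_cnf_line("S123", 3))
    print(decode_student_info(encode_student_info("S123", 3)))
```

The same value can be expressed without pre-computed hex using the `ASN1:SEQUENCE:section` form of x509v3_config, but either way the decoder side stays yours to write, which is the maintenance cost Patrick is warning about. Note also that `openssl ca` only carries request extensions into the signed certificate when its configuration section sets `copy_extensions = copy`; by default they are dropped.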