Hi,
I've been trying to get Time Stamping working where the CA issuing the Time Stamping certificate is issued by a Microsoft Windows Server 2003 Enterprise CA. I've had success in terms of being able to actually sign the digest and I actually have a certificate with the purpose of Time Stamp Signing as YES. I am however having issues when I try to verify a token against the certificate:

    error 34 at 0 depth lookup:unhandled critical extension

This also happens when:

    openssl verify -Cafile ca.cer tsatest.cer
    tsatest.cer: /C=AU/ST=NSW/L=Sydney/O=Test TSA/OU=TSA/CN=Mr Test/emailAddress=tes t...@test.com.au
    error 34 at 0 depth lookup:unhandled critical extension
    OK

Sure, I can get this to ignore the critical extension:

    openssl verify -ignore_critical -CAfile ca.cer tsatest.cer
    tsatest.cer: OK

There is no way however to do this using the "ts" commands for verifying RFC3161 tokens/responses. Whilst I could modify the ts.c and set the ignore_critical flag in the X509 STORE, according to RFC3280 (line from the verify help page for openssl):

    "Normally if an unhandled critical extension is present which is not supported by OpenSSL the certificate is rejected (as required by RFC3280 et al). If this option is set critical extensions are ignored."

I'm guessing this has something to do with these stupid application extensions it has put on the certificate when generated from the Microsoft CA:

    X509v3 Basic Constraints: critical
        CA:FALSE
    X509v3 Key Usage:
        Digital Signature, Non Repudiation
    1.3.6.1.4.1.311.21.7:
        0..&+.....7.....Y....../...z.....=...z...@..d...
    X509v3 Extended Key Usage: critical
        Time Stamping
    1.3.6.1.4.1.311.21.10: critical
        0.0

Does anyone out there have any experience with generating certificates from Microsoft CA without these unknown extensions? I'm guessing in this case it's the 1.3.6.1.4.1.311.21.10:

    Application Policies extension -- same encoding as szOID_CERT_POLICIES
    szOID_APPLICATION_CERT_POLICIES  1.3.6.1.4.1.311.21.10

^^ from some Microsoft page.

Any ideas??
Thanks, Brad
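To see in advance which extension will trip "unhandled critical extension" (error 34) before handing a certificate to openssl ts, here is an added example (not part of the post or of OpenSSL) that walks the DER of an X.509 Extensions SEQUENCE and reports the critical ones whose OID OpenSSL has no handler for. KNOWN is an assumed subset of the RFC 5280 extensions OpenSSL implements, and the sample bytes are constructed by hand to mirror the five extensions quoted above (the two Microsoft extensions carry placeholder bodies).

```python
# Added example, not from the original post: minimal DER walker that flags
# critical X.509 extensions OpenSSL would reject as "unhandled".

def der_tlv(data, pos=0):
    """Decode one DER TLV at pos -> (tag, value bytes, position after it)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                          # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length

def der_children(value):
    """Yield (tag, value) for every TLV packed inside a SEQUENCE value."""
    pos = 0
    while pos < len(value):
        tag, v, pos = der_tlv(value, pos)
        yield tag, v

def decode_oid(raw):
    """OBJECT IDENTIFIER content octets -> dotted string (base-128 arcs)."""
    arcs, n = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, n = arcs + [n], 0
    return ".".join(map(str, arcs))

# Assumed set of extension OIDs OpenSSL handles (basicConstraints, keyUsage,
# extKeyUsage, subjectKeyIdentifier, authorityKeyIdentifier, subjectAltName).
KNOWN = {"2.5.29.19", "2.5.29.15", "2.5.29.37", "2.5.29.14", "2.5.29.35", "2.5.29.17"}

def parse_extensions(ext_seq_der):
    """Extensions SEQUENCE (DER) -> [(oid, critical)] in certificate order."""
    result = []
    for _, ext in der_children(der_tlv(ext_seq_der)[1]):   # Extension ::= SEQUENCE
        fields = list(der_children(ext))                   # OID, [BOOLEAN], OCTET STRING
        critical = any(t == 0x01 and v != b"\x00" for t, v in fields)
        result.append((decode_oid(fields[0][1]), critical))
    return result

def unhandled_critical(ext_seq_der):
    """OIDs marked critical but not in KNOWN: these make verification fail."""
    return [o for o, c in parse_extensions(ext_seq_der) if c and o not in KNOWN]

# Constructed sample: the same five extensions, in the same order, as the post.
SAMPLE_EXTENSIONS = bytes.fromhex(
    "3058"
    "300c 0603551d13 0101ff 04023000"                        # Basic Constraints, critical
    "300b 0603551d0f 0404030206c0"                           # Key Usage: digSig, nonRepudiation
    "300f 06092b0601040182371507 04023000"                   # 1.3.6.1.4.1.311.21.7 (placeholder body)
    "3016 0603551d25 0101ff 040c300a06082b06010505070308"    # EKU: Time Stamping, critical
    "3012 06092b060104018237150a 0101ff 04023000"            # 1.3.6.1.4.1.311.21.10, critical
)
```

Feeding real certificate extensions to unhandled_critical (for example the Extensions SEQUENCE cut out with openssl asn1parse) shows exactly which OID has to be made non-critical or dropped from the template on the Microsoft CA side.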