Hi,

I've been trying to get Time Stamping working where the CA issuing the Time
Stamping certificate is issued by a Microsoft Windows Server 2003 Enterprise
CA.

I've had success in terms of being able to actually sign the digest and I
actually have a certificate with the purpose of Time Stamp Signing as YES.

I am however having issues when I try to verify a token against the
certificate:

error 34 at 0 depth lookup:unhandled critical extension

This also happens when:

openssl verify -CAfile ca.cer tsatest.cer

tsatest.cer: /C=AU/ST=NSW/L=Sydney/O=Test TSA/OU=TSA/CN=Mr Test/emailAddress=test...@test.com.au
error 34 at 0 depth lookup:unhandled critical extension
OK

Sure I can get this to ignore the critical extension:

openssl verify -ignore_critical -CAfile ca.cer tsatest.cer
tsatest.cer: OK

There is no way however to do this using the "ts" commands for verifying
RFC3161 tokens/responses.

Whilst I could modify ts.c and set the ignore_critical flag in the X509
STORE, according to RFC3280 (line from the verify help page for openssl):

"Normally if an unhandled critical extension is present which is not
supported by OpenSSL the certificate is rejected (as required by RFC3280 et
al). If this option is set critical extensions are ignored."

I'm guessing this has something to do with these stupid application
extensions it has put on the certificate when generated from the Microsoft
CA:

            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Key Usage:
                Digital Signature, Non Repudiation
            1.3.6.1.4.1.311.21.7:
                0..&+.....7.....Y....../...z.....=...z...@..d...
            X509v3 Extended Key Usage: critical
                Time Stamping
            1.3.6.1.4.1.311.21.10: critical
                0.0

Does anyone out there have any experience with generating certificates from
Microsoft CA without these unknown extensions?

I'm guessing in this case it's the 1.3.6.1.4.1.311.21.10.

Application Policies extension -- same encoding as szOID_CERT_POLICIES
        szOID_APPLICATION_CERT_POLICIES         1.3.6.1.4.1.311.21.10

^^ from some Microsoft page.

Any ideas??

Thanks,

Brad
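The failure described above is the RFC 3280 rule that a verifier must reject a certificate carrying a critical extension it does not recognise, and the useful first check is simply to list which critical OIDs are present. The following is an added example, not code from the original post or from OpenSSL: it walks a DER-encoded X.509 Extensions list and names the critical OIDs outside an assumed HANDLED set, using sample extension bytes constructed to mirror the dump in the post.

```python
def read_tlv(buf, pos):
    """Decode one DER tag/length/value at pos; return (tag, value, next_pos)."""
    tag, ln = buf[pos], buf[pos + 1]
    pos += 2
    if ln & 0x80:                                   # long-form length
        n = ln & 0x7F
        ln = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + ln], pos + ln

def decode_oid(body):
    """OID content octets to dotted form, e.g. 2b 06 01 -> 1.3.6.1."""
    arcs = [body[0] // 40, body[0] % 40]
    val = 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:                            # last octet of this arc
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

# Extensions this toy verifier implements (an assumed subset; OpenSSL's own
# list is longer, but nothing under the Microsoft arc 1.3.6.1.4.1.311 is on it).
HANDLED = {"2.5.29.19", "2.5.29.15", "2.5.29.37", "2.5.29.14", "2.5.29.35"}

def unhandled_critical(extensions_der):
    """Dotted OIDs of critical extensions not in HANDLED; non-empty means reject."""
    found = []
    _, seq, _ = read_tlv(extensions_der, 0)         # Extensions ::= SEQUENCE OF
    pos = 0
    while pos < len(seq):
        _, ext, pos = read_tlv(seq, pos)            # Extension ::= SEQUENCE
        _, oid_body, p = read_tlv(ext, 0)           # extnID
        tag, val, _ = read_tlv(ext, p)              # critical BOOLEAN, if present
        oid = decode_oid(oid_body)
        if tag == 0x01 and val == b"\xff" and oid not in HANDLED:
            found.append(oid)
    return found

# Constructed sample mirroring the dump in the post (not the real certificate):
# basicConstraints (critical), keyUsage, MS certificate template (21.7),
# extendedKeyUsage timeStamping (critical), MS application policies (21.10, critical).
SAMPLE = bytes.fromhex(
    "3058"
    "300c 0603551d13 0101ff 04023000"
    "300b 0603551d0f 0404030206c0"
    "300f 06092b0601040182371507 04023000"
    "3016 0603551d25 0101ff 040c300a06082b06010505070308"
    "3012 06092b060104018237150a 0101ff 04023000"
)
```

Running `unhandled_critical(SAMPLE)` on this input returns `['1.3.6.1.4.1.311.21.10']`, the same extension the post singles out; the same walk over a real certificate's Extensions sequence shows which OID the Microsoft CA template would need to mark non-critical.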
