I want to implement a CA using openssl and some (basic) bash scripting. I try to understand and conform with the standards. So I have started by reading RFC5280 [1]. I want to write a CPS and link to it from the CA using certificatePolicies cPSuri qualifier.
First thing I did was to generate a UUID OID following ITU-T instructions [2]. Afterwards I added to openssl.cnf the following:

= = = = = = = =
company_root_oid = 2.25.c8b2e2a0094b11e2936a0002a5d5c51b

[ v3_ca ]
certificatePolicies = ia5string,@company_ca_policy

[ company_ca_policy ]
policyIdentifier = 2.25.c8b2e2a0094b11e2936a0002a5d5c51b.2.5.29.32.1
CPS.1 = "http://pki.edoxx.net/cps/"
userNotice.1 = @edoxx_ca_notice

[ company_ca_notice ]
explicitText=" Compnay Primary CA thrives to conform with latest PKIX RFCs. The Company Trust Network is operated as stated in the CPS: http://pki.company.net/cps/. We recommend you read it before trusting us."
= = = = = = = =

I feel compelled to tell you that company_ca_policy and company_ca_notice appear before v3_ca. I don't really know if the order matters. I have done this following the example provided on the x509v3_config(5) [3] manual page.

Next step was to generate the CA.

wiz:CA/ (master???) $ openssl req -new -x509 -days 3650 -extensions v3_ca -keyout private/edoxx.ca.key -out certs/edoxx.ca.pem -config openssl.cnf
problem creating object edoxx_root_oid=2.25.c8b2e2a0094b11e2936a0002a5d5c51b
28675:error:0D064082:asn1 encoding routines:a2d_ASN1_OBJECT:invalid digit:/SourceCache/OpenSSL098/OpenSSL098-47/src/crypto/asn1/a_object.c:139:

I know I'm doing something wrong but I don't know what. Can you please shed some light?

[1]: http://tools.ietf.org/html/rfc5280
[2]: http://www.itu.int/ITU-T/asn1/uuid.html#registration
[3]: http://www.openssl.org/docs/apps/x509v3_config.html

Thanks.

Cheers and Goodwill,
v
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
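Added example (not part of the post above, and not OpenSSL's code): OID arcs are decimal integers, and the ITU-T 2.25 arc carries the whole 128-bit UUID as one decimal integer, so a hex UUID pasted after "2.25." is not a valid arc. The script below maps the UUID from the post onto the 2.25 arc, checks the dotted form with the same kind of rules an ASN.1 OID parser applies, DER-encodes it so the result can be compared against what a certificate would actually carry, and renders a certificatePolicies fragment in the decimal form. The `.1` policy arc under the CA's own OID, the `company_ca_policy` section name and the CPS URL are assumptions chosen for the example; `ia5org` is OpenSSL's real option name for the user-notice encoding.

```python
import re
import uuid

# UUID from the post (constructed sample input; any RFC 4122 UUID works).
SAMPLE_UUID = "c8b2e2a0-094b-11e2-936a-0002a5d5c51b"

_ARC_RE = re.compile(r"^[0-9]+$")


def uuid_to_oid(u):
    """Map a UUID onto the ITU-T 2.25 arc: 2.25.<UUID as a single decimal integer>."""
    return "2.25.%d" % uuid.UUID(u).int


def validate_oid(oid):
    """Return None if oid is a well-formed dotted-decimal OID, else the reason.

    Roughly the checks an ASN.1 OID parser performs: every arc is a decimal
    integer, at least two arcs, first arc 0..2, second arc < 40 under 0 and 1.
    """
    arcs = oid.split(".")
    if len(arcs) < 2:
        return "an OID needs at least two arcs"
    for a in arcs:
        if not _ARC_RE.match(a):
            return "invalid digit in arc %r (arcs are decimal integers)" % a
    first, second = int(arcs[0]), int(arcs[1])
    if first > 2:
        return "first arc must be 0, 1 or 2"
    if first < 2 and second >= 40:
        return "second arc must be < 40 under arcs 0 and 1"
    return None


def der_length(n):
    """DER length octets (short form below 128, long form otherwise)."""
    if n < 0x80:
        return bytes([n])
    octets = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(octets)]) + octets


def der_encode_oid(oid):
    """DER-encode a dotted-decimal OID: tag 0x06, then base-128 subidentifiers.

    The first two arcs are folded into one subidentifier (first*40 + second);
    every subidentifier is split into 7-bit groups, high bit set on all but the last.
    """
    err = validate_oid(oid)
    if err:
        raise ValueError(err)
    arcs = [int(a) for a in oid.split(".")]
    subids = [arcs[0] * 40 + arcs[1]] + arcs[2:]
    body = bytearray()
    for s in subids:
        groups = [s & 0x7F]
        s >>= 7
        while s:
            groups.append(0x80 | (s & 0x7F))
            s >>= 7
        body.extend(reversed(groups))
    return bytes([0x06]) + der_length(len(body)) + bytes(body)


def policy_section(u, cps_uri):
    """Render an openssl.cnf certificatePolicies fragment using the decimal OID.

    Assumption: the CA allocates policy arc .1 under its own UUID-derived OID.
    """
    policy_oid = uuid_to_oid(u) + ".1"
    assert validate_oid(policy_oid) is None
    return "\n".join([
        "[ v3_ca ]",
        "certificatePolicies = ia5org,@company_ca_policy",
        "",
        "[ company_ca_policy ]",
        "policyIdentifier = %s" % policy_oid,
        'CPS.1 = "%s"' % cps_uri,
    ])


if __name__ == "__main__":
    hex_form = "2.25.c8b2e2a0094b11e2936a0002a5d5c51b"
    print("hex form  :", validate_oid(hex_form))
    print("decimal   :", uuid_to_oid(SAMPLE_UUID))
    print("DER       :", der_encode_oid(uuid_to_oid(SAMPLE_UUID) + ".1").hex())
    print(policy_section(SAMPLE_UUID, "http://pki.example.net/cps/"))
```

Running it shows the hex form rejected with the same "invalid digit" class of error the post reports, while the decimal form validates and encodes; the DER output can be checked against `openssl asn1parse` on a certificate issued with the rendered fragment.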