On 02/10/2014 08:27 PM, Dave Thompson wrote:
>> From: owner-openssl-us...@openssl.org On Behalf Of Tom Pfeifer
>> Sent: Monday, February 10, 2014 16:53
> <snip>
>> I've tried doing that with no success so far, most likely due to my lack of
>> understanding of how to set up policy sections in the config file (among
>> other things).
>>
> The policy section(s) is only for issuing certs with 'ca'.
> Your problem is creating the request, well before that.
>
>> The basic failure I'm getting is demonstrated by the information at the
>> link below. It shows the 'openssl' command line, the error output from
>> it, and the openssl.cnf file used.
>>
>> https://www.dropbox.com/s/ipjtp1fmhd1p4mz/opensslcnf.txt
>>
> The new_oids functionality is generic for pretty much all functions that
> use a config file, unlike other config items which are function-specific.
> Thus the oid_section pointer must be in the 'default' section -- i.e.
> at the top of the config file before the first [sectname] divider.

That was definitely a piece of information I was missing, and the error condition disappeared when I moved it to the top of the config file. This is the first time I have gotten it to recognize those "jurisdictionOfIncorporation" OIDs.

> If you use 'ca' you do also need to fix up a policy (either a provided
> one, or one you create) unless you specify preserve=yes in which case
> it will use the RDNs from the request even if not in policy. If you use
> 'x509 -req' there is no policy and it uses the name from the request.
>
> Small warning: 'req' and, if used, 'ca' use a file and can get added OIDs.
> If you display the resulting cert(s) with 'x509 -text' that does not use
> any config file and thus must display the OIDs in numeric form.

I noticed the numeric form when using 'x509 -text', and it helped to be expecting it. The config file still needs some work, but hopefully I'm on my way with this now.

Thank you for the pointers - very much appreciated!
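An openssl.cnf layout that applies the point made above, added here as an illustration and not taken from either poster's message: the `oid_section` pointer sits in the unnamed default section before any `[section]` header, so the custom names resolve for `req` (the DN fields) and for a `ca` policy. The OID values are the CA/Browser Forum EV jurisdiction-of-incorporation arcs; the section names, DN values and policy settings are assumed for the example.

```ini
# Default (unnamed) section: everything before the first [section] header.
# oid_section must live here. Placed inside [req] instead, the names below
# stay undefined and 'openssl req' rejects the jurisdictionOfIncorporation fields.
oid_section = new_oids

[ new_oids ]
# EV jurisdiction-of-incorporation OIDs (CA/Browser Forum EV Guidelines)
jurisdictionOfIncorporationLocalityName        = 1.3.6.1.4.1.311.60.2.1.1
jurisdictionOfIncorporationStateOrProvinceName = 1.3.6.1.4.1.311.60.2.1.2
jurisdictionOfIncorporationCountryName         = 1.3.6.1.4.1.311.60.2.1.3

[ req ]
distinguished_name = req_dn
prompt             = no

[ req_dn ]
# Constructed sample subject; values are placeholders.
C  = US
ST = Example State
L  = Example City
O  = Example Corp
CN = example.com
# These keys only parse because oid_section was read from the default section.
jurisdictionOfIncorporationCountryName         = US
jurisdictionOfIncorporationStateOrProvinceName = Example State

[ policy_ev ]
# For 'ca' (policy = policy_ev in the CA section): request RDNs absent from
# the policy are dropped unless preserve = yes is set, so list the custom ones.
countryName                                    = match
stateOrProvinceName                            = supplied
localityName                                   = optional
organizationName                               = supplied
commonName                                     = supplied
jurisdictionOfIncorporationCountryName         = optional
jurisdictionOfIncorporationStateOrProvinceName = optional
```

`openssl req -new -config <this file> -key <key>` reads the DN from `[req_dn]`; as noted above, `openssl x509 -text` on the resulting certificate prints these two fields by numeric OID because it loads no config file.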