On Tue, Mar 25, 2014 at 10:54 AM, Erwann Abalea <erwann.aba...@keynectis.com> wrote:
>
>> 2. I couldn't figure out what the [additional_oids] section of the
>> Expert example's root-ca.conf file is for - either through research or
>> going through the commit history. Could you elaborate on what that
>> accomplishes?
>>
>> https://pki-tutorial.readthedocs.org/en/latest/expert/root-ca.conf.html
>
> The OIDs are used in the CertificatePolicies extension of a subordinate CA
> of this root CA.
> For a policyId to be acceptable for an end-user certificate, this same
> policyId (or the special value anyPolicy) MUST be present in all CAs between
> this end-user cert and the root CA. The root CA is special in that it
> doesn't need to contain any CertificatePolicies extension.
So these are used to group or link the certificate chain together? Is there
guidance for generating and naming this OID? Given an OID in this form:
1.3.6.1.4.1.X.Y.Z, I'm assuming that you would register the top-level number
(X) with the IANA (or other appropriate issuing body), but is there guidance
for setting Y and Z, which are 7 and 8 or 9 respectively in the Expert example?

>> 3. Is there a reason to not set a pathLen in the basicConstraints
>> section of the Root CA's (to 1, to allow a maximum of one layer of
>> CAs below the Root), but to do so on the Intermediate CA's?
>
> Because it's not used by the standardized validation algorithm (RFC5280
> section 6, X.509 section 10).

I looked through RFC5280 section 6.1.4 (m), and it appears that setting the
pathLen would apply to the Root CA, and would cause section (l) to fail on
CAs created beyond the depth specified. Am I interpreting the RFC
incorrectly?

Thanks,
Zack
______________________________________________________________________
OpenSSL Project                                     http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org