Re: Extended Validation OIDS
On 02/10/2014 08:27 PM, Dave Thompson wrote:
> From: owner-openssl-us...@openssl.org On Behalf Of Tom Pfeifer
> Sent: Monday, February 10, 2014 16:53
>
> snip
>
>> I've tried doing that with no success so far, most likely due to my lack of understanding of how to set up policy sections in the config file (among other things).
>
> The policy section(s) is only for issuing certs with 'ca'. Your problem is creating the request, well before that.
>
>> The basic failure I'm getting is demonstrated by the information at the link below. It shows the 'openssl' command line, the error output from it, and the openssl.cnf file used.
>>
>> https://www.dropbox.com/s/ipjtp1fmhd1p4mz/opensslcnf.txt
>
> The new_oids functionality is generic for pretty much all functions that use a config file, unlike other config items which are function-specific. Thus the oid_section pointer must be in the 'default' section -- i.e. at the top of the config file before the first [sectname] divider.

That was definitely a piece of information I was missing, and the error condition disappeared when I moved it to the top of the config file. This is the first time I have gotten it to recognize those jurisdictionOfIncorporation OIDs.

> If you use 'ca' you do also need to fix up a policy (either a provided one, or one you create) unless you specify preserve=yes in which case it will use the RDNs from the request even if not in policy. If you use 'x509 -req' there is no policy and it uses the name from the request.
>
> Small warning: 'req' and (if used) 'ca' use a config file and can get added OIDs. If you display the resulting cert(s) with 'x509 -text' that does not use any config file and thus must display the OIDs in numeric form.

I noticed the numeric form when using 'x509 -text', and it helped to be expecting it.

The config file still needs some work, but hopefully I'm on my way with this now. Thank you for the pointers - very much appreciated!
__
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
Re: Extended Validation OIDS
On Tue, Feb 11, 2014, Tom Pfeifer wrote:
> On 02/10/2014 08:27 PM, Dave Thompson wrote:
>> From: owner-openssl-us...@openssl.org On Behalf Of Tom Pfeifer
>> Sent: Monday, February 10, 2014 16:53
>>
>> snip
>>
>>> I've tried doing that with no success so far, most likely due to my lack of understanding of how to set up policy sections in the config file (among other things).
>>
>> The policy section(s) is only for issuing certs with 'ca'. Your problem is creating the request, well before that.
>>
>>> The basic failure I'm getting is demonstrated by the information at the link below. It shows the 'openssl' command line, the error output from it, and the openssl.cnf file used.
>>>
>>> https://www.dropbox.com/s/ipjtp1fmhd1p4mz/opensslcnf.txt
>>
>> The new_oids functionality is generic for pretty much all functions that use a config file, unlike other config items which are function-specific. Thus the oid_section pointer must be in the 'default' section -- i.e. at the top of the config file before the first [sectname] divider.
>
> That was definitely a piece of information I was missing, and the error condition disappeared when I moved it to the top of the config file. This is the first time I have gotten it to recognize those jurisdictionOfIncorporation OIDs.
>
>> If you use 'ca' you do also need to fix up a policy (either a provided one, or one you create) unless you specify preserve=yes in which case it will use the RDNs from the request even if not in policy. If you use 'x509 -req' there is no policy and it uses the name from the request.
>>
>> Small warning: 'req' and (if used) 'ca' use a config file and can get added OIDs. If you display the resulting cert(s) with 'x509 -text' that does not use any config file and thus must display the OIDs in numeric form.
>
> I noticed the numeric form when using 'x509 -text', and it helped to be expecting it.
>
> The config file still needs some work, but hopefully I'm on my way with this now. Thank you for the pointers - very much appreciated!

Note that there are two ways to add OIDs.

One is the version that works with the openssl utility but is lacking in some cases (e.g. x509) and the second is through the configuration module mechanism. This is described in the config(1) manual page and is more general. It should also work for the x509 utility if you add the OIDs to the default configuration file or set the OPENSSL_CONF environment variable to point to it.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
Re: Extended Validation OIDS
On 02/11/2014 10:55 AM, Dr. Stephen Henson wrote:
> On Tue, Feb 11, 2014, Tom Pfeifer wrote:
>> On 02/10/2014 08:27 PM, Dave Thompson wrote:
>>> From: owner-openssl-us...@openssl.org On Behalf Of Tom Pfeifer
>>> Sent: Monday, February 10, 2014 16:53
>>>
>>> snip
>>>
>>>> I've tried doing that with no success so far, most likely due to my lack of understanding of how to set up policy sections in the config file (among other things).
>>>
>>> The policy section(s) is only for issuing certs with 'ca'. Your problem is creating the request, well before that.
>>>
>>>> The basic failure I'm getting is demonstrated by the information at the link below. It shows the 'openssl' command line, the error output from it, and the openssl.cnf file used.
>>>>
>>>> https://www.dropbox.com/s/ipjtp1fmhd1p4mz/opensslcnf.txt
>>>
>>> The new_oids functionality is generic for pretty much all functions that use a config file, unlike other config items which are function-specific. Thus the oid_section pointer must be in the 'default' section -- i.e. at the top of the config file before the first [sectname] divider.
>>
>> That was definitely a piece of information I was missing, and the error condition disappeared when I moved it to the top of the config file. This is the first time I have gotten it to recognize those jurisdictionOfIncorporation OIDs.
>>
>>> If you use 'ca' you do also need to fix up a policy (either a provided one, or one you create) unless you specify preserve=yes in which case it will use the RDNs from the request even if not in policy. If you use 'x509 -req' there is no policy and it uses the name from the request.
>>>
>>> Small warning: 'req' and (if used) 'ca' use a config file and can get added OIDs. If you display the resulting cert(s) with 'x509 -text' that does not use any config file and thus must display the OIDs in numeric form.
>>
>> I noticed the numeric form when using 'x509 -text', and it helped to be expecting it.
>>
>> The config file still needs some work, but hopefully I'm on my way with this now. Thank you for the pointers - very much appreciated!
>
> Note that there are two ways to add OIDs.
>
> One is the version that works with the openssl utility but is lacking in some cases (e.g. x509) and the second is through the configuration module mechanism. This is described in the config(1) manual page and is more general. It should also work for the x509 utility if you add the OIDs to the default configuration file or set the OPENSSL_CONF environment variable to point to it.
>
> Steve.
> --
> Dr Stephen N. Henson. OpenSSL project core developer.
> Commercial tech support now available see: http://www.openssl.org

I did look into that, tried it, and it did work. It required just a few simple changes (as that man page spells out pretty clearly), and now those jurisdiction OIDs are displayed in text format (rather than numeric) when using 'x509 -text'.

Thank you very much for the help!
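The two registration routes the thread compares, as an added example that is not code from the thread or from the OpenSSL project: a POSIX shell script that writes a minimal openssl.cnf registering OIDs only under [openssl_init] (the configuration-module route from config(5) that Stephen Henson points at), issues a self-signed certificate whose subject carries the jurisdiction RDNs, and then prints the subject twice, once with that config in force and once with OPENSSL_CONF=/dev/null, so the named and numeric forms Dave Thompson describes can be compared side by side. It assumes the openssl CLI is on PATH; the temporary directory, file names, DN values and the 1.2.3.4.5 attribute OID are constructed for the demo. It also goes one step beyond the thread: current OpenSSL releases already carry the three jurisdiction OIDs under the built-in short names jurisdictionL, jurisdictionST and jurisdictionC, and OBJ_create refuses to register an OID that is already built in, so the script probes for that and adds the thread's [new_oids] entries only on a build that lacks them.

```shell
#!/bin/sh
# Added example, not code from the thread: a self-contained run of the
# configuration-module route (config(5)) for registering OIDs, plus the
# numeric-vs-named subject display. Directory, file names, DN values and
# the 1.2.3.4.5 attribute OID are all constructed for this demo.
set -eu

command -v openssl >/dev/null 2>&1 || { echo "openssl CLI not found" >&2; exit 1; }

# 0 if this OpenSSL build resolves the attribute name with no help from any
# config file. 'asn1parse -genstr' runs the name through OBJ_txt2obj, so an
# unknown name makes the command fail.
oid_name_known() {
    openssl asn1parse -genstr "OID:$1" >/dev/null 2>&1
}

# Write a config whose OID registration goes through [openssl_init], the
# section every 'openssl' subcommand evaluates at startup ('x509' included).
# The 'oid_section =' pointer is deliberately absent from the default
# (top-level) section: 'req' would read that copy a second time, and
# registering the same names twice in one process fails with "oid exists".
# $1: path of the config file; $2..: "name = oid" lines for [new_oids]
write_oid_cnf() {
    cnf=$1; shift
    {
        printf 'openssl_conf = openssl_init\n\n[ openssl_init ]\noid_section = new_oids\n\n'
        printf '[ new_oids ]\n'
        for line in "$@"; do printf '%s\n' "$line"; done
        printf '\n[ req ]\ndistinguished_name = req_dn\nprompt = no\n\n'
        # 'req' insists on a DN section even when -subj supplies the subject
        printf '[ req_dn ]\ncommonName = placeholder\n'
    } > "$cnf"
}

# Create the config and a self-signed certificate carrying the EV jurisdiction
# RDNs in EV_DIR (set by the caller).
ev_setup() {
    # Placeholder attribute, always registered through [new_oids] so the
    # mechanism itself is exercised (the OID is constructed, not assigned).
    set -- "exampleInternalAttr = 1.2.3.4.5"
    if oid_name_known jurisdictionC; then
        # Current releases ship the jurisdiction OIDs as jurisdictionL/ST/C,
        # and OBJ_create rejects an OID that is already built in, so the
        # thread's [new_oids] entries are only added on builds lacking them.
        jc=jurisdictionC
        jst=jurisdictionST
    else
        jc=jurisdictionOfIncorporationCountryName
        jst=jurisdictionOfIncorporationStateOrProvinceName
        set -- "$@" \
            "jurisdictionOfIncorporationLocalityName = 1.3.6.1.4.1.311.60.2.1.1" \
            "jurisdictionOfIncorporationStateOrProvinceName = 1.3.6.1.4.1.311.60.2.1.2" \
            "jurisdictionOfIncorporationCountryName = 1.3.6.1.4.1.311.60.2.1.3"
    fi
    write_oid_cnf "$EV_DIR/ev.cnf" "$@"
    # OPENSSL_CONF makes ev.cnf the default config for the subcommand; no
    # -config is passed, so the module section is processed exactly once.
    OPENSSL_CONF="$EV_DIR/ev.cnf" openssl req -x509 -newkey rsa:2048 -nodes \
        -keyout "$EV_DIR/key.pem" -out "$EV_DIR/cert.pem" -days 30 \
        -subj "/C=US/ST=Example State/L=Example City/O=Example Corp/$jc=US/$jst=Example State/exampleInternalAttr=demo/CN=ev.example.test" \
        2>/dev/null
}

# Subject as 'x509' prints it with the same config in force: named form.
ev_subject_named() {
    OPENSSL_CONF="$EV_DIR/ev.cnf" openssl x509 -noout -subject -in "$EV_DIR/cert.pem"
}

# Subject with no OID registration at all: anything not built in comes out
# as dotted digits, which is what 'x509 -text' showed in the thread.
ev_subject_numeric() {
    OPENSSL_CONF=/dev/null openssl x509 -noout -subject -in "$EV_DIR/cert.pem"
}

EV_DIR=$(mktemp -d)
trap 'rm -rf "$EV_DIR"' EXIT
ev_setup
echo "with module config: $(ev_subject_named)"
echo "without any config: $(ev_subject_numeric)"
```

Run it with a POSIX sh; it needs only the openssl binary. The two printed lines differ exactly in the attributes that are not built in: with ev.cnf loaded they appear under the names from [new_oids], with OPENSSL_CONF=/dev/null they appear as dotted numbers, which is the behaviour Tom saw from 'x509 -text' before moving to the module mechanism.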
Re: Extended Validation OIDS
On 02/07/2014 04:11 PM, Walter H. wrote:
> On 07.02.2014 21:04, Tom Pfeifer wrote:
>> ...which are required for Extended Validation (EV) certificates. I'm currently using openSSL 1.0.1e-fips on Fedora 20, and I have these OIDs specified in the [new_oids] section in openssl.cnf like this:
>>
>> jurisdictionOfIncorporationLocalityName=1.3.6.1.4.1.311.60.2.1.1
>> jurisdictionOfIncorporationStateOrProvinceName=1.3.6.1.4.1.311.60.2.1.2
>> jurisdictionOfIncorporationCountryName=1.3.6.1.4.1.311.60.2.1.3
>>
>> Also, referring to this web page (from 2010):
>> http://www.frank4dd.com/howto/openssl/add_oids_to_openssl.htm
>>
>> ...I looked in crypto/objects/objects.txt in the 1.0.1e source tree, and they were not listed in that file with other OIDs. I also looked at the 1.0.1f source tree with the same result.
>>
>> The issue I'm having is that they don't show up in the Subject line in the certificate when specified in the -subj string, while all other OIDs specified in the same -subj string do show up. They are just ignored, with no error message.
>
> You have to expand the [ policy_default ] or other section of your choice with something similar to
>
> jurisdictionOfIncorporationLocalityName = optional
> jurisdictionOfIncorporationStateOrProvinceName = optional
> jurisdictionOfIncorporationCountryName = optional
>
> Walter

I've tried doing that with no success so far, most likely due to my lack of understanding of how to set up policy sections in the config file (among other things).

The basic failure I'm getting is demonstrated by the information at the link below. It shows the 'openssl' command line, the error output from it, and the openssl.cnf file used.

https://www.dropbox.com/s/ipjtp1fmhd1p4mz/opensslcnf.txt

The [req] and [req_issued_name] are the relevant sections for the 'req' command line being run in this case. If I comment out the 2 jurisdictionOfIncorporation lines in the [req_issued_name] section, the command runs without error, and the subject line contains all the other fields specified in that section.

If anyone has any pointers about policy sections (or pointers to basic docs or tutorials about them) - or anything else that's obvious from looking at the openssl.cnf file - it would be very much appreciated.

Thanks
Re: Extended Validation OIDS
From: owner-openssl-us...@openssl.org On Behalf Of Tom Pfeifer
Sent: Monday, February 10, 2014 16:53

snip

> I've tried doing that with no success so far, most likely due to my lack of understanding of how to set up policy sections in the config file (among other things).

The policy section(s) is only for issuing certs with 'ca'. Your problem is creating the request, well before that.

> The basic failure I'm getting is demonstrated by the information at the link below. It shows the 'openssl' command line, the error output from it, and the openssl.cnf file used.
>
> https://www.dropbox.com/s/ipjtp1fmhd1p4mz/opensslcnf.txt

The new_oids functionality is generic for pretty much all functions that use a config file, unlike other config items which are function-specific. Thus the oid_section pointer must be in the 'default' section -- i.e. at the top of the config file before the first [sectname] divider.

If you use 'ca' you do also need to fix up a policy (either a provided one, or one you create) unless you specify preserve=yes in which case it will use the RDNs from the request even if not in policy. If you use 'x509 -req' there is no policy and it uses the name from the request.

Small warning: 'req' and (if used) 'ca' use a config file and can get added OIDs. If you display the resulting cert(s) with 'x509 -text' that does not use any config file and thus must display the OIDs in numeric form.
Extended Validation OIDS
Hopefully this is a straightforward question: Are the jurisdictionOfIncorporation OIDs supported in the current version of openSSL (Linux)? The ones I'm referring to are:

1.3.6.1.4.1.311.60.2.1.1 jurisdictionOfIncorporationLocalityName
1.3.6.1.4.1.311.60.2.1.2 jurisdictionOfIncorporationStateOrProvinceName
1.3.6.1.4.1.311.60.2.1.3 jurisdictionOfIncorporationCountryName

...which are required for Extended Validation (EV) certificates. I'm currently using openSSL 1.0.1e-fips on Fedora 20, and I have these OIDs specified in the [new_oids] section in openssl.cnf like this:

jurisdictionOfIncorporationLocalityName=1.3.6.1.4.1.311.60.2.1.1
jurisdictionOfIncorporationStateOrProvinceName=1.3.6.1.4.1.311.60.2.1.2
jurisdictionOfIncorporationCountryName=1.3.6.1.4.1.311.60.2.1.3

Also, referring to this web page (from 2010):
http://www.frank4dd.com/howto/openssl/add_oids_to_openssl.htm

...I looked in crypto/objects/objects.txt in the 1.0.1e source tree, and they were not listed in that file with other OIDs. I also looked at the 1.0.1f source tree with the same result.

The issue I'm having is that they don't show up in the Subject line in the certificate when specified in the -subj string, while all other OIDs specified in the same -subj string do show up. They are just ignored, with no error message.

I'm just trying to understand why these are required for an EV certificate, yet they don't seem to be supported by openSSL, at least on Linux. Any information that can help me clear this up would be appreciated.
Re: Extended Validation OIDS
On 07.02.2014 21:04, Tom Pfeifer wrote:
> ...which are required for Extended Validation (EV) certificates. I'm currently using openSSL 1.0.1e-fips on Fedora 20, and I have these OIDs specified in the [new_oids] section in openssl.cnf like this:
>
> jurisdictionOfIncorporationLocalityName=1.3.6.1.4.1.311.60.2.1.1
> jurisdictionOfIncorporationStateOrProvinceName=1.3.6.1.4.1.311.60.2.1.2
> jurisdictionOfIncorporationCountryName=1.3.6.1.4.1.311.60.2.1.3
>
> Also, referring to this web page (from 2010):
> http://www.frank4dd.com/howto/openssl/add_oids_to_openssl.htm
>
> ...I looked in crypto/objects/objects.txt in the 1.0.1e source tree, and they were not listed in that file with other OIDs. I also looked at the 1.0.1f source tree with the same result.
>
> The issue I'm having is that they don't show up in the Subject line in the certificate when specified in the -subj string, while all other OIDs specified in the same -subj string do show up. They are just ignored, with no error message.

You have to expand the [ policy_default ] or other section of your choice with something similar to

jurisdictionOfIncorporationLocalityName = optional
jurisdictionOfIncorporationStateOrProvinceName = optional
jurisdictionOfIncorporationCountryName = optional

Walter