Thanks for the e-mail, Peter,


> Why don't you try to add some validity rules
> at the generation of the request?

I am afraid I don't really understand this idea.

> Who is generating the request? A client, or do you
> generate keys and requests in a server?

As is the point of X.509, a person from some other department at the
university generates his/her request, comes to my office with the diskette
and I, after looking at the person's employee ID, generate the sign. It
would be hard to ask somebody to go another 40 minutes to the other campus
just because the format is not nice enough according to me.

The case that I'm trying to solve now is even more confusing: the
'human-readable' part of the certificate request (generated with Microsoft's
something-i-don't-know-what) contains the expected information, but 'openssl
ca' displays something different.


> As a principle, once a certificate request is done,
> I strongly recommend not to modify it, but rather reject it,
> otherwise you might get problems with the user who has not asked
> exactly for that.

Oh, I think I can agree on it with my users. I have to talk to them in person
and, fortunately, I got The License To Kill... :-) I mean to do some minor
changes.

> It is even questionable whether you should add extensions
> about key usage or else.

Once again, thanks for your note.

Ivan Dolezal
VSB-Technical University of Ostrava


______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
