Sorry to bother the list:

> 
> > Why don't you try to add some validity rules
> > at the generation of the request?
> 
> I am afraid I don't really understand this idea.
There is some software used by the user to generate the
request, so somehow the user adds a DN or whatever else
attribute, and maybe even the extensions. 

This software can provide for some kind of validity checking.

> 
> > Who is generating the request? A client, or do you
> > generate keys and requests in a server?

There are people who consider that letting a user generate
a private key by whatever obscure and uncontrollable piece
of software isn't a nice idea, and prefer to create them
centrally in a controlled area. It's not the place here
to discuss the benefits of any approach. 

If you do it centrally, then you probably also have a 
centrally managed server to handle the RA functionality,
this 'service' can have validity checking rules.

> 
> As is the point of X.509, a person from some other department at the
> university generates his/her request, comes to my office with the diskette
> and I, after looking at the person's employee ID, generate the sign. It
> would be hard to ask somebody to go another 40 minutes to the other campus
> just because the format is not nice enough according to me.

You could consider creating a complete pkcs12 file importable by
any browser containing the key pair and additional CA certs. Which
might be an advantage because users get motivated to the idea of
carrying around 'a token' usable in more than one place. 

> 
> The case that I'm trying to solve now, is even more confusing: the
> 'human-readable' part of the certificate request (generated with Microsoft's
> something-i-don't-know-what) contains an expected information, but 'openssl
> ca' displays something different.
As I said: Obscure :-)

> > As a principle, once a certificate request is done,
> > I strongly recommend not to modify it, but rather reject it,
> > otherwise you might get problems with the user who has not asked
> > exactly for that.
> 
> Oh, I think I can agree it with my users. I have to talk to them in person
> and, fortunately, I got The License To Kill... :-) I mean to do some minor
> changes.

I am not sure whether this works with ca, but you might try to
- extract the DN information from the request
- allow you to modify it and do this as necessary
- set all DN attributes in environment variables or write a specific config file
  where you set the values using the xxx_value options.
- run ca pointing the right config file and section.

This depends on what interface you are using to do the certification.

> 
> > It is even questionable whether you should add extensions
> > about key usage or else.
> 
> Once again, thanks for your note
You are welcome.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
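As an added example (not code from this thread or from OpenSSL itself), here is a small Python check of a request DN against a ca-style policy section (match / supplied / optional), the kind of validity rule the reply above suggests applying before signing instead of editing the request. It assumes the subject line was produced by an older `openssl req -noout -subject -in req.pem` in the slash-separated form, and it mirrors how `openssl ca` drops attributes the policy does not list unless -preserveDN is given.

```python
import re

# Constructed sample: the subject line as printed by an older
# "openssl req -noout -subject -in req.pem" (legacy /C=../O=.. form).
SAMPLE_SUBJECT = ("subject=/C=ES/O=Example University/OU=Physics"
                  "/CN=Jane Doe/emailAddress=jane@example.edu")

# The CA's own DN and a ca-style policy section (assumed values).
CA_DN = {"C": "ES", "O": "Example University"}
POLICY = {"C": "match", "O": "match", "OU": "optional",
          "CN": "supplied", "emailAddress": "optional"}

def parse_subject(line):
    """Turn 'subject=/C=ES/O=..' into an ordered list of (attr, value)."""
    body = line.split("=", 1)[1].strip() if line.startswith("subject=") else line.strip()
    if not body.startswith("/"):
        raise ValueError("expected legacy slash-separated subject")
    rdns = []
    for part in re.split(r"(?<!\\)/", body)[1:]:   # split on unescaped '/'
        if "=" not in part:
            raise ValueError("malformed RDN: %r" % part)
        attr, value = part.split("=", 1)
        rdns.append((attr, value.replace("\\/", "/")))
    return rdns

def check_request_dn(rdns, policy, ca_dn, preserve=False):
    """Apply ca-style policy rules. Returns (problems, effective_dn).

    An empty problems list means the request may be signed as-is;
    otherwise reject it and tell the requester what to change."""
    problems, effective = [], []
    present = dict(rdns)
    for attr, rule in policy.items():
        if rule == "match" and present.get(attr) != ca_dn.get(attr):
            problems.append("%s must match CA value %r, got %r"
                            % (attr, ca_dn.get(attr), present.get(attr)))
        elif rule == "supplied" and attr not in present:
            problems.append("%s is required but missing" % attr)
    for attr, value in rdns:
        if attr in policy:
            if not value.strip():
                problems.append("%s is empty" % attr)
            effective.append((attr, value))
        elif preserve:
            effective.append((attr, value))
        # else: attribute not in the policy is dropped, as ca does without -preserveDN
    return problems, effective
```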