I am trying to use OpenSSL as a CA but am running into some problems. I am using the openssl.cnf and CA.sh to configure and run it. Here are the issues I've come across.

1) Email usage in DN and subjectAltName

I would like to put a person's email address in the subjectAltName but NOT have it appear in the subject DN. What do I need to put in the openssl.cnf file or modify in the CA.sh file to do this?

2) Different Issuer and Subject DN paths

I would like the Issuer DN to be of the form:

    c=US, o=My Org, cn=My Root CA

while the Subject DN is of the form:

    c=US, o=My Org, ou=My Root CA, cn=Jane Doe

(Note the difference between "cn=My Root CA" and "ou=My Root CA".)

The only way I can think of to do this would be:

    1) modify openssl.cnf to use the Issuer DN format above
    2) generate the CA root private key/certificate
    3) modify openssl.cnf to use the Subject DN format above

Is there a simpler way that will not require modification of the openssl.cnf file after the CA cert has been self-signed?

3) Serial number as MD5 hash of Public Key

I would like to use an MD5 hash of the Public Key in a cert request as the serial number rather than incrementing from the last issued serial number. Is there some way to specify this? Will this require modifying the CA.sh script to make a call (or two) to OpenSSL that will parse the cert req and write the hash of the public key to the serial file before the cert signing takes place?

4) IPSEC extended attributes

This question may be more appropriate for the -dev list, but I'll ask here while I'm at it. I would like to include some Extended Key Usage attributes in the certificates. I have found a number of the ones I need in crypto/objects/object.h, including clientAuth, emailProtection, and msEFS (part of the PKIX Part 1 draft). However, a number of the PKIX extended key usage attributes are missing: ipsecEndSystem, ipsecTunnel, and ipsecUser. Is there a reason why they are not included in the header files? Will they be there in a future release? In the meantime, I have specified OIDs for these missing attributes in the openssl.cnf file. Is this the appropriate way to go about doing this?

Answers to any of these questions would be greatly appreciated.

Best Regards.
-brahm

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
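The CA setup that questions 1, 2 and 4 describe, as an added example that is not part of the original post or of the OpenSSL CA.sh script. It assumes the openssl CLI is installed; the DNs, file names and email address are constructed. The email stays in the request DN, is removed from the issued subject DN by email_in_dn = no and is copied into the subjectAltName by email:copy; the issuer and subject DNs are supplied with -subj, so the config file is not edited between the CA and user steps; the three PKIX IPsec extended key usage values are given as numeric OIDs, as the post does.

```shell
#!/bin/sh
# Added example (not from the original post). Throwaway CA in a temp dir;
# names, DNs and the email address are constructed. Needs the openssl CLI.
set -e
WORK=$(mktemp -d); cd "$WORK"
mkdir newcerts; : > index.txt; echo 01 > serial
cat > ca.cnf <<'EOF'
[ ca ]
default_ca = demo_ca
[ demo_ca ]
dir           = .
database      = $dir/index.txt
new_certs_dir = $dir/newcerts
serial        = $dir/serial
certificate   = $dir/ca.pem
private_key   = $dir/ca.key
default_md    = sha256
default_days  = 30
policy        = demo_policy
# keep emailAddress out of the issued subject DN (same as ca -noemailDN)
email_in_dn   = no
x509_extensions = user_ext
[ demo_policy ]
countryName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ user_ext ]
basicConstraints = CA:FALSE
# copy emailAddress from the request DN into the SAN instead
subjectAltName = email:copy
# clientAuth, emailProtection, then ipsecEndSystem, ipsecTunnel, ipsecUser by OID
extendedKeyUsage = clientAuth, emailProtection, 1.3.6.1.5.5.7.3.5, 1.3.6.1.5.5.7.3.6, 1.3.6.1.5.5.7.3.7
[ req ]
distinguished_name = req_dn
[ req_dn ]
commonName = Common Name (unused: the DN is passed with -subj)
EOF
# Issuer DN and subject DN come from -subj; ca.cnf is the same for both steps.
openssl req -new -x509 -config ca.cnf -newkey rsa:2048 -nodes -days 30 \
  -keyout ca.key -out ca.pem -subj "/C=US/O=My Org/CN=My Root CA" 2>/dev/null
openssl req -new -config ca.cnf -newkey rsa:2048 -nodes -keyout jane.key -out jane.csr \
  -subj "/C=US/O=My Org/OU=My Root CA/CN=Jane Doe/emailAddress=jane@example.com" 2>/dev/null
openssl ca -batch -config ca.cnf -notext -in jane.csr -out jane.pem 2>/dev/null
# Inspect the result: the subject has no emailAddress, the SAN carries it.
issued_subject() { openssl x509 -in "$WORK/jane.pem" -noout -subject -nameopt RFC2253; }
issued_issuer()  { openssl x509 -in "$WORK/jane.pem" -noout -issuer -nameopt RFC2253; }
issued_text()    { openssl x509 -in "$WORK/jane.pem" -noout -text; }
issued_issuer; issued_subject; issued_text | grep -A1 'Alternative Name'
```

Older OpenSSL builds that lack the ipsec names print those three EKU values in dotted form in the -text output; current builds print them by name.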