"Hellan,Kim KHE" wrote:
> 
> >You supply the relevant certificate(s) or requests in the X509V3_CTX
> >structure using X509V3_set_ctx().
> 
> Works great.... and I finally found out what X509V3_CTX is for :-)
> A small "practical" problem:
> When creating a CA certificate I'm not sure how to add
> authorityKeyIdentifier to this cert, since X509V3_set_ctx() takes a X509*.
> But I don't have a X509* yet, as the CA cert is self-signed and I'm in the
> process of creating it.
> All I have at that moment is the private/public key.
> Any ideas?
> 

You can feed in the incomplete X509 structure and it will use that.
Typically you will only add extensions just before you actually sign the
certificate then almost everything is in the certificate and the
extension code can access it.

For authorityKeyIdentifier you should also add the
subjectKeyIdentifier extension first if you intend to copy the value
from that.

> >> I would, however, like to add a crlReason extension
> >For CRL reason the structure is ASN1_ENUMERATED.
> 
> Thanks....it worked.
> Just curious.....
> All these different ways of creating extensions, is it something that you
> just know by experience or is there some way even I can figure out what
> approach to use?
> I seem to get stuck every time I'm trying to handle a new extension.
> 

Well I have an unfair advantage: I wrote that code :-) You can get a
fair idea by checking the various source files in crypto/x509v3. Most of
the extensions are very similar; it's just that you've picked three
different types which each have to be handled differently.

Steve.
-- 
Dr Stephen N. Henson.   http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED] 
Senior crypto engineer, Celo Communications: http://www.celocom.com/
Core developer of the   OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED] PGP key: via homepage.


______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
