Dr S N Henson wrote:

> The best solution is to include extensions in the certificate request
> and have the 'ca' program add them. There are all sorts of things which
> might appear in there other than subjectAltName, such as requesting
> certain keyUsage bits (e.g. signing only) or extended key usage values.
> Unfortunately the highly variable syntax for these extensions makes it
> hard to just prompt for their values in a general way. One possible
> solution would be to use a scripting language (e.g. perl) to build up a
> config file based on the values and use that to generate the request.
> 

It's also possible to define a plug-in interface that allows users
to add and register extension handlers.
The ca command may parse an extensions configuration file that contains
(for each supported extension) 2 plug-ins.
A view-plug-in can be defined as a perl script that
receives the DER encoded extension and that outputs it in a
user-readable format.
In the same way an input-plug-in can be defined to request all
information from the user and output a DER representation of the object.

Instead of a configuration file it is also possible to use a directory
containing all plug-ins with the following naming convention:

ext-plugins/
        <OID>-view.pl
        <OID>-input.pl

What do you think about it?
--
FERDINANDO RICCHIUTI
Research & Development

CSP s.c. a r.l. 
____________________________________________
Villa Gualino
Viale Settimo Severo, 63 - 10133 Torino [IT]

e-mail           [EMAIL PROTECTED]
mob                       +39 (0)348 6023959
tel                       +39  (0)11 3165401
____________________________________________
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
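
Added example (not part of the original thread, and not OpenSSL project code): the quoted suggestion of building a request config file from collected values, sketched in Python instead of perl. The function names, the allow-list patterns and the sample values are assumptions of this example; each value is validated before it is written so that a prompted string cannot add its own lines or sections to the file.

```python
import ipaddress
import re

KEY_USAGE = {"digitalSignature", "nonRepudiation", "keyEncipherment",
             "dataEncipherment", "keyAgreement", "keyCertSign", "cRLSign",
             "encipherOnly", "decipherOnly"}
EXT_KEY_USAGE = {"serverAuth", "clientAuth", "codeSigning",
                 "emailProtection", "timeStamping", "OCSPSigning"}
# Conservative allow-lists (an assumption of this example): a prompted value
# must not carry a newline, comma, '#', '$' or '[' into the generated file.
DNS_RE = re.compile(r"(\*\.)?[A-Za-z0-9-]{1,63}(\.[A-Za-z0-9-]{1,63})*")
EMAIL_RE = re.compile(r"[A-Za-z0-9._+-]+@[A-Za-z0-9.-]+")
CN_RE = re.compile(r"[A-Za-z0-9 ._*-]{1,64}")

def san_line(kind, value, index):
    if kind == "DNS" and DNS_RE.fullmatch(value):
        return f"DNS.{index} = {value}"
    if kind == "email" and EMAIL_RE.fullmatch(value):
        return f"email.{index} = {value}"
    if kind == "IP":
        return f"IP.{index} = {ipaddress.ip_address(value)}"  # ValueError if malformed
    raise ValueError(f"rejected subjectAltName entry {kind}:{value!r}")

def build_req_config(common_name, sans, key_usage=(), ext_key_usage=()):
    if not CN_RE.fullmatch(common_name):
        raise ValueError("rejected commonName")
    for names, allowed in ((key_usage, KEY_USAGE), (ext_key_usage, EXT_KEY_USAGE)):
        unknown = set(names) - allowed
        if unknown:
            raise ValueError(f"unknown usage value(s): {sorted(unknown)}")
    counters, alt = {}, []
    for kind, value in sans:
        counters[kind] = counters.get(kind, 0) + 1  # DNS.1, DNS.2, IP.1, ...
        alt.append(san_line(kind, value, counters[kind]))
    out = ["[ req ]", "prompt = no", "distinguished_name = req_dn",
           "req_extensions = v3_req", "", "[ req_dn ]", f"CN = {common_name}",
           "", "[ v3_req ]"]
    if alt:
        out.append("subjectAltName = @alt_names")
    if key_usage:
        out.append("keyUsage = " + ", ".join(key_usage))
    if ext_key_usage:
        out.append("extendedKeyUsage = " + ", ".join(ext_key_usage))
    if alt:
        out += ["", "[ alt_names ]"] + alt
    return "\n".join(out) + "\n"

if __name__ == "__main__":  # constructed sample values
    print(build_req_config("www.example.test", [("DNS", "www.example.test")], ["digitalSignature"]))
```

The returned text can be written to a file and passed to `openssl req -new -config <file> -key <key> -out <csr>`. The 'ca' side only honours request extensions when its own configuration copies them (`copy_extensions`), so the CA still decides what ends up in the certificate.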
