I want to add an Object ID to certificates, to offer a unique user id which
will show up in the Subject field of the Certificate.
In this case I have chosen the OID from the original X500 tree
0.9.2342.19200300.100.1.1 as user id.
Having read the documentation (but perhaps not understanding it all?) I went
off to modify my openssl.cnf file as follows:
Add the OID in the appropriate section:
[ new_oids ]
# We can add new OIDs in here for use by 'ca' and 'req'.
# Add a simple OID like this:
# testoid1=1.2.3.4
# Or use config file substitution like this:
# testoid2=${testoid1}.5.6
uid=0.9.2342.19200300.100.1.1
Add uid to the list of requested data:
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = AU
countryName_min = 2
countryName_max = 2
....... Deleted several lines here !
commonName = Common Name (eg, YOUR name)
commonName_max = 64
uid = UID:[Fred]
uid_max = 40
emailAddress = Email Address
emailAddress_max = 40
I then generate a CA key:
bin/openssl genrsa -des3 -out private/CAkey.pem -rand ./random-bits.txt 1024
Note: I just created random-bits.txt with vi, selecting insert, bashing the
keyboard for a while and saving. OK for a test I think.
Then self sign it:
bin/openssl req -new -x509 -days 3650 -key ./private/CAkey.pem -out ./private/CAcert.pem
The data requested included my "uid" addition - so it looks good and a cert
is written!
I moved the cert to NT and named it CAcert.crt where it is easily viewable
and it shows the following in the subject field:
Subject ............
E = test@test
0.9.2342.19200300.100.1.1 = test_123456
CN = Test CA
OU = Test unit
O = Test
L = London
S = GLC
C = GB
Great, the CAcert has my uid OID shown.
That's the success bit, now for the failure:
I generated a key for user Test1:
bin/openssl genrsa -out certs/test1.key -rand ./random-bits.txt 1024
Then generated the cert request:
openssl req -new -key certs/test1.key -out certs/test1.req
The data requested included my "uid" addition - so again it looked good!
Then get the CA to sign it:
openssl ca -policy policy_anything -out certs/test1.crt -infiles certs/test1.req
The dialog produced is shown below, and it has my uid field as entered!
Signature ok
The Subjects Distinguished Name is as follows
countryName :PRINTABLE:'GB'
stateOrProvinceName :PRINTABLE:'GLC'
localityName :PRINTABLE:'London'
organizationName :PRINTABLE:'Test'
organizationalUnitName:PRINTABLE:'Test1'
commonName :PRINTABLE:'test1'
uid :T61STRING:'test1_98765432'
emailAddress :IA5STRING:'test1@test'
Certificate is to be certified until Jul 17 16:26:17 2002 GMT (365 days)
Sign the certificate? [y/n]:y
But the certificate written out has no "uid:T61STRING:'test1_98765432'" or
the numeric OID 0.9.2342.19200300.100.1.
The Subject on the Test1 certificate only has the following:
E = test1@test
CN = test1
OU = Test1
O = Test
L = London
S = GLC
C = GB
I seem so close but yet so far away.
Any help is welcome - what am I missing?
Thanks
Keith McAlister
Logica
Financial Services, UK
tel: +44 (0)20 7446 65050
mobile: +44 (0) 7788916740
fax: +44 (0) 2076743566
http://www.logica.com
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
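Added example, not part of the original post and not OpenSSL project code: a small Python parser for the openssl.cnf sections involved, with a check for which request DN fields `openssl ca -policy <section>` will discard. It relies on the documented policy-section behaviour of `openssl ca` (a DN field not mentioned in the selected policy section is silently deleted from the issued certificate unless -preserveDN is used); the sample config, including the corrected `policy_with_uid` section, is constructed here to mirror the post.

```python
# Added example (not from the original post): parse the openssl.cnf sections
# involved and report DN fields that "openssl ca" drops because the chosen
# policy section does not list them (documented policy-format behaviour).
import re

# Constructed sample mirroring the post: uid is defined and requested, but the
# stock policy_anything stanza was not updated. policy_with_uid is the fix.
SAMPLE_CNF = """[ new_oids ]
uid = 0.9.2342.19200300.100.1.1

[ req_distinguished_name ]
countryName  = Country Name (2 letter code)
commonName   = Common Name (eg, YOUR name)
uid          = UID:[Fred]
uid_max      = 40
emailAddress = Email Address

[ policy_anything ]
countryName  = optional
commonName   = supplied
emailAddress = optional

[ policy_with_uid ]
countryName  = optional
commonName   = supplied
uid          = optional
emailAddress = optional
"""

# Suffixes "openssl req" understands on DN prompt entries; not DN fields.
_MODIFIERS = ("_default", "_min", "_max", "_value")

def parse_cnf(text):
    """Return {section: {key: value}} for a simple openssl.cnf (no includes)."""
    sections, current = {}, None
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()          # drop comments/blank
        m = re.match(r"^\[\s*(\S+)\s*\]$", line)
        if m:
            current = sections.setdefault(m.group(1), {})
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip()
    return sections

def dn_fields(cnf, section="req_distinguished_name"):
    return [k for k in cnf[section] if not k.endswith(_MODIFIERS)]  # prompted attrs

def dropped_by_ca(cnf, policy):
    return [f for f in dn_fields(cnf) if f not in cnf[policy]]  # deleted on signing
```

Running `dropped_by_ca(parse_cnf(SAMPLE_CNF), "policy_anything")` flags `uid` as the field the CA will strip, while `policy_with_uid` keeps it.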