Alexey Kobozev wrote:

> > > Hi, All!
> > >
> > > I'm having a problem generating the certificate which can be
> > > used as a client certificate on Windows XP. The problem is that
> > > the client certificate must have the special MS's proprietary
> > > X509 V3 extension 'Certificate Template' with oid 1.3.6.1.4.1.311.20.2
> > > and has to be treated as a string (similar to nsComment, for example).
> > >
> > > I've tried to add it to oid_section in the openssl.cnf, but it
> > > doesn't work, because (afaik) these new oids are for the rvalue
> > > only - I need lvalue.
> > >
> > > So, the question is how can I add such a non-standard thing into
> > > the newly generated cert?
> >
> > Can you send me an example of a certificate with that extension.
>
> Sure. I've sent it to [EMAIL PROTECTED]
Thanks. The type of that extension is a BMPString not the IA5String that Netscape comment uses.

In this case if you do

openssl x509 -in a.cer -certopt ext_dump

you get (among other things)

1.3.6.1.4.1.311.20.2:
    0000 - 1e 08 00 55 00 73 00 65-00 72   ...U.s.e.r

So if you add the oid you should be able to do:

certTemplate=DER:1e:08:00:55:00:73:00:65:00:72

This isn't particularly friendly but it should work.

I might extend the unsupported extension syntax a bit so you can do things like:

certTemplate=BMPString:User

There's also an otherName extension in there which I've been meaning to add support for too...

Steve.
--
Dr Stephen N. Henson. http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED]
Senior crypto engineer, Gemplus: http://www.gemplus.com/
Core developer of the OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED] PGP key: via homepage.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
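Steve's answer hand-encodes the BMPString for "User" into the DER: form; the helper below is an added example (not code from the thread or from OpenSSL) that produces that line for any BMP text, including the long-form DER length that a value of 128 or more content bytes needs, and decodes an ext_dump hex line back to text so the issued certificate can be checked against the intended value. The OID and the name certTemplate come from the thread; the function names, and the assumption that ext_dump prints BIO_dump-style lines like the one quoted above, are this example's own.

```python
"""Encode a BMPString for an openssl.cnf arbitrary-extension line and decode
one back from 'openssl x509 -certopt ext_dump' output.

Added example, not from the thread or from OpenSSL.  The OID and the name
certTemplate are taken from the thread; everything else is this example's.
"""
import re

CERT_TEMPLATE_OID = "1.3.6.1.4.1.311.20.2"   # from the thread
BMPSTRING_TAG = 0x1E                          # universal ASN.1 tag for BMPString

# Hex field of one BIO_dump-style line, e.g.
#   "0000 - 1e 08 00 55 00 73 00 65-00 72   ...U.s.e.r"
# Bytes are separated by a space, or by '-' between the 8th and 9th byte.
_DUMP_LINE = re.compile(r"^\s*[0-9a-fA-F]{4} - ((?:[0-9a-fA-F]{2}[ -])*[0-9a-fA-F]{2})")


def der_length(n: int) -> bytes:
    """DER length octets: one byte below 128, else 0x80|count followed by the
    big-endian length bytes (e.g. 200 -> 81 c8)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def bmpstring_der(text: str) -> bytes:
    """Full TLV of a BMPString: tag 0x1e, DER length, UCS-2 big-endian content."""
    # BMPString only covers the Basic Multilingual Plane; a character that would
    # need a UTF-16 surrogate pair is not representable, so reject it outright.
    if any(ord(ch) > 0xFFFF for ch in text):
        raise ValueError("character outside the BMP cannot be a BMPString")
    content = text.encode("utf-16-be")
    return bytes([BMPSTRING_TAG]) + der_length(len(content)) + content


def openssl_der_value(text: str) -> str:
    """Right-hand side of an openssl.cnf extension line: DER:xx:xx:..."""
    return "DER:" + ":".join(f"{b:02x}" for b in bmpstring_der(text))


def config_line(name: str, text: str) -> str:
    """One line for the extension section, e.g. certTemplate=DER:1e:08:..."""
    return f"{name}={openssl_der_value(text)}"


def parse_bmpstring(der: bytes) -> str:
    """Inverse of bmpstring_der: check tag and length, return the text."""
    if len(der) < 2 or der[0] != BMPSTRING_TAG:
        raise ValueError("not a BMPString")
    first = der[1]
    if first < 0x80:
        length, off = first, 2
    else:
        n = first & 0x7F
        if n == 0 or len(der) < 2 + n:
            raise ValueError("bad DER length")
        length, off = int.from_bytes(der[2:2 + n], "big"), 2 + n
    if len(der) != off + length:
        raise ValueError("length does not match content")
    return der[off:].decode("utf-16-be")


def parse_ext_dump(dump: str) -> bytes:
    """Recover the raw extension bytes from ext_dump output lines."""
    out = bytearray()
    for line in dump.splitlines():
        m = _DUMP_LINE.match(line)
        if m:
            # bytes.fromhex ignores spaces, so only the '-' separator needs replacing
            out += bytes.fromhex(m.group(1).replace("-", " "))
    return bytes(out)


# The dump line quoted in the thread for the value "User".
THREAD_DUMP = "0000 - 1e 08 00 55 00 73 00 65-00 72   ...U.s.e.r"

if __name__ == "__main__":
    print(f"certTemplate={CERT_TEMPLATE_OID}")        # for the oid_section
    print(config_line("certTemplate", "User"))        # for the extension section
    print(parse_bmpstring(parse_ext_dump(THREAD_DUMP)))
```

The first printed line is the oid_section entry Steve means by "if you add the oid"; the second is the extension line itself. After issuing the certificate, feeding its ext_dump output for 1.3.6.1.4.1.311.20.2 through parse_ext_dump and parse_bmpstring should give back exactly the template name you encoded; a tag other than 0x1e or a length mismatch means the value did not land as a BMPString and the relying party may not recognise it.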