Hi,
I am trying to get PKINIT compliant X509 certificates according to
this:
""""""""""""""""""""""
Otherwise, if the certificate contains a SubjectAltName
       extension with a Kerberos name in the otherName field,
       it uses that name. The otherName field (of type AnotherName) in
       the SubjectAltName extension MUST contain the following:

The type-id is:

krb5PrincipalName OBJECT IDENTIFIER ::= { iso (1) org (3) dod (6) internet (1) security (5) kerberosv5 (2) 2 }

The value is:

KRB5PrincipalName ::= SEQUENCE {
    realm [0] Realm,
    principalName [1] PrincipalName
}
""""""""""""""""""""""""

This is taken from the latest draft of the PKINIT
(draft-ietf-cat-kerberos-pk-init-19.txt). So I read the thread regarding
the earlier draft of PKINIT and tried changing the openssl.cnf file in
the following way:
----------------------------
subjectAltName=otherName:1.3.6.1.5.2.2;SEQUENCE:princ_name

[princ_name]
realm = EXP:0, GeneralString:MY.REALM
principal_name = EXP:1, SEQUENCE:principal_seq

[principal_seq]
name_type = EXP:0, INTEGER:1
name_string = EXP:1, SEQWRAP, GeneralString:bob
----------------------------

But this doesn't work; it gives me the following errors when I try to
request a certificate.
----------------------------
Error Loading extension section v3_ca
15504:error:22075075:X509 V3 routines:v2i_GENERAL_NAME:unsupported option:v3_alt.c:436:name=otherName
15504:error:2206B080:X509 V3 routines:X509V3_EXT_conf:error in extension:v3_conf.c:92:name=subjectAltName, value=otherName:1.3.6.1.5.2;SEQUENCE:princ_name
----------------------------

So, I am wondering if there is anything wrong with the syntax I used.
Also, I am using openssl-0.9.7-stable-SNAP-20040520. I figured there
are two ways to get it working: first, using the above approach (but that
doesn't work), and now my last chance is to get the DER encoding and see if
that works. But I just wanted to ask for opinions. Any help will be
appreciated.

Regards,
- Mayur


Mayur Patel
Academic and Research Computing
Rensselaer Polytechnic Institute
Troy, NY 12180

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
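
The DER encoding mentioned in the message as the fallback can be derived by hand from the ASN.1 quoted from the draft. The sketch below is an added example, not part of the original post and not OpenSSL code; the function names are hypothetical, and the realm, principal and name-type are the sample values from the message.

```python
# Added example: hand-built DER for the KRB5PrincipalName otherName SAN.
KRB5_PRINCIPAL_NAME_OID = "1.3.6.1.5.2.2"  # type-id quoted from the draft

def tlv(tag: int, body: bytes) -> bytes:
    """One DER tag-length-value with a definite length."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(raw)]) + raw
    return bytes([tag]) + length + body

def oid(dotted: str) -> bytes:
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([arcs[0] * 40 + arcs[1]])  # first two arcs share a byte
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        while arc > 0x7F:                       # base-128, high bit = "more"
            arc >>= 7
            chunk.append(0x80 | (arc & 0x7F))
        body += bytes(reversed(chunk))
    return tlv(0x06, bytes(body))

def integer(value: int) -> bytes:
    """Non-negative INTEGER; the extra bit keeps the sign positive."""
    return tlv(0x02, value.to_bytes(value.bit_length() // 8 + 1, "big"))

def general_string(text: str) -> bytes:
    return tlv(0x1B, text.encode("ascii"))

def krb5_principal_name(realm: str, components: list, name_type: int = 1) -> bytes:
    """SEQUENCE { realm [0] Realm, principalName [1] PrincipalName }"""
    names = tlv(0x30, b"".join(general_string(c) for c in components))
    principal = tlv(0x30, tlv(0xA0, integer(name_type)) + tlv(0xA1, names))
    return tlv(0x30, tlv(0xA0, general_string(realm)) + tlv(0xA1, principal))

def subject_alt_name(realm: str, components: list) -> bytes:
    """GeneralNames holding one otherName: [0] { type-id, [0] EXPLICIT value }."""
    value = krb5_principal_name(realm, components)
    other_name = tlv(0xA0, oid(KRB5_PRINCIPAL_NAME_OID) + tlv(0xA0, value))
    return tlv(0x30, other_name)

if __name__ == "__main__":
    # Sample values taken from the configuration attempt in the message.
    print(subject_alt_name("MY.REALM", ["bob"]).hex())
```

The printed hex is the complete subjectAltName extension value; the inner KRB5PrincipalName starts at the `301e` sequence, which is where a mismatch in the EXPLICIT tags would show up when comparing against a certificate dump.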
