Dear readers
I'm trying to create certificates with OpenSSL that can be used to log into a Windows
Domain. I've read the Microsoft Knowledge Base Article 281245 and the discussions on
this list in the past. I'm using OpenSSL 0.9.8-dev from Snapshot 2004-09-23.
First I set
    extendedKeyUsage = clientAuth, 1.3.6.1.4.1.311.20.2.2
    subjectAltName = otherName:1.3.6.1.4.1.311.20.2.3;UTF8:[EMAIL PROTECTED]
in the openssl.cnf and created a certificate. But when I look into this certificate
with 'openssl x509 -text -in cert.pem' I always get the X.509v3 extensions:
    X509v3 extensions:
        X509v3 Basic Constraints:
            CA:FALSE
        Netscape Cert Type:
            SSL Client, S/MIME, Object Signing
        Netscape Comment:
            TinyCA Generated Certificate
        X509v3 Subject Key Identifier:
            5F:29:73:D3:FA:F7:D2:1C:AF:01:14:F9:42:E9:55:E7:BD:C5:79:46
        X509v3 Authority Key Identifier:
            keyid:AC:33:F9:79:21:E5:1C:28:B2:CC:F5:CB:B6:4E:B8:D4:F4:E9:19:76
            DirName:/C=DE/O=Test Company/CN=Test CA
            serial:EA:0A:F4:63:99:40:2E:1F
        X509v3 Issuer Alternative Name:
            <EMPTY>
        X509v3 Subject Alternative Name:
            othername:<unsupported>
        X509v3 Key Usage:
            Digital Signature, Key Encipherment
        X509v3 Extended Key Usage:
            TLS Web Client Authentication, Microsoft Smartcardlogin
The Subject Alternative Name is always "othername:<unsupported>".
Since I read that the above subjectAltName should be possible with OpenSSL 0.9.8-dev,
I'm not sure what I'm doing wrong.
Any help is welcome.
Best regards
Ulf
_______________________________
Ulf Leichsenring
Lufthansa Systems AS GmbH
Schützenwall 1
D-22844 Norderstedt
Tel: +49 40 5070 7859
Mobil: +49 172 4037882
mailto:[EMAIL PROTECTED]
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
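
Added example, not part of the original post and not OpenSSL code: the X509v3 text printer in OpenSSL of this era prints every otherName as "othername:<unsupported>" without looking at its content, so the -text output cannot show whether the UPN was encoded. The Python below decodes a subjectAltName value (the GeneralNames SEQUENCE) directly and returns any UPN it holds; the function names, the sample bytes and user@example.test are assumptions constructed for this example.

```python
# Added example: extract the Microsoft UPN otherName from subjectAltName DER.
UPN_OID = "1.3.6.1.4.1.311.20.2.3"  # OID from the post's subjectAltName line

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        if n == 0 or n > 4:
            raise ValueError("unsupported DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def decode_oid(body):
    """Decode OBJECT IDENTIFIER content octets to dotted notation."""
    arcs, value = [], 0
    for byte in body:
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:                 # last octet of this arc
            arcs.append(value)
            value = 0
    first = min(arcs[0] // 40, 2)
    return ".".join(map(str, [first, arcs[0] - 40 * first] + arcs[1:]))

def upn_from_san(san_der):
    """Return the UPN strings found in a GeneralNames SEQUENCE."""
    tag, names, _ = read_tlv(san_der, 0)
    if tag != 0x30:
        raise ValueError("subjectAltName is not a SEQUENCE")
    found, pos = [], 0
    while pos < len(names):
        tag, body, pos = read_tlv(names, pos)
        if tag != 0xA0:                     # only [0] otherName; skip the rest
            continue
        t1, oid, nxt = read_tlv(body, 0)    # type-id OBJECT IDENTIFIER
        t2, wrapped, _ = read_tlv(body, nxt)  # [0] EXPLICIT value
        t3, text, _ = read_tlv(wrapped, 0)  # UTF8String inside the wrapper
        if (t1, t2, t3) == (0x06, 0xA0, 0x0C) and decode_oid(oid) == UPN_OID:
            found.append(text.decode("utf-8"))
    return found

_NAME = b"user@example.test"                # constructed value, 17 bytes
# Constructed SAN: otherName(UPN, UTF8String) followed by an rfc822Name.
SAMPLE_SAN = (bytes.fromhex("3036a021060a2b060104018237140203a0130c11")
              + _NAME + bytes.fromhex("8111") + _NAME)

if __name__ == "__main__":
    print(upn_from_san(SAMPLE_SAN))
```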