Thanks, Charles! This completely clears things up for me.

AWESOME!


--- Charles B Cranston <[EMAIL PROTECTED]> wrote:

> > Could someone be so kind as to post examples of their
> > extfile or extensions section?
> 
> Here's an example of a shell script that generates an entire
> PKI: root, two intermediates, and one SSL (server) end user.
> 
> This is one of about 35 of these I did trying to figure out
> why the IBM HTTP Server and the Novell eDirectory LDAP server
> didn't like my original PKI design for my campus.
> 
> #! /bin/sh
> 
> # Test17 with KeyUsage extension in server cert marked as critical (was hyp1)
> 
> OPENSSL="/usr/bin/openssl"
> CONFFILE=conf.$$
> SNUMFILE=snum.$$
> CAV="18"
> 
> # Generate the Root certificate
> 
> cat <<@eof >$CONFFILE
> oid_section = addoid
> [addoid] # our local object IDs
> umCPS = 1.3.6.1.4.1.99999.1.2.1
> [req] # openssl req params
> prompt = no
> distinguished_name = dn-param
> x509_extensions = extend
> [dn-param] # DN fields
> C = US
> ST = Maryland
> O = University of Maryland
> OU = College Park Campus
> CN = University of Maryland Root CA $CAV
> 1.DC = umd
> 2.DC = edu
> emailAddress = [EMAIL PROTECTED]
> [extend] # openssl extensions
> subjectAltName = "DNS:umd.edu","email:[EMAIL PROTECTED]"
> issuerAltName  = "DNS:umd.edu","email:[EMAIL PROTECTED]"
> subjectKeyIdentifier = hash
> authorityKeyIdentifier = keyid:always
> basicConstraints = critical,CA:true
> keyUsage = keyCertSign,cRLSign
> nsCertType = sslCA,emailCA,objCA
> nsComment = "See http://cert.umd.edu/root for details."
> certificatePolicies = ia5org,@policy
> [policy] # certificate policy extension data
> policyIdentifier = umCPS
> CPS = "http://cert.umd.edu/certpolicy";
> @eof
> 
> $OPENSSL req -config $CONFFILE -x509 -sha1 -newkey rsa:2048 -days 365 \
>           -passout pass:aaaaa -keyout root.key.pem -out root.cert.pem
> 
> # Generate the Intermediate certificate
> # sort of sneaky use same file for config and extensions
> 
> cat <<@eof >$CONFFILE
> # openssl x509 extfile params
> extensions = extend
> [req] # openssl req params
> prompt = no
> distinguished_name = dn-param
> [dn-param] # DN fields
> C = US
> ST = Maryland
> O = University of Maryland
> OU = College Park Campus
> CN = University of Maryland Inter $CAV
> 1.DC = umd
> 2.DC = edu
> emailAddress = [EMAIL PROTECTED]
> [extend] # openssl extensions
> subjectAltName = "DNS:umd.edu","email:[EMAIL PROTECTED]"
> issuerAltName  = "DNS:umd.edu","email:[EMAIL PROTECTED]"
> subjectKeyIdentifier = hash
> authorityKeyIdentifier = keyid:always
> basicConstraints = critical,CA:true
> keyUsage = keyCertSign,cRLSign
> nsCertType = sslCA,emailCA,objCA
> nsComment = "See http://cert.umd.edu/inter for details."
> certificatePolicies = ia5org,@policy
> [policy] # certificate policy extension data
> policyIdentifier = 1.3.6.1.4.1.99999.1.2.1
> CPS = "http://cert.umd.edu/certpolicy";
> @eof
> 
> echo 01 >$SNUMFILE
> 
> $OPENSSL req -config $CONFFILE \
>     -newkey rsa:2048 -passout pass:bbbbb -keyout inter.key.pem |
> 
> $OPENSSL x509 -req -sha1 -extfile $CONFFILE \
>     -CAserial $SNUMFILE -days 364 -passin pass:aaaaa \
>     -CA root.cert.pem -CAkey root.key.pem -out inter.cert.pem
> 
> # Generate the server certificate signing certificate
> # sort of sneaky use same file for config and extensions
> 
> cat <<@eof >$CONFFILE
> # openssl x509 extfile params
> extensions = extend
> [req] # openssl req params
> prompt = no
> distinguished_name = dn-param
> [dn-param] # DN fields
> C = US
> ST = Maryland
> O = University of Maryland
> OU = College Park Campus
> CN = University of Maryland SSL Signing $CAV
> 1.DC = umd
> 2.DC = edu
> emailAddress = [EMAIL PROTECTED]
> [extend] # openssl extensions
> subjectAltName = "DNS:umd.edu","email:[EMAIL PROTECTED]"
> issuerAltName  = "DNS:umd.edu","email:[EMAIL PROTECTED]"
> subjectKeyIdentifier = hash
> authorityKeyIdentifier = keyid:always
> basicConstraints = critical,CA:true
> keyUsage = keyCertSign,cRLSign
> extendedKeyUsage = clientAuth,serverAuth
> nsCertType = sslCA
> nsComment = "See http://cert.umd.edu/ssign for details."
> certificatePolicies = ia5org,@policy
> [policy] # certificate policy extension data
> policyIdentifier = 1.3.6.1.4.1.99999.1.2.1
> CPS = "http://cert.umd.edu/certpolicy";
> @eof
> 
> echo 02 >$SNUMFILE
> 
> $OPENSSL req -config $CONFFILE \
>     -newkey rsa:2048 -passout pass:ccccc -keyout ssign.key.pem |
> 
> $OPENSSL x509 -req -sha1 -extfile $CONFFILE \
>     -CAserial $SNUMFILE -days 363 -passin pass:bbbbb \
>     -CA inter.cert.pem -CAkey inter.key.pem -out ssign.cert.pem
> 
> # Generate a server certificate from CSR in csr.pem
> 
> cat <<@eof >$CONFFILE
> extensions = extend
> [extend] # openssl extensions
> subjectAltName = email:[EMAIL PROTECTED]
> issuerAltName = "DNS:umd.edu","email:[EMAIL PROTECTED]"
> subjectKeyIdentifier = hash
> authorityKeyIdentifier = keyid:always
> basicConstraints = critical,CA:false
> keyUsage = critical,Key Encipherment
> extendedKeyUsage = serverAuth, clientAuth
> nsCertType = SSL Server
> nsComment = "See http://cert.umd.edu/server for details."
> certificatePolicies = ia5org,@policy
> [policy] # certificate policy extension data
> policyIdentifier = 1.3.6.1.4.1.4305.1.2.1
> CPS = "http://cert.umd.edu/certpolicy";
> @eof
> 
> echo 13 >$SNUMFILE
> 
> $OPENSSL x509 -req -sha1 -extfile $CONFFILE -in csr.pem \
>     -CAserial $SNUMFILE -days 362 -passin pass:ccccc \
>     -CA ssign.cert.pem -CAkey ssign.key.pem -out server.cert.pem
> 
> rm $CONFFILE $SNUMFILE
> 
> 
> 
=== message truncated ===
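Added example, not Charles's script and not OpenSSL project code: the same "req -x509" for the root and "req | x509 -req -extfile" for everything below it, cut down to root, intermediate and server leaf, followed by the checks that tell you whether the result will actually be accepted (the leaf verifies for the sslserver purpose through the intermediate, fails without it, and carries the critical keyUsage the extfile asked for). It assumes an openssl binary on PATH; organisation, hostname and file names are made up, and it uses sha256 and throwaway unencrypted keys (-nodes) rather than the post's sha1 and "-passout pass:" on the command line.

```shell
# Added example (not the quoted script): root -> intermediate -> server with one
# config file per cert that serves both "req -config" and "x509 -extfile", as in the
# post, then "openssl verify" checks. Names are hypothetical; keys are throwaway.
set -e
OPENSSL=${OPENSSL:-openssl}; WORK=$(mktemp -d)
# $1 = base name (also used in the CN), $2 = extension lines for the [extend] section
mkconf() {
    cat <<EOF >"$WORK/$1.conf"
extensions = extend
[req]
prompt = no
distinguished_name = dn
x509_extensions = extend
[dn]
CN = Example $1
[extend]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
$2
EOF
}
build_chain() {
    cd "$WORK"
    mkconf root "basicConstraints = critical,CA:true
keyUsage = critical,keyCertSign,cRLSign"
    $OPENSSL req -config root.conf -x509 -sha256 -newkey rsa:2048 -nodes -days 365 \
        -keyout root.key.pem -out root.cert.pem
    # pathlen:0 keeps the intermediate from issuing further CA certificates
    mkconf inter "basicConstraints = critical,CA:true,pathlen:0
keyUsage = critical,keyCertSign,cRLSign"
    $OPENSSL req -config inter.conf -newkey rsa:2048 -nodes -keyout inter.key.pem |
    $OPENSSL x509 -req -sha256 -extfile inter.conf -CAcreateserial -days 364 \
        -CA root.cert.pem -CAkey root.key.pem -out inter.cert.pem
    mkconf server "basicConstraints = critical,CA:false
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:www.example.org"
    $OPENSSL req -config server.conf -newkey rsa:2048 -nodes -keyout server.key.pem |
    $OPENSSL x509 -req -sha256 -extfile server.conf -CAcreateserial -days 363 \
        -CA inter.cert.pem -CAkey inter.key.pem -out server.cert.pem
}
# Validate the leaf for the sslserver purpose. Extra arguments go to openssl verify,
# so "verify_leaf -untrusted inter.cert.pem" succeeds while plain "verify_leaf" must fail.
verify_leaf() {
    $OPENSSL verify -CAfile "$WORK/root.cert.pem" -purpose sslserver "$@" "$WORK/server.cert.pem"
}
# Did the critical keyUsage written in the extfile actually land in the leaf?
leaf_keyusage_critical() {
    $OPENSSL x509 -in "$WORK/server.cert.pem" -noout -text | grep -q "Key Usage: critical"
}
```

Run build_chain first, then verify_leaf with and without "-untrusted $WORK/inter.cert.pem"; the second call failing is the point, since that is what a server handed only the leaf and root would see.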


______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
