You know I started by trying to add extensions but I
could not figure out how to get x509 to accept them.

Our company has OIDs assigned; I thought that by using
the oids_section = new_oids, I could make this work.

I would love to use extensions, is there a way to do
this without modifying the openssl code? Also, since
I'm accepting a cert request from outside, what section
do I put the extensions in? My thinking was x509 when
I take the cert request to create and sign the new
certificate?

It would be helpful to have an example to work with.

Thanks again Charles, I'll figure this thing out
sooner or later. OH, I'll grab the new docs and see
what juicy morsels can be found!


--- Charles Cranston <[EMAIL PROTECTED]> wrote:

> OK, the problem you will run into is that the Certificate
> Signing Request (CSR) is a DN and Public Key combination
> that is signed by the private key.  Since this is done by
> your client, you will not have access to the private key.
> 
> The OpenSSL software, as written, uses this signing as
> proof that the person making the request in fact has the
> private key.  This is to keep just anybody from trying
> to attach their name to a public key they might find on
> the net.
> 
> The problem is that you are trying to change the DN,
> which to the software "looks like" you are (might be)
> changing the name to refer to a different person.
> In fact, you are not, you are instead adding information
> without changing the identity, but the software is
> stupid and doesn't know that.
> 
> It is my belief that you could write a program calling
> the OpenSSL library to do signing with changes to the DN,
> the source code to the OpenSSL command line tools would
> give you a start on such a task.
> 
> Alternatively, you could modify the source code to the
> OpenSSL command line signing tools to disable the test
> for validation on the signing of the CSR, then process
> the CSR submitted with the old DN into one requesting
> signing for the new DN.  It would be signed by you
> instead of the requestor, but you would disable the test
> that would recognize this.
> 
> But, are you sure you couldn't do the same thing by
> making a custom extension that would carry the same
> information you're trying to add to the DN?
> 
> Also check the most updated documentation on the options
> for OpenSSL command line tools -- seems to me I saw some
> new options pop up for modifying the DN in some set of
> circumstances.
> 
> ray v wrote:
> 
> > Yes, understood, but in this case someone will send a
> > certificate request via e-mail, I will not be involved
> > in making it. I will fill/sign that request and send
> > it back. The request will come with the standard
> > information tucked away in the DN.
> > 
> > I need to add information to the DN, something I have
> > been unable to do without generating the request
> > myself. According to the man info there are extensions
> > and x509_extensions; I've tried both and I'm a bit more
> > confused now.
> > 
> > I tried using the -extfile option but I cannot insert
> > my own values into the DN. When I run openssl x509
> > -extfile I get "no" errors, the certificate is
> > created. But upon viewing it the additions to the DN
> > are not there.
> > 
> > I think that really I'm asking the wrong question.
> > What I want to do is add information to a certificate
> > when it's generated. The nature of which is internal
> > only. Is there a way to do this without patching
> > openssl's code?
> > 
> > If yes, what would be your suggestion?
> > 
> > --- "Dr. Stephen Henson" <[EMAIL PROTECTED]> wrote:
> > 
> >>On Wed, Nov 10, 2004, ray v wrote:
> >>
> >>>I wish to add something like
> >>>
> >>>1.3.6.1.4.1.9999.1  to the Distinguished name
> >>>something like...
> >>>
> >>>CN=Me,O=FOO,OU=Bar,1.3.6.1.4.1.9999.1=stuff
> >>>
> >>>What's the best way to do this when you need to
> >>>specify the -extfile option? Or is it really necessary
> >>>to use the -extfile ?
> >>>
> >>Extfile is for certificate extensions. If you want
> >>to add DN components you need to add those to the
> >>appropriate section where they will be prompted for
> >>when a certificate request is made.
> >>
> >>This is in the section req_distinguished_name in the
> >>standard openssl configuration file.
> >>
> >>Steve.
> >>--
> >>Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
> >>OpenSSL project core developer and freelance consultant.
> >>Funding needed! Details on homepage.
> >>Homepage: http://www.drh-consultancy.demon.co.uk
> >>
> > 
> >
> 
> -- 
> Charles B. (Ben) Cranston
> mailto:[EMAIL PROTECTED]
> http://www.wam.umd.edu/~zben



                
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
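The two routes discussed in the thread, worked through end to end as an added example (not code from any poster here): the requester's config carries the private OID as a DN component via oid_section and req_distinguished_name, as Steve describes, and the CA's -extfile carries the same value as a custom extension, as Charles suggests, so the CSR's DN and self-signature are never touched. The arc 1.3.6.1.4.1.9999 is the thread's placeholder; the section names, the second OID .9999.2 and the file layout are my assumptions.

```shell
# Added example: custom OID in the DN (requester side, via oid_section and
# req_distinguished_name) and the same value as a custom extension (CA side,
# via -extfile). Arc 1.3.6.1.4.1.9999 is the thread's placeholder arc.
set -eu
WORK=$(mktemp -d)
# Requester side: oid_section registers a name for the private OID so it can
# be used as a DN field; prompt = no reads the values straight from the file.
write_req_config() {
  cat >"$WORK/req.cnf" <<'EOF'
oid_section = new_oids
[ new_oids ]
internalId = 1.3.6.1.4.1.9999.1
[ req ]
distinguished_name = req_distinguished_name
prompt = no
[ req_distinguished_name ]
CN = Me
O = FOO
OU = Bar
internalId = stuff
EOF
}
# CA side: -extfile only adds extensions. An arbitrary (ASN1:) extension carries
# the same value under a second OID and leaves the CSR's DN and signature alone.
write_ext_config() {
  cat >"$WORK/ext.cnf" <<'EOF'
[ internal_exts ]
basicConstraints = CA:FALSE
1.3.6.1.4.1.9999.2 = ASN1:UTF8String:stuff
EOF
}
# Throwaway CA, a CSR made from the requester config, and the signed cert.
issue_cert() {
  write_req_config; write_ext_config
  openssl req -x509 -newkey rsa:2048 -nodes -config "$WORK/req.cnf" \
    -subj "/CN=Test CA" -keyout "$WORK/ca.key" -out "$WORK/ca.crt" -days 1 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -config "$WORK/req.cnf" \
    -keyout "$WORK/req.key" -out "$WORK/req.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/req.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -extfile "$WORK/ext.cnf" -extensions internal_exts \
    -days 1 -out "$WORK/cert.crt" 2>/dev/null
}
# Returns 0 when the issued cert shows both the DN attribute and the extension.
cert_has_internal_info() {
  text=$(openssl x509 -in "$WORK/cert.crt" -noout -text)
  echo "$text" | grep -q '1\.3\.6\.1\.4\.1\.9999\.1' &&
  echo "$text" | grep -q '1\.3\.6\.1\.4\.1\.9999\.2'
}
```

A cert issued from a CSR you did not generate will show the extension but not the DN attribute, which is exactly the limitation Steve points out.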
