Hi Michael,

Thanks for responding.

My problem is a little more involved than that. I'm
the CA, err, using openssl and creating a CA
certificate using the v3_ca extension. I have quite a
number of certificates being used by our servers.
Recently we wanted to start generating user
certificates but we also want to restrict the purpose
field to just "ssl client". We don't want to include
ssl server, netscape*, objsign, or e-mail. ... just
ssl client.

There must be a way to do this during CSR signing but
I'm just not sure what to look for?




--- Michael Weiner <[EMAIL PROTECTED]> wrote:

> ray v wrote:
> > Hello all!
> > 
> > I'm looking for ways to turn off and on features in
> > the "Certificate purposes" area of a certificate. I've
> > read over extfile and extension plus looked at
> > basicConstraints.
> > 
> > I'm unclear by the documentation written for openssl,
> > x509, ca, etc., just how to do this. Can someone
> > please point me in the right direction?
> 
> Having just gone through a similar exercise in a round-about-way, this
> is controlled via the CA that signed the certificate. For example, in my
> world I use VeriSign's PKI and gen a cert for my apache server, and have
> VeriSign sign it. However, my apache server root CA, only permitted
> Secure Server, when I needed Client Authentication as well. Well, I
> looked at the Verisign/RSA Secure Server CA Certificate in the root, and
> sure enough, client auth was NOT enabled, so any certificate presented
> would also have the same eku. I called my VeriSign rep, he sent me a
> modified Verisign CA to replace the one above, and sure enough that
> fixed my problem.
> 
> The solution actually is as simple as pulling the CA in to a browser and
> looking at and modifying what you need, saving that and exporting it out
> for use by the server you have the SSL certs installed on.
> 





                
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
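
Added example, not part of the original thread and not code from the OpenSSL project: one way to get the "ssl client only" result asked about above is to sign the CSR with an extension section whose extendedKeyUsage is clientAuth alone, then confirm it with `openssl verify -purpose`. The file names, the `client_only` section name and all subjects are constructed for the demo.

```shell
#!/bin/sh
# Constructed demo PKI: every name, subject and path here is made up.

# Build a throwaway CA, a user key + CSR, and sign the CSR.
# The purpose restriction is applied at signing time via [client_only].
build_demo_pki() {   # $1 = empty work directory
    d=$1
    cat > "$d/demo.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
[dn]
CN = constructed-placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[client_only]
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature
extendedKeyUsage = clientAuth
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -config "$d/demo.cnf" \
        -extensions v3_ca -subj "/CN=Constructed Demo CA" -days 2 \
        -keyout "$d/ca.key" -out "$d/ca.pem" >/dev/null 2>&1 &&
    openssl req -new -newkey rsa:2048 -nodes -config "$d/demo.cnf" \
        -subj "/CN=constructed-user" \
        -keyout "$d/user.key" -out "$d/user.csr" >/dev/null 2>&1 &&
    openssl x509 -req -in "$d/user.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
        -CAcreateserial -extfile "$d/demo.cnf" -extensions client_only \
        -days 1 -out "$d/user.pem" >/dev/null 2>&1
}

# Exit status 0 only if the chain verifies for the named purpose.
purpose_ok() {   # $1 = work directory, $2 = purpose name
    openssl verify -CAfile "$1/ca.pem" -purpose "$2" "$1/user.pem" \
        >/dev/null 2>&1
}

work=$(mktemp -d)
build_demo_pki "$work" || { echo "openssl failed" >&2; exit 1; }
for p in sslclient sslserver nssslserver smimesign smimeencrypt; do
    if purpose_ok "$work" "$p"; then echo "$p: accepted"
    else echo "$p: rejected"; fi
done
```

With `openssl ca` the same section can be selected using `-extensions client_only`, or named as `x509_extensions` in the CA section of the configuration file.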
