Hi!

Actually, I forgot to say that I am my own CA and running it internally only.

In fact, I'd like the Subject/DN of the user X.509v3 certificate to be as close as possible to the LDAP DN of that user in my LDAP directory, and I'd like to add a few attributes to the user certificate alongside the subject to allow the SSL/TLS aware applications to rely on those attributes for different things (mainly access controls)... As long as I'm the CA that receives the CSR and signs it to deliver the certificate, and even the programmer of those applications, I can roughly say that I can rely on these attributes and their respective values...

If I can't manage to do that, the workaround I'm beginning to look at is to make the certificate Subject/DN a search key for those desired attributes/fields in the LDAP directory (I'm the directory manager too), even though it would require my applications to be both SSL/TLS and LDAP aware, which is not that big a deal... and which shouldn't cost me too much overhead while determining the access controls...

Thanks again,

Hubert Quarantel-Colombani
UNIX is user friendly. It's just selective about who its friends are.

-----Original Message-----
From: Quarantel, Hubert
Sent: Wednesday 6 September 2006 14:46
To: 'openssl-users@openssl.org'
Subject: Including attributes in the signed certificate

Hi!

I'm trying to include attributes/fields in a signed certificate.

I've first issued a CSR with some extra attributes in it; here's what the CSR looks like with openssl req -in test.csr -text -noout:

    Certificate Request:
        Data:
            Version: 0 (0x0)
            Subject: O=TEST, OU=Support, CN=TEST/[EMAIL PROTECTED]
            Subject Public Key Info:
                Public Key Algorithm: dsaEncryption
                DSA Public Key:
                    pub: (snip)
                    P: (snip)
                    Q: (snip)
                    G: (snip)
            Attributes:
                countryName              :FR
                localityName             :Paris
                uidNumber                :4321
                gidNumber                :1234
                uid                      :test
        Signature Algorithm: dsaWithSHA1
            (snip)

I'm very happy so far, as the attributes/fields countryName, uid, uidNumber, ... that I added in the [req_attribute] section of the default openssl.cnf file, along with their respective OIDs in the [new_oids] section, are all there.

But, when I sign the certificate request with that same openssl.cnf file, either with openssl ca or with openssl x509, the produced certificate does not include those attributes, as shown by openssl x509 -text -in test.crt -noout:

    Certificate:
        Data:
            Version: 3 (0x2)
            Serial Number: 2 (0x2)
            Signature Algorithm: sha1WithRSAEncryption
            Issuer: CN=TEST CA, O=TEST/[EMAIL PROTECTED]
            Validity
                Not Before: Sep  6 11:09:06 2006 GMT
                Not After : Sep  7 11:09:06 2006 GMT
            Subject: O=TEST, OU=Support, CN=TEST/[EMAIL PROTECTED]
            Subject Public Key Info:
                Public Key Algorithm: dsaEncryption
                DSA Public Key:
                    pub: (snip)
                    P: (snip)
                    Q: (snip)
                    G: (snip)
            X509v3 extensions:
                X509v3 Basic Constraints:
                    CA:FALSE
                Netscape Comment:
                    OpenSSL Generated Certificate
                X509v3 Subject Key Identifier:
                    19:88:DF:ED:6C:82:86:BA:91:81:AA:1A:A4:55:A7:5C:20:7B:5A:62
                X509v3 Authority Key Identifier:
                    keyid:CF:A8:E1:B1:BD:5C:B2:55:9B:20:F5:44:8E:36:D2:F4:E6:E9:10:FF
        Signature Algorithm: sha1WithRSAEncryption
            (snip)

Would anyone help me? Or at least tell me where I got wrong?

Thanks for any kind of help,

Hubert
UNIX is user friendly. It's just selective about who its friends are.
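An added example (not from the thread, and not OpenSSL project code) of the approach that actually gets per-user values into the issued certificate: PKCS#10 attributes from [req_attributes] are never copied into a certificate, so the values go into an X.509v3 extension section that the signer applies with -extfile/-extensions. It assumes an openssl binary on PATH; the throw-away CA, subject and attribute values are constructed for the demo, and uidNumber/gidNumber are written as their RFC 2307 OIDs in dotted form so no [new_oids] entry is needed.

```shell
#!/bin/sh
# Added example (not from the thread): put per-user values into X.509v3 extensions at
# signing time. Assumes openssl on PATH; CA, subject and values are constructed.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Minimal config. [user_ext] is applied by the signer, not taken from the CSR; the
# values use OpenSSL's "ASN1:" arbitrary-extension syntax, and the extension names are
# the RFC 2307 uidNumber/gidNumber OIDs written numerically (no [new_oids] needed).
write_config() {
    cat > "$WORK/attrs.cnf" <<'EOF'
[ req ]
distinguished_name = req_dn
prompt = no
[ req_dn ]
O  = TEST
OU = Support
CN = test
[ user_ext ]
basicConstraints = CA:FALSE
1.3.6.1.1.1.1.0 = ASN1:UTF8String:4321
1.3.6.1.1.1.1.1 = ASN1:UTF8String:1234
EOF
}

# Throw-away self-signed CA, user key + CSR, then sign with the [user_ext] section.
# With "openssl ca" the same section is selected the same way via -extensions.
issue_cert() {
    write_config
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/ca.key" -out "$WORK/ca.crt" \
        -config "$WORK/attrs.cnf" -subj "/O=TEST/CN=TEST CA" -days 1 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/user.key" \
        -out "$WORK/user.csr" -config "$WORK/attrs.cnf" 2>/dev/null
    openssl x509 -req -in "$WORK/user.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
        -CAcreateserial -days 1 -extfile "$WORK/attrs.cnf" -extensions user_ext \
        -out "$WORK/user.crt" 2>/dev/null
}

# Succeeds only if the issued certificate carries uidNumber with the value 4321.
# -text prints an extension it has no name for as the dotted OID, then its raw value.
cert_has_uidnumber() {
    openssl x509 -in "$WORK/user.crt" -noout -text |
        grep -A1 -E '^ *(1\.3\.6\.1\.1\.1\.1\.0|uidNumber):' | grep -q '4321'
}

issue_cert && cert_has_uidnumber && echo "uidNumber is in the certificate"
```

Applications that read the value back must parse it as DER (an OCTET STRING wrapping a UTF8String), exactly as they would any other private extension.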