Dear Marco,

How could I insert certificate policies in a certificate? Using openssl 0.9.7,
like your certificate:

    ...
    X509v3 Certificate Policies:
        Policy: 2.16.840.1.113733.1.7.1.1
          CPS: https://www.verisign.com/CPS
          User Notice:
            Organization: VeriSign, Inc.
            Number: 1
            Explicit Text: VeriSign's CPS incorp. by reference liab. ltd. (c)97 VeriSign
    ...

Best regards,
Antonio

--- Marco Rossi <[EMAIL PROTECTED]> wrote:

> --- "Dr. Stephen Henson" <[EMAIL PROTECTED]> wrote:
>
> > On Tue, Sep 26, 2006, Marco Rossi wrote:
> >
> > > Dear all,
> > >
> > > I'd need to change my certificate purpose allowing it to be used for
> > > SSL client authentication.
> > >
> > > I'm using openssl 0.9.8a on fedora core 5, I've been following the man
> > > page about x509 http://www.openssl.org/docs/apps/x509.html
> > > at the section "TRUST SETTING".
> > >
> > > Before trying my cert purpose was
> > > # openssl x509 -in cert.pem -purpose
> > > Certificate purposes:
> > > SSL client : No
> > > SSL client CA : No
> > > SSL server : Yes
> > > SSL server CA : No
> > > Netscape SSL server : Yes
> > > Netscape SSL server CA : No
> > > S/MIME signing : No
> > > S/MIME signing CA : No
> > > S/MIME encryption : No
> > > S/MIME encryption CA : No
> > > CRL signing : Yes
> > > CRL signing CA : No
> > > Any Purpose : Yes
> > > Any Purpose CA : Yes
> > > OCSP helper : Yes
> > > OCSP helper CA : No
> > >
> > > I issued the command
> > > # openssl x509 -in cert.pem -addtrust clientAuth -setalias "clientAuth" -out trust.pem
> > > (not sure if -addtrust requires a "", but I tried with "clientAuth" too
> > > with the same result)
> > >
> > > But nothing changed
> > >
> >
> > It won't change. The purpose depends on the contents of the extensions in
> > the certificate when it was created. If you look at:
> >
> > openssl x509 -in cert.pem -text -noout
> >
> > and compare that with the extensions lists mentioned you may see why SSL
> > client authentication isn't allowed. Then you need to set the extensions
> > appropriately and create a new certificate.
> >
> > If that doesn't help post the results of the above command.
> >
> > Steve.
>
> Maybe I don't understand what -purpose shows:
>
> If I issue the command you mention, I see on the field x509v3 extensions
> (omitting the rest for brevity)
>
> # openssl x509 -in cert.pem -noout -text
> <omit>
>     X509v3 extensions:
>         X509v3 Basic Constraints:
>             CA:FALSE
>         X509v3 Certificate Policies:
>             Policy: 2.16.840.1.113733.1.7.1.1
>               CPS: https://www.verisign.com/CPS
>               User Notice:
>                 Organization: VeriSign, Inc.
>                 Number: 1
>                 Explicit Text: VeriSign's CPS incorp. by reference liab. ltd. (c)97 VeriSign
>
>         Netscape Cert Type:
>             SSL Server
>         X509v3 Extended Key Usage:
>             Netscape Server Gated Crypto, TLS Web Server Authentication, TLS Web Client Authentication
>         Authority Information Access:
>             OCSP - URI:http://ocsp.verisign.com
>
>         X509v3 CRL Distribution Points:
>             URI:http://crl.verisign.com/Class3InternationalServer.crl
> <omit>
>
> If I issue the command to the "-addtrust try"
> # openssl x509 -in trust.pem -noout -text
>
> <omit>
>     X509v3 extensions:
>         X509v3 Basic Constraints:
>             CA:FALSE
>         X509v3 Certificate Policies:
>             Policy: 2.16.840.1.113733.1.7.1.1
>               CPS: https://www.verisign.com/CPS
>               User Notice:
>                 Organization: VeriSign, Inc.
>                 Number: 1
>                 Explicit Text: VeriSign's CPS incorp. by reference liab. ltd. (c)97 VeriSign
>
>         Netscape Cert Type:
>             SSL Server
>         X509v3 Extended Key Usage:
>             Netscape Server Gated Crypto, TLS Web Server Authentication, TLS Web Client Authentication
>         Authority Information Access:
>             OCSP - URI:http://ocsp.verisign.com
>
>         X509v3 CRL Distribution Points:
>             URI:http://crl.verisign.com/Class3InternationalServer.crl
>
>     Signature Algorithm: md5WithRSAEncryption
>         79:b1:23:b2:5e:27:ce:a2:cb:1c:e2:0b:a0:c9:66:93:1e:30:
>         d1:20:56:b5:77:c4:25:da:55:87:bd:0c:86:5c:12:47:d8:90:
>         cb:de:fa:8a:d6:a1:6c:84:c3:29:5a:5f:d0:50:bf:d5:0f:fb:
>         6c:10:bb:2d:a1:0a:ee:4a:9e:9f:70:03:e6:42:93:dd:2e:ca:
>         a3:2e:90:4b:8b:c4:55:9b:8d:81:4e:74:fb:7e:fc:6d:dd:fb:
>         9e:23:7d:53:e9:f8:0d:4e:6e:e2:7d:8d:1f:d0:81:74:2e:fc:
>         ab:a6:ce:42:dc:d1:5b:25:c4:8b:98:3b:33:6a:e4:96:57:45:
>         c9:fe
> Trusted Uses:
>   TLS Web Client Authentication
> No Rejected Uses.
> Alias: clientAuth
>
> But if I use -purpose on the cert
> # openssl x509 -in cert.pem -noout -purpose
> Certificate purposes:
> SSL client : No
> SSL client CA : No
>
> Thanks,
> Marco Rossi
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> User Support Mailing List                    openssl-users@openssl.org
> Automated List Manager                           [EMAIL PROTECTED]
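
The behaviour discussed in this thread, as an added example that is not part of the original messages or of the OpenSSL project: OpenSSL's "SSL client" purpose check answers No when a Netscape Cert Type extension is present without the client bit, even if Extended Key Usage lists client authentication, and -addtrust leaves the extensions untouched, so only a newly issued certificate changes the result. The config also carries a certificatePolicies section of the kind asked about at the top; demo.example, OID 1.2.3.4, the CPS URL, the notice text and the section names are constructed placeholders.

```shell
# Added example. demo.example, OID 1.2.3.4 and the CPS URL are constructed placeholders.
set -e
work=$(mktemp -d); trap 'rm -rf "$work"' EXIT
cat > "$work/demo.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = demo.example

# Same shape as cert.pem in the thread: EKU lists clientAuth, nsCertType does not.
[ ext_server_only ]
basicConstraints    = CA:FALSE
nsCertType          = server
extendedKeyUsage    = serverAuth, clientAuth
certificatePolicies = @polsect

# Reissued profile: nsCertType now allows client use as well.
[ ext_client_too ]
basicConstraints    = CA:FALSE
nsCertType          = server, client
extendedKeyUsage    = serverAuth, clientAuth
certificatePolicies = @polsect

[ polsect ]
policyIdentifier = 1.2.3.4
CPS.1            = "https://pki.demo.example/cps"
userNotice.1     = @notice
[ notice ]
explicitText  = "Constructed notice text"
organization  = "Demo Org"
noticeNumbers = 1
EOF
# make_cert <extension section> <output file>: new self-signed cert with that profile
make_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$work/demo.cnf" \
        -extensions "$1" -keyout "$work/key.pem" -out "$2" 2>/dev/null
}
# ssl_client_purpose <cert>: prints the Yes/No that -purpose reports for "SSL client"
ssl_client_purpose() {
    openssl x509 -in "$1" -noout -purpose | sed -n 's/^SSL client : //p'
}
make_cert ext_server_only "$work/cert.pem"
make_cert ext_client_too  "$work/fixed.pem"
# Trust settings are appended outside the signed certificate; extensions are untouched.
openssl x509 -in "$work/cert.pem" -addtrust clientAuth -out "$work/trust.pem"
for c in cert trust fixed; do
    echo "$c.pem: SSL client : $(ssl_client_purpose "$work/$c.pem")"
done
```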