On Fri, Nov 17, 2006, Thomas Bleek wrote:

> On Fri, 17 Nov 2006, Dr. Stephen Henson wrote:
> >
> > What technique have you used to create the certificate? The simplest way is
> > to use the CA.pl script which will create a v3 certificate by default. Various
> > ancient and/or broken "cookbooks" can suggest all manner of weird commands.
>
> Hello Steve,
>
> thanks for your kind response. I have created the certificate with
> plain openssl commands:
> # creation of private ca key
> openssl genrsa -des3 -out ca.key 4096
> # creation of the ca certificate
> openssl req -new -x509 -days 3650 -key ca.key -out ca.crt
> # creation of the certificate of the ldap-server, the cert for the
> # acs was created the same way
> openssl x509 -req -days 3650 -in ldap1.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out ldap1.crt
>
> I assume that I have to set some option in the config file but I did not
> find the info anywhere.
>

Well by default the x509 utility will not use any extensions, see:

http://www.openssl.org/docs/apps/x509.html#SIGNING_OPTIONS

that results in a v1 certificate. You need to specify the config file with the
-extfile and -extensions section. The usr_cert section is OK for this.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
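
Added example, not part of the original thread or of OpenSSL's own scripts: the same CSR signed once with the command from the question and once with -extfile/-extensions as advised, so the two results can be compared. The subjects, file names, 2048-bit unencrypted keys and the contents of the [usr_cert] section are constructed for the demo.

```shell
#!/bin/sh
# Added example: sign one CSR with and without -extfile/-extensions.
# All names, subjects and the [usr_cert] contents below are constructed.
set -e

# Print the X.509 version number (1 or 3) of a PEM certificate.
cert_version() {
    openssl x509 -in "$1" -noout -text |
        sed -n 's/^ *Version: *\([0-9][0-9]*\).*/\1/p'
}

# Build a throwaway CA in directory $1 and sign one CSR twice.
make_demo_certs() {
    dir=$1
    # Minimal extension file; the section name is the one named in the reply.
    cat > "$dir/ext.cnf" <<'EOF'
[usr_cert]
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
EOF
    # Unencrypted 2048-bit keys so nothing prompts (assumption for the demo;
    # the thread used -des3 and 4096 bits for the CA key).
    openssl genrsa -out "$dir/ca.key" 2048 2>/dev/null
    openssl req -new -x509 -days 30 -key "$dir/ca.key" \
        -subj "/CN=Constructed Test CA" -out "$dir/ca.crt"
    openssl genrsa -out "$dir/ldap1.key" 2048 2>/dev/null
    openssl req -new -key "$dir/ldap1.key" \
        -subj "/CN=ldap1.example.test" -out "$dir/ldap1.csr"
    # As in the question: no extension options.
    openssl x509 -req -days 30 -in "$dir/ldap1.csr" -CA "$dir/ca.crt" \
        -CAkey "$dir/ca.key" -set_serial 01 -out "$dir/plain.crt" 2>/dev/null
    # As advised: take the extensions from the usr_cert section of a file.
    openssl x509 -req -days 30 -in "$dir/ldap1.csr" -CA "$dir/ca.crt" \
        -CAkey "$dir/ca.key" -set_serial 02 -extfile "$dir/ext.cnf" \
        -extensions usr_cert -out "$dir/ext.crt" 2>/dev/null
}

demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT   # do not leave the demo keys behind
make_demo_certs "$demo_dir"
echo "without -extfile: v$(cert_version "$demo_dir/plain.crt")"
echo "with -extfile:    v$(cert_version "$demo_dir/ext.crt")"
openssl x509 -in "$demo_dir/ext.crt" -noout -text | grep -A1 'Basic Constraints'
```
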