Dr. Stephen Henson wrote:
On Fri, Jun 06, 2008, delcour.pierre wrote:
Hello everyone,
I have a different problem now. I want to add a "X509v3 Authority Key
Identifier" field to an x509v3 certificate.
This field must have these three parts:
- keyid (the keyid of the issuer)
- dirname (the same string as issuer field)
- serial (of issuer)
Actually that's not true. It must have keyid and/or both dirname and serial.
It is quite acceptable (and a good idea) to just use keyid.
int type = NID_authority_key_identifier;
char* value =
    "keyid:A6:40:81:F6:3E:4A:AC:08:E7:76:17:01:91:CD:DF:39:D7:CB:FC:14, "
    "DirName:O=O, OU=OU, CN=CN/dnQualifier=pkCB9j5KrAjndhcBkc3fOdfL/BQ=, "
    "serial:01\n"; // here i m not sure how to write it.
X509_EXTENSION *ex;
X509V3_CTX ctx;
X509V3_set_ctx_nodb(&ctx);
X509V3_set_ctx(&ctx, _d_cert, _d_cert, NULL, NULL, 0); // self signed
ex = X509V3_EXT_conf_nid(NULL, &ctx, type, value);
if (ex == NULL)
    throw Odici_exception(DEV_NULL_ERR,
        "Error in Certificate::setV3Extention(), Extensions can't be set");
X509_add_ext(_d_cert, ex, -1);
X509_EXTENSION_free(ex); // free temp extension
With this value, if there is no exception thrown, I only have the keyid
part...
How can I set this extension?
If you really want to have both you need to include the appropriate
issuer certificate in the session context, then it is used automatically if
you use the correct value syntax.
Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Homepage: http://www.drh-consultancy.demon.co.uk
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager [EMAIL PROTECTED]
Hello,
Thanks for your answer. In my case I really need the 3 fields. But if I
want to use this function with a self-signed certificate, how can I do it?