Hi Patrick,
my goal would be to create an X509 certificate that carries those extensions that
I have described.
In fact I need the certificate to test an application that I made in Java which
produces
SAML Assertions. In this certificate it's my job to take care of these custom
assertions, managing the new OID value ...
The real problem I have is how to configure openssl, because I have looked for
some examples about creating custom extensions but
I have not found any yet. I can also put a default value in those extensions; the
best would be to copy the value from an external source
(for example the new fields I told about that are in the certificate request ... is
possible using the in this sense ?)
Thank you
Omar
PS sorry for my bad English

> Date: Sun, 16 Nov 2008 16:29:19 -0500
> From: [EMAIL PROTECTED]
> To: openssl-users@openssl.org
> Subject: Re: Create a new extension
>
> Massive Cava wrote:
> > Hi to all
> >
> > I need to configure correctly the file openssl.cnf to create new
> > extensions. I can modify the config file and add some new fields to the
> > certificate request, for example date of birth, unique ID of student and
> > his level, but how can I switch these fields to X509 extensions when I
> > sign the certificate with the command "ca ..." ???
> >
> Please tell me that you are not encoding these values into an extension
> in the certificate??? Unless you are doing Attribute Certificates,
> encoding these values in as arbitrary extensions is probably NOT what
> would be considered best practice, and will definitely cause
> implementation details.
>
> First of all, encoding some of those values (Student Birthdays, etc.) in
> a format whose design is to assist in making a value public (the Public
> Key) is possibly against the educational or general privacy laws in a
> number of countries (US, Canada, Most of Europe). What you most likely
> want to do is either use Attribute Certificates (not supported by very
> many implementations of anything outside of the US DoD), or Federated
> Attributes using a technology like WS-Fed, or the Liberty Alliance SAML
> specifications. This would allow you to only provide those attributes to
> only those sources that you know have a pre-existing relationship with
> the student, and thus a "need to know" about those attributes.
>
> On a more practical note, if you encode those kinds of values as
> arbitrary extensions in a certificate, then you would have to write code
> into your Relying party code, to correctly interpret those custom
> extensions. Most organisations that I know don't want to maintain their
> own mod_ssl patches or ISAPI filters (assuming that you are going to be
> doing some sort of web application with these certificates).
>
> All of that said, if you DO want help to implement something like this,
> then please provide the ASN.1 encoding that you would like to use for
> the extensions, and we can probably help you encode those custom extensions.
>
> Just some advice from someone who has "been there, seen that, seen what
> happens 6 months later".
>
> Patrick.
>
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> User Support Mailing List                    openssl-users@openssl.org
> Automated List Manager                           [EMAIL PROTECTED]
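An added example, not part of the thread and not written by either poster: an openssl.cnf fragment showing how OpenSSL's arbitrary-extension syntax can place custom OIDs into a test certificate signed with `openssl ca`. The OID arc, the section name `test_ext` and all values are constructed placeholders, and the encodings (UTF8String, INTEGER) are an assumption, since the thread never settles the ASN.1 encoding Patrick asks for.

```ini
# openssl.cnf fragment (added example; OIDs, names and values are placeholders)

# Must appear in the default (unnamed) section at the top of the file.
oid_section = new_oids

[ new_oids ]
# Placeholder arc: substitute an arc registered to your own organisation.
# These entries only give the OIDs readable names in OpenSSL's output.
studentId    = 1.3.6.1.4.1.99999.1.1
studentLevel = 1.3.6.1.4.1.99999.1.2

[ ca ]
default_ca = CA_default

[ CA_default ]
# ... keep your existing dir / database / certificate / private_key /
#     policy settings here; they are unchanged by this example ...

# Extensions the CA itself writes into every certificate it signs.
x509_extensions = test_ext

# "copy" would carry over extensions that the request explicitly asks for
# (a req_extensions section in the request's config). It does NOT turn
# subject DN fields or request attributes into certificate extensions,
# so the values below are set by the CA, not taken from the request.
copy_extensions = none

[ test_ext ]
basicConstraints = CA:FALSE

# Arbitrary extension syntax: <numeric OID> = [critical,]ASN1:<type>:<value>
# Left non-critical so relying parties that do not know the OID still
# accept the certificate. Values are constructed test data.
1.3.6.1.4.1.99999.1.1 = ASN1:UTF8String:TEST-0001
1.3.6.1.4.1.99999.1.2 = ASN1:INTEGER:3
```

The resulting certificate can be inspected with `openssl x509 -in cert.pem -noout -text`, where the two extensions appear under "X509v3 extensions". The relying application still has to parse the extension values itself, which is the maintenance cost Patrick describes.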