Hi Dirk:

Dirk Reske wrote:
> li...@kaiser.cx wrote:
>> Hi,
>>
>> On Tue, Mar 31, 2009 at 05:29:15PM +0200, Dirk Reske wrote:
>>
>>   
>>> We need to put some extra information (simple strings) into the
>>> certificates (e.g. year of birth, ...).
>>> I have looked around the internet, but don't really find any useful stuff.
>>>     
>> define a private extension. See RFC3280, section 4.2 for an introduction
>> to extensions.
>>
>> How do you create and read the certificates? From the command line or in
>> your own software based on OpenSSL?
>>
>> Best regards,
>>
>>    Martin
>>   
> The project is still in planning phase, so not all things are clear.
> We want to read out the custom values in an apache module.

If this is a web based project, I would recommend against using
attributes in Certificates - first of all, there is a VERY small set of
the "standard" RFC3280 extensions that the mod_ssl will parse out, and
make easily available to any sort of web module or application, let
alone make it easy for you to pull out any custom attribute. Second,
it's just plain bad PKI to put attributes in Identity Certificates.

I would suggest, instead, to use some form of Federation (WS-Fed, SAML,
Cardspace, etc.) to handle your attributes. This allows you to have the
certificates be long life, and not tied to attributes which may change
over time.

Have fun.

Patrick.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
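
The structure behind the "private extension" suggestion quoted above (the Extension SEQUENCE of RFC 3280, section 4.2), as an added example that is not part of the original thread: standard-library Python that DER-encodes one extension carrying a string and reads it back. The OID 2.999.1 (from the example arc), the value "1975" and all function names are assumptions made for illustration; the extension is left non-critical so that software which does not recognise it can still accept the certificate.

```python
# Added example. OID 2.999.1 (example arc) and the value "1975" are constructed.

def der_len(n):
    """DER definite length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, value):
    return bytes([tag]) + der_len(len(value)) + value

def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray()
    for sub in [arcs[0] * 40 + arcs[1]] + arcs[2:]:   # first two arcs share one subidentifier
        chunk = [sub & 0x7F]                          # base-128, low group first
        while sub := sub >> 7:
            chunk.append(0x80 | (sub & 0x7F))         # continuation bit on higher groups
        out += bytes(reversed(chunk))
    return tlv(0x06, bytes(out))

def encode_extension(oid, text, critical=False):
    """Extension ::= SEQUENCE { extnID, critical DEFAULT FALSE, extnValue }"""
    payload = tlv(0x0C, text.encode("utf-8"))         # UTF8String inside extnValue
    flag = tlv(0x01, b"\xff") if critical else b""    # DER omits the default FALSE
    return tlv(0x30, encode_oid(oid) + flag + tlv(0x04, payload))

def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos); refuse a value that runs past the buffer."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                                 # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER value")
    return tag, buf[pos:pos + length], pos + length

def decode_extension(der):
    """Return (oid_content_bytes, critical, text) for an extension built above."""
    tag, seq, _ = read_tlv(der)
    if tag != 0x30:
        raise ValueError("Extension must be a SEQUENCE")
    _, oid, pos = read_tlv(seq)
    tag, value, pos = read_tlv(seq, pos)
    critical = False
    if tag == 0x01:                                   # optional BOOLEAN present
        critical = value != b"\x00"
        tag, value, pos = read_tlv(seq, pos)
    return oid, critical, read_tlv(value)[1].decode("utf-8")
```

This builds only the extension bytes, not a signed certificate; the issuing CA would place them in the certificate's extensions list.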
