On Fri, Apr 03, 2009, Li, Zheng (TSG-GDCC-DL) wrote:

> I want to use openssl to create a cert whose subject is like :
>
> emailaddress=hunte...@foxmail.com<mailto:emailaddress=hunte...@foxmail.com>,
> CN=16.157.247.39, DNQ=s7028, OU=jdcc, O=tv-asahi
>

You can't. That is an illegal form for the email address. It must be of the
form u...@somehost.com .

> So I edited openssl.cnf as below :
>
> [ new_oids ]
>
> # We can add new OIDs in here for use by 'ca' and 'req'.
> # Add a simple OID like this:
> dnq=1.2.3.4
> ...
> # For the CA policy
> [ policy_match ]
> countryName = match
> ...
> dnq = optional
> # For the 'anything' policy
> # At this point in time, you must list all acceptable 'object'
> # types.
> [ policy_anything ]
> countryName = optional
> ...
> dnq = optional
> ...
> [ req_distinguished_name ]
> countryName = Country Name (2 letter code)
> ...
> dnq = DNQ
> dnq_max = 64
>
> Then I use command 'openssl req -new -out c:\ca\client\client-req.csr -key
> c:\ca\client\client-key.pem -config C:\openssl.cnf' to create my cert.
> At first I thought it worked, because it let me input the DNQ. After I get the
> client-req.csr, I use my ca_key and ca_cert to sign it.
> But when I get the subject from the cert, the subject is like below:
>
> emailaddress=hunte...@foxmail.com<mailto:emailaddress=hunte...@foxmail.com>,
> CN=16.157.247.39, 1.2.3.4=s7028, OU=jdcc, O=tv-asahi
>
> My openssl's version is 0.9.8g. How can I add my own tag to cert?
>

You can use the config module form to add OIDs in general to the OpenSSL
utility and not just req, ca.

However you are always putting 1.2.3.4 in the cert: it is only OpenSSL that
translates that into a string. Applications not aware of that meaning will
still use 1.2.3.4 .

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Homepage: http://www.drh-consultancy.demon.co.uk
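
The point in the reply above, that the certificate always carries 1.2.3.4 and only a tool with the mapping shows a name, seen at the DER level. This is an added example, not part of the original thread and not OpenSSL's code; the UTF8String value type and the two name tables are assumptions constructed for illustration.

```python
# Added illustration, not code from the thread or from OpenSSL.
# Short-form DER lengths and single-byte leading arcs only; enough for one attribute.

def encode_oid(dotted):
    """DER-encode a dotted OID as an OBJECT IDENTIFIER (tag 0x06)."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])  # first two arcs share one byte
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]                    # last base-128 digit, high bit clear
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))   # earlier digits carry the high bit
            arc >>= 7
        body.extend(reversed(chunk))
    return bytes([0x06, len(body)]) + bytes(body)

def decode_oid(der):
    """Decode a short-form DER OBJECT IDENTIFIER back to dotted form."""
    if der[0] != 0x06 or der[1] != len(der) - 2:
        raise ValueError("not a short-form OBJECT IDENTIFIER")
    arcs, value = [der[2] // 40, der[2] % 40], 0
    for b in der[3:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                        # high bit clear ends this arc
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def encode_atv(oid, text):
    """SEQUENCE { type OBJECT IDENTIFIER, value UTF8String }."""
    value = text.encode("utf-8")
    inner = encode_oid(oid) + bytes([0x0C, len(value)]) + value
    return bytes([0x30, len(inner)]) + inner

def render_atv(der, names):
    """Return 'type=value' using the caller's own OID-to-name table."""
    oid_end = 4 + der[3]                        # SEQUENCE hdr (2) + OID hdr (2) + OID body
    oid = decode_oid(der[2:oid_end])
    value = der[oid_end + 2:].decode("utf-8")   # skip UTF8String tag and length
    return f"{names.get(oid, oid)}={value}"

ATV = encode_atv("1.2.3.4", "s7028")            # OID and value from the thread
WITH_CNF = {"1.2.3.4": "dnq"}                   # constructed: tool configured with dnq=1.2.3.4
WITHOUT_CNF = {}                                # constructed: application with no such mapping

if __name__ == "__main__":
    print(ATV.hex())
    print(render_atv(ATV, WITH_CNF))
    print(render_atv(ATV, WITHOUT_CNF))
```

The encoded attribute contains the bytes for 1.2.3.4 and the value only; the string "dnq" exists solely in the display table of whichever tool reads it.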