Hi list members, is there a possibility to specify the x509v3 extension privateKeyUsagePeriod in the openssl.conf file for the req and ca commands?
It seems, openssl knows the oid and asn1 structure of the extension but doesn't allow you to put it into certificates. When I specify

    privateKeyUsagePeriod = 365

or

    privateKeyUsagePeriod = notBefore:<timestamp1>,notAfter:<timestamp2>

in my extension setting for the req command, req complains

    17054:error:22097067:X509 V3 routines:DO_EXT_NCONF:extension setting not supported:v3_conf.c:163:name=privateKeyUsagePeriod

I worked around the problem by specifying the extension in its arbitrary extension format:

    [ req ]
    x509_extensions = req_ext

    [ req_ext ]
    2.5.29.16 = ASN1:SEQUENCE:privateKeyUsagePeriod

    [ privateKeyUsagePeriod ]
    notBefore = EXPLICIT:0,GENERALIZEDTIME:<timestamp1>
    notAfter = EXPLICIT:1,GENERALIZEDTIME:<timestamp2>

which puts the extension into the certificate request, but is not really handy for a configuration file, because you have to explicitly give the two timestamps.

So in case the arbitrary extension format is the only way of getting the privateKeyUsagePeriod extension into the certificate, is there a way to specify parameterized values for the timestamps in openssl.conf, e.g. via the backtick operator and the date command? Or would I have to wrap the openssl command into my own script that modifies the timestamps in openssl.conf appropriately in advance?

I'm using OpenSSL 0.9.8k 25 Mar 2009.

Thanks for your help,
Patrick Eisenacher
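An added example, not part of the original post: a wrapper that computes the two GeneralizedTime values at run time and passes them to a static config through OpenSSL's $ENV:: variable expansion, so the file itself never has to be rewritten. The function names, the PKUP_NOT_BEFORE / PKUP_NOT_AFTER variables, the CN and the file names are assumptions made for the example. It tags the fields IMPLICIT rather than EXPLICIT, because RFC 5280 defines PrivateKeyUsagePeriod in its implicitly tagged module.

```shell
#!/bin/sh
# Added example: run-time timestamps for the privateKeyUsagePeriod extension.

# Format an epoch value as ASN.1 GeneralizedTime in UTC (YYYYMMDDHHMMSSZ).
gen_time() {
    date -u -d "@$1" +%Y%m%d%H%M%SZ 2>/dev/null ||
        date -u -r "$1" +%Y%m%d%H%M%SZ    # BSD/macOS date fallback
}

# Print "notBefore notAfter" for a period starting at epoch $1, lasting $2 days.
pkup_window() {
    start=$1 days=$2
    case "$start" in ''|*[!0-9]*) echo "start must be an epoch value" >&2; return 1 ;; esac
    case "$days" in ''|*[!0-9]*) echo "days must be a whole number" >&2; return 1 ;; esac
    [ "$days" -gt 0 ] || { echo "days must be greater than 0" >&2; return 1; }
    echo "$(gen_time "$start") $(gen_time $((start + days * 86400)))"
}

# Write a static config to $1. The quoted heredoc keeps ${ENV::...} literal,
# so OpenSSL (not the shell) expands it when the config is loaded.
write_pkup_config() {
    cat > "$1" <<'EOF'
[ req ]
distinguished_name = req_dn
x509_extensions = req_ext
prompt = no

[ req_dn ]
CN = pkup-example

[ req_ext ]
2.5.29.16 = ASN1:SEQUENCE:privateKeyUsagePeriod

[ privateKeyUsagePeriod ]
notBefore = IMPLICIT:0,GENERALIZEDTIME:${ENV::PKUP_NOT_BEFORE}
notAfter = IMPLICIT:1,GENERALIZEDTIME:${ENV::PKUP_NOT_AFTER}
EOF
}

# Usage (constructed file names):
#   write_pkup_config pkup.cnf
#   set -- $(pkup_window "$(date +%s)" 365)
#   PKUP_NOT_BEFORE=$1 PKUP_NOT_AFTER=$2 openssl req -new -x509 \
#       -config pkup.cnf -newkey rsa:2048 -nodes -keyout key.pem -out cert.pem
```

Checking the result with openssl asn1parse or openssl x509 -text confirms the extension decodes as two context-tagged GeneralizedTime fields.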