On Fri, Aug 06, 2010, Bram Cymet wrote:

> On 08/06/2010 08:49 AM, Dr. Stephen Henson wrote:
> > On Wed, Aug 04, 2010, Bram Cymet wrote:
> >
> >   
> >> Hi,
> >>
> >> Given a configuration like the following:
> >>
> >> subjectAltName=otherName:1.3.6.1.5.2.2;SEQUENCE:princ_name
> >>
> >>
> >> # Copy subject details
> >>
> >> issuerAltName=issuer:copy
> >>
> >> [princ_name]
> >> realm = EXP:0, GeneralString:${ENV::REALM}
> >> principal_name = EXP:1, SEQUENCE:principal_seq
> >>
> >> [principal_seq]
> >> name_type = EXP:0, INTEGER:1
> >> name_string = EXP:1, SEQUENCE:principals
> >>
> >> [principals]
> >> princ1 = GeneralString:${ENV::CLIENT}
> >>
> >>
> >> Can someone give me an idea of how openssl would encode this, or at
> >> least point me at the code that would encode this so I can figure it out.
> >>
> >> I am trying to figure out the asn1 structures that would be created.
> >>
> >>     
> > Well the ${ENV::xxx} stuff is environment variable expansion.
> >
> > If you want to see what structure is created your easiest option is to create
> > a test certificate using that configuration and check the subjectAltName
> > extension using asn1parse. There is also an option to asn1parse that uses the
> > mini-ASN1 compiler with similar syntax.
> >
> > It's not too hard to figure out from the docs, for example:
> >
> > subjectAltName=otherName:1.3.6.1.5.2.2;SEQUENCE:princ_name
> >
> > Is subjectAltName extension, using otherName option and that OID, the value is
> > a SEQUENCE defined by the section "princ_name":
> >
> > [princ_name]
> > realm = EXP:0, GeneralString:${ENV::REALM}
> > principal_name = EXP:1, SEQUENCE:principal_seq
> >
> > From above that SEQUENCE consists of an explicit tag 0 GeneralString with
> > REALM environment variable value and another explicit tag 1 SEQUENCE
> > described by the section principal_seq, etc etc.
> >
> > Steve.
> > --
> > Dr Stephen N. Henson. OpenSSL project core developer.
> > Commercial tech support now available see: http://www.openssl.org
> > ______________________________________________________________________
> > OpenSSL Project                                 http://www.openssl.org
> > User Support Mailing List                    openssl-users@openssl.org
> > Automated List Manager                           majord...@openssl.org
> >   
> Thanks,
> 
> The only problem is (and I have sent a separate email to the list about
> this) whenever I try to create a cert I get
> 
> "Error Loading extension section <section>"
> 
> 
> Is there any way I could get a more specific error message? Maybe
> recompile with some debug option?
> 

That is the complete error message? What section does it complain about, the
whole extension section or some subsection?

Can you post the complete configuration file that produces this?

What version of OpenSSL are you using?

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
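
The structure discussed in this thread, worked through byte by byte as an added example (not code from the thread or from OpenSSL): a small DER encoder that mirrors the `[princ_name]`, `[principal_seq]` and `[principals]` sections and the otherName wrapper defined for GeneralName in RFC 5280. The realm `EXAMPLE.COM` and client `alice` are constructed sample values standing in for `${ENV::REALM}` and `${ENV::CLIENT}`.

```python
# Added example: hand-rolled DER encoder mirroring the mini-ASN.1 sections above.
# Sample realm/client values are constructed; they stand in for ${ENV::...}.

def der_len(n: int) -> bytes:
    """DER definite length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + der_len(len(content)) + content

def sequence(*items: bytes) -> bytes:
    return tlv(0x30, b"".join(items))

def explicit(n: int, inner: bytes) -> bytes:
    """EXP:n -> context-specific constructed tag [n] wrapping the inner TLV."""
    return tlv(0xA0 | n, inner)

def general_string(s: str) -> bytes:
    return tlv(0x1B, s.encode("ascii"))

def integer(v: int) -> bytes:
    # Sufficient for the small non-negative values used here.
    return tlv(0x02, v.to_bytes(v.bit_length() // 8 + 1, "big"))

def oid(dotted: str) -> bytes:
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]                  # base-128, high bit on all but last
        while arc > 0x7F:
            arc >>= 7
            chunk.insert(0, 0x80 | (arc & 0x7F))
        out += bytes(chunk)
    return tlv(0x06, bytes(out))

def princ_name(realm: str, client: str) -> bytes:
    principals = sequence(general_string(client))        # [principals]
    principal_seq = sequence(explicit(0, integer(1)),    # name_type
                             explicit(1, principals))    # name_string
    return sequence(explicit(0, general_string(realm)),  # realm
                    explicit(1, principal_seq))          # principal_name

def other_name(realm: str, client: str) -> bytes:
    # GeneralName otherName: [0] { type-id OID, value [0] EXPLICIT ANY }
    inner = oid("1.3.6.1.5.2.2") + explicit(0, princ_name(realm, client))
    return tlv(0xA0, inner)

print(other_name("EXAMPLE.COM", "alice").hex())
```

The printed bytes are one GeneralName entry; the subjectAltName extension value is a SEQUENCE containing it, which is what asn1parse shows for a certificate built from this configuration.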