Hi,
I am trying to put an MS GUID field in the SubjectAltName (SAN) extension of a
CSR. This MS GUID field must contain 16 hexadecimal octets.
I used OpenSSL 1.0.0d compiled on GNU/Linux (Kubuntu). I also tried with
OpenSSL 0.9.8g (provided by the distribution) and I get the same error.
My test:
File test-req.cnf:
[ req ]
default_md = sha256
req_extensions = ext_server
[ ext_server ]
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
#- MS GUID (OID: 1.3.6.1.4.1.311.25.1)
subjectAltName = otherName:1.3.6.1.4.1.311.25.1;FORMAT:HEX,OCTETSTRING:3F2504E04F8911D39A0C0305E82C3301
The command with error:
$ openssl req -new -config test-req.cnf -sha256 -subj "/C=FR/O=FOO/CN=foo.com" -key foo.com.key -out foo.com.csr
Error Loading request extension section ext_server
3077565144:error:220A4093:X509 V3 routines:A2I_GENERAL_NAME:othername error:v3_alt.c:494:
3077565144:error:22098080:X509 V3 routines:X509V3_EXT_nconf:error in extension:v3_conf.c:93:name=subjectAltName, value=otherName:1.3.6.1.4.1.311.25.1;FORMAT:HEX,OCTETSTRING:3F2504E04F8911D39A0C0305E82C3301
With this other test:
subjectAltName = otherName:1.3.6.1.4.1.311.25.1;OCTETSTRING:3F2504E04F8911D39A0C0305E82C3301
the command works and generates a string with all 32 characters. But
the MS GUID must contain the 16 octets: e.g. 3F, 25, 04, etc.
I have tested a lot of cases, but the first syntax seems to conform to
OpenSSL. My references for my tests:
http://www.openssl.org/docs/apps/x509v3_config.html#Subject_Alternative_Name_
http://www.openssl.org/docs/crypto/ASN1_generate_nconf.html
Could you help me?
Do you have any idea of tests that I can do?
Thanks.
Best regards,
David
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org
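
The difference the post describes between the 16-octet GUID and the 32-character string, shown at the DER level as an added example (not part of the original message and not OpenSSL code). The OID and GUID value are taken from the post; the helper names are hypothetical and the decoder only handles the short-form lengths this sample needs.

```python
MS_GUID_OID = "1.3.6.1.4.1.311.25.1"           # OID from the post's config comment
GUID_HEX = "3F2504E04F8911D39A0C0305E82C3301"  # sample value from the post

def der_len(n):
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, content):
    """One DER tag-length-value element."""
    return bytes([tag]) + der_len(len(content)) + content

def der_oid(dotted):
    """Encode a dotted OID; each arc after the first two is base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out += bytes(reversed(chunk))
    return tlv(0x06, bytes(out))

def other_name(oid, octets):
    """GeneralName otherName [0] { type-id OID, value [0] EXPLICIT OCTET STRING }."""
    return tlv(0xA0, der_oid(oid) + tlv(0xA0, tlv(0x04, octets)))

def guid_payload(general_name):
    """Extract the OCTET STRING content from an otherName built above."""
    if general_name[0] != 0xA0 or general_name[2] != 0x06:
        raise ValueError("not an otherName GeneralName")
    pos = 4 + general_name[3]                  # skip outer header and OID TLV
    if general_name[pos] != 0xA0 or general_name[pos + 2] != 0x04:
        raise ValueError("value is not [0] EXPLICIT OCTET STRING")
    return general_name[pos + 4 : pos + 4 + general_name[pos + 3]]

def is_ms_guid(general_name):
    """A GUID payload is exactly 16 octets."""
    return len(guid_payload(general_name)) == 16

wanted = other_name(MS_GUID_OID, bytes.fromhex(GUID_HEX))     # 16 raw octets
as_text = other_name(MS_GUID_OID, GUID_HEX.encode("ascii"))   # 32 ASCII characters

if __name__ == "__main__":
    print(wanted.hex(), is_ms_guid(wanted))
    print(as_text.hex(), is_ms_guid(as_text))
```

Comparing these bytes with the output of `openssl asn1parse` on a generated CSR shows which of the two encodings the request actually carries.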