On Tue, Mar 01, 2011, David CARELLA wrote:

>
> File test-req.cnf:
> [ req ]
> default_md = sha256
> req_extensions = ext_server
> [ ext_server ]
> keyUsage = critical, digitalSignature, keyEncipherment
> extendedKeyUsage = serverAuth
> #- MS GUID (OID: 1.3.6.1.4.1.311.25.1)
> subjectAltName = otherName:1.3.6.1.4.1.311.25.1;FORMAT:HEX,OCTETSTRING:3F2504E04F8911D39A0C0305E82C3301
>
>
> The command with error:
> $ openssl req -new -config test-req.cnf -sha256 -subj "/C=FR/O=FOO/CN=foo.com" -key foo.com.key -out foo.com.csr
> Error Loading request extension section ext_server
> 3077565144:error:220A4093:X509 V3 routines:A2I_GENERAL_NAME:othername error:v3_alt.c:494:
> 3077565144:error:22098080:X509 V3 routines:X509V3_EXT_nconf:error in extension:v3_conf.c:93:name=subjectAltName, value=otherName:1.3.6.1.4.1.311.25.1;FORMAT:HEX,OCTETSTRING:3F2504E04F8911D39A0C0305E82C3301
>
>
> With this other test:
> subjectAltName = otherName:1.3.6.1.4.1.311.25.1;OCTETSTRING:3F2504E04F8911D39A0C0305E82C3301
> the command works and generates a string with all the 32 characters.
> But MS GUID must contain the 16 octets: e.g. 3F, 25, 04, etc.
>
> I had tested a lot of cases, but the first syntax seems to
> conform to OpenSSL. My references for my test:
> http://www.openssl.org/docs/apps/x509v3_config.html#Subject_Alternative_Name_
> http://www.openssl.org/docs/crypto/ASN1_generate_nconf.html
>

See: http://www.openssl.org/docs/apps/x509v3_config.html#NOTES

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
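
The NOTES section linked above covers multi-valued extensions: in the single-line form a comma separates values, so a field value that itself contains a comma (here `FORMAT:HEX,OCTETSTRING:...`) has to go in the long, section-based form. The script below is an added example, not part of the thread; it builds a CSR with that form and prints the DER of the subjectAltName value, so the 16-octet and 32-character encodings can be compared. The section names `dn` and `alt_names`, the `[ dn ]` contents used in place of `-subj`, and the temporary file names are assumptions made for the demonstration.

```shell
#!/bin/sh
# Added example, not from the thread. Section names (dn, alt_names) and the
# temporary file names are constructed for this demonstration.

# san_der_hex SPEC: build a CSR whose subjectAltName is
# otherName:1.3.6.1.4.1.311.25.1;SPEC and print the DER of that extension
# value as upper-case hex.
san_der_hex() {
    spec=$1
    dir=$(mktemp -d) || return 1
    cat > "$dir/req.cnf" <<EOF
[ req ]
default_md = sha256
prompt = no
distinguished_name = dn
req_extensions = ext_server

[ dn ]
C = FR
O = FOO
CN = foo.com

[ ext_server ]
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
# Long form: the value lives in its own section, so the comma after
# FORMAT:HEX is not read as a separator between subjectAltName values.
subjectAltName = @alt_names

[ alt_names ]
otherName = 1.3.6.1.4.1.311.25.1;$spec
EOF
    openssl genrsa -out "$dir/key.pem" 2048 2>/dev/null &&
    openssl req -new -config "$dir/req.cnf" -key "$dir/key.pem" \
        -out "$dir/req.csr" &&
    openssl asn1parse -in "$dir/req.csr" |
        sed -n '/Subject Alternative Name/{n;s/.*HEX DUMP.://p;}' |
        tr 'a-f' 'A-F'
    rc=$?
    rm -rf "$dir"
    return $rc
}

# FORMAT:HEX stores the 16 GUID octets; without it the 32 ASCII characters
# of the hex text are stored instead.
san_der_hex 'FORMAT:HEX,OCTETSTRING:3F2504E04F8911D39A0C0305E82C3301'
san_der_hex 'OCTETSTRING:3F2504E04F8911D39A0C0305E82C3301'
```

In the first line of output the OCTET STRING header is `0410` (16 octets) followed by the GUID bytes; in the second it is `0420` (32 octets) followed by the ASCII codes of the hex digits.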