Simple really:

The OID must be written in decimal, not hexadecimal.

Please refer to the ITU-T page you referenced to figure out
how the bytes and bits of your UUID map to numeric parts of
the OID and then write those out in decimal.

On 9/28/2012 1:24 PM, Valentin Bud wrote:
I want to implement a CA using openssl and some (basic) bash scripting.

I am trying to understand and conform to the standards. So I have started by
reading RFC5280 [1]. I want to write a CPS and link to it from the CA
using the certificatePolicies cPSuri qualifier.

First thing I did was to generate a UUID OID following the ITU-T
instructions [2].

Afterwards I added to openssl.cnf the following:

= = = = = = = =

company_root_oid = 2.25.c8b2e2a0094b11e2936a0002a5d5c51b

[ v3_ca ]

certificatePolicies = ia5org,@company_ca_policy

[ company_ca_policy ]
policyIdentifier = 2.25.c8b2e2a0094b11e2936a0002a5d5c51b.2.5.29.32.1
CPS.1 = "http://pki.edoxx.net/cps/";
userNotice.1 = @company_ca_notice

[ company_ca_notice ]
explicitText="Company Primary CA strives to conform with the latest PKIX RFCs. The Company Trust Network is operated as stated in the CPS: http://pki.company.net/cps/. We recommend you read it before trusting us."

= = = = = = = =

I feel compelled to tell you that company_ca_policy and company_ca_notice
appear before v3_ca. I don't really know if the order matters.

I have done this following the example provided on x509_config(5) [3]
manual page.

Next step was to generate the CA.

wiz:CA/ (master) $ openssl req -new -x509 -days 3650 -extensions v3_ca \
    -keyout private/edoxx.ca.key -out certs/edoxx.ca.pem -config openssl.cnf

problem creating object
edoxx_root_oid=2.25.c8b2e2a0094b11e2936a0002a5d5c51b
28675:error:0D064082:asn1 encoding routines:a2d_ASN1_OBJECT:invalid
digit:/SourceCache/OpenSSL098/OpenSSL098-47/src/crypto/asn1/a_object.c:139:

I know I'm doing something wrong but I don't know what. Can you please
shed some light?

[1]: http://tools.ietf.org/html/rfc5280
[2]: http://www.itu.int/ITU-T/asn1/uuid.html#registration
[3]: http://www.openssl.org/docs/apps/x509v3_config.html

Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. http://www.wisemo.com
Transformervej 29, 2730 Herlev, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
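To make Jakob's point concrete, here is an added example (not code from either poster) that maps a UUID to its X.667 OID under arc 2.25 by writing the 128-bit value in decimal, then DER-encodes and decodes the result so you can check the value OpenSSL will actually put in the certificate. It uses only the Python 3 standard library; the UUID is the one from the original config, re-typed in dashed form.

```python
import uuid


def uuid_to_oid(u):
    """ITU-T X.667: a UUID is registered under arc 2.25 as its 128-bit
    value written in DECIMAL, never as the hex string of the UUID."""
    return "2.25.%d" % uuid.UUID(u).int


def oid_to_der(oid):
    """DER-encode a dotted-decimal OID (tag 0x06) with base-128 sub-ids.
    int() rejects hex digits, mirroring OpenSSL's 'invalid digit' error."""
    arcs = [int(a) for a in oid.split(".")]
    if len(arcs) < 2 or arcs[0] > 2 or (arcs[0] < 2 and arcs[1] > 39):
        raise ValueError("invalid OID: %s" % oid)
    body = bytearray()
    # First two arcs are packed into one sub-identifier: 40*X + Y.
    for n in [arcs[0] * 40 + arcs[1]] + arcs[2:]:
        groups = [n & 0x7F]          # last 7-bit group has the high bit clear
        n >>= 7
        while n:
            groups.append(0x80 | (n & 0x7F))  # continuation groups set it
            n >>= 7
        body.extend(reversed(groups))
    if len(body) > 127:
        raise ValueError("long-form length not handled in this example")
    return bytes([0x06, len(body)]) + bytes(body)


def der_to_oid(der):
    """Decode the DER produced above, to verify the round trip."""
    if der[0] != 0x06 or der[1] != len(der) - 2:
        raise ValueError("not a short-form DER OBJECT IDENTIFIER")
    subids, n = [], 0
    for b in der[2:]:
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:
            subids.append(n)
            n = 0
    first = min(subids[0] // 40, 2)
    return ".".join(str(x) for x in [first, subids[0] - 40 * first] + subids[1:])


if __name__ == "__main__":
    # Constructed input: the UUID from the config in dashed form.
    oid = uuid_to_oid("c8b2e2a0-094b-11e2-936a-0002a5d5c51b")
    print("company_root_oid = " + oid)     # decimal form OpenSSL accepts
    print(oid_to_der(oid).hex())
```

Paste the printed `company_root_oid` line into openssl.cnf in place of the hex form, or check it against `openssl asn1parse` output after issuing a test certificate.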