Hello Erwann,

On Fri, Sep 28, 2012 at 02:53:35PM +0200, Erwann Abalea wrote:
> Strange, my previous answer was sent empty, and every try results in
> an empty mail stored in my postponed folder...
> Anyway.
>
> Use decimal numbers for an OID.
> Yours will be 2.25.266774424501754920443129542379924997403
How did you transform the number from hex to decimal? I have been looking
to do this for an hour now to no avail.

Thanks for giving me the number. Still it doesn't work. Another error now.
But first, the changes I have done are as follows:

openssl.cnf
===========
# This is at the beginning of the file
company_root_oid = 2.25.266774424501754920443129542379924997403

[ company_ca_policy ]
policyIdentifier = company_root_oid.2.5.29.32.1

[ company_v3_ca ]
certificatePolicies = ia5org,@company_ca_policy
===========

The error is the following:

wiz:CA/ (master) $ openssl req -new -x509 -days 3650 -extensions company_v3_ca -keyout private/company.ca.key -out certs/company.ca.pem -config openssl.cnf
Error Loading extension section v3_ca
6198:error:0D06407A:asn1 encoding routines:a2d_ASN1_OBJECT:first num too large:/SourceCache/OpenSSL098/OpenSSL098-47/src/crypto/asn1/a_object.c:109:
6198:error:2208306E:X509 V3 routines:POLICY_SECTION:invalid object identifier:/SourceCache/OpenSSL098/OpenSSL098-47/src/crypto/x509v3/v3_cpols.c:211:section:company_ca_policy,name:policyIdentifier,value:company_root_oid.2.5.29.32.1
6198:error:22098080:X509 V3 routines:X509V3_EXT_nconf:error in extension:/SourceCache/OpenSSL098/OpenSSL098-47/src/crypto/x509v3/v3_conf.c:93:name=certificatePolicies, value=ia5org,company_ca_policy

The OpenSSL version, if it matters, is:

wiz:CA/ (master) $ openssl version
OpenSSL 0.9.8r 8 Feb 2011

I don't know what I am doing wrong. PKI is a vast topic with a lot of
things to grasp. I have to take it slow.

I do have one question though. In the link that Ryan Hurst suggested the
policyIdentifier is left out. What is the difference between the two?
Would I be RFC compliant if I used a policyIdentifier, or none at all, or
doesn't it matter? I have read somewhere that some applications cannot
parse UUIDs. If using a certificate policy without a policyIdentifier
would keep me RFC compliant I would choose to do that. I don't want to
get in trouble with applications.
Acquiring an OID for the company is not possible, at least for now. I
guess that would be the most elegant solution.

This is my first day with OpenSSL and CA stuff. I have read a good book
[1] on the topic, in the past. I have started reading it again plus the
RFCs. There is a lot of info to process, understand and apply, so please
bear with me if my questions are rather stupid.

[1]: Understanding PKI: Concepts, Standards and Deployment Considerations
     - By: Carlisle Adams; Steve Lloyd

Thank you for your patience.

Cheers and Goodwill,
v

>
> And for your policyIdentifier, it should be easier to read if
> expressed as "company_root_oid.2.5.29.32.1".
>
> --
> Erwann ABALEA
>
> ______________________________________________________________________
> OpenSSL Project http://www.openssl.org
> User Support Mailing List openssl-users@openssl.org
> Automated List Manager majord...@openssl.org
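The two mechanical pieces behind the message above, as an added example that is not code from the thread or from OpenSSL: the hex-to-decimal step that turns a UUID into a 2.25 arc (X.667 says the UUID is appended as one decimal integer), a DER encoder/decoder so the resulting OID can be inspected byte by byte, and a small model of openssl.cnf variable substitution. In openssl.cnf a variable defined earlier in the file is referenced as `$company_root_oid` (or `${company_root_oid}`); the bare text `company_root_oid.2.5.29.32.1` is passed to the OID parser unchanged, and its first character is not a digit in 0..2, which is what OpenSSL reports as "first num too large". The UUID value, the `cnf` dictionary and all function names are assumptions made for this example; only the OID value and the variable name `company_root_oid` come from the page.

```python
"""Added example (not code from the OpenSSL thread above): build a 2.25 OID
from a UUID, DER-encode it, and show why an openssl.cnf policyIdentifier
written without the '$' substitution marker fails OID parsing.

The UUID and the variable table below are constructed for illustration.
"""
import re
import uuid

# ITU-T X.667 / joint-iso-itu-t(2) uuid(25): an arc anyone may use without
# registration, by appending the UUID as ONE decimal integer (not hex).
UUID_ARC = "2.25"


def uuid_to_oid(u: str) -> str:
    """Return 2.25.<UUID as a decimal integer>; uuid.UUID(u).int is the hex-to-decimal step."""
    return f"{UUID_ARC}.{uuid.UUID(u).int}"


def encode_arc(n: int) -> bytes:
    """Base-128 encode one sub-identifier: 7 bits per byte, high bit set on all but the last."""
    if n < 0:
        raise ValueError("arcs are non-negative")
    out = [n & 0x7F]
    n >>= 7
    while n:
        out.append(0x80 | (n & 0x7F))
        n >>= 7
    return bytes(reversed(out))


def oid_to_der(oid: str) -> bytes:
    """DER-encode a dotted OID (tag 0x06, short-form length only)."""
    arcs = [int(a) for a in oid.split(".")]  # non-numeric text raises ValueError here
    if len(arcs) < 2:
        raise ValueError("an OID needs at least two arcs")
    # Same rule OpenSSL enforces: first arc 0..2; under 0 or 1 the second arc is < 40.
    if arcs[0] > 2 or (arcs[0] < 2 and arcs[1] > 39):
        raise ValueError("first arc must be 0..2; second arc < 40 unless first is 2")
    # The first two arcs are packed into one sub-identifier, 40*X + Y.
    body = encode_arc(40 * arcs[0] + arcs[1]) + b"".join(encode_arc(a) for a in arcs[2:])
    if len(body) > 127:
        raise ValueError("long-form length not handled in this example")
    return b"\x06" + bytes([len(body)]) + body


def der_to_oid(der: bytes) -> str:
    """Decode the output of oid_to_der back to dotted form (for round-trip checks)."""
    if len(der) < 3 or der[0] != 0x06 or der[1] != len(der) - 2:
        raise ValueError("not a short-form DER OBJECT IDENTIFIER")
    arcs, n = [], 0
    for b in der[2:]:
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(n)
            n = 0
    if n:
        raise ValueError("truncated sub-identifier")
    first = arcs[0]
    lead = [2, first - 80] if first >= 80 else list(divmod(first, 40))
    return ".".join(str(a) for a in lead + arcs[1:])


def expand_cnf_value(value: str, variables: dict) -> str:
    """Mimic openssl.cnf substitution: '$name' or '${name}' is replaced, a bare 'name' is not."""
    return re.sub(r"\$\{?(\w+)\}?", lambda m: variables[m.group(1)], value)


def policy_identifier_ok(value: str, variables: dict) -> bool:
    """True if the expanded config value parses as an OID. The unexpanded literal
    'company_root_oid.2.5.29.32.1' is not one: its first character is 'c', not a
    digit 0..2, which OpenSSL reports as 'first num too large'."""
    try:
        oid_to_der(expand_cnf_value(value, variables))
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed UUID; the poster's real UUID is not on the page.
    cnf = {"company_root_oid": uuid_to_oid("123e4567-e89b-12d3-a456-426614174000")}
    print(cnf["company_root_oid"])
    print(oid_to_der(cnf["company_root_oid"]).hex())
    print(policy_identifier_ok("company_root_oid.2.5.29.32.1", cnf))   # False
    print(policy_identifier_ok("$company_root_oid.2.5.29.32.1", cnf))  # True
```

The hex printed by `oid_to_der` can be cross-checked against `openssl asn1parse -genstr 'OID:2.25.<decimal>'`, which emits the same DER from the dotted form; the one change needed in the posted openssl.cnf is the leading `$` on the variable reference.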