Hello Erwann,

On Fri, Sep 28, 2012 at 02:53:35PM +0200, Erwann Abalea wrote:
> Strange, my previous answer was sent empty, and every try results in
> an empty mail stored in my postponed folder...
> Anyway.
> 
> Use decimal numbers for an OID.
> Yours will be 2.25.266774424501754920443129542379924997403

How did you transform the number from hex to decimal? I have been
looking to do this for an hour now to no avail.
Thanks for giving me the number.

Still it doesn't work. Another error now. But first, the changes I have
done are as follows:

openssl.cnf
===========

# This is at the beginning of the file
company_root_oid = 2.25.266774424501754920443129542379924997403

[ company_ca_policy ]
policyIdentifier = company_root_oid.2.5.29.32.1

[ company_v3_ca ]
certificatePolicies = ia5org,@company_ca_policy

===========

The error is the following:
wiz:CA/ (master) $ openssl req -new -x509 -days 3650 -extensions
company_v3_ca -keyout private/company.ca.key -out certs/company.ca.pem -config 
openssl.cnf

Error Loading extension section v3_ca
6198:error:0D06407A:asn1 encoding routines:a2d_ASN1_OBJECT:first num too
large:/SourceCache/OpenSSL098/OpenSSL098-47/src/crypto/asn1/a_object.c:109:
6198:error:2208306E:X509 V3 routines:POLICY_SECTION:invalid object
identifier:/SourceCache/OpenSSL098/OpenSSL098-47/src/crypto/x509v3/v3_cpols.c:211:section:company_ca_policy,name:policyIdentifier,value:company_root_oid.2.5.29.32.1
6198:error:22098080:X509 V3 routines:X509V3_EXT_nconf:error in
extension:/SourceCache/OpenSSL098/OpenSSL098-47/src/crypto/x509v3/v3_conf.c:93:name=certificatePolicies,
value=ia5org,company_ca_policy

The OpenSSL version, if it matters, is:
wiz:CA/ (master) $ openssl version
OpenSSL 0.9.8r 8 Feb 2011

I don't know what I am doing wrong. PKI is a vast topic with a lot of
things to grasp. I have to take it slow.

I do have one question though. In the link that Ryan Hurst suggested, the
policyIdentifier is left out.

What is the difference between the two? Would I be RFC compliant if I
used a policyIdentifier, or none at all, or does it not matter?

I have read somewhere that some applications cannot parse UUIDs. If
using a certificate policy without a policyIdentifier would keep me RFC
compliant I would choose to do that. I don't want to get in trouble with
applications.

Acquiring an OID for the company is not possible, at least for now. I
guess that would be the most elegant solution.

This is my first day with OpenSSL and CA stuff. I have read a good book
[1] on the topic, in the past. I have started reading it again plus the
RFCs. There is a lot of info to process, understand and apply so please
bear with me if my questions are rather stupid.

[1]: Understanding PKI Concepts, Standards And Deployment
Considerations - By: Carlisle Adams; Steve Lloyd

Thank you for your patience. Cheers and Goodwill,
v

> 
> And for your policyIdentifier, it should be easier to read if
> expressed as "company_root_oid.2.5.29.32.1".
> 
> -- 
> Erwann ABALEA
> 
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> User Support Mailing List                    openssl-users@openssl.org
> Automated List Manager                           majord...@openssl.org
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
