Hello,
On 28/09/2012 16:29, Valentin Bud wrote:
On Fri, Sep 28, 2012 at 02:53:35PM +0200, Erwann Abalea wrote:
Strange, my previous answer was sent empty, and every try results in
an empty mail stored in my postponed folder...
Anyway.
Use decimal numbers for an OID.
Yours will be 2.25.266774424501754920443129542379924997403
How did you transform the number from hex to decimal? I have been
looking to do this for an hour now to no avail.
Thanks for giving me the number.
(echo "ibase=16"; echo "c8b2e2a0094b11e2936a0002a5d5c51b" | tr 'a-f' 'A-F') | bc -l
Still it doesn't work. Another error now. But first, the changes I have
done are as follows:
openssl.cnf
===========
# This is at the beginning of the file
company_root_oid = 2.25.266774424501754920443129542379924997403
[ company_ca_policy ]
policyIdentifier = company_root_oid.2.5.29.32.1
My fault here.
I'd use:
-----
oid_section = new_oids
[ new_oids ]
company_root_oid = 2.25.266774424501754920443129542379924997403
acceptable_cp = ${company_root_oid}.2.5.29.32.1
[ req ]
distinguished_name = mydn
[ mydn ]
[ company_v3_ca ]
certificatePolicies = @mypolicy
[ mypolicy ]
policyIdentifier = acceptable_cp
-----
Some pieces are still missing there, but with the command line you used
below, with the addition of a "-subj '/C=XX/O=Company/CN=Company Root'",
you'll have a certificate.
Since you're new to PKI, I don't think you've already created and
populated the .2.5.29.32 branch of your OID arc, and I'm guessing you
took this 2.5.29.32 from the RFC. If yes, forget about it and organize
your OID arc the way you want. For example have a .1 for all your
certificate policies, and dedicate one for the CP you want to declare here:
allcompanyCP = ${company_root_oid}.1
CPforwebservers = ${allcompanyCP}.1
and use CPforwebservers as the declared policyIdentifier.
[ company_v3_ca ]
certificatePolicies = ia5org,@company_ca_policy
===========
The error is the following:
wiz:CA/ (master) $ openssl req -new -x509 -days 3650 -extensions company_v3_ca -keyout private/company.ca.key -out certs/company.ca.pem -config openssl.cnf
Error Loading extension section v3_ca
6198:error:0D06407A:asn1 encoding routines:a2d_ASN1_OBJECT:first num too
large:/SourceCache/OpenSSL098/OpenSSL098-47/src/crypto/asn1/a_object.c:109:
6198:error:2208306E:X509 V3 routines:POLICY_SECTION:invalid object
identifier:/SourceCache/OpenSSL098/OpenSSL098-47/src/crypto/x509v3/v3_cpols.c:211:section:company_ca_policy,name:policyIdentifier,value:company_root_oid.2.5.29.32.1
6198:error:22098080:X509 V3 routines:X509V3_EXT_nconf:error in
extension:/SourceCache/OpenSSL098/OpenSSL098-47/src/crypto/x509v3/v3_conf.c:93:name=certificatePolicies,
value=ia5org,company_ca_policy
The OpenSSL version, if it matters is:
wiz:CA/ (master) $ openssl version
OpenSSL 0.9.8r 8 Feb 2011
I don't know what I am doing wrong. PKI is a vast topic with a lot of
things to grasp. I have to take it slow.
I do have one question though. In the link that Ryan Hurst suggested the
policyIdentifier is left out.
What is the difference between the two? Would I be RFC compliant if I
used a policyIdentifier or none at all, or doesn't it matter?
For a root certificate, the certificatePolicies extension is generally
of no use. Some entities ask for this extension to be absent.
The normative validation algorithm doesn't take into account any
extension from the trust anchor (your root is a trust anchor), but some
implementations could eventually look at these and set parameters (used
by the algorithm). You may want to dig into RFC5280 section 6 or X.509
section 10 if you want to know more about it. Beware, it's insane.
I have read somewhere that some applications cannot parse UUIDs. If
using a certificate policy without a policyIdentifier would keep me RFC
compliant I would choose to do that. I don't want to get in trouble with
applications.
This has nothing to do with UUIDs here, as the relying party won't have
to parse this OID, it doesn't need to have any structure. The UUID is
used here to have a unique OID arc.
Acquiring an OID for the company is not possible, at least for now. I
guess that would be the most elegant solution.
It's always possible to get a private OID in the 1.3.6.1.4.1 branch.
Just send an email, and you'll have one.
Depending on your country, you may even already have one, based on your
company's unique registration number.
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org
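The two mechanical pieces of this thread, turning a UUID into a 2.25 OID arc and referencing that arc from openssl.cnf through `${...}` expansion rather than as a bare literal, as an added example that is not code from either poster. The function names, the simplified model of OpenSSL's config variable expansion, and the sub-arc layout (.1 for all certificate policies, .1.1 for the web-server policy) are assumptions following the reply's suggestion; the UUID is the one quoted in the thread.

```python
"""Derive a private OID arc from a UUID and check openssl.cnf OID references.

Added example, not code from the thread. Helper names, the config-expansion
model and the sub-arc numbering are assumptions.
"""
import re
import uuid

# Constructed sample: the UUID quoted in the thread, hex form without hyphens.
SAMPLE_UUID_HEX = "c8b2e2a0094b11e2936a0002a5d5c51b"


def uuid_to_oid(uuid_hex: str) -> str:
    """Map a UUID to the 2.25 arc: the 128-bit value becomes one decimal component.

    Same conversion as the bc one-liner in the thread, without the need to
    upper-case the hex digits; hyphenated and braced UUID forms are accepted too.
    """
    return f"2.25.{uuid.UUID(uuid_hex).int}"


# Simplified model of openssl.cnf variable references: ${name} or $name.
_VAR = re.compile(r"\$\{([A-Za-z0-9_]+)\}|\$([A-Za-z0-9_]+)")


def expand(value: str, variables: dict) -> str:
    """Replace ${name}/$name references; a bare name with no '$' stays literal.

    That is exactly why 'company_root_oid.2.5.29.32.1' is handed to the OID
    parser unchanged, while '${company_root_oid}.2.5.29.32.1' is expanded.
    """
    def repl(m):
        name = m.group(1) or m.group(2)
        if name not in variables:
            raise KeyError(f"undefined config variable: {name}")
        return variables[name]
    return _VAR.sub(repl, value)


# Dotted OID: decimal arcs only, first arc 0, 1 or 2.
_OID_RE = re.compile(r"^[0-2](\.[0-9]+)*$")


def is_valid_oid(oid: str) -> bool:
    """Check a dotted OID string the way an OID parser would before DER encoding.

    Arcs must be decimal; the first arc is 0-2; the second arc is below 40
    unless the first arc is 2 (which is why 2.25.<128-bit value> is fine).
    """
    if not _OID_RE.match(oid):
        return False
    arcs = [int(a) for a in oid.split(".")]
    return arcs[0] == 2 or len(arcs) < 2 or arcs[1] < 40


def build_arcs(uuid_hex: str) -> dict:
    """Lay out the private arc as the reply suggests (sub-arc numbers assumed)."""
    variables = {"company_root_oid": uuid_to_oid(uuid_hex)}
    variables["allcompanyCP"] = expand("${company_root_oid}.1", variables)
    variables["CPforwebservers"] = expand("${allcompanyCP}.1", variables)
    return variables


def openssl_cnf_fragment(uuid_hex: str) -> str:
    """Render the corrected openssl.cnf pieces.

    Every OID reference goes through a name declared in oid_section or a ${...}
    expansion; policyIdentifier names the OID rather than spelling it out.
    """
    v = build_arcs(uuid_hex)
    return "\n".join([
        "oid_section = new_oids",
        "",
        "[ new_oids ]",
        f"company_root_oid = {v['company_root_oid']}",
        "allcompanyCP = ${company_root_oid}.1",
        "CPforwebservers = ${allcompanyCP}.1",
        "",
        "[ company_v3_ca ]",
        "certificatePolicies = @mypolicy",
        "",
        "[ mypolicy ]",
        "policyIdentifier = CPforwebservers",
        "",
    ])


if __name__ == "__main__":
    arcs = build_arcs(SAMPLE_UUID_HEX)
    # The literal from the thread never expands, so the OID parser rejects it.
    print("bare literal valid:", is_valid_oid("company_root_oid.2.5.29.32.1"))
    print("expanded valid:    ",
          is_valid_oid(expand("${company_root_oid}.2.5.29.32.1", arcs)))
    print(openssl_cnf_fragment(SAMPLE_UUID_HEX))
```

Running the block prints the rejected literal, the accepted expanded form and the config fragment; `build_arcs` returns the three OIDs so they can be checked or pasted into a real configuration.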