On 02/07/2014 04:11 PM, Walter H. wrote:
> On 07.02.2014 21:04, Tom Pfeifer wrote:
>> ...which are required for Extended Validation (EV) certificates.
>> I'm currently using OpenSSL 1.0.1e-fips on Fedora 20, and I have
>> these OIDs specified in the [new_oids] section in openssl.cnf like
>> this:
>>
>> jurisdictionOfIncorporationLocalityName=1.3.6.1.4.1.311.60.2.1.1
>> jurisdictionOfIncorporationStateOrProvinceName=1.3.6.1.4.1.311.60.2.1.2
>> jurisdictionOfIncorporationCountryName=1.3.6.1.4.1.311.60.2.1.3
>>
>> Also, referring to this web page (from 2010):
>> http://www.frank4dd.com/howto/openssl/add_oids_to_openssl.htm
>>
>> ...I looked in crypto/objects/objects.txt in the 1.0.1e source
>> tree, and they were not listed in that file with other OIDs. I
>> also looked at the 1.0.1f source tree with the same result.
>>
>> The issue I'm having is that they don't show up in the Subject
>> line in the certificate when specified in the -subj string, while
>> all other OIDs specified in the same -subj string do show up. They
>> are just ignored, with no error message.
> You have to expand the [ policy_default ] or other section of your
> choice with something similar to
>
> jurisdictionOfIncorporationLocalityName = optional
> jurisdictionOfIncorporationStateOrProvinceName = optional
> jurisdictionOfIncorporationCountryName = optional
>
> Walter
>
I've tried doing that with no success so far, most likely due to my lack of understanding of how to set up policy sections in the config file (among other things).

The basic failure I'm getting is demonstrated by the information at the link below. It shows the 'openssl' command line, the error output from it, and the openssl.cnf file used.

https://www.dropbox.com/s/ipjtp1fmhd1p4mz/opensslcnf.txt

The [reg] and [req_issued_name] are the relevant sections for the 'req' command line being run in this case. If I comment out the 2 "jurisdictionOfIncorporation" lines in the [req_issued_name] section, the command runs without error, and the subject line contains all the other fields specified in that section.

If anyone has any pointers about policy sections (or pointers to basic docs or tutorials about them) - or anything else that's obvious from looking at the openssl.cnf file - it would be very much appreciated.

Thanks