On Tue, Feb 11, 2014, Tom Pfeifer wrote:

> On 02/10/2014 08:27 PM, Dave Thompson wrote:
> >> From: owner-openssl-us...@openssl.org On Behalf Of Tom Pfeifer
> >> Sent: Monday, February 10, 2014 16:53
> > <snip>
> >> I've tried doing that with no success so far, most likely due my lack of
> >> understanding of how to set up policy sections in the config file (among
> >> other things).
> >>
> > The policy section(s) is only for issuing certs with 'ca'.
> > Your problem is creating the request, well before that.
> > 
> >> The basic failure I'm getting is demonstrated by the information at the
> >> link below. It shows the 'openssl' command line, the error output from
> >> it, and the openssl.cnf file used.
> >>
> >> https://www.dropbox.com/s/ipjtp1fmhd1p4mz/opensslcnf.txt
> >>
> > The new_oids functionality is generic for pretty much all functions that 
> > use a config file, unlike other config items which are function-specific.
> > Thus the oid_section pointer must be in the 'default' section -- i.e. 
> > at the top of the config file before the first [sectname] divider.
> 
> 
> That was definitely a piece of information I was missing, and the error
> condition disappeared when I moved it to the top of the config file.
> This is the first time I have gotten it to recognize those
> "jurisdictionOfIncorporation" OIDs.
> 
> 
> > 
> > If you use 'ca' you do also need to fix up a policy (either a provided 
> > one, or one you create) unless you specify preserve=yes in which case 
> > it will use the RDNs from the request even if not in policy. If you use 
> > 'x509 -req' there is no policy and it uses the name from the request.
> > 
> > Small warning: 'req' and, if used, 'ca' use a file and can get added OIDs.
> > If you display the resulting cert(s) with 'x509 -text' that does not use 
> > any config file and thus must display the OIDs in numeric form.
> > 
> 
> I noticed the numeric form when using 'x509 -text', and it helped to be
> expecting it. The config file still needs some work, but hopefully I'm
> on my way with this now. Thank you for the pointers - very much appreciated!
> 

Note that there are two ways to add OIDs. One is the version that works with
the openssl utility but is lacking in some cases (e.g. x509) and the second is
through the configuration module mechanism.

This is described in the config(1) manual page and is more general. It should
also work for the x509 utility if you add the OIDs to the default
configuration file or set the OPENSSL_CONF environment variable to point to
it.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
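To make the two placements concrete, here is an added example openssl.cnf (not from the thread, and not the OpenSSL project's stock file) that uses the configuration-module form Steve mentions, so the same OIDs are known to 'req', 'ca' and 'x509' alike when OPENSSL_CONF points at the file. The section names, the ./demoCA layout and the EV jurisdictionOfIncorporation OID values are my assumptions; the thread never spells them out.

```ini
# Added example openssl.cnf (not from the thread). Assumptions: the section
# names, the ./demoCA directory layout, and the EV
# jurisdictionOfIncorporation OID arcs (1.3.6.1.4.1.311.60.2.1.x).

# ---- default section: everything above the first [name] divider ----
# Simplest form, read by every utility that loads a config file:
#   oid_section = new_oids
# Configuration-module form: runs when the library initialises, so it also
# covers 'x509 -text', which reads no per-command config section.
openssl_conf = openssl_init

[ openssl_init ]
oid_section = new_oids

[ new_oids ]
# shortName = longName, OID   (assumed EV OID values)
jurisdictionL  = jurisdictionOfIncorporationLocalityName, 1.3.6.1.4.1.311.60.2.1.1
jurisdictionST = jurisdictionOfIncorporationStateOrProvinceName, 1.3.6.1.4.1.311.60.2.1.2
jurisdictionC  = jurisdictionOfIncorporationCountryName, 1.3.6.1.4.1.311.60.2.1.3

[ req ]
distinguished_name = req_dn
prompt             = no
# Putting "oid_section = new_oids" here instead of in the default section
# is the mistake from the thread: 'req' then rejects the names below.

[ req_dn ]
C              = US
O              = Example Corp (constructed)
CN             = example.test
jurisdictionC  = US
jurisdictionST = Delaware

[ ca ]
default_ca = demo_ca

[ demo_ca ]
dir              = ./demoCA
database         = $dir/index.txt
new_certs_dir    = $dir/newcerts
certificate      = $dir/cacert.pem
private_key      = $dir/private/cakey.pem
serial           = $dir/serial
default_md       = sha256
default_days     = 365
policy           = policy_ev
# Alternative to listing the new RDNs in the policy: preserve = yes copies
# the request's RDNs into the cert even when the policy does not name them.

[ policy_ev ]
C              = match
O              = supplied
CN             = supplied
jurisdictionC  = optional
jurisdictionST = optional
```

With this file in place, a request is generated with `OPENSSL_CONF=./openssl.cnf openssl req -new -config ./openssl.cnf -newkey rsa:2048 -nodes -keyout key.pem -out req.pem`, and because the OIDs are registered through the configuration module rather than a per-command section, `openssl x509 -in cert.pem -noout -text` run under the same OPENSSL_CONF prints the jurisdictionOfIncorporation names instead of the dotted numeric form Dave describes.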