
Re: Alternate names in certificates



In message <016b01c349da$db943fd0$0e01a8c0@CELLO> on Mon, 14 Jul 2003 00:37:38 -0700, "Howard Chu" <hyc@highlandsun.com> said:

hyc> > -----Original Message-----
hyc> > From: owner-openldap-software@OpenLDAP.org
hyc> > [mailto:owner-openldap-software@OpenLDAP.org]On Behalf Of
hyc> > Dave Horsfall
hyc> 
hyc> > What will *not* work, apparently, is having the extension in the client
hyc> > configuration file; the CA has to be told to insert it, and this is where
hyc> > the messiness starts.
hyc> 
hyc> This is a known limitation (bug) in OpenSSL 0.9.6. I don't recall
hyc> if it's been fixed in 0.9.7 or 0.9.8. (That is, extensions in the
hyc> cert request are not propagated into the signed certificate.) You
hyc> could browse the ChangeLogs and find out. But this is fodder for
hyc> the openssl-users mailing list...


See http://www.openssl.org/docs/apps/ca.html#item_copy_extensions
That option is new in 0.9.7.

Don't forget to read the warnings in
http://www.openssl.org/docs/apps/ca.html#WARNINGS

-- 
Richard Levitte   \ Tunnlandsvägen 3  \ LeViMS@stacken.kth.se
Redakteur@Stacken  \ S-168 36  BROMMA  \ T: +46-8-26 52 47
                    \      SWEDEN       \ or +46-708-26 53 44
Procurator Odiosus Ex Infernis                -- poei@bofh.se
Member of the OpenSSL development team: http://www.openssl.org/

Unsolicited commercial email is subject to an archival fee of $400.
See <http://www.stacken.kth.se/~levitte/mail/> for more info.
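An added configuration sketch, not part of the original message or of the OpenSSL distribution, showing the `copy_extensions` option discussed above with the weak setting beside the one the `ca` WARNINGS section recommends. The section names (`CA_default`, `usr_cert`, `v3_req`) and the host names are assumptions chosen for illustration.

```ini
# --- CA side: configuration file used by "openssl ca" (0.9.7 or later) ---
[ ca ]
default_ca      = CA_default

[ CA_default ]
# Extensions the CA itself puts into every certificate it issues.
x509_extensions = usr_cert

# Risky: copyall lets the request replace extensions set by the CA,
# including basicConstraints, so a request carrying CA:TRUE would be
# issued as a CA certificate if nobody notices it at signing time.
#copy_extensions = copyall

# Safer: copy only adds request extensions that the CA section below
# does not already define. subjectAltName from the request is copied;
# a basicConstraints in the request is ignored.
copy_extensions = copy

[ usr_cert ]
# Pinned by the CA so that "copy" can never take it from the request.
basicConstraints = critical, CA:FALSE
keyUsage         = digitalSignature, keyEncipherment

# --- Client side: configuration file used by "openssl req" ---
[ req ]
distinguished_name = req_dn
req_extensions     = v3_req

[ req_dn ]
commonName = Common Name

[ v3_req ]
# Alternate names requested for the server certificate (constructed values).
subjectAltName = DNS:ldap.example.com, DNS:ldap2.example.com
```

Before signing, `openssl req -in request.pem -noout -text` shows which extensions the request asks for, so anything other than the expected subjectAltName can be rejected.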