I'm just (very) curious.....
Where is it stated that Windows XP only accepts client certificates with the
X.509v3 extension 'Certificate Template'?
I really hope this is a mistake, since it means that all our current
certificates suddenly will be invalid on Windows XP.
Regards,
Kim Hellan
KMD / KMD-CA
-----Original Message-----
From: Dr S N Henson [mailto:d...@celocom.com]
Sent: 13 November 2001 14:14
To: openss...@openssl.org
Subject: Re: Non standard X509 V3 extension.
Alexey Kobozev wrote:
>
> Hi, All!
>
> I'm having a problem generating the certificate which can be
> used as client certificate on Windows XP. The problem is that
> client certificate must have the special MS's proprietary
> X509 V3 extension 'Certificate Template' with oid 1.3.6.1.4.1.311.20.2
> and has to be treated as a string (similar to nsComment, for example).
>
> I've tried to add it to oid_section in the openssl.cnf, but it
> doesn't work, because (afaik) these new oids are for the rvalue
> only - I need lvalue.
>
> So, the question is how can I add such a non standard thing into
> the newly generated cert?
>
Can you send me an example of a certificate with that extension?
The only current way to handle these in an unmodified OpenSSL is to
manually generate the hex DER encoding of the extension using something
like:
extensionName=DER:12:34:56
If this extension is really the same as nsComment then you can create a
dummy nsComment with the value you want and get the hex dump from that.
Steve.
--
Dr Stephen N. Henson. http://www.drh-consultancy.demon.co.uk/
Personal Email: she...@drh-consultancy.demon.co.uk
Senior crypto engineer, Gemplus: http://www.gemplus.com/
Core developer of the OpenSSL project: http://www.openssl.org/
Business Email: d...@celocom.com PGP key: via homepage.
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openss...@openssl.org
Automated List Manager majo...@openssl.org
Thanks. The type of that extension is a BMPString, not the IA5String that
Netscape comment uses. In this case if you do
openssl x509 -in a.cer -certopt ext_dump
you get (among other things)
1.3.6.1.4.1.311.20.2:
0000 - 1e 08 00 55 00 73 00 65-00 72   ...U.s.e.r
So if you add the oid you should be able to do:
certTemplate=DER:1e:08:00:55:00:73:00:65:00:72
This isn't particularly friendly but it should work. I might extend the
unsupported extension syntax a bit so you can do things like:
certTemplate=BMPString:User
There's also an otherName extension in there which I've been meaning to
add support for too...
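The two replies above both come down to hand-building the DER encoding of the extension value and pasting it in with the `DER:` syntax. The following is an added example, not code from the thread or from OpenSSL: it encodes a string as a DER BMPString (tag 0x1e, UTF-16BE payload) exactly as the dump above shows, renders the `certTemplate=DER:...` config line, recovers the bytes from an `ext_dump` hex line, and parses the value back while checking the tag. It also encodes the same text as an IA5String (tag 0x16, what nsComment uses) to show why the dummy-nsComment trick from the first reply would produce the wrong type. The extension name `certTemplate` is taken from the thread; the function names and the one-line sample dump are this example's own.

```python
"""Added example (not part of the openssl-users thread): build, render and
parse the DER BMPString that the MS 'Certificate Template' extension carries.
`certTemplate` follows the thread; function names are this example's own."""
import re

BMPSTRING_TAG = 0x1E   # ASN.1 UNIVERSAL 30: UCS-2 text, encoded here as UTF-16BE
IA5STRING_TAG = 0x16   # ASN.1 UNIVERSAL 22: 7-bit ASCII, the type nsComment uses


def der_length(n: int) -> bytes:
    """DER definite-form length: one byte below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    octets = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(octets)]) + octets


def der_bmpstring(text: str) -> bytes:
    """Tag 0x1e + length + UTF-16BE payload, two bytes per character."""
    if any(ord(ch) > 0xFFFF for ch in text):
        raise ValueError("BMPString cannot carry characters outside the BMP")
    body = text.encode("utf-16-be")
    return bytes([BMPSTRING_TAG]) + der_length(len(body)) + body


def der_ia5string(text: str) -> bytes:
    """Tag 0x16 + length + ASCII payload; contrasted with the BMPString above."""
    body = text.encode("ascii")  # raises on non-ASCII, as IA5String requires
    return bytes([IA5STRING_TAG]) + der_length(len(body)) + body


def openssl_der_line(ext_name: str, der: bytes) -> str:
    """Render `name=DER:xx:xx:...`, OpenSSL's syntax for unsupported extensions."""
    return f"{ext_name}=DER:" + ":".join(f"{b:02x}" for b in der)


def parse_bmpstring(der: bytes) -> str:
    """Decode a DER BMPString, verifying tag and length instead of trusting them."""
    if len(der) < 2 or der[0] != BMPSTRING_TAG:
        raise ValueError(f"expected BMPString tag 0x1e, got {der[:1].hex() or 'empty'}")
    if der[1] < 0x80:
        length, start = der[1], 2
    else:
        n = der[1] & 0x7F
        length, start = int.from_bytes(der[2:2 + n], "big"), 2 + n
    body = der[start:start + length]
    if len(body) != length or length % 2:
        raise ValueError("truncated or odd-length BMPString body")
    return body.decode("utf-16-be")


# One `openssl x509 -certopt ext_dump` line: 4-digit offset, " - ", hex bytes
# separated by spaces (a '-' after the 8th byte), then the ASCII column.
_DUMP_LINE = re.compile(r"^\s*[0-9a-fA-F]{4} - ((?:[0-9a-fA-F]{2}[ -])*[0-9a-fA-F]{2})")


def hex_dump_to_bytes(dump: str) -> bytes:
    """Recover the raw bytes from ext_dump output, ignoring the ASCII column."""
    out = bytearray()
    for line in dump.splitlines():
        m = _DUMP_LINE.match(line)
        if m:
            out += bytes.fromhex(re.sub(r"[ -]", "", m.group(1)))
    return bytes(out)


# Constructed input: the dump from the thread with its ASCII column on the same line.
SAMPLE_DUMP = "0000 - 1e 08 00 55 00 73 00 65-00 72   ...U.s.e.r"

if __name__ == "__main__":
    print(openssl_der_line("certTemplate", der_bmpstring("User")))
    print(parse_bmpstring(hex_dump_to_bytes(SAMPLE_DUMP)))
    # Same text as nsComment would encode it: tag 0x16, one byte per character.
    print(openssl_der_line("nsComment", der_ia5string("User")))
```

Running it prints `certTemplate=DER:1e:08:00:55:00:73:00:65:00:72`, the same line given above, followed by `User` and then `nsComment=DER:16:04:55:73:65:72`; the last line makes the tag and width difference between the two string types visible, which is why a value copied from a dummy nsComment would not decode as the BMPString the extension expects.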
The -certopt command doesn't seem to be in either 0.9.6b or
in the snapshot from Nov 13.
Is it available somewhere else?
I'm wondering if there is a certTemplate for server
as well as client.
- Rod