
Non standard X509 V3 extension.


Hellan,Kim KHE

Nov 13, 2001, 8:39:15 AM
Hi

I'm just (very) curious.....
Where is it stated that Windows XP only accepts client certificates with the
X.509v3 extension 'Certificate Template'?
I really hope this is a mistake, since it means that all our current
certificates suddenly will be invalid on Windows XP.

Regards,
Kim Hellan
KMD / KMD-CA

-----Original message-----
From: Dr S N Henson [mailto:d...@celocom.com]
Sent: 13 November 2001 14:14
To: openss...@openssl.org
Subject: Re: Non standard X509 V3 extension.


Alexey Kobozev wrote:
>
> Hi, All!
>
> I'm having a problem generating the certificate which can be
> used as client certificate on Windows XP. The problem is that
> client certificate must have the special MS's proprietary
> X509 V3 extension 'Certificate Template' with oid 1.3.6.1.4.1.311.20.2
> and has to be treated as a string (similar to nsComment, for example).
>
> I've tried to add it to oid_section in the openssl.cnf, but it
> doesn't work, because (afaik) these new oids are for the rvalue
> only - I need lvalue.
>
> So, the question is how can I add such a non standard thing into
> the newly generated cert?
>

Can you send me an example of a certificate with that extension?

The only current way to handle these in an unmodified OpenSSL is to
manually generate the hex DER encoding of the extension using something
like:

extensionName=DER:12:34:56

If this extension is really the same as nsComment then you can create a
dummy nsComment with the value you want and get the hex dump from that.

Steve.
--
Dr Stephen N. Henson. http://www.drh-consultancy.demon.co.uk/
Personal Email: she...@drh-consultancy.demon.co.uk
Senior crypto engineer, Gemplus: http://www.gemplus.com/
Core developer of the OpenSSL project: http://www.openssl.org/
Business Email: d...@celocom.com PGP key: via homepage.

______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openss...@openssl.org
Automated List Manager majo...@openssl.org

Dr S N Henson

Nov 13, 2001, 8:28:51 PM
Alexey Kobozev wrote:
>
> > >
> > > Hi, All!
> > >
> > > I'm having a problem generating the certificate which can be
> > > used as client certificate on Windows XP. The problem is that
> > > client certificate must have the special MS's proprietary
> > > X509 V3 extension 'Certificate Template' with oid 1.3.6.1.4.1.311.20.2
> > > and has to be treated as a string (similar to nsComment, for example).
> > >
> > > I've tried to add it to oid_section in the openssl.cnf, but it
> > > doesn't work, because (afaik) these new oids are for the rvalue
> > > only - I need lvalue.
> > >
> > > So, the question is how can I add such a non standard thing into
> > > the newly generated cert?
> > >
> >
> > Can you send me an example of a certificate with that extension?
>
> Sure. I've sent it to she...@drh-consultancy.demon.co.uk
>

Thanks. The type of that extension is a BMPString not the IA5String that
Netscape comment uses. In this case if you do

openssl x509 -in a.cer -certopt ext_dump

you get (among other things)

1.3.6.1.4.1.311.20.2:
0000 - 1e 08 00 55 00 73 00 65-00 72
...U.s.e.r

So if you add the oid you should be able to do:

certTemplate=DER:1e:08:00:55:00:73:00:65:00:72

This isn't particularly friendly but it should work. I might extend the
unsupported extension syntax a bit so you can do things like:

certTemplate=BMPString:User

There's also an otherName extension in there which I've been meaning to
add support for too...
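
The two replies above describe the only route an unmodified OpenSSL of that era offered: hand-build the DER encoding of the extension value and paste it into openssl.cnf as `name=DER:xx:xx:...`. The following script is an added example (not code from the thread, from OpenSSL, or from the posters) that does that arithmetic for you: it DER-encodes a BMPString (tag 0x1e, UTF-16BE, which is what the Microsoft `1.3.6.1.4.1.311.20.2` value in the quoted dump uses) and, for comparison, an IA5String (tag 0x16, what nsComment uses), formats the bytes in the colon-separated hex form shown in the reply, and decodes a `-certopt ext_dump` style hex dump back to text so you can check what a certificate actually carries. The short name `certTemplate` is assumed to have been registered for that OID in the config's oid_section, as the thread assumes; it is not a built-in OpenSSL name.

```python
# Added example, not from the thread or from OpenSSL.
# Builds the DER encoding of string-typed X.509 extension values so they can
# be written into openssl.cnf as  name=DER:xx:xx:...  and decodes such a
# value back for checking. Standard library only.
from typing import Tuple

BMPSTRING_TAG = 0x1E   # universal tag 30: BMPString, UCS-2 / UTF-16BE, no BOM
IA5STRING_TAG = 0x16   # universal tag 22: IA5String, 7-bit ASCII (used by nsComment)


def der_length(n: int) -> bytes:
    """DER length octets: short form below 128, minimal long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_bmpstring(text: str) -> bytes:
    """Encode text as a DER BMPString. Characters outside the BMP are rejected
    because BMPString is fixed 16-bit and cannot carry surrogate pairs."""
    for ch in text:
        if ord(ch) > 0xFFFF:
            raise ValueError("not representable in a BMPString: %r" % ch)
    payload = text.encode("utf-16-be")
    return bytes([BMPSTRING_TAG]) + der_length(len(payload)) + payload


def der_ia5string(text: str) -> bytes:
    """Encode text as a DER IA5String; non-ASCII input raises, as IA5 forbids it."""
    payload = text.encode("ascii")
    return bytes([IA5STRING_TAG]) + der_length(len(payload)) + payload


def openssl_der_value(der: bytes) -> str:
    """Colon-separated hex with the DER: prefix that openssl.cnf accepts."""
    return "DER:" + ":".join("%02x" % b for b in der)


def config_line(name: str, text: str) -> str:
    """The openssl.cnf line for a BMPString-valued extension called `name`."""
    return "%s=%s" % (name, openssl_der_value(der_bmpstring(text)))


def parse_der_string(der: bytes) -> Tuple[int, str]:
    """Decode one DER string TLV (BMPString or IA5String) to (tag, text).
    Useful for reading the bytes that `openssl x509 -certopt ext_dump` prints."""
    tag, first = der[0], der[1]
    if first < 0x80:
        length, offset = first, 2
    else:
        nbytes = first & 0x7F
        length = int.from_bytes(der[2:2 + nbytes], "big")
        offset = 2 + nbytes
    payload = der[offset:offset + length]
    if len(payload) != length:
        raise ValueError("truncated DER value")
    if tag == BMPSTRING_TAG:
        return tag, payload.decode("utf-16-be")
    if tag == IA5STRING_TAG:
        return tag, payload.decode("ascii")
    raise ValueError("unsupported string tag 0x%02x" % tag)


if __name__ == "__main__":
    # 'certTemplate' is assumed to be the short name registered in oid_section
    # for 1.3.6.1.4.1.311.20.2, as in the thread.
    print(config_line("certTemplate", "User"))
    # Round-trip the dump quoted in the reply: 1e 08 00 55 00 73 00 65 00 72
    print(parse_der_string(bytes.fromhex("1e080055007300650072")))
```

Running it prints `certTemplate=DER:1e:08:00:55:00:73:00:65:00:72`, the same bytes as the reply, and decodes the quoted dump back to `(30, 'User')`. The reason the nsComment trick from the first reply gives the wrong bytes for this extension is visible in the two encoders: nsComment yields `16:04:55:73:65:72`, a different tag and a one-byte-per-character payload, so a relying party expecting a BMPString would not decode it.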

Rod Gilchrist

Nov 14, 2001, 3:17:02 PM
Hi,

The -certopt command doesn't seem to be in either 0.9.6b or
in the snapshot from Nov 13.

Is it available somewhere else?

I'm wondering if there is a certTemplate for server
as well as client.

- Rod
