
New OID in openssl.cnf


Sandipan Gangopadhyay

Feb 16, 2001, 4:38:01 AM
I need a new OID in the certificate. This OID is DC.

The DC I want is the top level element in the Distinguished Name.
I.e. dc = cn, ou, o, dc

[ new_oids ]
# We can add new OIDs in here for use by 'ca' and 'req'.
# Add a simple OID like this:
# testoid1=1.2.3.4
# Or use config file substitution like this:
# testoid2=${testoid1}.5.6
dc=?????

I have a few questions.

1. dc=dc does not work. dc=1.2.3.4 works.

2. What should I put after dc in the [new_oid] section in this case ?

3. It works fine if I say 1.2.3.4 - where can I find out what it means ?

4. 1.2.3.4 reads as such in the certificate ! Unlike the others E (for
email), O (for organization) and so on ...

So, it's obvious that I am doing something wrong or totally ignorant here.
Please help !

Regards,

Sandipan

______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openss...@openssl.org
Automated List Manager majo...@openssl.org

Richard Levitte - VMS Whacker

Feb 16, 2001, 5:00:37 AM
From: "Sandipan Gangopadhyay" <sand...@vsnl.com>

sandipan> [ new_oids ]
sandipan> # We can add new OIDs in here for use by 'ca' and 'req'.
sandipan> # Add a simple OID like this:
sandipan> # testoid1=1.2.3.4
sandipan> # Or use config file substitution like this:
sandipan> # testoid2=${testoid1}.5.6
sandipan> dc=?????

DC is already defined within OpenSSL. It also has the longer name
domainComponent. The OID is 0.9.2342.19200300.100.1.25.

--
Richard Levitte \ Spannvägen 38, II \ LeV...@stacken.kth.se
Chairman@Stacken \ S-168 35 BROMMA \ T: +46-8-26 52 47
Redakteur@Stacken \ SWEDEN \ or +46-709-50 36 10
Procurator Odiosus Ex Infernis -- po...@bofh.se
Member of the OpenSSL development team: http://www.openssl.org/
Software Engineer, Celo Communications: http://www.celocom.com/

Unsolicited commercial email is subject to an archival fee of $400.
See <http://www.stacken.kth.se/~levitte/mail/> for more info.

Dale Peakall

Feb 16, 2001, 5:06:21 AM
> I need a new OID in the certificate. This OID is DC
>
> The DC I want is the top level element in the Distinguished Name.
> Ie. dc = cn, ou, o, dc
>
> [ new_oids ]
> # We can add new OIDs in here for use by 'ca' and 'req'.
> # Add a simple OID like this:
> # testoid1=1.2.3.4

> # Or use config file substitution like this:
> # testoid2=${testoid1}.5.6
> dc=?????
>
> I have a few questions.
>
> 1. dc=dc does not work. dc=1.2.3.4 works.

You need to specify an OID. An OID is an ordered list of numbers.
The name associated with an OID (cn, dc, whatever) is just that: a name
associated with the number. The name is never used in the ASN.1
representation of the certificate, just the numbers.

> 2. What should I put after dc in the [new_oid] section in this case ?

An OID. OIDs are arranged in a hierarchy.

Each national standards organisation runs a section of the hierarchy.

1.2.840 is run by ANSI
1.2.826 is run by BSI

These national standards organisations then allocate an ID to organisations,
who then manage the subsidiary nodes.

e.g. 1.2.840.113549 is RSA's ID; they then allocate IDs beneath this for
things like PKCS standards (e.g. 1.2.840.113549.1.7 is PKCS#7).

> 3. It works fine if I say 1.2.3.4 - where can I find out what
> it means ?

http://www.alvestrand.no/harald/objectid/ is a good place to start.
(Lots more OID information here too).

> 4. 1.2.3.4 reads as such in the certificate ! Unlike the others E
> (for email), O (for organization) and so on ...

In the actual certificate, every OID is a numbered list. Software
generally uses known OID->name associations to make the data more
readable. Your OID is not known, and therefore has no associated
friendly name.

> So, its obvious that I am doing something wrong or totally
> ignorant here.

Totally ignorant I'm afraid ;)

Hope this helps.

- Dale.

Sandipan Gangopadhyay

Feb 16, 2001, 9:51:11 AM
Thanks, thanks and thanks.

I did:
[ new_oids ]
domainComponent=0.9.2342.19200300.100.1.25

and used domainComponent in the other sections as usual. It worked fine.
Also, when installed on IE, it recognised and marked up the domainComponent
value as DC !!!
Exactly, the way it should be!

Regards,

Sandipan


Stefan Mueller

Feb 16, 2001, 9:53:33 AM
Hello,

I am away from the office until February, 27th.

Swiss-German clients can get support at support-de.realmedia.com,
Swiss-French clients can get support at support-fr.realmedia.com.

If Central Services are concerned, please contact support-eu.realmedia.com.

Kind regards,

Stefan Müller


Technical Support & Development
Real Media Technology SA

Victoria House
Route de la Pierre
CH - 1024 Ecublens
Tel : +41 21 695 97 40
Fax : +41 21 695 97 01

Sandipan Gangopadhyay

Feb 16, 2001, 10:34:21 AM
Thanks for the information and leads.

Regards,

Sandipan
Alberto Rubio

Feb 16, 2001, 10:34:59 AM

But man, how could you think of putting that as a message on a distribution
list?
Are you crazy? Did you ever think about automatically answering your own
mails on a mailing list?
By Saturday morning our email counts will be collapsed.

Richard Levitte - VMS Whacker

Feb 16, 2001, 12:50:28 PM
From: "Sandipan Gangopadhyay" <sand...@vsnl.com>

sandipan> I did :
sandipan> [ new_oids ]
sandipan> domainComponent=0.9.2342.19200300.100.1.25

Did you understand that you probably do not need to do that? It
should be built in to OpenSSL.


Sandipan Gangopadhyay

Feb 16, 2001, 2:07:38 PM
Richard,

Yes, I did understand so at first, but it didn't work without it :-(

I simply used domainComponent just as organizationalUnit is used, without a
definition under new_oids (because, of course, they are NOT new_oids).
But, when run, this happened:
Organization (domain) [zzz]:
Organizational Unit [Root CA Services]:
Common Name [www.zzz.com]:
Email Address [r...@zzz.com]:

That is, it ignored the domainComponent while prompting. This problem went
away when I defined it under new_oids.

Relevant portions of the .cnf file are:
...
[ policy_anything ]
domainComponent = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
...
[ req ]
default_bits = 2048
default_keyfile = privkey.pem
distinguished_name = req_distinguished_name
attributes = req_attributes
prompt = no
x509_extensions = v3_ca # The extentions to add to the self signed cert
[ req_distinguished_name ]
domainComponent_default = COM
domainComponent = Domain Component
domainComponent_min = 2
domainComponent_max = 4
0.organizationName_default = zzz
0.organizationName = Organization (domain)
...

I was happy to solve the problem by that probably extraneous oid definition
(time constraints, deadlines and all). But I appreciate that something could
be wrong somewhere. What do you think ?

My openssl is 0.9.4. I can't upgrade easily as I am making scripts around
this, and these scripts will be run on a number of servers with
Apache/Mod_SSL with 0.9.4, continents away, by non-techies. (So, I had to
make do without passin and passout.)

Regards,

Sandipan
