Re: Alternate names in certificates
In message <016b01c349da$db943fd0$0e01a8c0@CELLO> on Mon, 14 Jul 2003 00:37:38 -0700, "Howard Chu" <hyc@highlandsun.com> said:
hyc> > -----Original Message-----
hyc> > From: owner-openldap-software@OpenLDAP.org
hyc> > [mailto:owner-openldap-software@OpenLDAP.org]On Behalf Of
hyc> > Dave Horsfall
hyc>
hyc> > What will *not* work, apparently, is having the extension in
hyc> > the client
hyc> > configuration file; the CA has to be told to insert it, and
hyc> > this is where
hyc> > the messiness starts.
hyc>
hyc> This is a known limitation (bug) in OpenSSL 0.9.6. I don't recall
hyc> if it's been fixed in 0.9.7 or 0.9.8. (That is, extensions in the
hyc> cert request are not propagated into the signed certificate.) You
hyc> could browse the ChangeLogs and find out. But this is fodder for
hyc> the openssl-users mailing list...
See http://www.openssl.org/docs/apps/ca.html#item_copy_extensions
That option is new in 0.9.7.
Don't forget to read the warnings in
http://www.openssl.org/docs/apps/ca.html#WARNINGS
--
Richard Levitte \ Tunnlandsvägen 3 \ LeViMS@stacken.kth.se
Redakteur@Stacken \ S-168 36 BROMMA \ T: +46-8-26 52 47
\ SWEDEN \ or +46-708-26 53 44
Procurator Odiosus Ex Infernis -- poei@bofh.se
Member of the OpenSSL development team: http://www.openssl.org/
Unsolicited commercial email is subject to an archival fee of $400.
See <http://www.stacken.kth.se/~levitte/mail/> for more info.
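
An added illustration of the copy_extensions setting discussed in the message above, written for this archive page and not part of the original post or of OpenSSL's shipped files. The section names follow the stock openssl.cnf layout and the host names are constructed placeholders; only the lines relevant to the option are shown.

```ini
# ---- CA side: configuration read by "openssl ca" (0.9.7 or later) ----
[ ca ]
default_ca = CA_default

[ CA_default ]
# "copy" takes an extension from the request only if the CA has not
# already set that extension in x509_extensions below.
copy_extensions = copy
# Weak alternative, for comparison:
#   copy_extensions = copyall
# copies every extension in the request and replaces any CA-set value,
# so a request carrying basicConstraints CA:TRUE would be signed as a CA.
x509_extensions = usr_cert

[ usr_cert ]
# Set by the CA, so the same extensions in a request are ignored under "copy".
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
# subjectAltName is deliberately not set here; it comes from the request.

# ---- Requester side: configuration read by "openssl req" ----
[ req ]
req_extensions = v3_req

[ v3_req ]
# Constructed example names for a server with alternate host names.
subjectAltName = DNS:ldap.example.com, DNS:ldap1.example.com
```

With this layout the alternate names requested by the client reach the signed certificate, while the CA keeps control of basicConstraints and keyUsage. The extension list that "openssl ca" displays before asking for confirmation is the place to check what was actually copied.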