Any chance you have grid-proxy-init aliased? Check "type -a grid-proxy-init".
The output you showed looks a little bit like what happens if I run
"grid-proxy-init -draft". Then my extensions are:
X509v3 extensions:
X509v3 Key Usage: critical
Digital Signature, Key Encipherment, Data Encipherment
1.3.6.1.4.1.3536.1.222: critical
0.0
..+.......
If I add a path-length, you can see that the row of dots gets longer:
X509v3 extensions:
X509v3 Key Usage: critical
Digital Signature, Key Encipherment, Data Encipherment
1.3.6.1.4.1.3536.1.222: critical
0.0
..+............
Whereas "grid-proxy-init -rfc -path-length 2" gets me:
X509v3 extensions:
X509v3 Key Usage: critical
Digital Signature, Key Encipherment, Data Encipherment
Proxy Certificate Information: critical
Path Length Constraint: 02
Policy Language: Inherit all
Anything change for you if you add -rfc?
Charles
On Aug 12, 2008, at 7:06 AM, I8abyte wrote:
On Mon, Aug 11, 2008 at 2:44 PM, Charles Bacon <[EMAIL PROTECTED]>
wrote:
On Aug 11, 2008, at 12:46 PM, I8abyte wrote:
2) Show us the command (and output) you're using to check the
extensions
grid-cert-info:
Is that just "grid-cert-info", or "grid-cert-info -file /path/to/proxy"?
When I posted this it was the latter, a plain: grid-cert-info -file
/tmp/x509up_u<UID>
I typically change the proxy's location to reside in my ~/.globus
directory. I get the same lingering result either way. My personal
cert (usercred.p12) does not have a pathlen set either.
And, when I grab a proxy via 'grid-prox-init -path-length <l>' where
"l" has been any positive integer the "pathlen" extension *never*
shows up. I was under the impression from an earlier comment you made
that was the option which would set that, but the option description
This stuff about trying to keep things secret is getting in the way of
debugging, and I don't think the things you're hiding are things you need to
keep secret. The only secret thing out of your hostname, DN, public key,
private key is your private key.
I'm not trying to be difficult, I have to type in this stuff by hand
and I typically snip out the relevant bits in the interest of brevity.
I'm also testing with my personal account and it's not appropriate
for me to publish some of it.
"grid-cert-info" all by itself will not show a path-length restriction.
Your certificate probably doesn't have one. But your proxy will. Show
both the command and the output of:
openssl x509 -in /tmp/x509up_u`id -u` -noout -text
"pathlen" is *not* set anywhere in my personal and 'grid-proxy-init'
issued proxy certs:
openssl x509 -in /tmp/x509up_u`id -u` -noout -text
...
X509v3 extensions:
X509v3 Key Usage: critical
Digital Signature
1.2.6.1.5.5.7.1.14: critical
0....0
...
My root CA has a pathlen of "3" and my second-level CA has a pathlen
"2". My personal cert does not have a pathlen set and never has any
of my proxy certs displayed one.
BTW, thanks for your help so far!
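
Added example, not part of the thread and not Globus or OpenSSL code: a minimal decoder for the value of the RFC 3820 ProxyCertInfo extension (OID 1.3.6.1.5.5.7.1.14), showing where the optional path length sits and why an undecoded dump of the extension gets longer when one is present. The byte strings are constructed samples, and `raw_dump` is an assumption about how the fallback text is rendered (printable bytes and line breaks kept, everything else shown as a dot).

```python
POLICY_LANGUAGES = {"1.3.6.1.5.5.7.21.0": "Any language",   # id-ppl arcs, RFC 3820
                    "1.3.6.1.5.5.7.21.1": "Inherit all",
                    "1.3.6.1.5.5.7.21.2": "Independent"}
# Constructed sample values (not taken from any real proxy certificate).
POLICY = bytes.fromhex("300a06082b06010505071501")   # proxyPolicy, inherit-all
NO_LIMIT = bytes.fromhex("300c") + POLICY             # no pCPathLenConstraint
LIMIT_2 = bytes.fromhex("300f020102") + POLICY        # pCPathLenConstraint = 2

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def decode_oid(body):  # handles first arc 0 or 1 only, enough for these OIDs
    arcs, value = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:  # last byte of this arc
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def parse_proxy_cert_info(der):
    """Return (path_length or None, policy language) from the extension value."""
    tag, seq, _ = read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("ProxyCertInfo must be a SEQUENCE")
    path_len, (tag, value, nxt) = None, read_tlv(seq, 0)
    if tag == 0x02:  # the optional INTEGER comes before proxyPolicy
        path_len = int.from_bytes(value, "big")
        tag, value, nxt = read_tlv(seq, nxt)
    if tag != 0x30:
        raise ValueError("missing proxyPolicy SEQUENCE")
    tag, oid, _ = read_tlv(value, 0)
    if tag != 0x06:
        raise ValueError("missing policyLanguage OID")
    lang = decode_oid(oid)
    return path_len, POLICY_LANGUAGES.get(lang, lang)

def raw_dump(der):
    """Assumed fallback rendering of an extension that has no decoder."""
    return "".join(chr(b) if 0x20 <= b <= 0x7E or b in (10, 13) else "." for b in der)
```

For the constructed values, `raw_dump(NO_LIMIT)` starts with `0.0` and `raw_dump(LIMIT_2)` with `0....0`; the difference is the three-byte INTEGER placed in front of the policy.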