Tony Finch said the following on 5/25/06 8:08 AM:
> On Wed, 24 May 2006, Peter Saint-Andre wrote:
> I am working with a certification authority on adding XMPP support to the certificates they issue.
> Has anyone written a straightforward description of how to generate a proper XMPP cert with all of the id-on-xmppAddr stuff using OpenSSL?
>
> Given that our cert vendor is Thawte/Verisign, I suppose this is probably irrelevant to us and I should worry more about whether XMPP software has interoperable cn-based validation despite the fact that it isn't specified.
>
> Tony.
You can put whatever OIDs in the csr. The CA will determine if it will honor what you have requested.
== From the RFC http://www.ietf.org/rfc/rfc3920.txt

If a JID for any kind of XMPP entity (e.g., client or server) is represented in a certificate, it MUST be represented as a UTF8String within an otherName entity inside the subjectAltName, using the [ASN.1] Object Identifier "id-on-xmppAddr" specified in Section 5.1.1 of this document.

5.1.1. ASN.1 Object Identifier for XMPP Address

The [ASN.1] Object Identifier "id-on-xmppAddr" described above is defined as follows:

   id-pkix OBJECT IDENTIFIER ::= { iso(1) identified-organization(3)
                                   dod(6) internet(1) security(5)
                                   mechanisms(5) pkix(7) }

   id-on OBJECT IDENTIFIER ::= { id-pkix 8 }  -- other name forms

   id-on-xmppAddr OBJECT IDENTIFIER ::= { id-on 5 }

   XmppAddr ::= UTF8String

This Object Identifier MAY also be represented in the dotted display format as "1.3.6.1.5.5.7.8.5".
===

Open up your openssl.cnf file and look for the new_oids section. They have an example there too. Oh and look at the man page for req. It has lots of examples of OIDs.
-Jonathan