Hi, I would like to include some fields other than the usual CN, O, OU; for example title, street, sex, postal code and phone number.
I got as far as editing ra.conf.template with the following values:

ADDITIONAL_REQUEST_ATTRIBUTES "department" "telephone" "sex" "title" "ST" "code" "L"
ADDITIONAL_ATTRIBUTES_DISPLAY_VALUE "Department" "Telephone" "Sex" "Title" "Street" "Code" "City"
ADDITIONAL_REQUEST_ATTRIBUTES_STRING_TYPE "LATIN1_LETTERS" "LATIN1_LETTERS" "LATIN1_LETTERS" "LATIN1_LETTERS" "LATIN1_LETTERS" "NUMERIC" "LATIN1_LETTERS"

In etc/servers/pub.conf.template, I inserted:

DN_TYPE_SPKAC_SUBJECTALTNAMES "department" "telephone" "sex" "title" "ST" "code" "L"
DN_TYPE_SPKAC_SUBJECTALTNAME_1 "Department"
DN_TYPE_SPKAC_SUBJECTALTNAME_1_MINIMUM_LENGTH 3
DN_TYPE_SPKAC_SUBJECTALTNAME_1_REQUIRED "YES"
DN_TYPE_SPKAC_SUBJECTALTNAME_2 "Telephone"
DN_TYPE_SPKAC_SUBJECTALTNAME_2_MINIMUM_LENGTH 7
DN_TYPE_SPKAC_SUBJECTALTNAME_2_REQUIRED "YES"
DN_TYPE_SPKAC_SUBJECTALTNAME_3 "Sex"
DN_TYPE_SPKAC_SUBJECTALTNAME_3_MINIMUM_LENGTH 1
DN_TYPE_SPKAC_SUBJECTALTNAME_3_REQUIRED "YES"
DN_TYPE_SPKAC_SUBJECTALTNAME_4 "Title"
DN_TYPE_SPKAC_SUBJECTALTNAME_4_MINIMUM_LENGTH 2
DN_TYPE_SPKAC_SUBJECTALTNAME_4_REQUIRED "NO"
DN_TYPE_SPKAC_SUBJECTALTNAME_5 "Street"
DN_TYPE_SPKAC_SUBJECTALTNAME_5_MINIMUM_LENGTH 3
DN_TYPE_SPKAC_SUBJECTALTNAME_5_REQUIRED "YES"
DN_TYPE_SPKAC_SUBJECTALTNAME_6 "Code"
DN_TYPE_SPKAC_SUBJECTALTNAME_6_MINIMUM_LENGTH 5
DN_TYPE_SPKAC_SUBJECTALTNAME_6_REQUIRED "YES"
DN_TYPE_SPKAC_SUBJECTALTNAME_7 "City"
DN_TYPE_SPKAC_SUBJECTALTNAME_7_MINIMUM_LENGTH 2
DN_TYPE_SPKAC_SUBJECTALTNAME_7_REQUIRED "YES"
[...]
DN_TYPE_IE_SUBJECTALTNAMES "department" "telephone" "sex" "title" "ST" "code" "L"
DN_TYPE_IE_SUBJECTALTNAME_1 "Department"
DN_TYPE_IE_SUBJECTALTNAME_1_MINIMUM_LENGTH 3
DN_TYPE_IE_SUBJECTALTNAME_1_REQUIRED "YES"
DN_TYPE_IE_SUBJECTALTNAME_2 "Telephone"
DN_TYPE_IE_SUBJECTALTNAME_2_MINIMUM_LENGTH 7
DN_TYPE_IE_SUBJECTALTNAME_2_REQUIRED "YES"
DN_TYPE_IE_SUBJECTALTNAME_3 "Sex"
DN_TYPE_IE_SUBJECTALTNAME_3_MINIMUM_LENGTH 1
DN_TYPE_IE_SUBJECTALTNAME_3_REQUIRED "YES"
DN_TYPE_IE_SUBJECTALTNAME_4 "Title"
DN_TYPE_IE_SUBJECTALTNAME_4_MINIMUM_LENGTH 2
DN_TYPE_IE_SUBJECTALTNAME_4_REQUIRED "NO"
DN_TYPE_IE_SUBJECTALTNAME_5 "Street"
DN_TYPE_IE_SUBJECTALTNAME_5_MINIMUM_LENGTH 3
DN_TYPE_IE_SUBJECTALTNAME_5_REQUIRED "YES"
DN_TYPE_IE_SUBJECTALTNAME_6 "Code"
DN_TYPE_IE_SUBJECTALTNAME_6_MINIMUM_LENGTH 5
DN_TYPE_IE_SUBJECTALTNAME_6_REQUIRED "YES"
DN_TYPE_IE_SUBJECTALTNAME_7 "City"
DN_TYPE_IE_SUBJECTALTNAME_7_MINIMUM_LENGTH 2
DN_TYPE_IE_SUBJECTALTNAME_7_REQUIRED "YES"

(By the way, it would make sense to have the option to generate the same values at least for IE and SPKAC and not have to enter both by hand.)

I inserted the values from ra.conf.template into ca.conf.template on the CA (on my OpenCA-LiveCD, see my previous post). I reconfigured both the RA and the CA with configure_etc.sh and restarted OpenCA. With the RA, I created the attached SPKAC for my example user. When I try to issue a certificate in the CA, I get the following error:

Error 6761 General Error
Error while issuing Certificate to Georg Lippold (filename: /usr/local/openca/OpenCA/var/tmp/05.req). OpenCA::OpenSSL returns errocode 7731075 (OpenCA::OpenSSL->issueCert: OpenSSL fails (7777067).
Using configuration from /usr/local/openca/OpenCA/etc/openssl/openssl/User.conf
DEBUG[load_index]: unique_subject = "yes"
Check that the SPKAC request matches the signature
Signature ok
ERROR: adding extensions in section default
32569:error:22075075:X509 V3 routines:v2i_GENERAL_NAME:unsupported option:v3_alt.c:437:name=department.0
32569:error:2206B080:X509 V3 routines:X509V3_EXT_conf:error in extension:v3_conf.c:92:name=subjectAltName, [EMAIL PROTECTED]
error in ca
).

It seems as if the department is not supported. This is also true for most of my other fields. I got so far as to comment out the line [EMAIL PROTECTED] in my /usr/local/openca/OpenCA/etc/openssl/ext/User.ext (as well as the .template). The error is gone then, but my nice additional fields are missing in the certificate.

How can I include and sign them successfully? Are there pre-defined names in openssl like countryName, stateOrProvinceName etc. (see http://www.openssl.org/docs/apps/ca.html#EXAMPLES in the "sample configuration file with the relevant sections for ca")? How do I make my own values?

Greetings,
Georg

-----BEGIN HEADER-----
ADDITIONAL_ATTRIBUTE_DEPARTMENT =
ADDITIONAL_ATTRIBUTE_EMAIL =
ADDITIONAL_ATTRIBUTE_REQUESTERCN =
ADDITIONAL_ATTRIBUTE_TELEPHONE =
LOA = 30
NOTBEFORE = Thu Aug 18 14:36:12 2005 UTC
PIN = 90575ada0abf54c3b3ed13c5b5169476bf388719
RA = Trustcenter itself
ROLE = User
SERIAL = 800
SUBJECT_ALT_NAME = department:Bremen,telephone:+49-176-24355873,sex:M,title:Herr,ST:Herderstr. 8,code:28203,L:Bremen
TYPE = SPKAC
-----END HEADER-----
emailAddress = [EMAIL PROTECTED]
CN = Georg Lippold
OU = Partners
O = National Medical Council
C = BE
SPKAC = [...]
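
Added example, not part of the original post and not OpenCA code: OpenSSL's subjectAltName parser (the v2i_GENERAL_NAME routine named in the error) accepts only the GeneralName options email, URI, DNS, RID, IP, dirName and otherName, so a request can be checked before it reaches the CA. The function names are hypothetical, the input is the SUBJECT_ALT_NAME line from the request header above, and values are assumed to contain no commas.

```python
import re

# GeneralName options OpenSSL accepts in a subjectAltName value (x509v3_config).
# Assumption of this example: names are compared exactly as written here.
OPENSSL_GENERAL_NAMES = {"email", "URI", "DNS", "RID", "IP", "dirName", "otherName"}

# Constructed input: the SUBJECT_ALT_NAME value from the request header in the post.
SAMPLE = ("department:Bremen,telephone:+49-176-24355873,sex:M,title:Herr,"
          "ST:Herderstr. 8,code:28203,L:Bremen")


def parse_subject_alt_name(value):
    """Split 'type:value,type:value' into a list of (type, value) pairs."""
    pairs = []
    for item in value.split(","):
        item = item.strip()
        if not item:
            continue
        name, sep, val = item.partition(":")
        if not sep:
            raise ValueError(f"no ':' separator in {item!r}")
        pairs.append((name.strip(), val.strip()))
    return pairs


def base_option(name):
    """Drop the '.N' index used in extension sections (e.g. 'department.0')."""
    return re.sub(r"\.\d+$", "", name)


def check(value):
    """Return (accepted, rejected) lists of (type, value) pairs."""
    accepted, rejected = [], []
    for name, val in parse_subject_alt_name(value):
        supported = base_option(name) in OPENSSL_GENERAL_NAMES
        (accepted if supported else rejected).append((name, val))
    return accepted, rejected


if __name__ == "__main__":
    ok, bad = check(SAMPLE)
    for name, val in bad:
        print(f"unsupported option: name={name} value={val}")
    print(f"{len(ok)} accepted, {len(bad)} rejected")
```

Every entry in the posted request is rejected, which matches the error stopping at the first one, name=department.0.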
