Hello Georg,

I had a similar case, but we only use PKCS#10 requests, so I haven't done any changes to the PUBLIC interface, but I guess it must be as you told us. But what I surely did was to use new OIDs in the OpenSSL files.

In my case we use the OIDs for the new fields to store in the certificate. For example, we have something that we called NIT and its registered OID for our company is: 1.3.6.1.4.1.4710.1.3.2. How did I do it?

1. Edit your openssl.cnf file. The file you will edit depends on to whom you are issuing certs, let's say: User.cnf.

2. Look for the [ new_oids ] section and there you have to register your OIDs like this:

   nit = 1.3.6.1.4.1.4710.1.3.2

3. Then go to the [ policy_match ] section and below the existing info in that section, write something like this:

   nit = optional   # Depends on your special needs

4. Go to the [ req_distinguished_name ] section, and write something like this:

   nit = Nit   # The second name appears when creating a new request from the console and OpenSSL.

Some special aspects you should know:

- I don't know if you have OIDs for each of those fields or if those fields have a standard OID. You need that info to personalise your User.cnf file.
- You cannot upload those certificates with special OIDs to LDAP automatically; you first have to change the DN and delete the special OIDs. However, if you MUST upload them with all fields, that's a different thing and I don't know how to do it; I tried it but I gave up.
- Maybe you will obtain some bad characters in those special fields; if that is the case I have a patch for it.

HTH,
Johnny

--- Georg Lippold <[EMAIL PROTECTED]> wrote:

> Hi,
>
> I would like to include some fields other than the usual CN, O, OU; for example title, street, sex, postal code and phone number.
>
> As far as I got was editing the ra.conf.template with the following values:
>
> ADDITIONAL_REQUEST_ATTRIBUTES "department" "telephone" "sex" "title" "ST" "code" "L"
> ADDITIONAL_ATTRIBUTES_DISPLAY_VALUE "Department" "Telephone" "Sex" "Title" "Street" "Code" "City"
> ADDITIONAL_REQUEST_ATTRIBUTES_STRING_TYPE "LATIN1_LETTERS" "LATIN1_LETTERS" "LATIN1_LETTERS" "LATIN1_LETTERS" "LATIN1_LETTERS" "NUMERIC" "LATIN1_LETTERS"
>
> In etc/servers/pub.conf.template, I inserted:
>
> DN_TYPE_SPKAC_SUBJECTALTNAMES "department" "telephone" "sex" "title" "ST" "code" "L"
>
> DN_TYPE_SPKAC_SUBJECTALTNAME_1 "Department"
> DN_TYPE_SPKAC_SUBJECTALTNAME_1_MINIMUM_LENGTH 3
> DN_TYPE_SPKAC_SUBJECTALTNAME_1_REQUIRED "YES"
>
> DN_TYPE_SPKAC_SUBJECTALTNAME_2 "Telephone"
> DN_TYPE_SPKAC_SUBJECTALTNAME_2_MINIMUM_LENGTH 7
> DN_TYPE_SPKAC_SUBJECTALTNAME_2_REQUIRED "YES"
>
> DN_TYPE_SPKAC_SUBJECTALTNAME_3 "Sex"
> DN_TYPE_SPKAC_SUBJECTALTNAME_3_MINIMUM_LENGTH 1
> DN_TYPE_SPKAC_SUBJECTALTNAME_3_REQUIRED "YES"
>
> DN_TYPE_SPKAC_SUBJECTALTNAME_4 "Title"
> DN_TYPE_SPKAC_SUBJECTALTNAME_4_MINIMUM_LENGTH 2
> DN_TYPE_SPKAC_SUBJECTALTNAME_4_REQUIRED "NO"
>
> DN_TYPE_SPKAC_SUBJECTALTNAME_5 "Street"
> DN_TYPE_SPKAC_SUBJECTALTNAME_5_MINIMUM_LENGTH 3
> DN_TYPE_SPKAC_SUBJECTALTNAME_5_REQUIRED "YES"
>
> DN_TYPE_SPKAC_SUBJECTALTNAME_6 "Code"
> DN_TYPE_SPKAC_SUBJECTALTNAME_6_MINIMUM_LENGTH 5
> DN_TYPE_SPKAC_SUBJECTALTNAME_6_REQUIRED "YES"
>
> DN_TYPE_SPKAC_SUBJECTALTNAME_7 "City"
> DN_TYPE_SPKAC_SUBJECTALTNAME_7_MINIMUM_LENGTH 2
> DN_TYPE_SPKAC_SUBJECTALTNAME_7_REQUIRED "YES"
>
> [...]
>
> DN_TYPE_IE_SUBJECTALTNAMES "department" "telephone" "sex" "title" "ST" "code" "L"
>
> DN_TYPE_IE_SUBJECTALTNAME_1 "Department"
> DN_TYPE_IE_SUBJECTALTNAME_1_MINIMUM_LENGTH 3
> DN_TYPE_IE_SUBJECTALTNAME_1_REQUIRED "YES"
>
> DN_TYPE_IE_SUBJECTALTNAME_2 "Telephone"
> DN_TYPE_IE_SUBJECTALTNAME_2_MINIMUM_LENGTH 7
> DN_TYPE_IE_SUBJECTALTNAME_2_REQUIRED "YES"
>
> DN_TYPE_IE_SUBJECTALTNAME_3 "Sex"
> DN_TYPE_IE_SUBJECTALTNAME_3_MINIMUM_LENGTH 1
> DN_TYPE_IE_SUBJECTALTNAME_3_REQUIRED "YES"
>
> DN_TYPE_IE_SUBJECTALTNAME_4 "Title"
> DN_TYPE_IE_SUBJECTALTNAME_4_MINIMUM_LENGTH 2
> DN_TYPE_IE_SUBJECTALTNAME_4_REQUIRED "NO"
>
> DN_TYPE_IE_SUBJECTALTNAME_5 "Street"
> DN_TYPE_IE_SUBJECTALTNAME_5_MINIMUM_LENGTH 3
> DN_TYPE_IE_SUBJECTALTNAME_5_REQUIRED "YES"
>
> DN_TYPE_IE_SUBJECTALTNAME_6 "Code"
> DN_TYPE_IE_SUBJECTALTNAME_6_MINIMUM_LENGTH 5
> DN_TYPE_IE_SUBJECTALTNAME_6_REQUIRED "YES"
>
> DN_TYPE_IE_SUBJECTALTNAME_7 "City"
> DN_TYPE_IE_SUBJECTALTNAME_7_MINIMUM_LENGTH 2
> DN_TYPE_IE_SUBJECTALTNAME_7_REQUIRED "YES"
>
> (By the way, it would make sense to have the option to generate the same values at least for IE and SPKAC and not have to enter both by hand.)
>
> I inserted the values from ra.conf.template into ca.conf.template on the CA (on my OpenCA-LiveCD, see my previous post). I reconfigured both the RA and the CA with configure_etc.sh and restarted OpenCA. With the RA, I created the attached SPKAC for my example user.
>
> When I try to issue a certificate in the CA, I get the following error:
>
> Error 6761
> General Error Error while issuing Certificate to Georg Lippold (filename: /usr/local/openca/OpenCA/var/tmp/05.req).
>
> OpenCA::OpenSSL returns errocode 7731075 (OpenCA::OpenSSL->issueCert: OpenSSL fails (7777067).
> Using configuration from /usr/local/openca/OpenCA/etc/openssl/openssl/User.conf
> DEBUG[load_index]: unique_subject = "yes"
> Check that the SPKAC request matches the signature
> Signature ok
> ERROR: adding extensions in section default
> 32569:error:22075075:X509 V3 routines:v2i_GENERAL_NAME:unsupported option:v3_alt.c:437:name=department.0
> 32569:error:2206B080:X509 V3 routines:X509V3_EXT_conf:error in extension:v3_conf.c:92:name=subjectAltName, [EMAIL PROTECTED]
> error in ca
> ).
>
> It seems as if the department is not supported. This is also true for most of my other fields.
>
> I got so far as to comment out the line
>
> [EMAIL PROTECTED]
>
> in my /usr/local/openca/OpenCA/etc/openssl/ext/User.ext (as well as the .template). The error is gone then, but my nice additional fields are missing in the certificate.
>
> How can I include and sign them successfully? Are there pre-defined names in openssl like countryName, stateOrProvinceName etc. (see
>
> http://www.openssl.org/docs/apps/ca.html#EXAMPLES
>
> in the "sample configuration file with the relevant sections for ca")? How do I make my own values?
>
> Greetings,
>
> Georg
>
> -----BEGIN HEADER-----
> ADDITIONAL_ATTRIBUTE_DEPARTMENT =
> ADDITIONAL_ATTRIBUTE_EMAIL =
> ADDITIONAL_ATTRIBUTE_REQUESTERCN =
> ADDITIONAL_ATTRIBUTE_TELEPHONE =
> LOA = 30
> NOTBEFORE = Thu Aug 18 14:36:12 2005 UTC
> PIN = 90575ada0abf54c3b3ed13c5b5169476bf388719
> RA = Trustcenter itself
> ROLE = User
> SERIAL = 800
> SUBJECT_ALT_NAME = department:Bremen,telephone:+49-176-24355873,sex:M,title:Herr,ST:Herderstr. 8,code:28203,L:Bremen
> TYPE = SPKAC
> -----END HEADER-----
> emailAddress = [EMAIL PROTECTED]
> CN = Georg Lippold
> OU = Partners
> O = National Medical Council
> C = BE
> SPKAC =
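An added example, not code from the thread or from OpenCA: the three sections Johnny lists ([ new_oids ], [ policy_match ], [ req_distinguished_name ]) written into a complete User.cnf, a CSR built from it with the OpenSSL CLI, and a check that the CSR subject really carries the numeric OID rather than a name only this configuration understands. It assumes the openssl binary is installed; the nit value is constructed, and the oid_section line is a detail the thread does not mention but that stock openssl.cnf files carry.

```shell
#!/bin/sh
# Added example: register a private OID in openssl.cnf, issue a CSR that
# uses it in the subject DN, and verify the OID is present in the CSR.
set -eu

NIT_OID=1.3.6.1.4.1.4710.1.3.2   # the OID from Johnny's message
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

cat > "$WORK/User.cnf" <<EOF
# The default section must name the OID section, or [ new_oids ] is never read.
oid_section = new_oids

[ new_oids ]
nit = $NIT_OID

[ req ]
distinguished_name = req_distinguished_name
default_md = sha256

[ req_distinguished_name ]
commonName = Common Name
nit = Nit

# Only consulted by 'openssl ca': without this line the CA refuses a DN carrying nit.
[ policy_match ]
commonName = supplied
nit = optional
EOF

# make_csr VALUE: build a CSR whose subject has CN and nit=VALUE, then print
# the subject with every attribute type shown as a numeric OID.
make_csr() {
    openssl req -new -batch -nodes -newkey rsa:2048 -config "$WORK/User.cnf" \
        -subj "/CN=Test User/nit=$1" -keyout "$WORK/key.pem" \
        -out "$WORK/req.pem" 2>/dev/null
    openssl req -in "$WORK/req.pem" -noout -subject -nameopt oid
}

# csr_has_nit VALUE: succeed only if the CSR subject contains NIT_OID = VALUE.
csr_has_nit() {
    case "$(make_csr "$1")" in
        *"$NIT_OID"*"$1"*) return 0 ;;
        *) return 1 ;;
    esac
}

csr_has_nit 1234567890 && echo "CSR subject carries $NIT_OID (nit)"
```

Printing the subject with `-nameopt oid` is the part worth keeping: a relying party or LDAP loader that lacks the [ new_oids ] mapping sees exactly this dotted form, which is why Johnny's DN has to be rewritten before upload.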
