On Wed, Mar 10, 2004, Bommareddy, Satish (Satish) wrote:

> Here is what I am trying to do...
>
> Config file has these lines:
> [ CA_default ]
> ..
> x509_extensions = usr_cert
>
> [ usr_cert ]
>
> basicConstraints=CA:FALSE
>
> keyUsage = digitalSignature, keyEncipherment
> subjectKeyIdentifier=hash
> authorityKeyIdentifier=keyid,issuer:always
>
> # Certificate Policies
> certificatePolicies = ia5org,@capol
>
> [ capol ]
> #####################################################
> # Generic Certificate Policies
> #####################################################
> [capol]
> policyIdentifier=avayaCPS
> CPS.1= https://www.foo.com;
> [EMAIL PROTECTED]
>
> [capoln]
> explicitText="Please visit http://www.foo.com for details.";
> organization="Product CA"
> noticeNumbers=1
>
>
> It fails at X509V3_EXT_add_nconf. When I comment out the line containing the
> policy identifier (@capol) it works fine.
>
> Am I missing something???

Actually OpenSSL is missing something. It should give an extension error if
the policy identifier is not present.

If avayaCPS isn't a valid OID name then this will fail as the error code
should indicate. You need to add a *valid* OID for that name (i.e. one
belonging to your organization).

Looking at the rest of the extension I'm not sure what you intend to convey
by those fields but they look strange...

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
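
Added example (not part of the thread and not OpenSSL code): a small Python pre-flight check for the case discussed above, where a `policyIdentifier` name such as `avayaCPS` has no OID behind it. It assumes the name is given an OID through an `oid_section` in the same config; `parse_conf`, `undefined_policy_oids` and the OID `2.999.1` are illustrative placeholders, and names that OpenSSL already has built in would also be reported because the script carries no copy of that table.

```python
import re

DOTTED_OID = re.compile(r"^[0-2](\.\d+)+$")

def parse_conf(text):
    """Minimal reader for OpenSSL-style config: [ section ] headers, key = value, # comments."""
    sections, current = {"default": {}}, "default"
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        header = re.fullmatch(r"\[\s*(\S+)\s*\]", line)
        if header:
            current = header.group(1)
            sections.setdefault(current, {})  # a repeated header reuses the section
        elif "=" in line:
            key, value = line.split("=", 1)
            sections[current][key.strip()] = value.strip().rstrip(";").strip()
    return sections

def undefined_policy_oids(text):
    """Return (policy section, identifier) pairs that are neither dotted OIDs nor oid_section names."""
    conf = parse_conf(text)
    oid_sect = conf["default"].get("oid_section")
    known = set(conf.get(oid_sect, {}))
    problems = []
    for sect in conf.values():
        for item in sect.get("certificatePolicies", "").split(","):
            if not item.strip().startswith("@"):
                continue  # only @section references are followed here
            name = item.strip()[1:]
            ident = conf.get(name, {}).get("policyIdentifier")
            if ident is None:
                problems.append((name, "<missing policyIdentifier>"))
            elif not DOTTED_OID.match(ident) and ident not in known:
                problems.append((name, ident))
    return problems

# Constructed sample modelled on the config quoted in the post.
AS_POSTED = """
[ usr_cert ]
certificatePolicies = ia5org,@capol
[ capol ]
policyIdentifier=avayaCPS
CPS.1=https://www.foo.com;
"""

# Same config with the name defined; 2.999.1 is a placeholder, use an OID from your own arc.
WITH_OID = "oid_section = new_oids\n[ new_oids ]\navayaCPS = 2.999.1\n" + AS_POSTED

if __name__ == "__main__":
    print(undefined_policy_oids(AS_POSTED), undefined_policy_oids(WITH_OID))
```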