David aka SpanskA wrote:
>
> Hi,
> I have seen that some certificates have the fields friendly name, enhanced
> key usage filled and only some purposes checked. I tried for about 2 days to
> do it but nothing was successful.
>
> I saw that (apparently) the only type of certificate that permits it with
> openssl was PKCS12. I searched the web, but nothing. Nothing was talking
> about how I could use a friendly name with an X.509 CA. I'm now asking here
> if somebody would know a way to do it. I also tried to edit the openssl.cnf
> and ssleay.cnf files. I would like to add a friendly name, the enhanced key
> usage and ONLY some purposes to my CAs.
>
The "friendly name" is added when a certificate is imported as a PKCS#12
file. PKCS#12, BTW, is not a certificate type; it is a way of packaging
private keys and certificates.

The friendly name of a user certificate is set with the -name option of
the pkcs12 utility. CA certificates need the -caname option. Both are
documented.

Friendly name is not part of the certificate itself, just "baggage" in
the PKCS#12 file.

Enhanced key usage is another matter: it is an extension that is part of
the certificate. Check the file doc/openssl.txt for information about
adding it: this involves editing openssl.cnf and creating the
certificate using 'req -x509' or something similar for a CA. You can use
the -text option of the x509 utility to check the extension is present.

If you add a CA certificate to MSIE by any method that includes the
enhanced key usage extension, the relevant purposes should be checked.

Steve.
--
Dr Stephen N. Henson. http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED]
Senior crypto engineer, Celo Communications: http://www.celocom.com/
Core developer of the OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED] PGP key: via homepage.
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
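
The steps described in the reply above, as an added example that is not part of the original message: a CA certificate with an extended key usage extension created with 'req -x509', checked with 'x509 -text', then packaged with a user certificate using -name and -caname. All subjects, friendly names, file names and the password are constructed for the demo.

```shell
#!/bin/sh
# Added example: every subject, friendly name and the password is constructed.
set -eu

make_demo() {   # $1 = empty working directory
    cat > "$1/ca.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt             = no
x509_extensions    = v3_ca
[ dn ]
CN = Example Test CA
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage         = critical, keyCertSign, cRLSign
# Enhanced (extended) key usage: only these purposes are listed in the cert.
extendedKeyUsage = serverAuth, emailProtection
EOF
    # Self-signed CA via 'req -x509'; the v3_ca section becomes its extensions.
    openssl req -x509 -new -newkey rsa:2048 -nodes -days 30 -config "$1/ca.cnf" \
        -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null
    # A user certificate issued by that CA, so the bundle holds both kinds.
    openssl req -new -newkey rsa:2048 -nodes -config "$1/ca.cnf" \
        -subj "/CN=Example User" -keyout "$1/user.key" -out "$1/user.csr" 2>/dev/null
    openssl x509 -req -in "$1/user.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" \
        -CAcreateserial -days 30 -out "$1/user.pem" 2>/dev/null
    # Friendly names are attached only here, at PKCS#12 packaging time.
    openssl pkcs12 -export -inkey "$1/user.key" -in "$1/user.pem" \
        -certfile "$1/ca.pem" -name "Demo user (friendly)" \
        -caname "Demo CA (friendly)" -passout pass:example -out "$1/bundle.p12"
}

# Extended key usage as printed by 'x509 -text' (part of the certificate).
ca_eku() { openssl x509 -in "$1/ca.pem" -noout -text | grep -A1 'Extended Key Usage'; }

# friendlyName bag attributes stored in the PKCS#12 file.
p12_names() {
    openssl pkcs12 -in "$1/bundle.p12" -passin pass:example -nokeys 2>/dev/null |
        grep 'friendlyName'
}

# Count of "friendly" in the CA certificate text; 0 because the name is not in it.
cert_name_hits() { openssl x509 -in "$1/ca.pem" -noout -text | grep -c 'friendly' || true; }

demo_dir=$(mktemp -d)
make_demo "$demo_dir"
ca_eku "$demo_dir"
p12_names "$demo_dir"
rm -rf "$demo_dir"
```

The user certificate is included only so that both -name and -caname have something to label; the password on the command line is acceptable for a throwaway demo, not for real keys.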