"Roach, Mark R." wrote:
> 
> I can't sign any certificates if I have an LDAP address that includes commas
> (between dn components) under crlDistributionPoints... It works fine for
> http addresses and ldap addresses that don't have commas, but I'm stuck...
> Are there escape codes I need to use '\' didn't seem to work... out of
> ideas...
> 
> the error is:
> 
> Error Loading extension section usr_cert
> 27626:error:2207507C:X509 V3 routines:v2i_GENERAL_NAME:missing
> value:v3_alt.c:335:
> 27626:error:2206B080:X509 V3 routines:X509V3_EXT_conf:error in
> extensions:v3_conf.c:91:name=crlDistributionPoints,
> value=URI:ldap://10.13.1.129/cn=this,dc=is?atest
> 

This is an unfortunate side effect of the way the CONF parser works and
I never got time to fix this. If you put a '\' in there it gets stripped
by the conf code before the extension routines even see it.

Try using the alternative form of the multivalue extensions.

Instead of doing

crlDistributionPoints=URI:http://some/uri,URI:ldap://10.13.1.129/cn=this,dc=is?atest

try:

crlDistributionPoints=@crldp_section

[ crldp_section ]

URI.1=http://some/uri
URI.2=ldap://10.13.1.129/cn=this,dc=is?atest

for more info see doc/openssl.txt

Steve.
-- 
Dr Stephen N. Henson.   http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED] 
Senior crypto engineer, Celo Communications: http://www.celocom.com/
Core developer of the   OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED] PGP key: via homepage.
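The following is an added illustration, not code from the thread or from OpenSSL. It models why the inline `URI:...,URI:...` form fails on a value that itself contains commas and how the `@section` form avoids the problem. `split_inline_multivalue` is a deliberately simplified approximation of the comma-then-colon tokenising that produces the "missing value" error quoted above; the sample URIs are the constructed ones from the thread, and `build_crldp_section` emits exactly the section layout Steve recommends.

```python
"""Inline multi-valued extension syntax vs. the @section form (added example)."""

# Constructed sample URIs; the LDAP one carries the DN commas that break the inline form.
HTTP_URI = "http://some/uri"
LDAP_URI = "ldap://10.13.1.129/cn=this,dc=is?atest"


def split_inline_multivalue(value):
    """Approximate how the inline form 'TYPE:value,TYPE:value' is tokenised:
    split on commas first, then each piece on its first colon.
    A piece without a colon has no value, which is what the
    'v2i_GENERAL_NAME:missing value' error in the thread reports.
    This is a simplified model, not OpenSSL's own parser."""
    pairs = []
    for piece in value.split(","):
        piece = piece.strip()
        if ":" not in piece:
            raise ValueError("missing value: %r" % piece)
        name_type, _, name_value = piece.partition(":")
        pairs.append((name_type, name_value))
    return pairs


def build_crldp_section(uris, section="crldp_section"):
    """Emit the @section form: one URI.n key per line, so a comma inside a
    value never reaches the comma splitter."""
    lines = ["crlDistributionPoints=@%s" % section, "", "[ %s ]" % section, ""]
    for i, uri in enumerate(uris, start=1):
        lines.append("URI.%d=%s" % (i, uri))
    return "\n".join(lines)


def parse_section_uris(config_text, section="crldp_section"):
    """Read the URI.n values back out of the section form; each key sits on
    its own line, so the LDAP URI survives intact."""
    in_section = False
    uris = []
    for line in config_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            in_section = line.strip("[] ") == section
            continue
        if in_section and line.startswith("URI."):
            _, _, val = line.partition("=")
            uris.append(val)
    return uris


if __name__ == "__main__":
    inline = "URI:%s,URI:%s" % (HTTP_URI, LDAP_URI)
    try:
        split_inline_multivalue(inline)
    except ValueError as exc:
        print("inline form fails:", exc)
    section_text = build_crldp_section([HTTP_URI, LDAP_URI])
    print(section_text)
    print("section form yields:", parse_section_uris(section_text))
```

Running the module shows the inline form stopping at the stray `dc=is?atest` fragment, while the section form round-trips both URIs unchanged.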
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
