OK, the problem you will run into is that the Certificate
Signing Request (CSR) is a DN and Public Key combination
that is signed by the private key.  Since this is done by
your client, you will not have access to the private key.

The OpenSSL software, as written, uses this signing as
proof that the person making the request in fact has the
private key.  This is to keep just anybody from trying
to attach their name to a public key they might find on
the net.

The problem is that you are trying to change the DN,
which to the software "looks like" you are (might be)
changing the name to refer to a different person.
In fact, you are not; you are instead adding information
without changing the identity, but the software is
stupid and doesn't know that.

It is my belief that you could write a program calling
the OpenSSL library to do signing with changes to the DN;
the source code to the OpenSSL command line tools would
give you a start on such a task.

Alternatively, you could modify the source code to the
OpenSSL command line signing tools to disable the test
for validation on the signing of the CSR, then process
the CSR submitted with the old DN into one requesting
signing for the new DN.  It would be signed by you
instead of the requestor, but you would disable the test
that would recognize this.

But, are you sure you couldn't do the same thing by
making a custom extension that would carry the same
information you're trying to add to the DN?

Also check the most updated documentation on the options
for OpenSSL command line tools -- seems to me I saw some
new options pop up for modifying the DN in some set of
circumstances.

ray v wrote:

Yes, understood, but in this case someone will send a
certificate request via e-mail, I will not be involved
in making it. I will fill/sign that request and send
it back. The request will come with the standard
information tucked away in the DN.


I need to add information to the DN, something I have
been unable to do without generating the request
myself. According to the man info there are extensions
and x509_extensions. I've tried both, and I'm a bit more
confused now.

I tried using the -extfile option but I can not insert
my own values into the DN. When I run openssl x509
-extfile I get "no" errors; the certificate is
created. But upon viewing it, the additions to the DN
are not there.

I think that really I'm asking the wrong question.
What I want to do is add information to a certificate
when it's generated. The nature of which is internal
only. Is there a way to do this without patching
openssl's code?

If yes, what would be your suggestion?
--- "Dr. Stephen Henson" <[EMAIL PROTECTED]> wrote:

On Wed, Nov 10, 2004, ray v wrote:

I wish to add something like

1.3.6.1.4.1.9999.1  to the Distinguished name
something like...

CN=Me,O=FOO,OU=Bar,1.3.6.1.4.1.9999.1=stuff

What's the best way to do this when you need to
specify the -extfile option? Or is it really
necessary to use the -extfile ?


Extfile is for certificate extensions. If you want to add
DN components, you need to add those to the appropriate
section where they will be prompted for when a certificate
request is made. This is in the section
req_distinguished_name in the standard openssl
configuration file.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys:
see homepage
OpenSSL project core developer and freelance
consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk


______________________________________________________________________

OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]


-- Charles B. (Ben) Cranston mailto:[EMAIL PROTECTED] http://www.wam.umd.edu/~zben
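The two points made in the thread, that the CA can only verify the CSR's self-signature if the DN is left alone, and that -extfile carries certificate extensions rather than DN components, as an added shell example (not code from anyone in the thread). It uses the private OID 1.3.6.1.4.1.9999.1 from the original question; the file names, the throwaway CA and its subject are assumptions.

```shell
#!/bin/sh
# Added example: requester makes a key and CSR; the CA checks the CSR's
# self-signature (proof of possession of the private key), then issues a
# certificate carrying the internal value as a custom extension via
# -extfile, leaving the requester's DN untouched. File names and the
# throwaway CA are assumptions.
set -e
WORK=$(mktemp -d)
cd "$WORK"

# Requester side: key and CSR with the standard DN components.
openssl req -new -newkey rsa:2048 -nodes -keyout req.key -out req.csr \
  -subj "/CN=Me/O=FOO/OU=Bar" 2>/dev/null

# CA side: a self-signed CA (assumed) that will sign the request.
openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.crt \
  -subj "/CN=Example CA" -days 1 2>/dev/null

# The CSR is signed by the requester's private key; this is the check
# that would fail if the CA rewrote the DN before signing.
csr_verifies() { openssl req -in req.csr -noout -verify >/dev/null 2>&1; }

# The internal value rides in an arbitrary extension (ASN1: syntax of
# x509v3_config), not in the DN.
cat > ext.cnf <<'EOF'
1.3.6.1.4.1.9999.1 = ASN1:UTF8String:stuff
EOF

issue_cert() {
  openssl x509 -req -in req.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
    -days 1 -extfile ext.cnf -out issued.crt 2>/dev/null
}

# The extension appears in the issued certificate ...
cert_has_extension() {
  openssl x509 -in issued.crt -noout -text | grep -q "1.3.6.1.4.1.9999.1"
}

# ... while the subject is exactly the DN the requester signed.
cert_subject() { openssl x509 -in issued.crt -noout -subject; }
```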