On Wednesday 31 January 2007 06:45, domi wrote:
> Hello,
>
> I searched and tried a lot but wasn't able to solve the following problem:
>
> I have built my own little CA (with the help of the OpenSSL book of
> O'Reilly). I can create certificate requests and issue certificates from
> them. Now I want to do the following:
>
> The certificate request should include the crlDistributionPoints. (I'm able
> to enter the DP under certificate_extensions.) That's no problem so far.
> But now the CA should create the certificate without knowing the CRL DP
> beforehand. The CA should take the CRL DP entered by the user and put it
> into the certificate. Unfortunately I wasn't able to manage this.
> I tried a lot of things like crlDistributionPoints=supplied for example but
> nothing worked.
>
> Summary: The certificate shall include the crlDistributionPoints without
> being written statically into the openssl.cnf of the CA.

I'm not sure how this would be doable (I suppose "copy extensions" might be
what you want); however, I also have no idea why you would ever want a subject
to be defining the distribution point for the CA.

If you are trying to roll over the CRLdp (for instance, if you are trying to
have only a given number of certificates in a particular CRL), you might want
to have an environment variable ($ENV::CRLNUMBER), and have that appended to
the URI in the certificateDistributionPoint extension. I.e.:

    export CRLNUMBER=5
    openssl ca -in certreq.pem -out cert.pem

(where there is a usr_ext section in your stock openssl.cnf with the line:

    crlDistributionPoints = URI:http://www.example.com/someurl/$ENV::CRLNUMBER.crl
)

However, with OpenSSL, this is probably a bit tricky, since you'll have to keep
a mapping for the certificate, and parse that before you do the revoke so that
you can do the right thing.

--
Patrick Patterson
President and Chief PKI Architect
Carillon Information Security Inc.
http://www.carillon.ca

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
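Worked example, added here and not code from Patrick's or domi's mail: a throwaway CA under a temp directory whose openssl.cnf builds the CRL DP URI from $ENV::CRLNUMBER, as suggested above, and which also sets copy_extensions = copy so that extensions the requester put into the CSR (a subjectAltName here) are carried into the issued certificate. The CA name, the example.com hostnames and URL, and the file names are constructed for the example.

```sh
#!/bin/sh
# Added example, not from the thread: a demo CA whose CRL DP URI comes from the
# environment ($ENV::CRLNUMBER) and which copies CSR extensions into the cert.
# Names, hostnames and the URL are constructed; everything lives in a temp dir.
set -eu
command -v openssl >/dev/null 2>&1 || { echo "openssl not installed" >&2; exit 0; }

WORK=$(mktemp -d)
cd "$WORK"

# The config parser expands $ENV::CRLNUMBER when the file is loaded, so the
# variable must be set even for commands that only create the CA certificate.
export CRLNUMBER=0

setup_ca() {
    mkdir -p ca/newcerts
    : > ca/index.txt
    echo 1000 > ca/serial
    cat > ca.cnf <<'EOF'
[ ca ]
default_ca = demo_ca

[ demo_ca ]
dir             = ./ca
database        = $dir/index.txt
new_certs_dir   = $dir/newcerts
serial          = $dir/serial
certificate     = $dir/ca.crt
private_key     = $dir/ca.key
default_md      = sha256
default_days    = 365
policy          = policy_any
x509_extensions = usr_ext
# "copy extensions": honour extensions requested in the CSR.
copy_extensions = copy

[ policy_any ]
commonName = supplied

[ req ]
prompt             = no
distinguished_name = req_dn
x509_extensions    = ca_ext

[ req_dn ]
CN = Demo CA

[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage         = critical, keyCertSign, cRLSign

[ usr_ext ]
basicConstraints = CA:FALSE
# The CRL number is taken from the environment at signing time.
crlDistributionPoints = URI:http://www.example.com/someurl/$ENV::CRLNUMBER.crl
EOF
    openssl req -x509 -config ca.cnf -newkey rsa:2048 -nodes \
        -keyout ca/ca.key -out ca/ca.crt >/dev/null 2>&1
}

# issue_cert <crl number> <name>: CSR carrying a SAN, signed under that CRL DP.
issue_cert() {
    cat > "$2.cnf" <<EOF
[ req ]
prompt             = no
distinguished_name = req_dn
req_extensions     = csr_ext

[ req_dn ]
CN = $2

[ csr_ext ]
subjectAltName = DNS:$2.example.com
EOF
    openssl req -new -config "$2.cnf" -newkey rsa:2048 -nodes \
        -keyout "$2.key" -out "$2.csr" >/dev/null 2>&1
    CRLNUMBER="$1" openssl ca -batch -notext -config ca.cnf \
        -in "$2.csr" -out "$2.crt" >/dev/null 2>&1
}

# cdp_of <cert>: print the CRL DP URI; san_of <cert>: print the DNS SAN.
cdp_of() { openssl x509 -in "$1" -noout -text | sed -n 's/^ *URI:\(.*\)$/\1/p'; }
san_of() { openssl x509 -in "$1" -noout -text | sed -n 's/^ *DNS:\(.*\)$/\1/p'; }

setup_ca
issue_cert 5 alice
issue_cert 6 bob
echo "alice: CDP=$(cdp_of alice.crt) SAN=$(san_of alice.crt)"
echo "bob:   CDP=$(cdp_of bob.crt) SAN=$(san_of bob.crt)"
```

Two things the script makes visible: the CA still controls the CRL DP (the requester only gets to add extensions the CA's own usr_ext does not already set, such as the SAN), and, as Patrick points out, the CA's index.txt records nothing about which CRL number a certificate was issued under, so you have to keep that mapping yourself before revoking.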