On Mon, May 21, 2007, Shane wrote: > Hello all, > > I am attempting to write a script which generates csr > requests capable of submiting to www.symbiansigned.com to > generate a developer certificate. Currently to my > knowledge there is no Unix software to do this. I had a > look at the csr generated by the Symbian Windows software > and it's using a few custom extensions not recognized by > openssl. Two of these are common for all csr requests and > one is specific to the hardware device. I can generate the > extensions by using entries in openssl.cnf but I'm not sure > of what values to give the custom extensions. Here is the > output of req -text -noout of the Symbian-generated csr. > Attributes: > Requested Extensions: > 1.2.826.0.1.1796587.1.1.1.1: critical > 0...358811000018300 > 1.2.826.0.1.1796587.1.1.1.6: critical > ...-....... > Signature Algorithm: dsaWithSHA1 > > The first extension should be marked critical according to > this but has no value data, atleast none displayed by req. > The second again with no value data and the third with the > value shown as ...-..... I assume that the ...- bit is > because the value is non-displayable. Any way to have > openssl generate a hexdump of the value of these > extensions. Also, for extensions with no value, how would > one write that in openssl.cnf? If I write the extension as > xxx=critical, > openssl shokes or > xxx=critical,der: > chokes again it appears it needs something in the data > part. >
I'm not sure an empty extension is legal. The display OpenSSL uses for an unsupported extension by default isn't very informative but it is there for legacy reasons. Try including the option: -reqopt ext_parse which will put unsupported ASN1 extensions through the ASN1 parser. Steve. -- Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage OpenSSL project core developer and freelance consultant. Funding needed! Details on homepage. Homepage: http://www.drh-consultancy.demon.co.uk ______________________________________________________________________ OpenSSL Project http://www.openssl.org User Support Mailing List openssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
