Dear Richard,
Does OpenSSL accept 1.3.6.1.4.1.3536.1.222 extension as proxyCertInfo in
"CN=1234567890" proxies?
Thanks.
Richard Levitte wrote:
In message <[EMAIL PROTECTED]> on Mon, 03 Mar 2008 18:31:47 +0300, Vladimir
Voznesensky <[EMAIL PROTECTED]> said:
vovic> Hello.
vovic>
vovic> I'm trying to use gLite (VOMS) proxy certificates with "CN=proxy" at the subject tail and X509v3 "Key Usage" extension to authenticate a client to a server.
vovic> Plain certificates signed by CA work well.
vovic> When I'm trying to use gLite-generated proxy certificate, the server responds "Unknown ca" (verification error 20).
vovic> I use X509_STORE_set_flags(x509_store, X509_V_FLAG_ALLOW_PROXY_CERTS) for server security context.
vovic> My OpenSSL version is 0x0090807fL .
vovic>
vovic> Does anybody know how to use grid proxy certificates in the right way?
vovic> Has anybody tried
vovic> http://www.openssl.org/docs/HOWTO/proxy_certificates.txt
vovic> to use gLite proxies?
OpenSSL supports proxy certificates according to RFC 3820, and thus
requires that there is a proxyCertInfo extension to be accepted as
such.
You're talking about older style proxy certificates, which have not
been implemented in OpenSSL, and quite honestly, I hope no one does.
Cheers,
Richard
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager [EMAIL PROTECTED]
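
The reply above separates RFC 3820 proxies, which carry a proxyCertInfo extension, from older-style proxies, and that difference can be read straight out of a certificate's DER. The Python below is an added example, not part of the thread or of OpenSSL: it reports whether a certificate carries the RFC 3820 proxyCertInfo OID (1.3.6.1.5.5.7.1.14), the OID from the follow-up question, or neither. The function names and the `sample()` certificate skeletons are constructed for illustration.

```python
RFC3820_PCI = "1.3.6.1.5.5.7.1.14"    # id-pe-proxyCertInfo, the RFC 3820 extension
DRAFT_PCI = "1.3.6.1.4.1.3536.1.222"  # the OID asked about in the thread
SAMPLE_HEX = {"rfc3820": "2b0601050507010e", "draft-oid": "2b060104019b5001815e"}  # DER OID bodies

def tlvs(buf):                        # yield (tag, value) per DER element, 1-byte tags
    i = 0
    while i < len(buf):
        tag, n = buf[i], buf[i + 1]
        i += 2
        if n & 0x80:                  # long-form length: low 7 bits count length bytes
            k = n & 0x7F
            n, i = int.from_bytes(buf[i:i + k], "big"), i + k
        if i + n > len(buf):
            raise ValueError("truncated DER element")
        yield tag, buf[i:i + n]
        i += n

def oid_str(body):                    # OID content bytes -> dotted string
    arcs, v = [], 0
    for b in body:
        v = (v << 7) | (b & 0x7F)
        if not b & 0x80:              # high bit clear ends one base-128 arc
            arcs.append(v)
            v = 0
    first = min(arcs[0] // 40, 2)
    return ".".join(map(str, [first, arcs[0] - 40 * first] + arcs[1:]))

def extension_oids(cert_der):
    (_, cert), = tlvs(cert_der)       # Certificate ::= SEQUENCE
    tbs = next(tlvs(cert))[1]         # first member is tbsCertificate
    for tag, val in tlvs(tbs):
        if tag == 0xA3:               # [3] EXPLICIT Extensions
            (_, exts), = tlvs(val)
            return [oid_str(next(tlvs(e))[1]) for _, e in tlvs(exts)]
    return []

def proxy_style(cert_der):
    oids = extension_oids(cert_der)
    if RFC3820_PCI in oids:
        return "rfc3820"
    return "draft-oid" if DRAFT_PCI in oids else "no-proxyCertInfo"

def der(tag, *parts):                 # encoder for the constructed samples (< 128 bytes)
    body = b"".join(parts)
    return bytes([tag, len(body)]) + body

def sample(kind=None):                # constructed certificate skeleton, not a signed cert
    exts = [der(0x30, der(6, bytes.fromhex("551d0f")), der(4, bytes.fromhex("03020780")))]
    if kind:                          # critical extension with an empty placeholder body
        exts.append(der(0x30, der(6, bytes.fromhex(SAMPLE_HEX[kind])), der(1, b"\xff"), der(4, der(0x30))))
    tbs = der(0x30, der(0xA0, der(2, b"\x02")), der(2, b"\x01"), der(0xA3, der(0x30, *exts)))
    return der(0x30, tbs)
```

`sample()` with no argument models the certificate described in the original post (Key Usage only) and is reported as `no-proxyCertInfo`. To inspect a real certificate, pass its DER bytes to `proxy_style()` in place of a sample.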