On Fri, Sep 18, 2009, Eisenacher, Patrick wrote:

> Hi list members,
>
> is there a possibility to specify the x509v3 extension privateKeyUsagePeriod
> in the openssl.conf file for the req and ca commands?
>
> It seems, openssl knows the oid and asn1 structure of the extension but
> doesn't allow you to put it into certificates.
>

Yes, that's correct. Setting isn't supported at present. At the time it was
added, the advice was that the extension should not be used; that has since
been relaxed.

> I worked around the problem by specifying the extension in its arbitrary
> extension format:
>
> [ req ]
> x509_extensions = req_ext
>
> [ req_ext ]
> 2.5.29.16 = ASN1:SEQUENCE:privateKeyUsagePeriod
>
> [ privateKeyUsagePeriod ]
> notBefore = EXPLICIT:0,GENERALIZEDTIME:<timestamp1>
> notAfter = EXPLICIT:1,GENERALIZEDTIME:<timestamp2>
>
> which puts the extension into the certificate request, but is not really
> handy for a configuration file, because you have to explicitly give the two
> timestamps.
>
> So in case the arbitrary extension format is the only way of getting the
> privateKeyUsagePeriod extension into the certificate, is there a way to
> specify parameterized values for the timestamps in openssl.conf, e.g. via
> the backtick operator and the date command? Or would I have to wrap the
> openssl command into my own script that modifies the timestamps in
> openssl.conf appropriately in advance?
>
> I'm using OpenSSL 0.9.8k 25 Mar 2009.
>

You could use environment variable substitution in the config file and
include appropriate values for environment variables in a script.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
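
One way to do what the reply suggests, as an added example (not code from the thread or from the OpenSSL project): a wrapper script computes the two timestamps and exports them, and the config reads them through `$ENV::`. The variable names `PKUP_NOT_BEFORE` and `PKUP_NOT_AFTER`, the function names and the `CN` are assumptions; the block uses `req_extensions` and IMPLICIT tags, which is how the X.509 definition tags both fields, where the quoted workaround has `x509_extensions` and EXPLICIT.

```shell
#!/bin/sh
# Added example: feed privateKeyUsagePeriod timestamps to openssl through
# $ENV:: substitution. All names and paths here are hypothetical.

# Format epoch seconds as ASN.1 GeneralizedTime in UTC (YYYYMMDDHHMMSSZ).
# Tries GNU/busybox date syntax first, then BSD/macOS syntax.
gen_time() {
    date -u -d "@$1" +%Y%m%d%H%M%SZ 2>/dev/null ||
        date -u -r "$1" +%Y%m%d%H%M%SZ
}

# Export notBefore = start and notAfter = start + days for the config to read.
set_pkup_env() {   # usage: set_pkup_env <start_epoch> <days>
    PKUP_NOT_BEFORE=$(gen_time "$1") || return 1
    PKUP_NOT_AFTER=$(gen_time "$(( $1 + $2 * 86400 ))") || return 1
    export PKUP_NOT_BEFORE PKUP_NOT_AFTER
}

# Write the config. The quoted 'EOF' keeps the shell from expanding
# $ENV::...; openssl resolves those when it loads the file, and fails to
# load the file if a referenced variable is unset.
write_config() {   # usage: write_config <path>
    cat > "$1" <<'EOF'
[ req ]
prompt             = no
distinguished_name = dn
req_extensions     = req_ext

[ dn ]
CN = pkup-example.invalid

[ req_ext ]
2.5.29.16 = ASN1:SEQUENCE:privateKeyUsagePeriod

[ privateKeyUsagePeriod ]
notBefore = IMPLICIT:0,GENERALIZEDTIME:$ENV::PKUP_NOT_BEFORE
notAfter  = IMPLICIT:1,GENERALIZEDTIME:$ENV::PKUP_NOT_AFTER
EOF
}

# Build a CSR whose private key usage period starts now and lasts <days>.
make_csr() {       # usage: make_csr <key.pem> <out.csr> <days>
    cfg=$(mktemp) || return 1
    set_pkup_env "$(date -u +%s)" "$3" && write_config "$cfg" &&
        openssl req -new -config "$cfg" -key "$1" -out "$2"
    rc=$?; rm -f "$cfg"; return $rc
}
```

After `make_csr key.pem req.csr 365`, `openssl asn1parse` on the request shows the encoded extension so the two timestamps can be checked before the request is signed.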