(I avoid HTML on lists, but editing this back to plaintext was too hard, sorry)
_____

From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of ikuzar
Sent: Wednesday, 09 March, 2011 08:38
To: openssl-users@openssl.org
Subject: Re: convert x509 cert into string and store certs in cache

> Add to previous post, I'd like to know what is the best format for storing
> an item in the map. The item here is a struct which encapsulates a certificate
> object (as shown in the previous message). I think about DER format ... is it
> a good idea?

If you want sharing processes to use the cert, yes. (You need some serialized format for sharing; there are other serializations that could work in theory, but DER is by far the most convenient for openssl.)

> 2011/3/9 ikuzar <razuk...@gmail.com>
>
> <snip>
> => I want to make something like:
>
>     #include <openssl/x509.h>
>
>     template<class StrType>
>     struct certificate : shared {
>         StrType uri;
>         StrType sn;
>         StrType data;
>
>         certificate(X509* cert) {
>             char commonName[512] = "";  // stays empty if the cert has no CN
>             X509_NAME* subject_name = X509_get_subject_name(cert);
>             X509_NAME_get_text_by_NID(subject_name, NID_commonName, commonName, sizeof(commonName));
>             uri = commonName;
>             sn = get_sn(cert);     // I'll deal with it later
>             data = get_data(cert); // I'll deal with it later
>         }
>     };
>
> -- then, this certificate defined above is encapsulated in a cacheitem
>    structure.
> -- In fact, the map stores a range of cacheitems. The map will be read and
>    written from different 'forked' children:
> -- there is a class certmanager which manages these cacheitems (add, get,
>    delete items from cache, ...etc). I use the URI as key for the map. For
>    example, I'll search for the item whose URI = 213...@etu-univ.com
>
> <snip>
> => I have to store in the certificate a URI which identifies a user. This URI
> is like this: phone_number@domain. Example: 0123456...@etu-univ.com (this is
> a SIP URI). I thought I could store it in CN ... was I wrong? Have any other
> suggestion?

That could be the body of a subset of SIP URIs, but by itself is not a URI.

If you are issuing the cert(s), you can put practically anything you want in CommonName. (Using control characters or escape sequences or suchlike would be a bad idea, but any normal data that identifies the subject is reasonable.)

If you (or your users) are obtaining the cert(s) from a CA, it depends on the CA. You can request anything in the CSR, but it's up to the CA whether they approve it. Typically they demand you own or control the domain, address, or whatever.
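
Added example, not part of the original message and not OpenSSL code: a C++ sketch of the cache discussed above, holding each cert as DER bytes in a std::string keyed by the phone_number@domain identifier. It assumes the bytes come from i2d_X509(); the names CertCache, cache_put, is_safe_key and is_single_der_sequence, the key used and the sample bytes are all made up for illustration.

```cpp
#include <cstddef>
#include <map>
#include <string>

// Constructed sample, NOT a real certificate: SEQUENCE { INTEGER 0, OCTET STRING "A" }.
// Like real DER it contains a 0x00 byte. In real code the bytes come from i2d_X509().
static const unsigned char kSampleDer[] = {0x30, 0x06, 0x02, 0x01, 0x00, 0x04, 0x01, 0x41};

// True if `der` is exactly one DER SEQUENCE (tag 0x30) whose encoded length matches the
// buffer size, the outer shape of every X.509 cert. Shape check only, contents not parsed.
bool is_single_der_sequence(const std::string& der) {
    if (der.size() < 2 || static_cast<unsigned char>(der[0]) != 0x30) return false;
    const unsigned char first = static_cast<unsigned char>(der[1]);
    std::size_t header = 2, len = first;
    if (first & 0x80) {  // long form: low 7 bits give the number of length octets
        const std::size_t n = first & 0x7f;
        if (n == 0 || n > sizeof(std::size_t) || der.size() < 2 + n) return false;
        len = 0;
        for (std::size_t i = 0; i < n; ++i)
            len = (len << 8) | static_cast<unsigned char>(der[2 + i]);
        header += n;
    }
    return len == der.size() - header;
}

// Accept a map key (the phone_number@domain identifier) only if it is non-empty
// printable ASCII without spaces or control characters.
bool is_safe_key(const std::string& key) {
    if (key.empty() || key.size() > 255) return false;
    for (unsigned char c : key)
        if (c <= 0x20 || c >= 0x7f) return false;
    return true;
}

using CertCache = std::map<std::string, std::string>;  // key -> DER bytes
// Store a length-aware copy so embedded 0x00 bytes survive; reject bad keys and blobs.
bool cache_put(CertCache& cache, const std::string& key, const unsigned char* der, std::size_t n) {
    const std::string blob(reinterpret_cast<const char*>(der), n);
    if (!is_safe_key(key) || !is_single_der_sequence(blob)) return false;
    cache[key] = blob;
    return true;
}

int main() {  // exit status 0: full-length copy cached, C-string copy rejected
    CertCache cache;
    const std::string truncated(reinterpret_cast<const char*>(kSampleDer));  // stops at first 0x00
    const bool ok = cache_put(cache, "0123456789@example.test", kSampleDer, sizeof kSampleDer) &&
                    !is_single_der_sequence(truncated);
    return ok ? 0 : 1;
}
```

A reader of the cache would pass the stored bytes and their length to d2i_X509() to get an X509 object back.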