> From: owner-openssl-us...@openssl.org On Behalf Of Tom Pfeifer
> Sent: Monday, February 10, 2014 16:53
<snip>
> I've tried doing that with no success so far, most likely due to my lack of
> understanding of how to set up policy sections in the config file (among
> other things).
>

The policy section(s) is only for issuing certs with 'ca'. Your problem is creating the request, well before that.

> The basic failure I'm getting is demonstrated by the information at the
> link below. It shows the 'openssl' command line, the error output from
> it, and the openssl.cnf file used.
>
> https://www.dropbox.com/s/ipjtp1fmhd1p4mz/opensslcnf.txt
>

The new_oids functionality is generic for pretty much all functions that use a config file, unlike other config items which are function-specific. Thus the oid_section pointer must be in the 'default' section -- i.e. at the top of the config file before the first [sectname] divider.

If you use 'ca' you do also need to fix up a policy (either a provided one, or one you create) unless you specify preserve=yes, in which case it will use the RDNs from the request even if not in policy. If you use 'x509 -req' there is no policy and it uses the name from the request.

Small warning: 'req' and, if used, 'ca' use a file and can get added OIDs. If you display the resulting cert(s) with 'x509 -text', that does not use any config file and thus must display the OIDs in numeric form.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
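
The placement rule and the display warning from the reply above, as an added example that is not part of the original message. It assumes an `openssl` binary on PATH; the attribute name `exampleAttr`, the OID `1.2.3.4.1`, the CN and all file names are constructed placeholders.

```shell
#!/bin/sh
# Added example. exampleAttr / 1.2.3.4.1 are constructed placeholders.
WORK=$(mktemp -d)

# write_cnf FILE WHERE
#   WHERE=top: oid_section sits in the default section (before any [name]).
#   WHERE=req: oid_section sits under [req], where the OID loader never looks.
write_cnf() {
    {
        if [ "$2" = top ]; then echo "oid_section = new_oids"; fi
        echo "[req]"
        if [ "$2" = req ]; then echo "oid_section = new_oids"; fi
        cat <<'EOF'
prompt = no
distinguished_name = dn
[dn]
CN = example.test
exampleAttr = demo-value
[new_oids]
exampleAttr = 1.2.3.4.1
EOF
    } > "$1"
}

# make_csr WHERE: returns the exit status of 'openssl req' for that layout.
make_csr() {
    write_cnf "$WORK/$1.cnf" "$1"
    openssl req -new -newkey rsa:2048 -nodes -config "$WORK/$1.cnf" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.csr" >/dev/null 2>&1
}

# 'req' is given the config, so the added OID is shown by name.
subject_via_req() {
    openssl req -in "$WORK/top.csr" -noout -subject -config "$WORK/top.cnf"
}

# 'x509' is not given the config, so the same OID is shown in numeric form.
subject_via_x509() {
    openssl x509 -req -in "$WORK/top.csr" -signkey "$WORK/top.key" \
        -days 1 -out "$WORK/top.crt" >/dev/null 2>&1
    openssl x509 -in "$WORK/top.crt" -noout -subject
}

make_csr top && echo "top: request created"
make_csr req || echo "req: request failed, exampleAttr is not a known name"
subject_via_req
subject_via_x509
```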