On 02/11/2014 10:55 AM, Dr. Stephen Henson wrote:
> On Tue, Feb 11, 2014, Tom Pfeifer wrote:
>
>> On 02/10/2014 08:27 PM, Dave Thompson wrote:
>>>> From: [email protected] On Behalf Of Tom Pfeifer
>>>> Sent: Monday, February 10, 2014 16:53
>>> <snip>
>>>> I've tried doing that with no success so far, most likely due to
>>>> my lack of understanding of how to set up policy sections in
>>>> the config file (among other things).
>>>>
>>> The policy section(s) is only for issuing certs with 'ca'. Your
>>> problem is creating the request, well before that.
>>>
>>>> The basic failure I'm getting is demonstrated by the
>>>> information at the link below. It shows the 'openssl' command
>>>> line, the error output from it, and the openssl.cnf file used.
>>>>
>>>> https://www.dropbox.com/s/ipjtp1fmhd1p4mz/opensslcnf.txt
>>>>
>>> The new_oids functionality is generic for pretty much all
>>> functions that use a config file, unlike other config items
>>> which are function-specific. Thus the oid_section pointer must be
>>> in the 'default' section -- i.e. at the top of the config file
>>> before the first [sectname] divider.
>>
>> That was definitely a piece of information I was missing, and the
>> error condition disappeared when I moved it to the top of the
>> config file. This is the first time I have gotten it to recognize
>> those "jurisdictionOfIncorporation" OIDs.
>>
>>> If you use 'ca' you do also need to fix up a policy (either a
>>> provided one, or one you create) unless you specify preserve=yes
>>> in which case it will use the RDNs from the request even if not
>>> in policy. If you use 'x509 -req' there is no policy and it uses
>>> the name from the request.
>>>
>>> Small warning: 'req' and, if used, 'ca' use a file and can get
>>> added OIDs. If you display the resulting cert(s) with 'x509
>>> -text' that does not use any config file and thus must display
>>> the OIDs in numeric form.
>>
>> I noticed the numeric form when using 'x509 -text', and it helped
>> to be expecting it. The config file still needs some work, but
>> hopefully I'm on my way with this now. Thank you for the pointers
>> - very much appreciated!
>
> Note that there are two ways to add OIDs. One is the version that
> works with the openssl utility but is lacking in some cases (e.g.
> x509) and the second is through the configuration module mechanism.
>
> This is described in the config(1) manual page and is more general.
> It should also work for the x509 utility if you add the OIDs to the
> default configuration file or set the OPENSSL_CONF environment
> variable to point to it.
>
> Steve.
> --
> Dr Stephen N. Henson. OpenSSL project core developer.
> Commercial tech support now available see: http://www.openssl.org

I did look into that, tried it, and it did work. It required just a few simple changes (as that man page spells out pretty clearly), and now those "jurisdiction" OIDs are displayed in text format (rather than numeric) when using 'x509 -text'. Thank you very much for the help!

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [email protected]
Automated List Manager                           [email protected]
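The layout the thread converges on, as an added example openssl.cnf that is not from the thread or the OpenSSL project: the OID hook lives in the unnamed default section above the first [section] header, and the config-module route from config(1) (openssl_conf pointing at an init section) is what lets 'x509 -text' print the names once this file is the default config or OPENSSL_CONF names it. The jurisdictionOfIncorporation OID values are assumed to be the CA/Browser Forum EV attributes, and the section names and subject values are constructed.

```ini
# openssl.cnf (constructed example)
#
# Default (unnamed) section: everything above the first [section] header.
# Keys placed here are read by every utility that loads the config file.
# Putting the OID hook inside [req] or another named section is the
# mistake that produced the original "unknown OID" failure.

# Config-module route (config(1)): registers the OIDs library-wide, so
# 'req', 'ca' and also 'x509 -text' resolve the names, provided this file
# is the default config or OPENSSL_CONF points at it.
openssl_conf = openssl_init

# Utility-specific alternative: a plain oid_section here serves 'req' and
# 'ca' only. Pick one route rather than registering the same section twice.
#oid_section = new_oids

[openssl_init]
oid_section = new_oids

[new_oids]
# EV jurisdictionOfIncorporation attributes (values assumed, CA/B Forum arc)
jurisdictionOfIncorporationLocalityName        = 1.3.6.1.4.1.311.60.2.1.1
jurisdictionOfIncorporationStateOrProvinceName = 1.3.6.1.4.1.311.60.2.1.2
jurisdictionOfIncorporationCountryName         = 1.3.6.1.4.1.311.60.2.1.3

[req]
distinguished_name = req_dn
prompt             = no

[req_dn]
# Constructed subject; the new long names are usable once registered above.
C  = US
ST = Example State
L  = Example City
O  = Example Corp
jurisdictionOfIncorporationCountryName         = US
jurisdictionOfIncorporationStateOrProvinceName = Example State
CN = www.example.com

# If the request is later signed with 'ca', either list the new names in the
# policy section it uses (e.g. "jurisdictionOfIncorporationCountryName =
# supplied") or set "preserve = yes" so the request's RDNs pass through.
```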
