Eric Sorenson wrote:
James -- you may already be onto this, but one thing I found last
time I did a home-rolled PKI (attempting chained CA certs for puppet)
was that the CA needs to be explicitly configured to accept extended
attributes from the CSR and put them into the issued certificate.
This is controlled by the 'copy_extensions' option in the openssl ca
config, but I'm not sure how that wends its way down into libcrypto
or the ruby openssl bindings.

Thanks!
In this case I'm primarily wanting to put the attributes on the CSR so
that people can use them to decide whether to sign the CSR or not - a
poor man's auth token model. But yes and buggered if I can work out
where to set that in the Ruby OpenSSL bindings. It's not a standard
extension setting.
Regards
James
--
James Turnbull
Puppet Labs
1-503-734-8571
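
The flow discussed in this thread, as an added example (not code from Puppet or from either poster): the requester puts a token in the CSR as an extension request, the signer reads it to decide whether to sign, and a requested extension reaches the certificate only if the signer's own allowlist names it, which is the role `copy_extensions` plays for `openssl ca`. The OID, serial and helper names are hypothetical values constructed for illustration.

```ruby
require 'openssl'

# Constructed OID under a private-enterprise arc; an assumption, not a Puppet OID.
TOKEN_OID = '1.3.6.1.4.1.99999.1'

# Requester: build a CSR carrying the token inside an extensionRequest attribute.
def build_csr(key, cn, token)
  csr = OpenSSL::X509::Request.new
  csr.version = 0
  csr.subject = OpenSSL::X509::Name.new([['CN', cn]])
  csr.public_key = key
  ext = OpenSSL::X509::Extension.new(TOKEN_OID, OpenSSL::ASN1::UTF8String.new(token).to_der, false)
  ext_req = OpenSSL::ASN1::Set([OpenSSL::ASN1::Sequence([ext])])
  csr.add_attribute(OpenSSL::X509::Attribute.new('extReq', ext_req))
  csr.sign(key, OpenSSL::Digest.new('SHA256'))
end

# Signer: map each requested extension's dotted OID to its ASN.1 Extension sequence.
def requested_extensions(csr)
  req_attr = csr.attributes.find { |a| a.oid == 'extReq' }
  return {} unless req_attr
  req_attr.value.value.first.value.each_with_object({}) { |ext, out| out[ext.value.first.oid] = ext }
end

# Signer: approve only if the CSR self-signature verifies and the token matches.
def approve?(csr, expected_token)
  return false unless csr.verify(csr.public_key)
  ext = requested_extensions(csr)[TOKEN_OID]
  return false unless ext
  presented = OpenSSL::ASN1.decode(ext.value.last.value).value.to_s
  # Compare digests so the check does not short-circuit on a prefix of the secret.
  OpenSSL::Digest.digest('SHA256', presented) == OpenSSL::Digest.digest('SHA256', expected_token)
rescue OpenSSL::ASN1::ASN1Error, NoMethodError
  false # malformed attribute or extension value: fail closed
end

# Signer: issue a certificate, copying only allowlisted requested extensions.
def issue(csr, ca_key, ca_name, copy_oids)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1 # constructed; a real CA assigns unique serials
  cert.subject, cert.issuer = csr.subject, ca_name
  cert.public_key = csr.public_key
  cert.not_before = Time.now
  cert.not_after = Time.now + 3600
  requested_extensions(csr).each do |oid, ext|
    cert.add_extension(OpenSSL::X509::Extension.new(ext.to_der)) if copy_oids.include?(oid)
  end
  cert.sign(ca_key, OpenSSL::Digest.new('SHA256'))
end
```

The token is readable by anyone who sees the CSR, so it only authenticates the request when the submission channel is protected and the token is short-lived or single-use.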