Re: [openssl-users] An example issuing an intermediate CA with policy mappings?

2018-09-26 Thread Dave Coombs
> On Sep 25, 2018, at 14:34, Krehbiel, Richard wrote:
> 
> For my testing I want to explore the behaviors of policies, policy 
> constraints, and policy mappings.  I have figured out how to request and 
> issue certs with custom policy OIDs, but I haven't yet seen a method of 
> granting an intermediate cert with policy mappings.   Can openssl do this?  
> How?  Thanks.

Yes, I've used "openssl ca" to make certs with policy mappings in the past.  
Try something like this in your openssl.cnf, for use with "openssl ca 
-extensions test_ext" for example.  (I haven't tested with these exact values, 
but it should be a starting point.)

[openssl_init]
oid_section = new_oids
...

[new_oids]
issuerOID = Issuer Domain Policy, 1.2.3.4.5
subjectOID = Subject Domain Policy, 1.3.5.7.9
...

[test_ext]
policyMappings = @policy_mappings
...

[policy_mappings]
issuerOID = subjectOID

And if you want to map more than one subject domain policy OID to the same 
issuer domain policy OID, you can use issuerOID.0, issuerOID.1, issuerOID.2, 
etc., to differentiate them in the policy_mappings section.

Good luck,
  -Dave

-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
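
The fragment from the reply above, carried through to an issued certificate, as an added example that is not part of the original thread. It assumes `openssl x509 -req -extfile` in place of `openssl ca` (so no CA database is needed), writes the page's OIDs numerically instead of through `oid_section`, and additionally marks the extension critical and asserts the issuer-domain policy in certificatePolicies, as RFC 5280 recommends; file names and subject names are constructed.

```shell
# Added example; file names, subject names and key sizes are constructed.
# Issues a demo root, then an intermediate CA whose certificate maps the
# page's issuer-domain OID 1.2.3.4.5 to the subject-domain OID 1.3.5.7.9.
# Usage: issue_mapped_intermediate "$(mktemp -d)"
issue_mapped_intermediate() {
    dir=$1
    cat > "$dir/ext.cnf" <<'EOF'
[test_ext]
basicConstraints    = critical, CA:TRUE
keyUsage            = critical, keyCertSign, cRLSign
# RFC 5280: the issuer-domain policy should also be asserted in this cert.
certificatePolicies = 1.2.3.4.5
# RFC 5280: CAs should mark policyMappings critical.
policyMappings      = critical, @policy_mappings

[policy_mappings]
# issuerDomainPolicy = subjectDomainPolicy
1.2.3.4.5 = 1.3.5.7.9
EOF
    # Self-signed demo root (stderr only carries key-generation progress).
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=Demo Root" \
        -keyout "$dir/root.key" -out "$dir/root.pem" 2>/dev/null || return 1
    # Key and CSR for the intermediate CA.
    openssl req -newkey rsa:2048 -nodes -subj "/CN=Demo Intermediate" \
        -keyout "$dir/int.key" -out "$dir/int.csr" 2>/dev/null || return 1
    # Sign the CSR with the root, applying the [test_ext] section.
    openssl x509 -req -in "$dir/int.csr" \
        -CA "$dir/root.pem" -CAkey "$dir/root.key" -CAcreateserial \
        -days 30 -extfile "$dir/ext.cnf" -extensions test_ext \
        -out "$dir/int.pem" || return 1
    # Dump the issued certificate so the extension can be inspected.
    openssl x509 -in "$dir/int.pem" -noout -text
}
```

In the text dump, the `X509v3 Policy Mappings` entry should list the pair as `1.2.3.4.5:1.3.5.7.9`.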


[openssl-users] An example issuing an intermediate CA with policy mappings?

2018-09-25 Thread Krehbiel, Richard
For my testing I want to explore the behaviors of policies, policy constraints, 
and policy mappings.  I have figured out how to request and issue certs with 
custom policy OIDs, but I haven't yet seen a method of granting an intermediate 
cert with policy mappings.   Can openssl do this?  How?  Thanks.

