Re: [openssl-users] Certificate template information

2015-04-28 Thread Franks Andy (IT Technical Architecture Manager)
Hi Jakob, 

  Thanks for the feedback, what you say makes sense, so I'll try and
avoid the non-standard Microsoft thing.

Apologies for the top-posting, I get so used to pressing reply.

Kind regards,

Andy

___
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users


Re: [openssl-users] Certificate template information

2015-04-28 Thread Franks Andy (IT Technical Architecture Manager)
Thanks Rich, Jakob. 
So, can I use openssl as it is to query the values of the extension on an 
existing certificate do you think? The usual issue seems that people want to 
use openssl to form a request and insert the ms CA template name in there 
otherwise it complains. I don't want to do that, I want to take a presented 
certificate (to freeradius) and perform something in the shell that will check 
against acceptable template names (and that the certificate chains properly, 
but that's not a problem).
I can't find anything on google citing that someone has achieved it so far.
Thanks again.
Andy

-Original Message-
From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf Of 
Jakob Bohm
Sent: 28 April 2015 04:17
To: openssl-users@openssl.org
Subject: Re: [openssl-users] Certificate template information

On 28/04/2015 02:59, Salz, Rich wrote:

I have need to identify a Microsoft generated certificate's template name, I 
believe as part of oid 1.3.6.1.4.1.311.21.7

Where, in a cert OtherName field?

It is an extension.  Microsoft certificate server (their
bundled CA software) puts the name of the certificate
template (analogous to an openssl.cnf section) in a
certificate extension, and a few other Microsoft tools
unfortunately check this name in addition to more
relevant conditions such as EKU values etc.

The form I know of can be implemented as follows in
openssl.cnf (in the [sometemplatename_cert] section of
the file):

# enrollCerttypeExtension (1 3 6 1 4 1 311 20 2)
#   OCTET STRING, encapsulates {
# BMPString 'SomeTemplateName'
# }
#   }
1.3.6.1.4.1.311.20.2 = ASN1:BMP:SomeTemplateName

I am not sure about the 1.3.6.1.4.1.311.21.7 OID, but it
might be similar.

Enjoy

Jakob
-- 
Jakob Bohm, CIO, Partner, WiseMo A/S.  http://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded

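As an added example (not code from the thread or from OpenSSL), this is the decoding step Andy asks about, done in stdlib Python on the raw extension value: the 1.3.6.1.4.1.311.20.2 value is an OCTET STRING encapsulating a BMPString (UTF-16BE), exactly the shape Jakob's openssl.cnf comment describes. It assumes the extension bytes have already been pulled out of the certificate; the template-name bytes below are constructed sample input, not from a real certificate.

```python
"""Decode the Microsoft certificate-template-name extension
(1.3.6.1.4.1.311.20.2) and check it against an allow-list."""

TEMPLATE_NAME_OID = "1.3.6.1.4.1.311.20.2"  # enrollCerttypeExtension (from the thread)


def _read_tlv(data: bytes, pos: int = 0):
    """Minimal DER TLV reader -> (tag, value, next_pos).
    Handles short- and long-form lengths; rejects truncated input."""
    if pos + 2 > len(data):
        raise ValueError("truncated DER element")
    tag, length = data[pos], data[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: next n bytes hold the length
        n = length & 0x7F
        if n == 0 or pos + n > len(data):
            raise ValueError("bad DER length")
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    if pos + length > len(data):
        raise ValueError("DER value runs past end of input")
    return tag, data[pos:pos + length], pos + length


def decode_template_name(ext_value: bytes) -> str:
    """Template name from the extension value. Accepts the OCTET STRING
    wrapper as stored in the certificate, or the bare BMPString."""
    tag, inner, _ = _read_tlv(ext_value)
    if tag == 0x04:                         # OCTET STRING, encapsulates { ... }
        tag, inner, _ = _read_tlv(inner)
    if tag != 0x1E:                         # BMPString
        raise ValueError("expected BMPString, got tag 0x%02x" % tag)
    if len(inner) % 2:
        raise ValueError("BMPString has odd byte length")
    return inner.decode("utf-16-be")


def template_allowed(ext_value: bytes, allowed: frozenset) -> bool:
    """Allow-list check; a malformed extension is a reject, never a match."""
    try:
        return decode_template_name(ext_value) in allowed
    except ValueError:
        return False


def encode_template_name(name: str) -> bytes:
    """Same encoding openssl.cnf's 'ASN1:BMP:<name>' yields, plus the OCTET
    STRING wrapper; used here only to build constructed sample input."""
    bmp = name.encode("utf-16-be")
    if len(bmp) > 125:
        raise ValueError("short-form length only in this helper")
    inner = bytes([0x1E, len(bmp)]) + bmp
    return bytes([0x04, len(inner)]) + inner


SAMPLE_EXT = encode_template_name("SomeTemplateName")   # constructed sample
ALLOWED = frozenset({"SomeTemplateName", "HRWebServer"})  # assumed policy
```

Per Jakob's advice, treat this as one check alongside EKU, key usage, name and key-size checks rather than the sole gate.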


Re: [openssl-users] Certificate template information

2015-04-28 Thread Jakob Bohm

(top posting because OP did so)

Note that as I already said, checking the template name
is usually a mistake, unless you happen to know that
some other software will reject certificates without
specific template names.

It is much more relevant (and should be done even if
the template name is also checked) to check all the
specific certificate properties (extensions, basic
settings, name forms etc.) against the requirements.

Tests such as:

Does it include the required set of key usages and
extended key usages?

Does it include any neither required nor optional
(and thus unwanted) key usages or extended key
usages?

Does the Subject Name have the required form and
the required fields?

Does it include any required Subject Alternate
Names?

Does it include any unwanted Subject Alternate
Names?

Is the key of the required type and size?

Is the signature on the certificate of the required
type and size?

Etc. Etc.

Basically, look at valid certificates and create a
test for each of the fields/attributes.

This way, unless some other broken software tests the
template name, the testing will be correct even if at
some later stage a variant template is created for
some subset of the certificates used for this purpose.
For example, a special template for servers in the HR
department.

On 28/04/2015 10:08, Franks Andy (IT Technical Architecture Manager) wrote:

Thanks Rich, Jakob.
So, can I use openssl as it is to query the values of the extension on an 
existing certificate do you think? The usual issue seems that people want to 
use openssl to form a request and insert the ms CA template name in there 
otherwise it complains. I don't want to do that, I want to take a presented 
certificate (to freeradius) and perform something in the shell that will check 
against acceptable template names (and that the certificate chains properly, 
but that's not a problem).
I can't find anything on google citing that someone has achieved it so far.
Thanks again.
Andy

-Original Message-
From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf Of 
Jakob Bohm
Sent: 28 April 2015 04:17
To: openssl-users@openssl.org
Subject: Re: [openssl-users] Certificate template information

On 28/04/2015 02:59, Salz, Rich wrote:

I have need to identify a Microsoft generated certificate's template name, I 
believe as part of oid 1.3.6.1.4.1.311.21.7

Where, in a cert OtherName field?

It is an extension.  Microsoft certificate server (their
bundled CA software) puts the name of the certificate
template (analogous to an openssl.cnf section) in a
certificate extension, and a few other Microsoft tools
unfortunately check this name in addition to more
relevant conditions such as EKU values etc.

The form I know of can be implemented as follows in
openssl.cnf (in the [sometemplatename_cert] section of
the file):

# enrollCerttypeExtension (1 3 6 1 4 1 311 20 2)
#   OCTET STRING, encapsulates {
# BMPString 'SomeTemplateName'
# }
#   }
1.3.6.1.4.1.311.20.2 = ASN1:BMP:SomeTemplateName

I am not sure about the 1.3.6.1.4.1.311.21.7 OID, but it
might be similar.

Enjoy

Jakob



Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  http://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded



[openssl-users] Certificate template information

2015-04-27 Thread Franks Andy (IT Technical Architecture Manager)
Hi All,
  First time post, be gentle :-)
I know this has come up before, but not recently, and there aren't any
answers that seem conclusive.
I have need to identify a Microsoft generated certificate's template
name, I believe as part of oid 1.3.6.1.4.1.311.21.7
Can anybody shed any light on how to do this with openssl?
Thanks
Andy


Re: [openssl-users] Certificate template information

2015-04-27 Thread Salz, Rich
I have need to identify a Microsoft generated certificate's template name, I 
believe as part of oid 1.3.6.1.4.1.311.21.7

Where, in a cert OtherName field?


Re: [openssl-users] Certificate template information

2015-04-27 Thread Jakob Bohm

On 28/04/2015 02:59, Salz, Rich wrote:

I have need to identify a Microsoft generated certificate's template name, I 
believe as part of oid 1.3.6.1.4.1.311.21.7

Where, in a cert OtherName field?

It is an extension.  Microsoft certificate server (their
bundled CA software) puts the name of the certificate
template (analogous to an openssl.cnf section) in a
certificate extension, and a few other Microsoft tools
unfortunately check this name in addition to more
relevant conditions such as EKU values etc.

The form I know of can be implemented as follows in
openssl.cnf (in the [sometemplatename_cert] section of
the file):

# enrollCerttypeExtension (1 3 6 1 4 1 311 20 2)
#   OCTET STRING, encapsulates {
# BMPString 'SomeTemplateName'
# }
#   }
1.3.6.1.4.1.311.20.2 = ASN1:BMP:SomeTemplateName

I am not sure about the 1.3.6.1.4.1.311.21.7 OID, but it
might be similar.

Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  http://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
