Re: Friendly Name in CA cert
On Fri, Aug 24, 2007, Bynum, Don wrote:

> So, when I see a Friendly Name in the CA certs in a Trusted Root Store
> (in any browser for example), how did the friendly name get there? A
> PKCS#12 file always includes the private key, right? The private keys
> of Trusted Root CA certs are certainly not submitted to the browser
> vendor.
>

A PKCS#12 file does not have to include a private key but it normally does
include at least one key. In the past browsers would reject a PKCS#12 file
without a key but now some will accept it.

In any case a friendlyName can be associated with a certificate other than the
one containing a private key (if any).

Also the actual browser vendor might associate a human readable name with the
certificate so when it is submitted a hard coded friendly name might appear.
So when a CA sends the CA it might send a certificate and tell the vendor call
this "Foobar Class 1 CA".

The third possibility is that in the absence of any other friendly name some
subject name components will be used but there's no standard way of doing
that. So if CN="Foo CA" and O="Bar Organization" the common name might be
"Foo CA - Bar Organization"

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
__
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
RE: Friendly Name in CA cert
So, when I see a Friendly Name in the CA certs in a Trusted Root Store
(in any browser for example), how did the friendly name get there? A
PKCS#12 file always includes the private key, right? The private keys
of Trusted Root CA certs are certainly not submitted to the browser
vendor.

Regards,
Don.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dr. Stephen Henson
Sent: Friday, August 24, 2007 9:14 AM
To: openssl-users@openssl.org
Subject: Re: Friendly Name in CA cert

On Fri, Aug 24, 2007, Bynum, Don wrote:

> I want to embed a friendly name in a self signed Root CA cert. I
> cannot seem to find the correct element in the config file to set
> this. Anyone know how to do this?

There isn't a DN component or extension called "friendly name". It is only an
attribute in PKCS#12 files.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
Re: Friendly Name in CA cert
On Fri, Aug 24, 2007, Bynum, Don wrote:

> I want to embed a friendly name in a self signed Root CA cert. I cannot
> seem to find the correct element in the config file to set this. Anyone
> know how to do this?

There isn't a DN component or extension called "friendly name". It is only an
attribute in PKCS#12 files.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
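Added example (not part of the thread, and not code from the OpenSSL project): the script below illustrates the reply above by exporting one self-signed CA certificate into two PKCS#12 files with different -name values, then checking that the friendly name exists only as a PKCS#12 bag attribute and that the certificate fingerprint is identical in both files. The subject, friendly names, file names and password are constructed sample values, and the export includes the private key (the usual case).

```shell
#!/bin/sh
# Added example. Subject, friendly names, file names and password are constructed.
set -eu
work=$(mktemp -d); trap 'rm -rf "$work"' EXIT
pw='pass:example-only'

# Self-signed CA certificate: the DN has O and CN, nothing called friendlyName.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj '/O=Bar Organization/CN=Foo CA' \
        -keyout "$work/ca.key" -out "$work/ca.pem" 2>/dev/null
}

# export_p12 NAME FILE: -name stores NAME as the friendlyName bag attribute.
export_p12() {
    openssl pkcs12 -export -inkey "$work/ca.key" -in "$work/ca.pem" \
        -name "$1" -passout "$pw" -out "$work/$2"
}

# Number of lines mentioning friendlyName in the certificate itself.
cert_friendly_lines() {
    openssl x509 -in "$work/ca.pem" -noout -text | grep -ci friendlyname || true
}

# friendlyName recorded in PKCS#12 file FILE.
p12_friendly_name() {
    openssl pkcs12 -in "$work/$1" -nokeys -passin "$pw" 2>/dev/null |
        sed -n 's/^ *friendlyName: //p' | head -n 1
}

# SHA-256 fingerprint of the certificate carried in PKCS#12 file FILE.
p12_cert_fingerprint() {
    openssl pkcs12 -in "$work/$1" -nokeys -passin "$pw" 2>/dev/null |
        openssl x509 -noout -fingerprint -sha256
}

make_ca
export_p12 'Foo CA - Bar Organization' a.p12
export_p12 'Foobar Class 1 CA' b.p12
echo "in certificate: $(cert_friendly_lines) friendlyName lines"
echo "a.p12: $(p12_friendly_name a.p12) / $(p12_cert_fingerprint a.p12)"
echo "b.p12: $(p12_friendly_name b.p12) / $(p12_cert_fingerprint b.p12)"
```

Because the friendly name sits outside the signed certificate, it is a label chosen by whoever packaged the file; identify a root by its fingerprint, not by that label.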
Friendly Name in CA cert
I want to embed a friendly name in a self signed Root CA cert. I cannot
seem to find the correct element in the config file to set this. Anyone
know how to do this?

Don Bynum