crlDistributionPoints with DirName value?
Hi,

(Sorry if some of my terminology is wrong - what I understand of X.509 certs I've picked up working with OpenSSL to set up IPSec and SSL tunnels.)

I've been working on getting SSH Sentinel to talk to the Linux FreeS/WAN IPSec implementation, and am at the stage where I want to get Sentinel to fetch CRLs automatically. To make a long story short, at http://pki.ssh.com:8080/enroll-ca-list.html ssh.com provides some test CAs whose certificates include crlDistributionPoints extensions of type DirName, and I infer that I must do something similar to get Sentinel to fetch the CRLs automatically (as it supports only LDAP for this). Is this possible with OpenSSL?

Into the usr_cert section of openssl.cnf I've put

    crlDistributionPoints = DirName:/C=FI/O=SSH Communications Security Corp/CN=SSH Test CA 2 No Liabilities

and when I attempt to use openssl ca to sign the certificate I get:

    # openssl ca -in req.pem -out cert.pem
    Using configuration from /usr/share/ssl/openssl.cnf
    Enter PEM pass phrase:
    Error Loading extension section usr_cert
    6355:error:22075075:X509 V3 routines:v2i_GENERAL_NAME:unsupported option:v3_alt.c:380:name=DirName
    6355:error:2206B080:X509 V3 routines:X509V3_EXT_conf:error in extension:v3_conf.c:91:name=crlDistributionPoints, value=DirName:/C=FI/O=SSH Communications Security Corp/CN=SSH Test CA 2 No Liabilities

From my reading of the source code it appears that I can only use email, URI, DNS, RID, and IP type values for this extension. Is there some other way to get a value of type DirName into this extension?

Thanks very much :)

--
| Mike Acar | [EMAIL PROTECTED] |
__
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                       [EMAIL PROTECTED]
Automated List Manager                          [EMAIL PROTECTED]
Re: crlDistributionPoints with DirName value?
Hi,

> crlDistributionPoints = DirName:/C=FI/O=SSH Communications Security Corp/CN=SSH Test CA 2 No Liabilities

How about

    crlDistributionPoints = @crl_dist

    [ crl_dist ]
    DirName = /C=FI/O=SSH Communications Security Corp/CN=SSH Test CA 2 No Liabilities

-Kiyoshi
Kiyoshi Watanabe

> and when I attempt to use openssl ca to sign the certificate I get:
>
> # openssl ca -in req.pem -out cert.pem
> Using configuration from /usr/share/ssl/openssl.cnf
> Enter PEM pass phrase:
> Error Loading extension section usr_cert
> 6355:error:22075075:X509 V3 routines:v2i_GENERAL_NAME:unsupported option:v3_alt.c:380:name=DirName
> 6355:error:2206B080:X509 V3 routines:X509V3_EXT_conf:error in extension:v3_conf.c:91:name=crlDistributionPoints, value=DirName:/C=FI/O=SSH Communications Security Corp/CN=SSH Test CA 2 No Liabilities
>
> From my reading of the source code it appears that I can only use email,
> URI, DNS, RID, and IP type values for this extension. Is there some
> other way to get a value of type DirName into this extension?
>
> Thanks very much :)
>
> --
> | Mike Acar | [EMAIL PROTECTED] |
Re: crlDistributionPoints with DirName value?
I'll answer several messages at once in this mail.

Nils Larsch <[EMAIL PROTECTED]> wrote:

> Try:
>
> crlDistributionPoints=@dist_point
>
> [dist_point]
> dirName=dir_name
>
> [dir_name]
> C=FI
> O=SSH Communications Security Corp
> CN=SSH Test CA 2 No Liabilities
>
> this works for me (note: I'm using 0.9.8-dev).

Indeed, this works for me too. I checked the relevant code in the snapshot from 20031105 and it's apparently been rewritten to handle dirNames.

Kiyoshi Watanabe <[EMAIL PROTECTED]> wrote:

> Sorry, I did not mention that I used the patch from Oliver King a few
> years back in openssl dev mailing list. Please search the patch in the
> archive.

I guess this patch also adds support for dirName type attributes? Regardless, support for it appears to be in the snapshot I'm using.

When I reported that Kiyoshi's suggestion didn't work, I quoted this from my config:

    crlDistributionPoints = @crl_dist

    [ crl_dist ]
    DirName = /C=FI/O=SSH Communications Security Corp/CN=SSH Test CA 2 No Liabilities

and Peter Sylvester <[EMAIL PROTECTED]> pointed out:

> The string is "dirName" not "DirName"

I went back and tried again, and it didn't work either way. With the snapshot and Nils's suggested syntax, I must indeed use "dirName", not "DirName". Thanks for the tip.

I appreciate the help, all. One step closer to security :)

--
| Mike Acar | [EMAIL PROTECTED] |
Re: crlDistributionPoints with DirName value?
On Thu, Nov 06, 2003, Mike Acar wrote:

> I'll answer several messages at once in this mail.
>
> Nils Larsch <[EMAIL PROTECTED]> wrote:
>
> > Try:
> >
> > crlDistributionPoints=@dist_point
> >
> > [dist_point]
> > dirName=dir_name
> >
> > [dir_name]
> > C=FI
> > O=SSH Communications Security Corp
> > CN=SSH Test CA 2 No Liabilities
> >
> > this works for me (note: I'm using 0.9.8-dev).
>
> Indeed, this works for me too. I checked the relevant code in the
> snapshot from 20031105 and it's apparently been rewritten to handle
> dirNames.

Yes that will work in 0.9.8-dev (this isn't supported in 0.9.7X). It can be simplified to:

    crlDistributionPoints=dirName:dir_name

    [dir_name]
    C=FI
    O=SSH Communications Security Corp
    CN=SSH Test CA 2 No Liabilities

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://drh-consultancy.demon.co.uk
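To make the three spellings discussed in this thread checkable against an installed OpenSSL, here is an added example script (not code from the thread, from OpenSSL's own documentation, or from ssh.com). It writes one config file containing Nils Larsch's `@dist_point` form, Steve Henson's `dirName:dir_name` shortcut, and the original `DirName:/C=...` value, self-signs a throwaway certificate with each extension section, and inspects the text dump. The distribution-point DN is the one from the thread; the work directory, the subject DN, and the section names `crldp_long`, `crldp_short` and `crldp_bad` are assumptions of this example. Self-signing with `openssl req -x509` is used only because it exercises the same extension parser as `openssl ca` without a CA database; with `openssl ca` the same `[dir_name]` section goes in the file that the `usr_cert` extensions are loaded from.

```shell
#!/bin/sh
# Added example (not from the thread): exercise the crlDistributionPoints/dirName
# config syntax against whatever openssl is installed. The DN under [dir_name]
# is the one from the thread; WORKDIR, the request subject and the section
# names crldp_long/crldp_short/crldp_bad are assumptions of this example.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"

# One config with three extension sections:
#   crldp_long  - Nils Larsch's form: a distribution-point section naming a DN section
#   crldp_short - Steve Henson's simplification: dirName:<section> inline
#   crldp_bad   - the original poster's value; the option name must be exactly
#                 "dirName" and it takes a section name, not a /C=.../O=... string
write_config() {
    cat > "$WORKDIR/crldp.cnf" <<'EOF'
[ req ]
distinguished_name = req_dn
prompt = no

[ req_dn ]
C = FI
O = Example Org
CN = crldp dirName test

[ crldp_long ]
basicConstraints = CA:FALSE
crlDistributionPoints = @dist_point

[ dist_point ]
dirName = dir_name

[ crldp_short ]
basicConstraints = CA:FALSE
crlDistributionPoints = dirName:dir_name

[ crldp_bad ]
basicConstraints = CA:FALSE
crlDistributionPoints = DirName:/C=FI/O=SSH Communications Security Corp/CN=SSH Test CA 2 No Liabilities

[ dir_name ]
C = FI
O = SSH Communications Security Corp
CN = SSH Test CA 2 No Liabilities
EOF
}

# Self-sign a throwaway certificate using the named extension section and
# print its text dump on stdout. Fails (non-zero) if openssl rejects the section.
sign_with_section() {
    section="$1"
    write_config
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -config "$WORKDIR/crldp.cnf" -extensions "$section" \
        -keyout "$WORKDIR/$section.key" -out "$WORKDIR/$section.pem" 2>/dev/null
    openssl x509 -in "$WORKDIR/$section.pem" -noout -text
}

# Return 0 when the dump shows a CRL Distribution Points extension whose name
# is a DirName carrying the expected DN, 1 otherwise. The grep patterns cover
# both the old "DirName: C=FI, ..." and the newer "DirName:C = FI, ..." rendering.
has_dirname_crldp() {
    text="$(sign_with_section "$1")"
    printf '%s\n' "$text" | grep -q 'CRL Distribution Points' || return 1
    printf '%s\n' "$text" | grep -q 'DirName:' || return 1
    printf '%s\n' "$text" | grep -q 'SSH Test CA 2 No Liabilities'
}

# Return 0 when openssl rejects the section (the "unsupported option" failure
# from the original post), 1 if it unexpectedly accepts it.
section_is_rejected() {
    if sign_with_section "$1" >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# Stand-alone run: `sh crldp.sh demo` prints the extension block for both
# working spellings so the DirName can be eyeballed.
if [ "${1:-}" = "demo" ]; then
    for s in crldp_long crldp_short; do
        echo "== $s =="
        sign_with_section "$s" | sed -n '/X509v3 extensions/,/Signature Algorithm/p'
    done
fi
```

Two practical notes. The option name is matched case-sensitively, so `DirName` fails for the same reason on current releases as it did on the 0.9.8 snapshot in the thread; and a dirName distribution point is only a pointer, since `openssl verify` does not fetch CRLs from it (CRLs must be supplied locally with `-CRLfile`), so the client that consumes the certificate, here SSH Sentinel, still has to know which LDAP directory holds that DN.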