MSIE and certificate requests

1999-03-03 Thread Kaur Virunurm
ate loading page :) BTW, as I understand it, Mr. Gomez created both the keypair and certificate off-line, thus he had no need for certificate request page.
Kaur Virunurm
Data Security Officer
Hansabank, Estonia

Re: Multiple OU in personal certificate

1999-04-15 Thread Kaur Virunurm
You can repeat any attribute in DN as many times as you wish. The way to do it is to add multiple entries for this attribute into the [req] section of your config file. Example:
0.stateOrProvinceName = State or Province Name 1 (full name)
0.stateOrProvinceName_default = Estonia
1.st

Re: How To Load User Client Certificate ?

1999-07-23 Thread Kaur Virunurm
> Can I know where I can see the example Perl script which to
> load user client certificate into Netscape Browser?
You must send the certificate to the browser with correct MIME type (application/x-x509-user-cert). You can build the page in Perl, or put the certificate into a file and point th

Bug? Openssl ca ignores attributes without notice

1999-07-27 Thread Kaur Virunurm
certificate's subject's DN will be: [EMAIL PROTECTED] In my opinion, openssl ca should either reject this request, or issue a warning, but not just silently change the subject value. Comments?
Kaur Virunurm

Re: Bug? Openssl ca ignores attributes without notice

1999-07-27 Thread Kaur Virunurm
Vadim Fedukovich wrote:
> x509 application use X509_NAME_oneline() that wants to OBJ_obj2nid()
> everything it prints. I'm not sure OBJ_obj2nid() returns something
> useful for "uniqueIdentifier" and X509_NAME_oneline() will just skip
> unknown name entry object.
No no no! You missed the point. I

Re: Bug? Openssl ca ignores attributes without notice

1999-07-28 Thread Kaur Virunurm
> Is uniqueIdentifier allowed in a DistinguishedName?
Yes, I think? At least OpenSSL allows it and shows it as UID= field in the DN. Are there any restrictions on which attributes can be contained in the DN at all? Can I use freely anything from the whole 2.5.4.* OID-space and anything else th

Re: Processing a PKCS10 Request.

1999-07-28 Thread Kaur Virunurm
> How do I process this data packet with OpenSSL?
> Do I need to pre-pend or append any data (such as DN, '--CERTIFICATE--'
> or something else)?
Yes. This works for me (VBScript):
request = "-----BEGIN NEW CERTIFICATE REQUEST-----" + CHR(13) + _
          sz10 + _
          "-----END NEW CERTIFICATE REQUEST-----"

RE: Bug? Openssl ca ignores attributes without notice

1999-07-28 Thread Kaur Virunurm
I agree with your philosophy, Mr. Reif: the CA has certainly the authority to decide what to include in the cert, but:
> Whether there should be a big flash "Hey, the user wants to
> trick you into something!" is another question.
That's it, but not only. Right now, the person behind the CA is d

Re: openssl ca policy

1999-08-09 Thread Kaur Virunurm
> What is the behavior of openssl ca towards a field which is not listed
> in the policy section?
It will be ignored and quietly dropped. 'openssl ca' prints it out when displaying the request, but does not copy it into the issued certificate. Which also means that fields not specified in [pol

Re: xenroll.dll/createPKCS10 and DER to PEM

1999-08-10 Thread Kaur Virunurm
The result of CreatePKCS10 (sz10) _is_ in PEM format, it just misses BEGIN/END tags. Add those with the following:
pkcs10Request = "-----BEGIN NEW CERTIFICATE REQUEST-----" + CHR(13) + sz10 + "-----END NEW CERTIFICATE REQUEST-----"
Then you can feed pkcs10Request directly to 'openssl ca'. Kau

Re: xenroll.dll/createPKCS10 and DER to PEM

1999-08-10 Thread Kaur Virunurm
> You can't create a PKCS#12 file from this because you don't have the
> private key. Instead you must take the signed certificate and create a
> PKCS#7 file from it:
> openssl crl2pkcs7 -nocrl -certfile cert.pem -out p7.pem
There is no need to do it.
> Then strip off the BEGIN and END lines and

Re: signed and certified but not for email

1999-09-23 Thread Kaur Virunurm
> > But the problem is that certificates, CA-signed and installed are marked in
> > IE5 as fit for everything EXCEPT email and client-identification.
> >
> > They are marked for servers, code signing, encrypted file systems, all kinds
> > of stuff I have never heard of! Won't the certificate usage

Re: Importing Signing Certs into Netscape 4.7

2000-01-11 Thread Kaur Virunurm
[EMAIL PROTECTED] wrote:
> Can I take my Verisign co-signed certificate and alter its
> 'nsCertType' to 0xb0? Or did this need to happen to the csr *before*
> I sent it to Verisign, or (more likely) is this something Verisign had
> to do when they co-signed it?
Hell no! You cannot change an a

Re: Importing Signing Certs into Netscape 4.7

2000-01-11 Thread Kaur Virunurm
[EMAIL PROTECTED] wrote:
> Yes, I'm finding this out now. I'm contacting Verisign to see
> what they can do for me (short of actually buying a new $400 cert).
> My hopes aren't very high.
Does Thawte still offer its services? Thawte certs used to be cheaper. Of course, since they are one

Re: Who understands the witchcraft: getting a cert into MSIE

2000-01-11 Thread Kaur Virunurm
Hello. The following works for me. I won't give you the full forms since they are in Estonian and utterly unreadable, but the idea should be clear. First, try everything with MSIE 5. It is much more intelligent than IE4 - understands certificate chains, shows the certs in a nice and logical way,