On Tue, Nov 12, 2002, Henry E. Thorpe wrote:

> Question:
>
> Is there a standard for how the e-mail address is supposed to be
> contained in the Subject or Alternative name extension of an x509
> certificate?
>
> We have some folks trying to set up a PKI using a Microsoft
> Certificate server. I noted that openssl x509 doesn't successfully
> extract the email address from their certs.
>
> The quote from them is "The Subject in our certificates uses the
> default method provided by Microsoft's CA".
>
> As an example, a Verisign Class 1 Individual certificate (see
> attached) parses just fine:
>
> [thorpe@ermine tmp]$ openssl x509 -in mikeschiraldi.crt -noout -email
> [EMAIL PROTECTED]
> [thorpe@ermine tmp]$
>
> Whereas the MS Cert Server ones don't:
>
> [thorpe@ermine tmp]$openssl x509 -in henrysmime.crt -noout -email
> [thorpe@ermine tmp]$
>
> I think that's because Verisign places the Email in the CN field:
>
> Subject: [stuff]CN=Mike [EMAIL PROTECTED]
>
> Whereas the MS server places it in the other noise in the Subject line:
>
> Subject: [EMAIL PROTECTED], [stuff] CN=Henry E Thorpe
>
> I've also seen:
>
> X509v3 Subject Alternative Name:
> email:[EMAIL PROTECTED], email:[EMAIL PROTECTED]
>
> which also works:
>
> [thorpe@ermine tmp]$ openssl x509 -in alt-smime.crt -noout -email
> [EMAIL PROTECTED]
> [EMAIL PROTECTED]
> [thorpe@ermine tmp]
>
> Can anyone help me point these folks in the right direction?
>
> TIA for any hints.
>

Email is always in a separate field. You get some odd looking subject names because of a quirk in the default OpenSSL print routines which are retained for compatibility. If you use the -nameopt option to the x509 utility with oneline or multiline it may make things a bit clearer.

Now the reason why the cert you included doesn't display the email address is because of a bug in OpenSSL: it would miss the email address if it was at the start of the subject name. I've checked in a fix which will appear in the next snapshots.

Steve.
--
Dr. Stephen Henson [EMAIL PROTECTED]
OpenSSL Project http://www.openssl.org/~steve/
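
Added example, not part of the original thread: the checks discussed above (`-email` and `-subject -nameopt`), run against throwaway self-signed certificates covering the three layouts mentioned. The `first` case is the layout Steve says the buggy build missed. All subject names, addresses and file names are constructed, and `-addext` assumes OpenSSL 1.1.1 or later.

```shell
#!/bin/sh
# Added example: constructed certificates, not the ones from the thread.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_cert NAME SUBJECT [SAN]: write a throwaway self-signed cert to $WORK/NAME.pem
make_cert() {
  if [ -n "${3:-}" ]; then
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "$2" \
      -addext "subjectAltName=$3" \
      -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
  else
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "$2" \
      -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
  fi
}

# Addresses OpenSSL finds in the subject emailAddress attribute or SAN email entries
cert_emails() { openssl x509 -in "$WORK/$1.pem" -noout -email; }

# Subject printed with a given -nameopt style (oneline, multiline, ...)
cert_subject() { openssl x509 -in "$WORK/$1.pem" -noout -subject -nameopt "$2"; }

# Email as the first subject attribute, as the last one, and only in the SAN extension
make_cert first "/emailAddress=henry@example.test/CN=Henry E Thorpe"
make_cert last  "/CN=Mike Example/emailAddress=mike@example.test"
make_cert san   "/CN=Alt User" "email:alt1@example.test,email:alt2@example.test"

for c in first last san; do
  echo "== $c"
  cert_subject "$c" multiline          # one attribute per line, email shown as its own field
  n=$(cert_emails "$c" | grep -c . || true)
  cert_emails "$c" | sed 's/^/  email: /'
  [ "$n" -gt 0 ] || echo "  WARNING: no address extracted"
done
```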