certificate extension

naveen.bn naveen.bn at globaledgesoft.com
Tue Jun 3 07:21:19 EDT 2008


Hi all,
I have a problem retaining the X509 extension in the end certificate which will be submitted to the KDC.
I generate the certificate using the openssl tool; this is what it looks like.


 openssl req -new -newkey rsa:1024 -nodes -config openssl.cnf -out ca.csr -keyout ca.key 

The output is the ca.csr file, which looks like

openssl req -text -noout -in ca.csr
Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject: C=in, O=dfds, OU=fds, CN=f
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                    00:b8:d7:57:3b:de:28:38:9e:0f:cc:04:c6:29:46:
                    47:42:ee:d9:a4:0b:4e:af:9e:e9:e7:9a:dd:2f:96:
                    c6:fc:72:d1:a5:7b:dc:1e:98:f7:2f:7b:b8:23:55:
                    41:de:00:e7:06:95:36:c8:31:ba:a4:99:19:f6:93:
                    ca:0b:a3:51:b0:bd:df:3b:37:5d:d1:b6:a4:2f:74:
                    9c:03:00:db:e5:4a:9e:22:a6:d8:0f:ff:87:a7:4f:
                    71:64:2f:c1:1e:cc:03:c9:ae:83:da:0f:56:62:ef:
                    a8:27:fa:2d:00:26:d6:e4:19:89:af:f3:23:bb:43:
                    1f:32:1f:ac:da:eb:79:41:3d
                Exponent: 65537 (0x10001)
        Attributes:
        Requested Extensions:
            X509v3 Basic Constraints: 
                CA:TRUE
            X509v3 Key Usage: 
                Digital Signature, Non Repudiation, Key Encipherment
    Signature Algorithm: sha1WithRSAEncryption
        af:9e:41:62:06:95:2a:60:b2:cc:0d:cf:a1:99:ce:f1:71:74:
        cc:bd:2f:a1:53:10:53:45:3e:5f:db:93:06:90:7d:b5:74:36:
        2e:66:93:bf:14:59:f0:ec:fd:3c:20:36:a1:35:6a:d1:6c:47:
        d7:81:fd:48:50:6b:01:10:ca:fd:c6:d4:cb:0e:2b:17:f5:3b:
        d3:61:69:1b:94:29:d8:12:91:af:15:4c:b1:27:35:ef:dc:82:
        cd:d2:1d:c8:13:4a:3b:19:ee:4d:b7:fa:c7:1a:c3:7a:d5:73:
        69:1d:ac:a8:1b:2f:b6:fa:08:f0:a2:bf:67:d1:76:00:d5:98:
        78:91
Now I can see the X509 extension, but after the ca.csr is used to generate a ca.pem certificate,
I am not able to see the X509 extension. Will this certificate be valid to use with krb5-1.6.3 with
pkinit?

openssl x509 -trustout -signkey ca.key -days 365 -req -in ca.csr -out ca.pem  
openssl x509 -text -noout -in ca.pem
Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number:
            b5:0f:de:82:c6:24:be:1a
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=in, O=dfds, OU=fds, CN=f
        Validity
            Not Before: Jun  3 11:17:23 2008 GMT
            Not After : Jun  3 11:17:23 2009 GMT
        Subject: C=in, O=dfds, OU=fds, CN=f
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                    00:b8:d7:57:3b:de:28:38:9e:0f:cc:04:c6:29:46:
                    47:42:ee:d9:a4:0b:4e:af:9e:e9:e7:9a:dd:2f:96:
                    c6:fc:72:d1:a5:7b:dc:1e:98:f7:2f:7b:b8:23:55:
                    41:de:00:e7:06:95:36:c8:31:ba:a4:99:19:f6:93:
                    ca:0b:a3:51:b0:bd:df:3b:37:5d:d1:b6:a4:2f:74:
                    9c:03:00:db:e5:4a:9e:22:a6:d8:0f:ff:87:a7:4f:
                    71:64:2f:c1:1e:cc:03:c9:ae:83:da:0f:56:62:ef:
                    a8:27:fa:2d:00:26:d6:e4:19:89:af:f3:23:bb:43:
                    1f:32:1f:ac:da:eb:79:41:3d
                Exponent: 65537 (0x10001)
    Signature Algorithm: sha1WithRSAEncryption
        2d:5b:be:a5:af:cb:ee:a8:17:34:bf:44:e6:9e:05:df:cd:bb:
        79:3b:9f:8b:72:90:5c:d6:94:e4:6b:6a:58:af:36:ea:fd:a6:
        e2:2b:81:de:2c:c4:f8:00:05:60:4a:0b:c0:17:fe:a3:11:79:
        67:09:4b:ac:d6:92:0c:28:ef:2c:5f:92:ba:d7:08:54:06:4c:
        0f:ca:a0:93:10:66:2d:2c:54:36:d8:eb:bb:58:84:32:52:f4:
        f6:ff:ce:33:c9:72:f4:fc:c0:f5:7c:5e:6b:d3:2d:a7:ed:ff:
        36:90:28:c1:fb:e2:77:b4:82:3a:41:27:f1:83:51:e2:d0:35:
        b0:51

Can someone help out with this?
Thank you
naveen
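
An added example, not part of the original post: `openssl x509 -req` does not copy the extensions requested in a CSR, so the signed certificate carries none unless an extension section is supplied at signing time with `-extfile`/`-extensions`. The config contents, DN, file names, the `v3_ca` section name and the 2048-bit key size are assumptions made for this demo.

```shell
#!/bin/sh
# Added demo: `openssl x509 -req` drops CSR extensions unless an extension
# section is named at signing time. Config, DN and file names are constructed.
workdir=$(mktemp -d)

# Request config (constructed); extensions mirror the CSR shown in the post.
cat > "$workdir/openssl.cnf" <<'EOF'
[ req ]
prompt             = no
distinguished_name = dn
req_extensions     = v3_ca
[ dn ]
C  = in
O  = example
CN = example-ca
[ v3_ca ]
basicConstraints = CA:TRUE
keyUsage         = digitalSignature, nonRepudiation, keyEncipherment
EOF

# Key and CSR as in the post (2048-bit here rather than 1024).
make_csr() {
    openssl req -new -newkey rsa:2048 -nodes -config "$workdir/openssl.cnf" \
        -out "$workdir/ca.csr" -keyout "$workdir/ca.key" 2>/dev/null
}

# Self-sign without naming extensions, as in the post: none are copied.
sign_plain() {
    openssl x509 -req -signkey "$workdir/ca.key" -days 365 \
        -in "$workdir/ca.csr" -out "$workdir/plain.pem" 2>/dev/null
}

# Self-sign again, naming the section whose extensions go into the certificate.
sign_with_ext() {
    openssl x509 -req -signkey "$workdir/ca.key" -days 365 \
        -extfile "$workdir/openssl.cnf" -extensions v3_ca \
        -in "$workdir/ca.csr" -out "$workdir/ext.pem" 2>/dev/null
}

# Succeeds when certificate file $1 contains a CA:TRUE basic constraint.
has_ca_constraint() {
    openssl x509 -text -noout -in "$1" 2>/dev/null | grep -q 'CA:TRUE'
}

make_csr && sign_plain && sign_with_ext
for c in plain.pem ext.pem; do
    if has_ca_constraint "$workdir/$c"; then echo "$c: CA:TRUE present"
    else echo "$c: no basic constraints"; fi
done
```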



