certificate extension
Michael Calmer
mc at suse.de
Tue Jun 3 08:32:03 EDT 2008
Hi,
On Tuesday, 3 June 2008, naveen.bn wrote:
> Hi all,
> I have a problem in retaining the X509 extension in the end certificate
> which will be submitted to kdc. I generate the certificate using the
> openssl tool; this is what it looks like.
>
>
> openssl req -new -newkey rsa:1024 -nodes -config openssl.cnf -out ca.csr
> -keyout ca.key
>
> output is the ca.csr file, which looks like
>
> openssl req -text -noout -in ca.csr
> Certificate Request:
> Data:
[...]
> Requested Extensions:
> X509v3 Basic Constraints:
> CA:TRUE
> X509v3 Key Usage:
> Digital Signature, Non Repudiation, Key Encipherment
[...]
> Now I can see the x509 extension, but after the ca.csr is used to generate a
> ca.pem certificate, I am not able to see the x509 extension. Will this
> certificate be valid to use with krb5-1.6.3 with pkinit?
> openssl x509 -trustout -signkey ca.key -days 365 -req -in ca.csr -out
Hmm, I use the "openssl ca" command to sign requests. There you also have an
option -config, and you need to write the extensions again into the config
during the sign process (e.g. in the [ v3_ca ] section).
The idea behind this (as I understand it :-):
A user "requests" some extensions, but the CA is the only authority who
can "allow" them to go into the final certificate.
A UI would show the requested extensions and the CA would be able to accept or
reject them (and add more if required).
[...]
> Can someone help out with this?
--
Best regards
Michael Calmer
--------------------------------------------------------------------------
Michael Calmer
SUSE LINUX Products GmbH, Maxfeldstr. 5, D-90409 Nuernberg
T: +49 (0) 911 74053 0
F: +49 (0) 911 74053575 - e-mail: Michael.Calmer at suse.com
--------------------------------------------------------------------------
SUSE LINUX Products GmbH, GF: Markus Rex, HRB 16746 (AG Nürnberg)
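The behaviour discussed in this thread, as an added example that is not part of the original messages: a request carrying extensions is self-signed twice with `openssl x509 -req`, once without naming any extensions and once with them written again through `-extfile`/`-extensions`. This uses `openssl x509` rather than the `openssl ca` command mentioned in the reply; the file names, the subject and the 2048-bit key size are assumptions made for the example.

```shell
#!/bin/sh
# Added example: file names, subject and key size are constructed for illustration.
set -eu
work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT
cd "$work"

# Minimal config: [ v3_ca ] holds the extensions shown in the thread's request.
cat > openssl.cnf <<'EOF'
[ req ]
distinguished_name = dn
req_extensions     = v3_ca
prompt             = no
[ dn ]
CN = Example Test CA
[ v3_ca ]
basicConstraints = CA:TRUE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment
EOF

# Request carrying the extensions (2048-bit key here; the thread used rsa:1024).
openssl req -new -newkey rsa:2048 -nodes -config openssl.cnf \
    -out ca.csr -keyout ca.key 2>/dev/null

# Signing without naming an extension section: requested extensions are not
# carried over into the certificate. (-trustout from the thread is omitted.)
openssl x509 -req -signkey ca.key -days 365 -in ca.csr -out plain.pem 2>/dev/null

# Signing with the extensions written again at signing time.
openssl x509 -req -signkey ca.key -days 365 -in ca.csr -out ext.pem \
    -extfile openssl.cnf -extensions v3_ca 2>/dev/null

# Report whether a certificate carries the CA:TRUE basic constraint.
has_ca_true() {
    if openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'; then
        echo yes
    else
        echo no
    fi
}

echo "plain.pem CA:TRUE: $(has_ca_true plain.pem)"
echo "ext.pem   CA:TRUE: $(has_ca_true ext.pem)"
```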