certificate extension

Douglas E. Engert deengert at anl.gov
Tue Jun 3 09:41:04 EDT 2008



naveen.bn wrote:
> Hi all,
> I have a problem in retaining the X509 extension in the end certificate which will be submitted to kdc.
> I generate the certificate using the openssl tool; this is what it looks like.
> 
> 
>  openssl req -new -newkey rsa:1024 -nodes -config openssl.cnf -out ca.csr -keyout ca.key 
> 
> Output is the ca.csr file, which looks like
> 
> openssl req -text -noout -in ca.csr
> Certificate Request:
>     Data:
>         Version: 0 (0x0)
>         Subject: C=in, O=dfds, OU=fds, CN=f
>         Subject Public Key Info:
>             Public Key Algorithm: rsaEncryption
>             RSA Public Key: (1024 bit)
>                 Modulus (1024 bit):
>                     00:b8:d7:57:3b:de:28:38:9e:0f:cc:04:c6:29:46:
>                     47:42:ee:d9:a4:0b:4e:af:9e:e9:e7:9a:dd:2f:96:
>                     c6:fc:72:d1:a5:7b:dc:1e:98:f7:2f:7b:b8:23:55:
>                     41:de:00:e7:06:95:36:c8:31:ba:a4:99:19:f6:93:
>                     ca:0b:a3:51:b0:bd:df:3b:37:5d:d1:b6:a4:2f:74:
>                     9c:03:00:db:e5:4a:9e:22:a6:d8:0f:ff:87:a7:4f:
>                     71:64:2f:c1:1e:cc:03:c9:ae:83:da:0f:56:62:ef:
>                     a8:27:fa:2d:00:26:d6:e4:19:89:af:f3:23:bb:43:
>                     1f:32:1f:ac:da:eb:79:41:3d
>                 Exponent: 65537 (0x10001)
>         Attributes:
>         Requested Extensions:
>             X509v3 Basic Constraints: 
>                 CA:TRUE
>             X509v3 Key Usage: 
>                 Digital Signature, Non Repudiation, Key Encipherment
>     Signature Algorithm: sha1WithRSAEncryption
>         af:9e:41:62:06:95:2a:60:b2:cc:0d:cf:a1:99:ce:f1:71:74:
>         cc:bd:2f:a1:53:10:53:45:3e:5f:db:93:06:90:7d:b5:74:36:
>         2e:66:93:bf:14:59:f0:ec:fd:3c:20:36:a1:35:6a:d1:6c:47:
>         d7:81:fd:48:50:6b:01:10:ca:fd:c6:d4:cb:0e:2b:17:f5:3b:
>         d3:61:69:1b:94:29:d8:12:91:af:15:4c:b1:27:35:ef:dc:82:
>         cd:d2:1d:c8:13:4a:3b:19:ee:4d:b7:fa:c7:1a:c3:7a:d5:73:
>         69:1d:ac:a8:1b:2f:b6:fa:08:f0:a2:bf:67:d1:76:00:d5:98:
>         78:91
> Now I can see the x509 extension, but after the ca.csr is used to generate a ca.pem certificate,
> I am not able to see the x509 extension. Will this certificate be valid to use with krb5-1.6.3 with
> pkinit?
> openssl x509 -trustout -signkey ca.key -days 365 -req -in ca.csr -out ca.pem

You did not include the -config openssl.cnf. Extensions in a request are only
suggestions. They may or may not be copied to the cert. The openssl.conf can
specify what extensions will be in the cert.

See the OpenSSL apps/CA.sh script on how to create a demo CA and use the openssl.cnf
to create a CA cert and sign user requests.

> openssl x509 -text -noout -in ca.pem
> Certificate:
>     Data:
>         Version: 1 (0x0)
>         Serial Number:
>             b5:0f:de:82:c6:24:be:1a
>         Signature Algorithm: sha1WithRSAEncryption
>         Issuer: C=in, O=dfds, OU=fds, CN=f
>         Validity
>             Not Before: Jun  3 11:17:23 2008 GMT
>             Not After : Jun  3 11:17:23 2009 GMT
>         Subject: C=in, O=dfds, OU=fds, CN=f
>         Subject Public Key Info:
>             Public Key Algorithm: rsaEncryption
>             RSA Public Key: (1024 bit)
>                 Modulus (1024 bit):
>                     00:b8:d7:57:3b:de:28:38:9e:0f:cc:04:c6:29:46:
>                     47:42:ee:d9:a4:0b:4e:af:9e:e9:e7:9a:dd:2f:96:
>                     c6:fc:72:d1:a5:7b:dc:1e:98:f7:2f:7b:b8:23:55:
>                     41:de:00:e7:06:95:36:c8:31:ba:a4:99:19:f6:93:
>                     ca:0b:a3:51:b0:bd:df:3b:37:5d:d1:b6:a4:2f:74:
>                     9c:03:00:db:e5:4a:9e:22:a6:d8:0f:ff:87:a7:4f:
>                     71:64:2f:c1:1e:cc:03:c9:ae:83:da:0f:56:62:ef:
>                     a8:27:fa:2d:00:26:d6:e4:19:89:af:f3:23:bb:43:
>                     1f:32:1f:ac:da:eb:79:41:3d
>                 Exponent: 65537 (0x10001)
>     Signature Algorithm: sha1WithRSAEncryption
>         2d:5b:be:a5:af:cb:ee:a8:17:34:bf:44:e6:9e:05:df:cd:bb:
>         79:3b:9f:8b:72:90:5c:d6:94:e4:6b:6a:58:af:36:ea:fd:a6:
>         e2:2b:81:de:2c:c4:f8:00:05:60:4a:0b:c0:17:fe:a3:11:79:
>         67:09:4b:ac:d6:92:0c:28:ef:2c:5f:92:ba:d7:08:54:06:4c:
>         0f:ca:a0:93:10:66:2d:2c:54:36:d8:eb:bb:58:84:32:52:f4:
>         f6:ff:ce:33:c9:72:f4:fc:c0:f5:7c:5e:6b:d3:2d:a7:ed:ff:
>         36:90:28:c1:fb:e2:77:b4:82:3a:41:27:f1:83:51:e2:d0:35:
>         b0:51
> 
> Can someone help out with this.
> Thank you
> naveen
> 
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
> 
> 

-- 

  Douglas E. Engert  <DEEngert at anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
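An added example, not code from either poster, that reproduces the point Douglas makes: the `Requested Extensions` in a CSR are only a suggestion, and `openssl x509 -req` emits exactly what its own `-extfile`/`-extensions` configuration says, nothing more. The openssl.cnf below is constructed for this example (a `[req_ext]` section for what the request asks and a `[ca_ext]` section for what the signer issues), the function names are mine, and it signs the same CSR twice, once as in the thread and once with `-extfile`, then inspects both certificates. It assumes an `openssl` binary on PATH and uses a 2048-bit key instead of the thread's 1024 to stay within current OpenSSL security levels.

```shell
#!/bin/sh
# Added example (not code from the original thread). Reproduces the
# behaviour described in the reply: extensions requested in a CSR are
# only suggestions, and `openssl x509 -req` emits only what its own
# config (-extfile/-extensions) tells it to. Runs in a throw-away
# temp dir; the config below is constructed for this example.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Constructed openssl.cnf: [req_ext] is what the CSR *asks* for,
# [ca_ext] is what the signer actually *issues*.
cat > "$WORK/openssl.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt             = no
req_extensions     = req_ext

[ dn ]
C  = in
O  = dfds
OU = fds
CN = f

[ req_ext ]
basicConstraints = CA:TRUE
keyUsage         = digitalSignature, nonRepudiation, keyEncipherment

[ ca_ext ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF

# Same request as in the thread (2048-bit key instead of 1024 for
# current OpenSSL security levels); key-generation noise is silenced.
make_csr() {
    openssl req -new -newkey rsa:2048 -nodes -config "$WORK/openssl.cnf" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.csr" 2>/dev/null
}

# The signing command from the thread: no -extfile, so the CSR's
# "Requested Extensions" are not carried into the certificate.
sign_without_extfile() {
    openssl x509 -req -in "$WORK/ca.csr" -signkey "$WORK/ca.key" -days 365 \
        -out "$WORK/ca-plain.pem" 2>/dev/null
}

# Same command plus -extfile/-extensions: the signer's [ca_ext]
# section decides what ends up in the certificate.
sign_with_extfile() {
    openssl x509 -req -in "$WORK/ca.csr" -signkey "$WORK/ca.key" -days 365 \
        -extfile "$WORK/openssl.cnf" -extensions ca_ext \
        -out "$WORK/ca-ext.pem" 2>/dev/null
}

# Print the certificate's X.509 version number (1 or 3).
cert_version() {
    openssl x509 -in "$1" -noout -text | sed -n 's/^ *Version: \([0-9]*\).*/\1/p'
}

# Print one X509v3 extension name per line, e.g. "Basic Constraints".
# Empty output means the certificate carries no extensions at all.
list_extensions() {
    openssl x509 -in "$1" -noout -text \
        | sed -n -e '/X509v3 extensions:/d' -e 's/^ *X509v3 \(.*\):.*/\1/p'
}

# True (exit 0) when the certificate asserts basicConstraints CA:TRUE,
# which a PKINIT trust anchor must carry.
is_ca_cert() {
    openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'
}

make_csr
sign_without_extfile
sign_with_extfile

echo "CSR requested:"
openssl req -in "$WORK/ca.csr" -noout -text \
    | sed -n '/Requested Extensions/,/Signature Algorithm/p'
echo "without -extfile: v$(cert_version "$WORK/ca-plain.pem")," \
     "extensions: [$(list_extensions "$WORK/ca-plain.pem" | tr '\n' ' ')]"
echo "with    -extfile: v$(cert_version "$WORK/ca-ext.pem")," \
     "extensions: [$(list_extensions "$WORK/ca-ext.pem" | tr '\n' ' ')]"
```

The checks look only for the two extensions the CSR requested (Basic Constraints and Key Usage), so the result is the same whichever key-identifier extensions a given OpenSSL version adds on its own: without `-extfile` neither requested extension appears, with `-extfile -extensions ca_ext` the certificate is v3 and carries `CA:TRUE`. The `[ca_ext]` section is also where a CA operator should make the choice the thread leaves implicit, namely restricting a CA certificate's key usage to certificate and CRL signing rather than copying the end-entity usages from the request.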