Re: certificate extension





naveen.bn wrote:
Hi all,
I have a problem in retaining the X509 extension in the end certificate which will be submitted to kdc.
I generate the certificate using the openssl tool; this is what it looks like.


openssl req -new -newkey rsa:1024 -nodes -config openssl.cnf -out ca.csr -keyout ca.key

The output is the ca.csr file, which looks like

openssl req -text -noout -in ca.csr
Certificate Request:
Data:
Version: 0 (0x0)
Subject: C=in, O=dfds, OU=fds, CN=f
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (1024 bit)
Modulus (1024 bit):
00:b8:d7:57:3b:de:28:38:9e:0f:cc:04:c6:29:46:
47:42:ee:d9:a4:0b:4e:af:9e:e9:e7:9a:dd:2f:96:
c6:fc:72:d1:a5:7b:dc:1e:98:f7:2f:7b:b8:23:55:
41:de:00:e7:06:95:36:c8:31:ba:a4:99:19:f6:93:
ca:0b:a3:51:b0:bd:df:3b:37:5d:d1:b6:a4:2f:74:
9c:03:00:db:e5:4a:9e:22:a6:d8:0f:ff:87:a7:4f:
71:64:2f:c1:1e:cc:03:c9:ae:83:da:0f:56:62:ef:
a8:27:fa:2d:00:26:d6:e4:19:89:af:f3:23:bb:43:
1f:32:1f:ac:da:eb:79:41:3d
Exponent: 65537 (0x10001)
Attributes:
Requested Extensions:
X509v3 Basic Constraints: CA:TRUE
X509v3 Key Usage: Digital Signature, Non Repudiation, Key Encipherment
Signature Algorithm: sha1WithRSAEncryption
af:9e:41:62:06:95:2a:60:b2:cc:0d:cf:a1:99:ce:f1:71:74:
cc:bd:2f:a1:53:10:53:45:3e:5f:db:93:06:90:7d:b5:74:36:
2e:66:93:bf:14:59:f0:ec:fd:3c:20:36:a1:35:6a:d1:6c:47:
d7:81:fd:48:50:6b:01:10:ca:fd:c6:d4:cb:0e:2b:17:f5:3b:
d3:61:69:1b:94:29:d8:12:91:af:15:4c:b1:27:35:ef:dc:82:
cd:d2:1d:c8:13:4a:3b:19:ee:4d:b7:fa:c7:1a:c3:7a:d5:73:
69:1d:ac:a8:1b:2f:b6:fa:08:f0:a2:bf:67:d1:76:00:d5:98:
78:91
Now I can see the X509 extension, but after the ca.csr is used to generate a ca.pem certificate, I am not able to see the X509 extension. Will this certificate be valid to use with krb5-1.6.3 with pkinit?
openssl x509 -trustout -signkey ca.key -days 365 -req -in ca.csr -out ca.pem

You did not include the -config openssl.cnf. Extensions in a request are only
suggestions. They may or may not be copied to the cert. The openssl.conf can
specify what extensions will be in the cert.

See the OpenSSL apps/CA.sh script on how to create a demo CA and use the openssl.cnf
to create a CA cert and sign user requests.

openssl x509 -text -noout -in ca.pem
Certificate:
Data:
Version: 1 (0x0)
Serial Number:
b5:0f:de:82:c6:24:be:1a
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=in, O=dfds, OU=fds, CN=f
Validity
Not Before: Jun 3 11:17:23 2008 GMT
Not After : Jun 3 11:17:23 2009 GMT
Subject: C=in, O=dfds, OU=fds, CN=f
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (1024 bit)
Modulus (1024 bit):
00:b8:d7:57:3b:de:28:38:9e:0f:cc:04:c6:29:46:
47:42:ee:d9:a4:0b:4e:af:9e:e9:e7:9a:dd:2f:96:
c6:fc:72:d1:a5:7b:dc:1e:98:f7:2f:7b:b8:23:55:
41:de:00:e7:06:95:36:c8:31:ba:a4:99:19:f6:93:
ca:0b:a3:51:b0:bd:df:3b:37:5d:d1:b6:a4:2f:74:
9c:03:00:db:e5:4a:9e:22:a6:d8:0f:ff:87:a7:4f:
71:64:2f:c1:1e:cc:03:c9:ae:83:da:0f:56:62:ef:
a8:27:fa:2d:00:26:d6:e4:19:89:af:f3:23:bb:43:
1f:32:1f:ac:da:eb:79:41:3d
Exponent: 65537 (0x10001)
Signature Algorithm: sha1WithRSAEncryption
2d:5b:be:a5:af:cb:ee:a8:17:34:bf:44:e6:9e:05:df:cd:bb:
79:3b:9f:8b:72:90:5c:d6:94:e4:6b:6a:58:af:36:ea:fd:a6:
e2:2b:81:de:2c:c4:f8:00:05:60:4a:0b:c0:17:fe:a3:11:79:
67:09:4b:ac:d6:92:0c:28:ef:2c:5f:92:ba:d7:08:54:06:4c:
0f:ca:a0:93:10:66:2d:2c:54:36:d8:eb:bb:58:84:32:52:f4:
f6:ff:ce:33:c9:72:f4:fc:c0:f5:7c:5e:6b:d3:2d:a7:ed:ff:
36:90:28:c1:fb:e2:77:b4:82:3a:41:27:f1:83:51:e2:d0:35:
b0:51

Can someone help out with this?
Thank you
naveen




--

Douglas E. Engert <DEEngert@xxxxxxx>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
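
Added example (not part of the original messages, and not code from the poster or from OpenSSL): the same CSR is self-signed once as in the question and once with the extension section named through -extfile/-extensions, then each result is checked for CA:TRUE. The config contents, the section name v3_ca, the subject values and the function names are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example. Values in the config below are constructed, not the poster's openssl.cnf.
# RSA 2048 / SHA-256 replace the thread's 2008-era rsa:1024 / sha1 defaults.

write_cnf() {   # $1 = path of the config file to create
    cat > "$1" <<'EOF'
[ req ]
distinguished_name = dn
prompt             = no
req_extensions     = v3_ca

[ dn ]
C  = IN
O  = Example Org
CN = Example Test CA

[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage         = critical, keyCertSign, cRLSign
EOF
}

# build_ca DIR MODE: create DIR/ca.key, DIR/ca.csr and a self-signed DIR/ca.pem.
# MODE "plain" signs as in the thread; MODE "extfile" names the extension section.
build_ca() {
    ca_dir=$1; ca_mode=$2
    write_cnf "$ca_dir/openssl.cnf"
    openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$ca_dir/openssl.cnf" \
        -out "$ca_dir/ca.csr" -keyout "$ca_dir/ca.key" 2>/dev/null || return 1
    set -- -req -in "$ca_dir/ca.csr" -signkey "$ca_dir/ca.key" -days 365 -sha256
    if [ "$ca_mode" = extfile ]; then
        set -- "$@" -extfile "$ca_dir/openssl.cnf" -extensions v3_ca
    fi
    openssl x509 "$@" -out "$ca_dir/ca.pem" 2>/dev/null
}

# Exit status 0 when the request / certificate carries Basic Constraints CA:TRUE.
csr_requests_ca() { openssl req  -in "$1" -noout -text | grep -q 'CA:TRUE'; }
cert_is_ca()      { openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'; }

tmp=$(mktemp -d)
for m in plain extfile; do
    build_ca "$tmp" "$m" || continue
    if cert_is_ca "$tmp/ca.pem"; then echo "$m: CA:TRUE in certificate"
    else echo "$m: CA:TRUE missing from certificate"; fi
done
rm -rf "$tmp"
```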