On Tuesday, 3 June 2008, naveen.bn wrote:
> Hi all,
> I have a problem in retaining the X509 extensions in the end certificate
> which will be submitted to the KDC. I generate the certificate using the
> openssl tool; this is what it looks like:
> openssl req -new -newkey rsa:1024 -nodes -config openssl.cnf -out ca.csr
> -keyout ca.key
> The output is the ca.csr file, which looks like:
> openssl req -text -noout -in ca.csr
> Certificate Request:
> Data:

> Requested Extensions:
> X509v3 Basic Constraints:
> X509v3 Key Usage:
> Digital Signature, Non Repudiation, Key Encipherment


> Now I can see the X509 extensions, but after the ca.csr is used to generate a
> ca.pem certificate I am not able to see the X509 extensions. Will this
> certificate be valid to use with krb5-1.6.3 with pkinit?
> openssl x509 -trustout -signkey ca.key -days 365 -req -in ca.csr -out

Hmm, I use the "openssl ca" command to sign requests. There you also have the
option -config, and you need to write the extensions into the config again for
the signing process (e.g. in the [ v3_ca ] section).

The idea behind this (as I understand it :-):

A user "requests" some extensions, but the CA is the only authority that
can "allow" them into the final certificate.

A UI would show the requested extensions, and the CA would be able to accept or
reject them (and add more if required).


> Can some one help out with this .


Michael Calmer

SUSE LINUX Products GmbH, Maxfeldstr. 5, D-90409 Nuernberg
T: +49 (0) 911 74053 0
F: +49 (0) 911 74053575 - e-mail: Michael.Calmer@suse.com
SUSE LINUX Products GmbH, GF: Markus Rex, HRB 16746 (AG Nürnberg)
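As an added example (not part of the original thread, and not SUSE's or OpenSSL's own code), the script below reproduces the effect described above. It builds a CSR that requests Basic Constraints and Key Usage, signs it once exactly as in the question (openssl x509 -req with no extension source) and once with the signer's own config section, then checks which certificate actually carries the extensions. It uses openssl x509 -req with -extfile/-extensions rather than openssl ca because that needs no CA database; the principle is the same. The file names, the CN and the section names req_ext and v3_ca are assumptions for the demo.

```shell
#!/bin/sh
# Added example: requested CSR extensions are not copied into the certificate
# by default; the signer must supply them from its own configuration.
set -eu

# Scratch directory; all file names below are assumptions for this demo.
WORK="${WORK:-$(mktemp -d)}"

# One config with two jobs: [ req_ext ] is what the requester asks for,
# [ v3_ca ] is what the signer decides to grant (the thread's "[ v3_ca ] section").
write_config() {
    cat > "$WORK/openssl.cnf" <<'EOF'
[ req ]
distinguished_name = dn
req_extensions     = req_ext
prompt             = no

[ dn ]
CN = pkinit-demo

[ req_ext ]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature, nonRepudiation, keyEncipherment

[ v3_ca ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
}

# Generate key and CSR; the CSR carries the [ req_ext ] extensions as a request.
make_csr() {
    openssl req -new -newkey rsa:2048 -nodes -config "$WORK/openssl.cnf" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.csr" 2>/dev/null
}

# Sign as in the question: no -extfile, so the signer grants nothing.
sign_without_extensions() {
    openssl x509 -req -in "$WORK/ca.csr" -signkey "$WORK/ca.key" -days 365 \
        -out "$WORK/ca-noext.pem" 2>/dev/null
}

# Sign again, naming the config section the signer wants applied.
sign_with_extensions() {
    openssl x509 -req -in "$WORK/ca.csr" -signkey "$WORK/ca.key" -days 365 \
        -extfile "$WORK/openssl.cnf" -extensions v3_ca \
        -out "$WORK/ca-ext.pem" 2>/dev/null
}

# has_extension <req|x509> <file> <name>: prints yes/no depending on whether
# "X509v3 <name>" appears in the -text dump of a CSR (req) or certificate (x509).
has_extension() {
    if openssl "$1" -in "$2" -noout -text | grep -q "X509v3 $3"; then
        echo yes
    else
        echo no
    fi
}

run_demo() {
    write_config
    make_csr
    sign_without_extensions
    sign_with_extensions
    echo "CSR requests Key Usage:          $(has_extension req  "$WORK/ca.csr" 'Key Usage')"
    echo "cert (no -extfile) Key Usage:    $(has_extension x509 "$WORK/ca-noext.pem" 'Key Usage')"
    echo "cert (-extensions v3_ca) KU:     $(has_extension x509 "$WORK/ca-ext.pem" 'Key Usage')"
    echo "cert (-extensions v3_ca) BC:     $(has_extension x509 "$WORK/ca-ext.pem" 'Basic Constraints')"
}

if command -v openssl >/dev/null 2>&1; then
    run_demo
else
    echo "openssl not installed; nothing to demonstrate" >&2
fi
```

The same rule holds for openssl ca: the extensions written into the certificate come from the section named by -extensions, or by x509_extensions in the [ ca ] configuration, not from the CSR, unless copy_extensions is set in that configuration. If copying is enabled, the CA should still inspect what was requested before signing, since a requester could otherwise ask for CA:TRUE or keyCertSign and receive it.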