naveen.bn wrote:
> Hi all,
> I have a problem in retaining the X509 extension in the end certificate which will be submitted to the KDC.
> I generate the certificate using the openssl tool; this is what it looks like.
>
>
> openssl req -new -newkey rsa:1024 -nodes -config openssl.cnf -out ca.csr -keyout ca.key
>
> Output is the ca.csr file, which looks like:
>
> openssl req -text -noout -in ca.csr
> Certificate Request:
> Data:
> Version: 0 (0x0)
> Subject: C=in, O=dfds, OU=fds, CN=f
> Subject Public Key Info:
> Public Key Algorithm: rsaEncryption
> RSA Public Key: (1024 bit)
> Modulus (1024 bit):
> Exponent: 65537 (0x10001)
> Attributes:
> Requested Extensions:
> X509v3 Basic Constraints:
> CA:TRUE
> X509v3 Key Usage:
> Digital Signature, Non Repudiation, Key Encipherment
> Signature Algorithm: sha1WithRSAEncryption
> Now I can see the X509 extension, but after the ca.csr is used to generate a ca.pem certificate,
> I am not able to see the X509 extension. Will this certificate be valid to use with krb5-1.6.3 with
> PKINIT?
> openssl x509 -trustout -signkey ca.key -days 365 -req -in ca.csr -out ca.pem


You did not include the -config openssl.cnf. Extensions in a request are only
suggestions. They may or may not be copied to the cert. The openssl.cnf can
specify what extensions will be in the cert.

See the OpenSSL apps/CA.sh script on how to create a demo CA and use the openssl.cnf
to create a CA cert and sign user requests.

> openssl x509 -text -noout -in ca.pem
> Certificate:
> Data:
> Version: 1 (0x0)
> Serial Number:
> b5:0f:de:82:c6:24:be:1a
> Signature Algorithm: sha1WithRSAEncryption
> Issuer: C=in, O=dfds, OU=fds, CN=f
> Validity
> Not Before: Jun 3 11:17:23 2008 GMT
> Not After : Jun 3 11:17:23 2009 GMT
> Subject: C=in, O=dfds, OU=fds, CN=f
> Subject Public Key Info:
> Public Key Algorithm: rsaEncryption
> RSA Public Key: (1024 bit)
> Modulus (1024 bit):
> Exponent: 65537 (0x10001)
> Signature Algorithm: sha1WithRSAEncryption
>
> Can someone help out with this.
> Thank you
> naveen
>
> ________________________________________________
> Kerberos mailing list Kerberos@mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
>
>


--

Douglas E. Engert
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
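The behaviour Douglas describes, shown end to end as an added example (not code from the thread or from OpenSSL): the CSR requests CA:TRUE, `openssl x509 -req` alone drops it, and only an extension profile handed to the signer via -extfile/-extensions puts it in the certificate. It assumes the openssl CLI is on PATH; all file names (req.cnf, ext.cnf, demo.key, demo.csr, plain.pem, ca.pem) are made up here.

```shell
# Added example (not from the thread): carry CA extensions into a
# self-signed certificate. Assumes the openssl CLI is on PATH; every file
# name below (req.cnf, ext.cnf, demo.key, demo.csr, ...) is made up here.
set -eu
WORK=$(mktemp -d)

# Request config: the CSR asks for CA:TRUE, just as in the original post.
cat > "$WORK/req.cnf" <<'EOF'
[ req ]
prompt = no
distinguished_name = dn
req_extensions = csr_ext
[ dn ]
CN = demo-ca
[ csr_ext ]
basicConstraints = CA:TRUE
EOF

# Signer profile: this, not the CSR, decides what ends up in the cert.
cat > "$WORK/ext.cnf" <<'EOF'
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, digitalSignature, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF

openssl req -new -newkey rsa:2048 -nodes -config "$WORK/req.cnf" \
  -keyout "$WORK/demo.key" -out "$WORK/demo.csr" 2>/dev/null

# As in the post: no extension source, so the requested extension is dropped.
sign_plain() {
  openssl x509 -req -days 365 -in "$WORK/demo.csr" -signkey "$WORK/demo.key" \
    -out "$WORK/plain.pem" 2>/dev/null
}

# With -extfile/-extensions the signer applies the v3_ca profile.
sign_with_ext() {
  openssl x509 -req -days 365 -in "$WORK/demo.csr" -signkey "$WORK/demo.key" \
    -extfile "$WORK/ext.cnf" -extensions v3_ca -out "$WORK/ca.pem" 2>/dev/null
}

# Succeeds only if the certificate carries Basic Constraints with CA:TRUE,
# which is what a trust anchor for PKINIT needs; -text output lets you check it.
cert_is_ca() {
  openssl x509 -in "$1" -noout -text | grep -A1 'Basic Constraints' | grep -q 'CA:TRUE'
}

sign_plain
sign_with_ext
```

Run `cert_is_ca "$WORK/plain.pem"` and `cert_is_ca "$WORK/ca.pem"` afterwards: the first fails, the second succeeds, which is exactly the difference naveen saw between the CSR and the signed ca.pem.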