This is a discussion on Re: openssl ca - configuration file options - oid_section (0.9.8b) - Openssl ; On Thu, Aug 31, 2006, Simon McMahon wrote: > Hi, > > I must have something wrong in the configuration file and there dont seem > to be samples to cover additional OIDs. I just want to know how to ...
On Thu, Aug 31, 2006, Simon McMahon wrote:
> I must have something wrong in the configuration file and there dont seem
> to be samples to cover additional OIDs. I just want to know how to use the
> 'oid_section' in the openssl.cnf file correctly. Btw, I am simply adding
> the OCSPsigning extendedKeyUsage attribute to the cert. I can do that but
> not using the oid that I defined.
> I tried adding the following lines to the standard (supplied) openssl.cnf
> [ CA_default ]
> oid_section = oids
> [ oids ]
> OCSPsigning = 220.127.116.11.18.104.22.168.9
> [ ocsp_cert ]
> extendedKeyUsage = OCSPsigning
> Note: the sections have other stuff in them also - I am just showing the
> Then running:
> openssl ca -in csr.pem -out xcert.pem -extensions ocsp_cert
> gives output:
> Error Loading extension section ocsp_cert
> 2920:error:0D06407A:asn1 encoding routines:a2d_ASN1_OBJECT:first num too
> 2920:error:2206706E:X509 V3 routines:V2I_EXTENDED_KEY_USAGE:invalid object
> ifier:.\crypto\x509v3\v3_extku.c:135:section:,name :OCSPsigning,value:
> 2920:error:22098080:X509 V3 routines:X509V3_EXT_nconf:error in
> o\x509v3\v3_conf.c:93:name=extendedKeyUsage, value=OCSPsigning
> If I switch to:
> [ ocsp_cert ]
> extendedKeyUsage = 22.214.171.124.126.96.36.199.9
> It works fine giving output:
> Certificate Details:
> X509v3 extensions:
> X509v3 Extended Key Usage:
> OCSP Signing
> How do I get the oid_section to work so I can use those oids that I
First this should be in openssl-users...
The old oid_section stuff is now obsolete. The preferred method is via the
config module section which then works for all the openssl utility
applications and other config module savvy apps too.
for details and examples. However the OID is already part of OpenSSL so it
doesn't need to be added: it is called "OCSPSigning" though.
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
OpenSSL Project http://www.openssl.org
Development Mailing List firstname.lastname@example.org
Automated List Manager email@example.com