[openssl-users] How to add CT Precertificate SCTs to a server certificate?

Viktor Dukhovni openssl-users at dukhovni.org
Mon Apr 20 15:51:58 UTC 2015


On Mon, Apr 20, 2015 at 01:57:47PM +0000, Salz, Rich wrote:

> > How do we use `openssl req` and a CONF file to add the information
> > (assuming we already have the certified timestamps)?
> 
> Ouch, that's gonna be nasty.  Look at ASN1_generate_nconf.pod.  Most likely have to use the SEQUENCE type, recursively.  Ouch indeed.
> 
> A patch to let you specify the DER directly would be useful.

No patch required:

    http://web.mit.edu/crypto/openssl.cnf

    # DER hex encoding of an extension: beware experts only!
    # obj=DER:02:03
    # Where 'obj' is a standard or added object
    # You can even override a supported extension:
    # basicConstraints= critical, DER:30:03:01:01:FF

-- 
	Viktor.
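
Added example (not part of the original message and not OpenSSL code): a way to produce the `DER:` line described above for the embedded SCT list extension, so it can be pasted into the extension section of the CONF file. It assumes the RFC 6962 section 3.3 layout (OID 1.3.6.1.4.1.11129.2.4.2, a DER OCTET STRING wrapping the TLS-encoded SCT list); the function names are hypothetical and the sample SCT bytes are constructed placeholders.

```python
# Added example: build the openssl.cnf "DER:" line for the embedded SCT list
# extension. Layout assumed from RFC 6962 section 3.3; names are hypothetical.

SCT_LIST_OID = "1.3.6.1.4.1.11129.2.4.2"  # embedded SCT list extension OID


def der_length(n: int) -> bytes:
    """DER definite length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tls_sct_list(scts: list[bytes]) -> bytes:
    """TLS-encode SignedCertificateTimestampList: every SerializedSCT and the
    list as a whole carry a 2-byte big-endian length prefix."""
    if not scts:
        raise ValueError("the list must contain at least one SCT")
    items = b""
    for sct in scts:
        if not 1 <= len(sct) <= 0xFFFF:
            raise ValueError("each SerializedSCT must be 1..65535 bytes")
        items += len(sct).to_bytes(2, "big") + sct
    if len(items) > 0xFFFF:
        raise ValueError("SCT list exceeds 65535 bytes")
    return len(items).to_bytes(2, "big") + items


def sct_extension_line(scts: list[bytes]) -> str:
    """Return 'OID = DER:..'; the DER value is an OCTET STRING (tag 0x04)
    wrapping the TLS-encoded list, which becomes the extension's extnValue."""
    payload = tls_sct_list(scts)
    der = b"\x04" + der_length(len(payload)) + payload
    return f"{SCT_LIST_OID} = DER:" + ":".join(f"{b:02X}" for b in der)


if __name__ == "__main__":
    # Constructed placeholder bytes, not real SCTs; real ones come from CT logs
    # in response to the submitted precertificate.
    print(sct_extension_line([bytes(range(4)), b"\xAA" * 3]))
```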

