[openssl-users] Certificate template information

Franks Andy (IT Technical Architecture Manager) Andy.Franks at sath.nhs.uk
Tue Apr 28 08:08:48 UTC 2015


Thanks Rich, Jakob. 
So, can I use openssl as it is to query the values of the extension on an existing certificate do you think? The usual issue seems that people want to use openssl to form a request and insert the ms CA template name in there otherwise it complains. I don't want to do that, I want to take a presented certificate (to freeradius) and perform something in the shell that will check  against acceptable template names (and that the certificate chains properly, but that's not a problem).
I can't find anything on google citing that someone has achieved it so far.
Thanks again.
Andy

-----Original Message-----
From: openssl-users [mailto:openssl-users-bounces at openssl.org] On Behalf Of Jakob Bohm
Sent: 28 April 2015 04:17
To: openssl-users at openssl.org
Subject: Re: [openssl-users] Certificate template information

On 28/04/2015 02:59, Salz, Rich wrote:
>> I have need to identify a Microsoft generated certificate's template name, I believe as part of oid 1.3.6.1.4.1.311.21.7
> Where, in a cert OtherName field?
It is an extension.  Microsoft certificate server (their
bundled CA software) puts the name of the "certificate
template" (analogous to an openssl.cnf section) in a
certificate extension, and a few other Microsoft tools
unfortunately check this name in addition to more
relevant conditions such as EKU values etc.

The form I know of can be implemented as follows in
openssl.cnf (in the [sometemplatename_cert] section of
the file):

#     enrollCerttypeExtension (1 3 6 1 4 1 311 20 2)
#   OCTET STRING, encapsulates {
#     BMPString 'SomeTemplateName'
#     }
#   }
1.3.6.1.4.1.311.20.2 = ASN1:BMP:SomeTemplateName

I am not sure about the 1.3.6.1.4.1.311.21.7 OID, but it
might be similar.

Enjoy

Jakob
-- 
Jakob Bohm, CIO, Partner, WiseMo A/S.  http://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded

_______________________________________________
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users


More information about the openssl-users mailing list