[openssl-users] An example issuing an intermediate CA with policy mappings?

Dave Coombs dcoombs at carillon.ca
Wed Sep 26 13:10:15 UTC 2018

> On Sep 25, 2018, at 14:34, Krehbiel, Richard <rkrehbiel at kastle.com> wrote:
> For my testing I want to explore the behaviors of policies, policy constraints, and policy mappings.  I have figured out how to request and issue certs with custom policy OIDs, but I haven't yet seen a method of granting an intermediate cert with policy mappings.   Can openssl do this?  How?  Thanks.

Yes, I've used "openssl ca" to make certs with policy mappings in the past.  Try something like this in your openssl.cnf, for use with "openssl ca -extensions test_ext" for example.  (I haven't tested with these exact values, but it should be a starting point.)

oid_section = new_oids

issuerOID = Issuer Domain Policy,
subjectOID = Subject Domain Policy,

policyMappings = @policy_mappings

issuerOID = subjectOID

And if you want to map more than one subject domain policy OID to the same issuer domain policy OID, you can use issuerOID.0, issuerOID.1, issuerOID.2, etc, to differentiate them in the policy_mappings section.

Good luck,

More information about the openssl-users mailing list