Additional Request Attributes - HOWTO?

Hi all,

I read the section in the "documentation" about adding attributes to the certificate and I am still a little unclear. So I am hoping for a sanity check. I have 3 attributes I am adding but I'll just provide an example of one to give you an idea. I have added them to the browser_req.xml.template like so:

Under User Data Section....

<input>
    <name>ADDITIONAL_ATTRIBUTE_EIN</name>
    <label>Employee Number</label>
    <type>textfield</type>
    <charset>NUMERIC</charset>
    <value></value>
    <minlen>6</minlen>
    <required>YES</required>
</input>

I'm not sure if it should be added to the DN or the SUBJALT section farther down in the template (or both)????????

I then modified the server_req.xml.template (since we usually do server-side generation)

<input>
    <name>ADDITIONAL_ATTRIBUTE_EIN</name>
    <label>employeeID</label>
    <type>textfield</type>
    <charset>NUMERIC</charset>
    <value></value>
    <minlen>6</minlen>
    <required>YES</required>
</input>

ADDITIONAL_REQUEST_ATTRIBUTES "requestercn" "email" "employeeID" "company" "department" "telephone" "citizenship"
ADDITIONAL_ATTRIBUTES_DISPLAY_VALUE "Name (first and Last name)" "Email" "Employee Number" "Company" "Department" "Telephone" "Citizenship"
ADDITIONAL_REQUEST_ATTRIBUTES_STRING_TYPE "LATIN1_LETTERS" "EMAIL" "NUMERIC" "LATIN1_LETTERS" "LATIN1_LETTERS" "LATIN1_LETTERS" "LATIN1_LETTERS"

Similar changes were made to servers/pub.conf.template

I made the following to servers/ra.conf.template

DN_TYPE_SPKAC_ELEMENTS "emailAddress" "CN" "OU" "DC" "DC" "DC" "employeeID" "company" "citizenship"

DN_TYPE_SPKAC_ELEMENT_4 "Employee Number"
DN_TYPE_SPKAC_ELEMENT_4_MINIMUM_LENGTH 6
DN_TYPE_SPKAC_ELEMENT_4_REQUIRED "YES"
DN_TYPE_SPKAC_ELEMENT_4_CHARACTERSET "NUMERIC"

DN_TYPE_IE_ELEMENTS "emailAddress" "CN" "OU" "DC" "DC" "DC" "employeeID" "company" "citizenship"

DN_TYPE_IE_ELEMENT_4 "Employee Number"
DN_TYPE_IE_ELEMENT_4_MINIMUM_LENGTH 6
DN_TYPE_IE_ELEMENT_4_REQUIRED "YES"
DN_TYPE_IE_ELEMENT_4_CHARACTERSET "NUMERIC"

Similar changes were made to servers/ca.conf.template

Then I went into the openssl.cnf stuff modifying the specific profile as (in this case VPN_User.conf.template):

[ new_oids ]

pseudonym=2.5.4.65
domainComponent=0.9.2342.19200300.100.1.25
employeeID=1.3.6.1.4.1.5643.2.0.4
citizenship=1.3.6.1.5.5.7.9.4
company=1.2.840.113549.1.9.2

[ req_attributes ]

employeeID = Employee Number (eg, EIN)
employeeID_max = 6

citizenship = country of Citizenship
ctizenship_max = 2

company

Does that look like I'm on the right path???? Am I missing something or doing anything wrong?

This is an e-mail from General Dynamics Land Systems. It is for the intended recipient only and may contain confidential and privileged information. No one else may read, print, store, copy, forward or act in reliance on it or its attachments. If you are not the intended recipient, please return this message to the sender and delete the message and any attachments from your computer. Your cooperation is appreciated.

_______________________________________________
Openca-Users mailing list
Openca-Users@...
https://lists.sourceforge.net/lists/listinfo/openca-users

Re: Additional Request Attributes - HOWTO?

On Fri, 2009-06-19 at 12:46 -0400, blainedw@... wrote:
>
> Hi all,
>
> I read the section in the "documentation" about adding attributes to
> the certificate and I am still a little unclear. So I am hoping for a
> sanity check. I have 3 attributes I am adding but I'll just provide an
> example of one to give you an idea. I have added them to the
> browser_req.xml.template like so:
>
> Under User Data Section....
>
> <input>
>     <name>ADDITIONAL_ATTRIBUTE_EIN</name>
>     <label>Employee Number</label>
>     <type>textfield</type>
>     <charset>NUMERIC</charset>
>     <value></value>
>     <minlen>6</minlen>
>     <required>YES</required>
> </input>
>
> I'm not sure if it should be added to the DN or the SUBJALT section
> farther down in the template (or both)????????
>
> I then modified the server_req.xml.template (since we usually do
> server-side generation)
>
> <input>
>     <name>ADDITIONAL_ATTRIBUTE_EIN</name>
>     <label>employeeID</label>
>     <type>textfield</type>
>     <charset>NUMERIC</charset>
>     <value></value>
>     <minlen>6</minlen>
>     <required>YES</required>
> </input>
>
> ADDITIONAL_REQUEST_ATTRIBUTES "requestercn" "email" "employeeID"
> "company" "department" "telephone" "citizenship"
> ADDITIONAL_ATTRIBUTES_DISPLAY_VALUE "Name (first and Last name)"
> "Email" "Employee Number" "Company" "Department" "Telephone"
> "Citizenship"
> ADDITIONAL_REQUEST_ATTRIBUTES_STRING_TYPE "LATIN1_LETTERS" "EMAIL"
> "NUMERIC" "LATIN1_LETTERS" "LATIN1_LETTERS" "LATIN1_LETTERS"
> "LATIN1_LETTERS"
>
> Similar changes were made to servers/pub.conf.template
>
> I made the following to servers/ra.conf.template
>
> DN_TYPE_SPKAC_ELEMENTS "emailAddress" "CN" "OU" "DC" "DC" "DC"
> "employeeID" "company" "citizenship"
>
> DN_TYPE_SPKAC_ELEMENT_4 "Employee Number"
> DN_TYPE_SPKAC_ELEMENT_4_MINIMUM_LENGTH 6
> DN_TYPE_SPKAC_ELEMENT_4_REQUIRED "YES"
> DN_TYPE_SPKAC_ELEMENT_4_CHARACTERSET "NUMERIC"
>
> DN_TYPE_IE_ELEMENTS "emailAddress" "CN" "OU" "DC" "DC" "DC"
> "employeeID" "company" "citizenship"
>
> DN_TYPE_IE_ELEMENT_4 "Employee Number"
> DN_TYPE_IE_ELEMENT_4_MINIMUM_LENGTH 6
> DN_TYPE_IE_ELEMENT_4_REQUIRED "YES"
> DN_TYPE_IE_ELEMENT_4_CHARACTERSET "NUMERIC"
>
> Similar changes were made to servers/ca.conf.template
>
> Then I went into the openssl.cnf stuff modifying the specific profile
> as (in this case VPN_User.conf.template):
>
> [ new_oids ]
>
> pseudonym=2.5.4.65
> domainComponent=0.9.2342.19200300.100.1.25
> employeeID=1.3.6.1.4.1.5643.2.0.4
> citizenship=1.3.6.1.5.5.7.9.4
> company=1.2.840.113549.1.9.2
>
> [ req_attributes ]
>
> employeeID = Employee Number (eg, EIN)
> employeeID_max = 6
>
> citizenship = country of Citizenship
> ctizenship_max = 2
>
> company
>
> Does that look like I'm on the right path???? Am I missing something or doing anything wrong?

<snip> answers. I assume all the additional fields will be usable even in non-standard because of your addition of oids for them. That's not anything I've ever attempted.

I don't think you want to edit server_req.xml.template for server side key generation. I believe that is for when you are providing a PKCS#10 request generated by the requestor. We do server side key generation using browser_req.xml.

I'm guessing since these are non-standard fields, putting them in DN or SubjAltName will depend on how your application is going to use them. That is a guess :)

In ra.conf, are the element numbers in order of the element list? Thus SPKAC_ELEMENT_4 in your case would be the first DC field I believe.

Sorry I can't be more definitive but I hope this helps - John

--
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsullivan@...

http://www.spiritualoutreach.com
Making Christianity intelligible to secular society

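The index check raised in the reply above, as an added example that is not part of the original thread or of OpenCA: it resolves which entry of DN_TYPE_*_ELEMENTS each DN_TYPE_*_ELEMENT_n block applies to. The 1-based indexing follows the reply's reading and is an assumption; the function names are hypothetical and the sample is the ra.conf.template snippet from the thread with each directive joined onto one line.

```python
import re
import shlex

# Constructed sample: the ra.conf.template lines quoted in the thread,
# with each wrapped directive joined back onto a single line.
SAMPLE_RA_CONF = '''
DN_TYPE_SPKAC_ELEMENTS "emailAddress" "CN" "OU" "DC" "DC" "DC" "employeeID" "company" "citizenship"
DN_TYPE_SPKAC_ELEMENT_4 "Employee Number"
DN_TYPE_SPKAC_ELEMENT_4_MINIMUM_LENGTH 6
DN_TYPE_SPKAC_ELEMENT_4_REQUIRED "YES"
DN_TYPE_SPKAC_ELEMENT_4_CHARACTERSET "NUMERIC"
'''

# DN_TYPE_<type>_ELEMENT_<n> with an optional _<SETTING> suffix.
ELEMENT_KEY = re.compile(r"^DN_TYPE_(\w+?)_ELEMENT_(\d+)(?:_(\w+))?$")

def parse_conf(text):
    """Return {key: [values]} for lines of the form KEY "v1" "v2" ..."""
    conf = {}
    for line in text.splitlines():
        tokens = shlex.split(line, comments=True)
        if tokens:
            conf[tokens[0]] = tokens[1:]
    return conf

def resolve_elements(conf, base=1):
    """Map each (type, n) ELEMENT block to the attribute it governs.

    base=1 is the assumed indexing (ELEMENT_4 is the 4th list entry).
    """
    result = {}
    for key, values in conf.items():
        m = ELEMENT_KEY.match(key)
        if not m:
            continue
        dn_type, index, setting = m.group(1), int(m.group(2)), m.group(3)
        elements = conf.get(f"DN_TYPE_{dn_type}_ELEMENTS", [])
        pos = index - base
        attr = elements[pos] if 0 <= pos < len(elements) else None
        entry = result.setdefault((dn_type, index), {"attribute": attr})
        entry[setting or "LABEL"] = values[0] if values else ""
    return result

def expected_index(conf, dn_type, attribute, base=1):
    """Index an ELEMENT_<n> block needs in order to govern `attribute`."""
    return conf[f"DN_TYPE_{dn_type}_ELEMENTS"].index(attribute) + base

if __name__ == "__main__":
    conf = parse_conf(SAMPLE_RA_CONF)
    for (dn_type, n), info in sorted(resolve_elements(conf).items()):
        print(dn_type, n, info)
    print("employeeID index:", expected_index(conf, "SPKAC", "employeeID"))
```

Under that indexing assumption, the NUMERIC, minimum-length and required settings in the sample resolve to the first DC entry rather than employeeID, so the employee number itself would carry no input constraints until the block is renumbered.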
Re: Additional Request Attributes - HOWTO?

Thanks John for the feedback.

I undid my changes to server-req.template.

Currently we don't have an application that will use them ;) We are going through the process of re-badging everyone and now we are using smartcards with the eventual hope of using these cards not only for physical but also system access. These fields are thought to be needed in the future.

I fixed the element order (I always forget that - it's bitten me more than once).

I generated a request and processed it through the RA. But when I generate a cert I get this error on one of my custom fields:

Re: Additional Request Attributes - HOWTO?

Hi

I tried using otherName syntax for adding these fields to subjectAltNames without much luck. I am thinking of maybe trying to shoe-horn these items as additional OUs, which I know I can do. But I was wondering what other folks have done and how they accomplished it for additional attributes????? The fields I have are employeeID, company, location, citizenship.

Dave

Re: Additional Request Attributes - HOWTO?

On Wed, 2009-06-24 at 13:25 -0400, blainedw@... wrote:
>
> Hi
>
> I tried using otherName syntax for adding these fields to
> subjectAltNames without much luck. I am thinking that maybe of trying
> to shoe-horn these items as additional OU's which I know I can do. But
> I was wondering what other folks have done and how they accomplished
> it for additional attributes????? The fields I have are
> employeeID,company,location,citizenship.

<snip>

We were able to add DC fields to the DN. I believe I posted how we did that. If it proves hard to find, let me know and I'll try to steal some time to dig it out again. We did it by adding the fields to the files in etc/servers and in browser_req.xml.template(?) I believe - John

--
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsullivan@...

http://www.spiritualoutreach.com
Making Christianity intelligible to secular society