[LUGOS] OpenSSL & Windows 2003 Server CSR
Nejc Skoberne
nejc at skoberne.net
Tue Oct 25 13:21:40 CEST 2005
Hello.
I hope this isn't too off-topic. I have a Windows Server 2003 SE machine which, among other things,
also runs IIS. I would like to set up SSL by using OpenSSL (I already have a CA from before)
to sign the certificate request from the Windows server. The problem is that this request
is apparently a bit "odd". When I try to sign it, this happens:
$ /usr/local/bin/openssl ca -config /etc/ssl/openssl.cnf -out cert.cer -infiles cert.csr
Using configuration from /etc/ssl/openssl.cnf
Enter pass phrase for ./webca.key:
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'SI'
stateOrProvinceName :PRINTABLE:'None'
localityName :PRINTABLE:'Kraj'
organizationName :PRINTABLE:'Firma d.o.o.'
organizationalUnitName:PRINTABLE:'Server'
commonName :PRINTABLE:'server.domena.si'
x509_extensions:unknown object type in 'policy' configuration
In text form, the certificate request looks like this:
--------------------------------------------------------------------------------------
Certificate Request:
Data:
Version: 0 (0x0)
Subject: C=SI, ST=None, L=Kraj, O=Firma d.o.o., OU=Server, CN=server.domena.si
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (1024 bit)
Modulus (1024 bit):
<snip>
Exponent: 65537 (0x10001)
Attributes:
1.3.6.1.4.1.311.13.2.3 :5.2.3790.2
1.3.6.1.4.1.311.13.2.2 :unable to print attribute
Requested Extensions:
X509v3 Key Usage: critical
Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment
S/MIME Capabilities:
......0...+....0050...*.H..
..*.H..
X509v3 Extended Key Usage:
TLS Web Server Authentication
Signature Algorithm: sha1WithRSAEncryption
<snip>
--------------------------------------------------------------------------------------
So that "unable to print attribute" looks somewhat suspicious to me.
In openssl.cnf I also enabled the following options:
------------------------------------------------------------------------
extensions =
[ req ]
x509_extensions = v3_ca # The extentions to add to the self signed cert
req_extensions = v3_req # The extensions to add to a certificate request
[ req_distinguished_name ]
SET-ex3 = SET extension number 3
------------------------------------------------------------------------
I tried with OpenSSL versions 0.9.7a and 0.9.8a. Does anyone have any idea? How else can I
sign such a CSR (for free)?
Thanks and best regards,
Nejc