[Techtalk] certificates
Wim De Smet
kromagg at gmail.com
Wed May 6 07:14:43 UTC 2009
Hi,
On Wed, May 6, 2009 at 7:24 AM, Maria McKinley <maria at shadlen.org> wrote:
> Wim De Smet wrote:
>> Hi,
>>
>> On Mon, May 4, 2009 at 10:31 PM, Maria McKinley <maria at shadlen.org> wrote:
>>> Maria McKinley wrote:
>>> > [...]
>>> > certtool -i < /etc/ssl/certs/ldap.shadlen.crt | grep Version:
>>> >
>>> > I get version 1. According to this site:
>>> >
>>> > [...]
>>>
>>> >Nevermind, I think these instructions will do the trick:
>>>
>>> >http://www.debian-administration.org/articles/284
>>> Ugh. Spoke too fast. I'm still getting version 1 certificates. Anybody
>>> know how to get version 3 certificates?
>>
>> I gave it a shot with those instructions except I didn't use their
>> openssl.conf and I got a v3 certificate. Check /etc/ssl/openssl.conf
>> and see if there's anything in the other openssl.conf missing or
>> something. Or just skip using it; I think you should still get a useful
>> certificate.
>>
>> regards,
>> Wim
>
> Interesting, I just noted that the cacert.pem is a v3 cert, but the
> cert.pem is a v1 cert. For ldap configs, it usually wants both the cert
> and the cacert, but maybe only the cacert will ever actually be v3 cert?
In principle you should end up with a v3 cert since you're using v3
extensions on the req. Well, I think. Check if the request has the
requested extensions section. I think these are getting lost
somewhere, perhaps because of ca's copy_extensions?
BTW, the bugs and warnings sections of ca(1) are particularly amusing to read.
regards,
Wim
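
The check suggested in the reply above, as an added example that is not part of the original message: it confirms the CSR carries a "Requested Extensions" section, then signs it with `openssl ca` under `copy_extensions = none` and `copy_extensions = copy` and reports the resulting certificate version. It assumes OpenSSL 1.1.1 or later (for `-addext`); the lab CA, the host name `ldap.example.test`, the config contents and all file names are constructed for illustration.

```sh
#!/bin/sh
# Added example: throwaway lab CA; every name and path below is constructed.

# Succeeds if the CSR carries a "Requested Extensions" section.
csr_has_extensions() {
    openssl req -in "$1" -noout -text | grep -q 'Requested Extensions'
}

# Prints the X.509 version of a certificate (1 or 3).
cert_version() {
    openssl x509 -in "$1" -noout -text |
        sed -n 's/^ *Version: *\([0-9][0-9]*\).*/\1/p'
}

# Succeeds if the certificate lists DNS name $2 in subjectAltName.
cert_has_dns() {
    openssl x509 -in "$1" -noout -text | grep -q "DNS:$2"
}

# make_lab DIR: CA key and cert, plus a CSR that requests a subjectAltName.
make_lab() {
    mkdir -p "$1/new" && : > "$1/index.txt" && echo 01 > "$1/serial"
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj '/CN=Lab CA' \
        -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -subj '/CN=ldap.example.test' \
        -addext 'subjectAltName=DNS:ldap.example.test' \
        -keyout "$1/srv.key" -out "$1/srv.csr" 2>/dev/null
}

# sign DIR MODE: run `openssl ca` with copy_extensions = MODE (none|copy)
# and print the path of the issued certificate.
sign() {
    printf '%s\n' '[ca]' 'default_ca = lab' '[lab]' \
        "database = $1/index.txt" "serial = $1/serial" \
        "new_certs_dir = $1/new" 'default_md = sha256' 'default_days = 30' \
        'unique_subject = no' 'policy = pol' "copy_extensions = $2" \
        '[pol]' 'commonName = supplied' > "$1/ca-$2.cnf"
    openssl ca -batch -notext -config "$1/ca-$2.cnf" -cert "$1/ca.pem" \
        -keyfile "$1/ca.key" -in "$1/srv.csr" -out "$1/srv-$2.pem" \
        2>/dev/null && echo "$1/srv-$2.pem"
}

lab=$(mktemp -d) && make_lab "$lab"
csr_has_extensions "$lab/srv.csr" && echo "CSR carries requested extensions"
for mode in none copy; do
    crt=$(sign "$lab" "$mode")
    echo "copy_extensions=$mode -> v$(cert_version "$crt")"
done
```

With `none`, the subjectAltName requested in the CSR is absent from the issued certificate; with `copy` it is present and the certificate is v3. The WARNINGS section of ca(1) notes that `copy` should be used with caution, because a request carrying basicConstraints CA:TRUE would be copied into the certificate as well.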