[Techtalk] certificates

Maria McKinley maria at shadlen.org
Wed May 6 08:23:21 UTC 2009


Wim De Smet wrote:
> Hi,
> 
> On Wed, May 6, 2009 at 7:24 AM, Maria McKinley <maria at shadlen.org> wrote:
>> Wim De Smet wrote:
>>> Hi,
>>>
>>> On Mon, May 4, 2009 at 10:31 PM, Maria McKinley <maria at shadlen.org> wrote:
>>>> Maria McKinley wrote:
>>>>  > [...]
>>>>  > certtool -i < /etc/ssl/certs/ldap.shadlen.crt | grep Version:
>>>>  >
>>>>  > I get version 1. According to this site:
>>>>  >
>>>>  > [...]
>>>>
>>>>  >Nevermind, I think these instructions will do the trick:
>>>>
>>>>  >http://www.debian-administration.org/articles/284
>>>> Ugh. Spoke too fast. I'm still getting version 1 certificates. Anybody
>>>> know how to get version 3 certificates?
>>> I gave it a shot with those instructions except I didn't use their
>>> openssl.conf and I got a v3 certificate. Check /etc/ssl/openssl.conf
>>> and see if there's anything in the other openssl.conf missing or
>>> something. Or just skip using it I think you should still get a useful
>>> certificate.
>>>
>>> regards,
>>> Wim
>> Interesting, I just noted that the cacert.pem is a v3 cert, but the
>> cert.pem is a v1 cert. For ldap configs, it usually wants both the cert
>> and the cacert, but maybe only the cacert will ever actually be v3 cert?
> 
> In principle you should end up with a v3 cert since you're using v3
> extensions on the req. Well, I think. Check if the request has the
> requested extensions section. I think these are getting lost
> somewhere, perhaps because of ca's copy_extensions?
> 
> BTW, the bugs and warnings sections of ca(1) is particularly amusing to read.
> 
> regards,
> Wim

Agree about the bugs and warnings sections of ca! The request does have 
the requested extensions section:

test:~/ca.more# openssl req -in req.pem -text -verify -noout
verify OK
Certificate Request:
     Data:
         Version: 0 (0x0)
         Subject: O=Shadlen Lab/emailAddress=sysadmin at shadlen.org, L=Seattle, ST=Washington, C=US, CN=test.shadlen.org
         Subject Public Key Info:
             Public Key Algorithm: rsaEncryption
             RSA Public Key: (1024 bit)
                 Modulus (1024 bit):
                     00:c6:8f:c4:4a:cc:48:63:94:e5:79:be:9e:20:d5:
                     db:f9:ac:6f:18:9d:0b:40:d6:8d:da:02:dd:09:02:
                     cc:a2:97:bd:5d:5d:54:79:7c:50:67:42:a9:6e:72:
                     17:c9:22:da:5c:31:b9:d2:33:a0:40:bd:a2:51:e5:
                     97:06:ee:ce:35:1e:a0:0b:8d:62:93:a6:09:e9:5f:
                     94:50:28:5d:4d:39:a7:fa:f3:a3:eb:f4:bf:ff:b9:
                     3e:d7:cd:93:10:83:47:16:e5:03:52:bb:07:ba:d1:
                     2e:33:58:7a:20:4e:db:c9:2b:71:f2:90:8b:0c:9f:
                     00:50:18:c5:39:bf:bf:fa:71
                 Exponent: 65537 (0x10001)
         Attributes:
         Requested Extensions:
             X509v3 Basic Constraints:
                 CA:FALSE
             X509v3 Subject Key Identifier:
                 76:8E:C3:AE:D7:32:D0:C9:76:E7:2E:6E:D5:52:16:19:EF:34:2A:88
     Signature Algorithm: md5WithRSAEncryption
         58:1a:cf:d2:9b:c3:f7:48:0a:04:e8:a1:5a:20:24:64:7a:81:
         10:fa:ef:46:9e:c2:ad:15:62:71:12:1a:b4:4f:3d:fb:d0:a5:
         d7:57:f3:c4:4d:1c:1b:5b:73:a7:ed:3d:57:8a:d0:8b:c4:41:
         0c:f9:1d:49:e7:bc:37:11:af:ce:2a:ce:09:41:44:3c:b7:f2:
         b5:19:89:3c:7f:51:01:34:43:da:eb:1a:2c:bc:bf:4f:a5:6a:
         8d:02:cc:f1:e1:b8:1a:18:d7:b9:d7:1b:a6:fd:77:75:b5:7a:
         c2:da:c6:04:b6:3b:66:cb:ca:d1:f8:2b:82:eb:39:1b:bb:b3:
         7b:ae

which seems to be what ca wants:

-extensions section
            the section of the configuration file containing certificate
            extensions to be added when a certificate is issued (defaults to
            x509_extensions unless the -extfile option is used). If no
            extension section is present then, a V1 certificate is created. If the
            extension section is present (even if it is empty), then a
            V3 certificate is created.

Beats me. I don't even know if making this cert v3 will solve my 
openldap problem. I'm seriously considering switching distributions. I'm 
looking for a distribution that is using openssl instead of gnutls, 
because from everything I read, that seems to be the source of lots of 
frustration. I know ubuntu and debian are using gnutls.

cheers,
maria
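The ca(1) rule quoted in the post decides V1 versus V3 from the ca config, and Wim's copy_extensions hypothesis decides whether the CSR's "Requested Extensions" survive signing; this added Python script (not from the thread) checks both conditions against an openssl.cnf. The two configs are constructed samples, and the `extensions_arg` parameter stands in for the -extensions command-line option.

```python
import re

# Constructed sample configs (not from the thread): the first has no
# x509_extensions entry, the second names a section and copies CSR extensions.
CNF_V1 = """\
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = ./demoCA
"""
CNF_V3 = """\
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = ./demoCA
x509_extensions = usr_cert   # named section exists below -> V3
copy_extensions = copy       # CSR "Requested Extensions" are carried over
[ usr_cert ]
basicConstraints = CA:FALSE
[ empty_section ]
"""

def parse_openssl_cnf(text):
    """Minimal openssl.cnf parser: {section: {key: value}}; '#' starts a comment."""
    sections, current = {"": {}}, ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        header = re.match(r"^\[\s*(.*?)\s*\]$", line)
        if header:
            current = header.group(1)
            sections.setdefault(current, {})
        elif "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            sections[current][key] = value
    return sections

def predict_cert_version(cnf_text, extensions_arg=None):
    """Apply the ca(1) rule: no extension section -> V1, a present section
    (even an empty one) -> V3. extensions_arg models the -extensions option."""
    cfg = parse_openssl_cnf(cnf_text)
    ca_section = cfg.get(cfg.get("ca", {}).get("default_ca", ""), {})
    ext_name = extensions_arg or ca_section.get("x509_extensions")
    if not ext_name:
        version = 1                 # nothing configured: V1 certificate
    elif ext_name in cfg:
        version = 3                 # section defined, possibly empty: V3
    else:
        version = "unresolved"      # named but never defined: fix the name first
    return {
        "version": version,
        "extensions_section": ext_name,
        # ca(1): unless copy_extensions is set, CSR extensions are ignored
        "csr_extensions_copied": ca_section.get("copy_extensions", "none") != "none",
    }
```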

