How to change the certificate request?
Good afternoon!
There is a Windows certification authority, for which clients generate requests using openssl.
The problem is that the attribute "Server Authentication (1.3.6.1.5.5.7.3.1)" or "serverauth" is missing in client requests and the certificate authority issues a certificate with all application policies.
The question is how can I change the request file or, when generating a request in openssl, indicate the need to issue a key with the policy: Server Authentication?
We managed to understand the issue a little: in the Windows operating system there is a certreq utility, and certificate policies in the form of a file, for example, policy.inf:
[PolicyStatementExtension]
Policies=LegalPolicy
[LegalPolicy]
OID=1.1.1.1.1.1.1
Notice = "Данный сертификат является собственностью организации, и предназначен для использования в системе ."
URL = https://toster.ru/q/462222?e=5738597#comment_1490836
[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.2 ; Client Authentication
[BasicConstraintsExtension]
pathlength=0
critical=true
[RequestAttributes]
There are no application policy attributes in client requests. They appear in the certificate after it is issued. If the CA is yours, use the required template or create a new one, which will indicate the required number of policies.
The CSR contains practically only the data for the Subject that fits into the certificate.
Here is its approximate content:
Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject: C=RU, ST=*** region, L=***, O=*** Ltd, OU=***, CN=***/[email protected]***.ru
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    ...
                Exponent: 65537 (0x10001)
        Attributes:
        Requested Extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Key Usage:
                Digital Signature, Non Repudiation, Key Encipherment
            X509v3 Subject Alternative Name:
                email:[email protected]***.ru, URI:http://***.ru
    Signature Algorithm: sha256WithRSAEncryption
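
An added example, not taken from any of the posts above: an openssl configuration that places an Extended Key Usage request for Server Authentication (1.3.6.1.5.5.7.3.1) in the CSR's Requested Extensions, with a check that reads it back. The host name www.example.test and the file names are constructed placeholders; as the answer above notes, the CA's template still decides which policies end up in the issued certificate.

```shell
#!/bin/sh
# Added example: request the serverAuth EKU in a CSR and verify it is present.
# Host name and file names are constructed placeholders, not from the page.

make_serverauth_csr() {
    # $1 = working directory; writes req.cnf, key.pem and req.csr there.
    dir=$1
    cat > "$dir/req.cnf" <<'EOF'
[ req ]
prompt             = no
distinguished_name = dn
req_extensions     = v3_req

[ dn ]
CN = www.example.test

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName   = DNS:www.example.test
EOF
    # -config overrides the system openssl.cnf so only the sections above apply.
    openssl req -new -newkey rsa:2048 -nodes \
        -config "$dir/req.cnf" \
        -keyout "$dir/key.pem" -out "$dir/req.csr" 2>/dev/null
}

csr_requested_eku() {
    # $1 = CSR file. Prints the EKU value line from Requested Extensions,
    # or nothing when the CSR carries no EKU request.
    openssl req -in "$1" -noout -text |
        grep -A1 'X509v3 Extended Key Usage' | tail -n +2 |
        sed 's/^ *//; s/ *$//'
}

csr_requests_serverauth() {
    # Exit status 0 only if the CSR asks for Server Authentication.
    csr_requested_eku "$1" | grep -q 'TLS Web Server Authentication'
}

# Usage: d=$(mktemp -d); make_serverauth_csr "$d"; csr_requested_eku "$d/req.csr"
```

Running csr_requested_eku against the issued certificate's request before submission, and inspecting the issued certificate afterwards, shows whether the CA kept, replaced or ignored the requested usage.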