adding certificate policies extension in CSR


I am trying to add a "certificate policies" extension in CSR using openssl (version 1.0.1.e).

  1. Is the certificate requester allowed to deal with certificate policies or only CA should do it?

  2. Based on function mkreq() in file openssl/demos/x509/mkreq.c, I added the following line:

     add_ext(exts, NID_certificate_policies, "1.3.6.1");

Unfortunately it leads to a segmentation fault. Is the syntax correct? Any clue what is wrong?


There are 2 answers

Gaston (BEST ANSWER)
  1. Yes, the certificate requester is allowed to insert a certificate policy or any other extension. But the Certificate Authority might validate the request or reject it.

  2. By default the openssl configuration file, openssl.cnf, includes the following settings for CSR extensions:

    [ v3_req ]

    # Extensions to add to a certificate request

    basicConstraints = CA:FALSE
    keyUsage = nonRepudiation, digitalSignature, keyEncipherment

In order to support the certificate_policies extension, "certificatePolicies" settings have to be added in this section.
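Putting the accepted answer into practice, as an added example that is not part of the original answer: a config whose [ v3_req ] section lists certificatePolicies, a CSR generated from it with the openssl CLI, and a check that the extension actually ended up in the request. The OIDs under 1.3.6.1.4.1.99999 and the CPS URL are constructed placeholders, not real policy identifiers.

```shell
#!/bin/sh
# Added example (not from the original answers): generate a CSR that carries a
# certificatePolicies extension via [ v3_req ], then verify it is present.
# Assumes the openssl CLI is on PATH. Policy OIDs and CPS URL are placeholders.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Minimal request config: v3_req now includes certificatePolicies.
cat > "$WORK/req.cnf" <<'EOF'
[ req ]
distinguished_name = req_dn
req_extensions     = v3_req
prompt             = no

[ req_dn ]
CN = example.test

[ v3_req ]
basicConstraints    = CA:FALSE
keyUsage            = nonRepudiation, digitalSignature, keyEncipherment
certificatePolicies = 1.3.6.1.4.1.99999.1, @policy_sect

[ policy_sect ]
policyIdentifier = 1.3.6.1.4.1.99999.2
CPS.1            = "http://cps.example.test/"
EOF

# Generate a fresh key and a CSR using that config.
openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/key.pem" \
    -out "$WORK/req.pem" -config "$WORK/req.cnf" 2>/dev/null

# Returns 0 if the CSR lists the Certificate Policies extension with every
# expected policy OID, 1 otherwise.
csr_has_policies() {
    text=$(openssl req -in "$1" -noout -text)
    echo "$text" | grep -q "X509v3 Certificate Policies" || return 1
    for oid in 1.3.6.1.4.1.99999.1 1.3.6.1.4.1.99999.2; do
        echo "$text" | grep -q "Policy: $oid" || return 1
    done
    return 0
}

csr_has_policies "$WORK/req.pem" && echo "certificatePolicies present in CSR"
```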

NMorozov

Solved. add_ext contains a call to the function

X509V3_EXT_conf_nid(NULL, NULL, nid, (char *)value);

The context argument is NULL; if you rewrite this function with a context, your segfault will be fixed. For example:

#include <stdio.h>
#include <openssl/x509v3.h>

/* Add an extension by its config name (e.g. "certificatePolicies"), using a
 * test context so X509V3_EXT_nconf gets a valid X509V3_CTX instead of NULL. */
int add_ext_by_name(STACK_OF(X509_EXTENSION) *sk, const char *name, const char *value)
{
    X509_EXTENSION *ex;
    X509V3_CTX ctx;
    X509V3_set_ctx_test(&ctx);                      /* context with no issuer/subject/req */
    ex = X509V3_EXT_nconf(NULL, &ctx, name, value); /* NULL CONF: no config file required */
    if (!ex) {
        printf("no ext: %s\n", name);
        return 0;
    }
    sk_X509_EXTENSION_push(sk, ex);
    return 1;
}

A call to

add_ext_by_name(exts, "certificatePolicies", "1.2.643.100.113.1, 1.2.643.100.113.2");

will be successful. A function taking an NID argument you can write yourself :)