An example issuing an intermediate CA with policy mappings?


Krehbiel, Richard

For my testing I want to explore the behaviors of policies, policy constraints, and policy mappings.  I have figured out how to request and issue certs with custom policy OIDs, but I haven't yet seen a method of granting an intermediate cert with policy mappings.   Can openssl do this?  How?  Thanks.


KASTLE SYSTEMS

855.527.8531  |  KASTLE.COM


--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: An example issuing an intermediate CA with policy mappings?

Dave Coombs
> On Sep 25, 2018, at 14:34, Krehbiel, Richard <[hidden email]> wrote:
>
> For my testing I want to explore the behaviors of policies, policy constraints, and policy mappings.  I have figured out how to request and issue certs with custom policy OIDs, but I haven't yet seen a method of granting an intermediate cert with policy mappings.   Can openssl do this?  How?  Thanks.

Yes, I've used "openssl ca" to make certs with policy mappings in the past.  Try something like this in your openssl.cnf, for use with "openssl ca -extensions test_ext" for example.  (I haven't tested with these exact values, but it should be a starting point.)

[openssl_init]
oid_section = new_oids
...

[new_oids]
issuerOID = Issuer Domain Policy, 1.2.3.4.5
subjectOID = Subject Domain Policy, 1.3.5.7.9
...

[test_ext]
policyMappings = @policy_mappings
...

[policy_mappings]
issuerOID = subjectOID

And if you want to map more than one subject domain policy OID to the same issuer domain policy OID, you can use issuerOID.0, issuerOID.1, issuerOID.2, etc, to differentiate them in the policy_mappings section.

Good luck,
  -Dave

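The script below is an added, end-to-end example and is not Dave's config or anything else posted in the thread. It builds a root, an intermediate that carries the policyMappings extension described above, a second intermediate without it for contrast, and a leaf, then uses "openssl verify -policy ... -explicit_policy" to show that the mapping is what lets a path validated under the issuer-domain policy 1.2.3.4.5 accept a leaf that only asserts 1.3.5.7.9. Assumptions: the openssl command-line tool is on PATH (1.1.1 or 3.x); the extension sections are fed to "openssl x509 -req -extfile" rather than "openssl ca", which accepts the same x509v3_config syntax; the two OIDs are the thread's placeholder values, not registered policy arcs, and the subject names are constructed. Numeric OIDs are written directly in the policy_mappings section so that no oid_section/OPENSSL_CONF setup is needed; short names such as issuerOID only work once they have been registered through an oid_section in the config openssl loads.

```shell
#!/bin/sh
# Added example (not from the thread): root -> intermediate -> leaf, where the
# intermediate maps issuer-domain policy 1.2.3.4.5 to subject-domain policy
# 1.3.5.7.9 (placeholder OIDs from the thread). Demonstrates the mapping with
# "openssl verify". Subject names below are constructed for the example.
set -eu

command -v openssl >/dev/null 2>&1 || { echo "needs the openssl command-line tool" >&2; exit 1; }

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Extension sections for "openssl x509 -req -extfile ext.cnf -extensions <name>".
# policyMappings takes a section of "issuerDomainPolicy = subjectDomainPolicy" pairs.
cat > ext.cnf <<'EOF'
[ root_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
certificatePolicies = 1.2.3.4.5

[ inter_ext ]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
certificatePolicies = 1.2.3.4.5
policyMappings = @policy_mappings

[ policy_mappings ]
1.2.3.4.5 = 1.3.5.7.9

# Same intermediate profile without the mapping, for contrast.
[ inter_nomap_ext ]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
certificatePolicies = 1.2.3.4.5

[ leaf_ext ]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
certificatePolicies = 1.3.5.7.9
EOF

# P-256 key plus CSR; $1 = file prefix, $2 = CN (constructed names).
newcsr() {
    openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -subj "/CN=$2" -keyout "$1.key" -out "$1.csr" 2>/dev/null
}

build_chain() {
    newcsr root "Example Policy Root"
    newcsr inter "Example Policy Intermediate"
    newcsr leaf "leaf.example.test"
    # Self-signed root asserting the issuer-domain policy.
    openssl x509 -req -in root.csr -signkey root.key -days 30 \
        -extfile ext.cnf -extensions root_ext -out root.pem 2>/dev/null
    # Two intermediates from the same key: with and without policyMappings.
    openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -CAcreateserial -days 30 \
        -extfile ext.cnf -extensions inter_ext -out inter.pem 2>/dev/null
    openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -CAcreateserial -days 30 \
        -extfile ext.cnf -extensions inter_nomap_ext -out inter-nomap.pem 2>/dev/null
    # Leaf asserts only the subject-domain policy; it chains to either intermediate.
    openssl x509 -req -in leaf.csr -CA inter.pem -CAkey inter.key -CAcreateserial -days 30 \
        -extfile ext.cnf -extensions leaf_ext -out leaf.pem 2>/dev/null
}

# Success (exit 0) when the certificate in $1 carries a Policy Mappings extension.
has_policy_mappings() {
    openssl x509 -in "$1" -noout -text | grep -q 'X509v3 Policy Mappings'
}

# Validate leaf.pem through intermediate $1 under user-initial policy $2.
# -policy_check turns on RFC 5280 policy processing; -explicit_policy makes an
# empty valid_policy_tree a hard failure rather than a silent pass.
verify_with_policy() {
    openssl verify -CAfile root.pem -untrusted "$1" \
        -policy_check -explicit_policy -policy "$2" leaf.pem >/dev/null 2>&1
}

build_chain
echo "policyMappings in inter.pem:"
openssl x509 -in inter.pem -noout -text | grep '1.2.3.4.5:1.3.5.7.9'
for case in "inter.pem 1.2.3.4.5" "inter-nomap.pem 1.2.3.4.5" "inter.pem 1.3.5.7.9"; do
    set -- $case
    if verify_with_policy "$1" "$2"; then r=OK; else r=FAIL; fi
    echo "verify via $1 with -policy $2: $r"
done
```

Run as-is, it prints the mapping line from the intermediate and three verdicts: OK for the mapped intermediate under -policy 1.2.3.4.5, FAIL for the unmapped intermediate under the same policy (the leaf asserts only 1.3.5.7.9, so the tree is empty at the leaf), and FAIL for the mapped intermediate under -policy 1.3.5.7.9 (the user-initial policy has to be the issuer-domain policy at the top of the path; the mapping rewrites the expected policy set below the intermediate, not above it). To use the same sections with "openssl ca", point -extensions at inter_ext in the file that "openssl ca -config" reads.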