Certificates for MS EFS

Rodrigo A B Freire
    List,

    I run a local CA and I wish to use the OpenSSL certificates to cipher
the EFS ops.

    To do so, I need to generate the certificates with the extended OID
1.3.6.1.4.1.311.10.3.4 (listed as msEFS on objects.h)

    My certificate generation flow is:

openssl req -nodes -new -x509 \
            -keyout /etc/CA/certs/key.pem \
            -out /etc/CA/certs/cert.pem -days 365

openssl x509 -x509toreq \
             -in /etc/CA/certs/cert.pem \
             -signkey /etc/CA/certs/key.pem \
             -out /etc/CA/certs/tmp.pem

openssl ca -policy policy_anything \
            -out /etc/CA/certs/cert.pem \
            -infiles /etc/CA/certs/tmp.pem

    I've tried creating a file, named ext_oids containing:

[ ext_client ]
# OID:1.3.6.1.4.1.311.10.3.4 (msEFS) Microsoft Encrypted File System
extendedKeyUsage=msEFS
subjectAltName=email:copy

    And appended to step 2 (openssl x509):
  -extfile /etc/CA/ext_oids -extensions ext_client

    Didn't work.

    Any hint?

    Rodrigo.
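
Added example, not part of the original post: the post's ext_client section passed to the signing step (`openssl ca`) with `-extfile`/`-extensions`, followed by a check that the issued certificate carries the msEFS extended key usage. The temporary directory, the subject names and the minimal CA config are constructed for the demonstration.

```shell
# Added example; paths, names and the minimal CA config are constructed.
issue_efs_cert() {   # $1 = working directory; writes $1/user.pem
    d=$1
    mkdir -p "$d/newcerts" && : > "$d/index.txt" && echo 01 > "$d/serial" || return 1
    cat > "$d/ca.cnf" <<EOF
[ req ]
distinguished_name = dn
[ dn ]
commonName = Common Name
[ ca ]
default_ca = CA_default
[ CA_default ]
database      = $d/index.txt
new_certs_dir = $d/newcerts
serial        = $d/serial
certificate   = $d/ca.pem
private_key   = $d/ca.key
default_md    = sha256
policy        = policy_anything
[ policy_anything ]
commonName   = supplied
emailAddress = optional
EOF
    # Extension section from the post, unchanged.
    cat > "$d/ext_oids" <<EOF
[ ext_client ]
# OID:1.3.6.1.4.1.311.10.3.4 (msEFS) Microsoft Encrypted File System
extendedKeyUsage=msEFS
subjectAltName=email:copy
EOF
    # Constructed test CA, then a user key and request (email is needed by email:copy).
    openssl req -config "$d/ca.cnf" -nodes -new -x509 -newkey rsa:2048 -days 30 \
        -subj "/CN=Constructed Test CA" -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null || return 1
    openssl req -config "$d/ca.cnf" -nodes -new -newkey rsa:2048 -keyout "$d/user.key" \
        -subj "/CN=efs-user/emailAddress=user@example.test" -out "$d/user.csr" 2>/dev/null || return 1
    # The extension file is given to the command that signs the certificate.
    openssl ca -config "$d/ca.cnf" -batch -notext -days 365 \
        -extfile "$d/ext_oids" -extensions ext_client \
        -in "$d/user.csr" -out "$d/user.pem" 2>/dev/null
}

has_efs_eku() {      # $1 = certificate file; succeeds if the EFS EKU is present
    openssl x509 -in "$1" -noout -text |
        grep -Eq "Microsoft Encrypted File System|msEFS|1\.3\.6\.1\.4\.1\.311\.10\.3\.4"
}

work=$(mktemp -d)
issue_efs_cert "$work" && has_efs_eku "$work/user.pem" && echo "EFS EKU present"
rm -rf "$work"
```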