Question on a good attribute for local information


Question on a good attribute for local information

Phil Dibowitz-3
We'd like to tie all of our certificates to a unique identifier in a
DB... is there an attribute out there, perhaps in the PKIX extensions or
x509v3 extensions or somewhere else that would be a reasonable place for
this?

Thanks,
--
Phil Dibowitz
P: 310-360-2330 C: 213-923-5115
Unix Admin, Ticketmaster.com


Re: Question on a good attribute for local information

Bear Giles
Issuer DN and serial number are unique.  In practice you'll need
to consider whether you'll be dealing with anyone other than
competent CAs (organizations and individuals).  "openssl ca" is
great but it's trivial to produce multiple certs with the same
issuer DN and serial number.

Bear

Phil Dibowitz wrote:
> We'd like to tie all of our certificates to a unique identifier in a
> DB... is there an attribute out there, perhaps in the PKIX extensions or
> x509v3 extensions or somewhere else that would be a reasonable place for
> this?
>
> Thanks,

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]

Re: Question on a good attribute for local information

Phil Dibowitz-3
Bear Giles wrote:
> Issuer DN and serial number are unique.

Yes, but we have a central identity system that uses GUIDs to ...
everything. We want to do it for certificates as well. We want said GUID
to be in the certificate.

Serial number is typically used for renewals, I don't want to step on that.

Any suggestions for attributes for that?

We'll only be dealing with our internal CA, so I have control over all
of that.

--
Phil Dibowitz
P: 310-360-2330 C: 213-923-5115
Unix Admin, Ticketmaster.com


Re: Question on a good attribute for local information

Phil Dibowitz-3
Phil Dibowitz wrote:

> Bear Giles wrote:
>
>>Issuer DN and serial number are unique.
>
>
> Yes, but we have a central identity system that uses GUIDs to ...
> everything. We want to do it for certificates as well. We want said GUID
> to be in the certificate.
>
> Serial number is typically used for renewals, I don't want to step on that.
>
> Any suggestions for attributes for that?
>
> We'll only be dealing with our internal CA, so I have control over all
> of that.
>
No references on places to look? Suggestions on extensions to use?

For reference, the original question was:

We'd like to tie all of our certificates to a unique identifier in a
DB... is there an attribute out there, perhaps in the PKIX extensions or
x509v3 extensions or somewhere else that would be a reasonable place for
this?

--
Phil Dibowitz
P: 310-360-2330 C: 213-923-5115
Unix Admin, Ticketmaster.com
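The two points of the thread above, as an added shell example that is not from the thread or the OpenSSL project: it builds a throwaway internal CA with the openssl CLI, shows that `openssl x509 -req -set_serial` will issue two certificates with the same issuer DN and serial without complaint (Bear's caveat about "competent CAs"), and places a GUID in a certificate as an arbitrary X.509v3 extension. The OID 1.3.6.1.4.1.99999.1 is a placeholder for a private arc you actually own, the GUID value and subject names are constructed, and the keys are test material only.

```shell
#!/bin/sh
# Added example (not from the thread). Two things it demonstrates:
#  1. (issuer DN, serial) is only a unique key if the CA never reuses a serial;
#  2. an arbitrary X.509v3 extension can carry a local identifier (a GUID).
# Assumptions: 1.3.6.1.4.1.99999.1 is a PLACEHOLDER OID, the GUID below is a
# constructed sample value, and all keys/certs are throwaway test material.
set -e

WORK="${WORK:-$(mktemp -d)}"
ID_OID="1.3.6.1.4.1.99999.1"                   # placeholder private arc
GUID="1b4e28ba-2fa1-11d2-883f-0016d3cca427"    # constructed sample GUID

# make_ca: self-signed throwaway internal CA, one day validity.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/O=Example Internal/CN=Internal CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" >/dev/null 2>&1
}

# issue_cert NAME SERIAL [GUID]: sign a leaf with an explicit serial and, when a
# GUID is given, an extra extension holding it as a UTF8String.
issue_cert() {
    name="$1"; serial="$2"; guid="${3:-}"
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$name" \
        -keyout "$WORK/$name.key" -out "$WORK/$name.csr" >/dev/null 2>&1
    extfile="$WORK/$name.ext"
    printf '[leaf]\nbasicConstraints=CA:FALSE\n' > "$extfile"
    if [ -n "$guid" ]; then
        # "ASN1:" lets the config file define an extension OpenSSL knows nothing about
        printf '%s=ASN1:UTF8String:%s\n' "$ID_OID" "$guid" >> "$extfile"
    fi
    openssl x509 -req -days 1 -in "$WORK/$name.csr" \
        -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -set_serial "$serial" \
        -extfile "$extfile" -extensions leaf -out "$WORK/$name.crt" >/dev/null 2>&1
}

# cert_key FILE: the (issuer DN, serial) pair proposed as the DB key, on one line.
cert_key() {
    openssl x509 -in "$1" -noout -issuer -serial | tr '\n' '|'
}

# count_duplicate_keys FILE...: number of (issuer, serial) keys seen more than once.
count_duplicate_keys() {
    for f in "$@"; do cert_key "$f"; echo; done | sort | uniq -d | wc -l | tr -d ' '
}

# cert_guid FILE: the GUID carried in the placeholder extension, empty if absent.
# The UTF8String bytes are printable, so they survive the -text dump of an
# unknown extension and can be picked out by the UUID shape.
cert_guid() {
    openssl x509 -in "$1" -noout -text \
        | grep -o -E '[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}' \
        | head -n 1 || true
}

# Stand-alone run: one CA, two leaves that share serial 1000, one carrying the GUID.
make_ca
issue_cert alice 1000 "$GUID"
issue_cert bob   1000
issue_cert carol 1001
echo "duplicate (issuer, serial) keys: $(count_duplicate_keys \
    "$WORK/alice.crt" "$WORK/bob.crt" "$WORK/carol.crt")"
echo "alice GUID: $(cert_guid "$WORK/alice.crt")"
echo "bob GUID:   [$(cert_guid "$WORK/bob.crt")]"
```

`count_duplicate_keys` is the check worth running over an export of everything the internal CA has issued: the (issuer, serial) key is only safe once the CA enforces serial uniqueness, which `openssl ca` does through its serial and index files but `openssl x509 -req -set_serial` does not. Keeping the GUID in its own extension leaves the serial free for the renewal handling mentioned in the thread.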
