X509 extensions

X509 extensions

dsf-2
How can I rewrite some field in X509 extension and then
save whole certificate with this change to file?
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]
Re: X509 extensions

Kyle Hamilton
...you can't, without re-signing the certificate.  (changing the
certificate data invalidates the signed hash.)

However, if you want to, you can use openssl x509 -x509toreq -in
currentcert.pem -out currentcert.req .

Then, create a new configuration template file with the information
you want to rewrite, and then run it through x509 req -in
currentcert.req -out newcert.req.  Send newcert.req to your certifying
authority for signing.

-Kyle H

On 2/8/06, [hidden email] <[hidden email]> wrote:
> How can I rewrite some field in X509 extension and then
> save whole certificate with this change to file?

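The reissue flow described in the reply above, as an added example that is not part of the original thread. It assumes a throwaway demo CA that applies the changed extension at signing time with `-extfile`, and it passes `-signkey` because `-x509toreq` needs the subject's private key; all keys, names and file names other than `currentcert.pem`, `currentcert.req` and `newcert.pem` are constructed.

```shell
# Added example. Every key, name and file here is constructed throwaway data.
reissue_with_san() {
    san=$1                        # e.g. "DNS:host.example.test,IP:192.0.2.10"
    work=$(mktemp -d) || return 1
    (
        cd "$work" || exit 1
        # Minimal config so the demo does not depend on the system openssl.cnf.
        printf '[req]\ndistinguished_name=dn\nx509_extensions=v3_ca\n[dn]\nCN=unused\n[v3_ca]\nbasicConstraints=critical,CA:TRUE\n' > demo.cnf
        # Stand-in CA and the "current" certificate, issued without any SAN.
        openssl req -x509 -config demo.cnf -newkey rsa:2048 -nodes -days 30 \
            -subj "/CN=Demo CA" -keyout ca.key -out ca.pem 2>/dev/null || exit 1
        openssl req -config demo.cnf -newkey rsa:2048 -nodes \
            -subj "/CN=host.example.test" -keyout leaf.key -out leaf.req 2>/dev/null || exit 1
        openssl x509 -req -in leaf.req -CA ca.pem -CAkey ca.key -CAcreateserial \
            -days 30 -out currentcert.pem 2>/dev/null || exit 1
        # 1. Turn the certificate back into a request (needs the subject's key).
        openssl x509 -x509toreq -in currentcert.pem -signkey leaf.key \
            -out currentcert.req 2>/dev/null || exit 1
        # 2. Put the changed extension in a config fragment.
        printf 'subjectAltName = %s\n' "$san" > ext.cnf
        # 3. The CA signs a new certificate that carries the extension.
        openssl x509 -req -in currentcert.req -CA ca.pem -CAkey ca.key \
            -CAcreateserial -days 30 -extfile ext.cnf -out newcert.pem 2>/dev/null || exit 1
        # The new signature must verify against the CA before we report success.
        openssl verify -CAfile ca.pem newcert.pem >/dev/null 2>&1 || exit 1
        # Print the SAN line of the reissued certificate.
        openssl x509 -in newcert.pem -noout -text |
            sed -n '/Subject Alternative Name/{n;s/^ *//;p;}'
    )
    rc=$?
    rm -rf "$work"
    return $rc
}
```

The reissued certificate gets a new serial number and signature, so anything that pinned the old certificate has to be updated along with it.
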
Re: X509 extensions

Girish Venkatachalam
There is a utility called "certpatch" developed by
OpenBSD folks for including the SubjAltName extension.
I have modified it a little bit to suit my need.

This utility modifies the certificate in place and
regenerates the hash. Perhaps you can modify it a
little to suit your need.

If all you need is to add an IP address, e-mail or FQDN
SubjAltName extension then this utility may help.

Do let me know if this is what you need and then I can
mail the program that I have.

HTH.

regards,
Girish

--- Kyle Hamilton <[hidden email]> wrote:

> ...you can't, without re-signing the certificate.  (changing the
> certificate data invalidates the signed hash.)
>
> However, if you want to, you can use openssl x509 -x509toreq -in
> currentcert.pem -out currentcert.req .
>
> Then, create a new configuration template file with the information
> you want to rewrite, and then run it through x509 req -in
> currentcert.req -out newcert.req.  Send newcert.req to your certifying
> authority for signing.
>
> -Kyle H
>
> On 2/8/06, [hidden email] <[hidden email]> wrote:
> > How can I rewrite some field in X509 extension and then
> > save whole certificate with this change to file?