certtool and SAN URI population

peter williams home_pw at msn.com
Sat Feb 26 20:53:01 CET 2011


I'm considering altering files in the certtool(1) implementation so it is
easy in the "template" configuration file to specify a value for the "SAN
URI" fields of SSL client certs.

It's already easy to specify a SAN domain-name field via the template.

If I do it, would someone consider the code changes for inclusion in the
package? The changes are in support of a W3C incubator project applying
client SSL certs which have a URI as name form.

Can anyone think of a way to use the template file to include a SAN URI
field in an SSL client cert, using the current release of certtool(1)?
(Perhaps there is a syntax for adding an arbitrary extension value,
expressed in hex.)

Here is what I want the gnutls test site to do when showing a SAN URI. This
was done using someone's cert minting web site to create/manage the SSL
client cert, rather than using certtool(1).

This is GNUTLS

Session ID: 02000000F4FFE0B7B67C08080400000000000000C60100001000000002000000
If your browser supports session resuming, then you should see the same
session ID, when you press the reload button.

Server Name: test.gnutls.org
Ephemeral DH using prime of 1024 bits.

Protocol version:   TLS1.1
Certificate Type:   X.509
Key Exchange:       DHE-RSA
Compression         NULL
Cipher              AES-256-CBC
MAC                 SHA1
Ciphersuite         DHE_RSA_AES_256_CBC_SHA1

X.509 Certificate Information:
    Version: 3
    Serial Number (hex): 4b45d7295406364afe32d209942be329
    Issuer: O=FOAF\+SSL,OU=The Community of Self Signers,CN=Not a Certification Authority
    Validity:
        Not Before: Sat Feb 26 16:49:18 UTC 2011
        Not After: Fri Feb 17 18:49:18 UTC 2012
    Subject: O=FOAF\+SSL,OU=The Community Of Self Signers,UID=http://webid.myxwiki.org/xwiki/bin/view/XWiki/homepw4#me,CN=homepw4
    Subject Public Key Algorithm: RSA
        Modulus (bits 1536):
        Exponent (bits 24):
            01:00:01
    Extensions:
        Basic Constraints (critical):
            Certificate Authority (CA): FALSE
        Key Usage (critical):
            Digital signature.
            Non repudiation.
            Key encipherment.
            Key agreement.
            Certificate signing.
        Unknown extension 2.16.840.1.113730.1.1 (not critical):
            ASCII: ....
            Hexdump: 030205a0
        Subject Key Identifier (not critical):
            27273521ca35671123bb281c46903fc2f43051c0
        Subject Alternative Name (critical):
            URI: http://webid.myxwiki.org/xwiki/bin/view/XWiki/homepw4#me
    Signature Algorithm: RSA-SHA
    Signature:
Other Information:
    MD5 fingerprint: cd3af2ec77b2421229ea61a88d3a181a
    SHA-1 fingerprint: 1ee2e509ed8d61251ee10b7078ae9202129b3f76
    Public Key Id: 6a651cf7e0a7f791ba8f29ebb201822e354b49f6

Your HTTP header was:
User-Agent: Opera/9.80 (Windows NT 6.1; U; en) Presto/2.7.62 Version/11.01
Host: test.gnutls.org:5556
Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
Accept-Language: en-US,en;q=0.9
Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
Referer: http://www.gnu.org/software/gnutls/server.html
Connection: Keep-Alive
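
The message above asks whether a SAN URI could be supplied as an arbitrary extension value expressed in hex. As an added example, not code from the original post or from GnuTLS, the following standard-library Python produces the DER bytes of a SubjectAltName extension value (OID 2.5.29.17) holding the WebID URI from the certificate dump, and decodes them back as a check; the function names are my own.

```python
# Added example, not from the original post or from GnuTLS: DER-encode the
# value of a Subject Alternative Name extension (OID 2.5.29.17) carrying a
# URI, i.e. the bytes a raw hex extension value would have to spell out.
# Standard library only; function names are my own.
from typing import Iterable, List, Tuple
# GeneralName CHOICE tags, RFC 5280 4.2.1.6 (context-specific, primitive):
# rfc822Name [1], dNSName [2], uniformResourceIdentifier [6]
GENERAL_NAME_TAGS = {"email": 0x81, "dns": 0x82, "uri": 0x86}
TAG_TO_KIND = {v: k for k, v in GENERAL_NAME_TAGS.items()}

def der_len(n: int) -> bytes:
    """DER length octets: short form under 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def der_tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + der_len(len(content)) + content

def encode_san(names: Iterable[Tuple[str, str]]) -> bytes:
    """GeneralNames ::= SEQUENCE OF GeneralName; all choices here are IA5String."""
    items = b"".join(der_tlv(GENERAL_NAME_TAGS[kind], value.encode("ascii"))
                     for kind, value in names)
    return der_tlv(0x30, items)  # 0x30 = SEQUENCE

def read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Return (tag, content, next_pos); accepts short and long length forms."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_san(der: bytes) -> List[Tuple[str, str]]:
    """Inverse of encode_san; rejects trailing bytes and a non-SEQUENCE outer tag."""
    tag, body, end = read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("not a well-formed GeneralNames SEQUENCE")
    out, pos = [], 0
    while pos < len(body):
        t, content, pos = read_tlv(body, pos)
        out.append((TAG_TO_KIND.get(t, "other"), content.decode("ascii")))
    return out

# The WebID URI shown in the certificate dump of the post above
WEBID_URI = "http://webid.myxwiki.org/xwiki/bin/view/XWiki/homepw4#me"

if __name__ == "__main__":
    der = encode_san([("uri", WEBID_URI)])
    print(der.hex())        # starts 303a8638: SEQUENCE(58) { [6] IA5String(56) }
    print(decode_san(der))  # [('uri', 'http://webid...homepw4#me')]
```

The hex string printed is the extnValue contents; a certtool template feature for raw extensions would also need the OID and the critical flag, which the dump above shows as 2.5.29.17 and critical.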