LinuxQuestions.org

LinuxQuestions.org (/questions/)
-   Linux - Security (http://www.linuxquestions.org/questions/linux-security-4/)
-   -   Thawte Certificate and OpenSSL (http://www.linuxquestions.org/questions/linux-security-4/thawte-certificate-and-openssl-102547/)

jqcaducifer 10-10-2003 02:58 PM

Thawte Certificate and OpenSSL
 
Hi

I know how to create a regular X.509 certificate in OpenSSL, but I was wondering what fields I should type in order to correspond with a certificate created from thawte.com Freemail service. Specifically, Thawte has a "USA National Identification" and "National Identity Type". Do these go into the certificate, and if so, how would I put them in a certificate created by OpenSSL?

In short, I want to create a certificate in OpenSSL that is identical to Thawte's Freemail certificates, just with the CA being me, and not Thawte.

Thanks

unSpawn 10-11-2003 07:40 AM

If I got it wrong I hope someone corrects me soon but in short: I wouldn't know how to. Thawte states nfo supplied in the "USA National Identification" field is used for their "Web of Trust". I've no need to crack their marketing lingo, but I'd say this is Thawte specific value-added stuff. If the RFC doesn't provide ways to add custom fields/data w/o breaking the standard, then it can't be a part of the cert's data w/o violating the std (not that many companies can't be arsed with keeping up stds anyway when they smell profit). There even is a small chance this could backfire, because if you seek to tweak certs until they look like Thawte certs, (and if you somehow manage to include that Thawte info) then it could be taken as trying to deceive people. Of course they should notice the CA is wonky unless you import the CA first, but nonetheless.

frogman 10-14-2003 06:05 PM

Sounds like snake-oil from Thawte. Why do you want / need to do this?

Like the man (i assume?) said, it smells fishy. For your own private use / identification within your company / possibly clients your certificates are just as good as Thawtes (and they cost nothing).

We always include telephone / email / address on our (in-house and external) certs, and a handy list of which ones we're using / which are revoked. Never had a problem a phone call couldn't solve.

jqcaducifer 10-15-2003 01:41 PM

Thanks guys. I was just wondering if Thawte certificates had anything special in them or something due to their US id # and stuff. Guess not.

EDIT
Oh ya, what did you mean when you said "snake-oil from Thawte"? um...what's snake-oil? :confused:

cyph3r7 10-15-2003 02:59 PM

"snake oil" is a reference to an old scheme where travelling salesmen would roll into a town and try to sell a special "medicine" that would cure whatever the salesmen decided was a good seller. All that was really in the bottle was snake oil. Basically a scam.

As for the cert.....Thawte are x.509 compliant which means all the sub OU's for Thawte specific info is useless. May be helpful if you are creating trusted Domains and maybe need to know which domain is which. Or possibly Thawte has a an expensive tool that you can buy that uses this extra info. ;)

jqcaducifer 10-16-2003 06:43 PM

haha snake-oil :) new vocab learned
Thanks


All times are GMT -5. The time now is 09:11 AM.