LinuxQuestions.org
Old 10-10-2003, 02:58 PM   #1
jqcaducifer
Member
 
Registered: Jul 2003
Distribution: Fedora 3
Posts: 133

Rep: Reputation: 15
Thawte Certificate and OpenSSL


Hi

I know how to create a regular X.509 certificate in OpenSSL, but I was wondering what fields I should type in order to correspond with a certificate created from thawte.com Freemail service. Specifically, Thawte has a "USA National Identification" and "National Identity Type". Do these go into the certificate, and if so, how would I put them in a certificate created by OpenSSL?

In short, I want to create a certificate in OpenSSL that is identical to Thawte's Freemail certificates, just with the CA being me, and not Thawte.

Thanks
 
Old 10-11-2003, 07:40 AM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,017
Blog Entries: 54

Rep: Reputation: 2764
If I got it wrong I hope someone corrects me soon but in short: I wouldn't know how to. Thawte states nfo supplied in the "USA National Identification" field is used for their "Web of Trust". I've no need to crack their marketing lingo, but I'd say this is Thawte specific value-added stuff. If the RFC doesn't provide ways to add custom fields/data w/o breaking the standard, then it can't be a part of the cert's data w/o violating the std (not that many companies can't be arsed with keeping up stds anyway when they smell profit). There even is a small chance this could backfire, because if you seek to tweak certs until they look like Thawte certs, (and if you somehow manage to include that Thawte info) then it could be taken as trying to deceive people. Of course they should notice the CA is wonky unless you import the CA first, but nonetheless.
 
Old 10-14-2003, 06:05 PM   #3
frogman
Member
 
Registered: Sep 2003
Distribution: Mandrake, Slack, Debian and PicoBSD
Posts: 181

Rep: Reputation: 30
Sounds like snake-oil from Thawte. Why do you want / need to do this?

Like the man (I assume?) said, it smells fishy. For your own private use / identification within your company / possibly clients your certificates are just as good as Thawte's (and they cost nothing).

We always include telephone / email / address on our (in-house and external) certs, and a handy list of which ones we're using / which are revoked. Never had a problem a phone call couldn't solve.
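
The in-house setup described in the post above, as an added example that is not part of the thread: a private CA issues an e-mail certificate with contact details in the subject, and verification succeeds only against that CA's own certificate. All names, addresses and file names are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): in-house CA + personal e-mail certificate.
# Every name, address and path below is a constructed placeholder.

# make_ca DIR: create a self-signed CA key and certificate in DIR.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -keyout "$1/ca.key" -out "$1/ca.pem" \
    -subj "/O=Example In-House CA/CN=Example Root" 2>/dev/null
}

# issue_user_cert DIR: create a user key and CSR, then sign it with the CA in DIR.
# Contact details go in the subject (emailAddress) and in subjectAltName.
issue_user_cert() {
  openssl req -newkey rsa:2048 -nodes \
    -keyout "$1/user.key" -out "$1/user.csr" \
    -subj "/O=Example Corp/CN=Jane Doe/emailAddress=jane@example.com" 2>/dev/null
  printf '%s\n' \
    'basicConstraints=CA:FALSE' \
    'keyUsage=digitalSignature,keyEncipherment' \
    'extendedKeyUsage=emailProtection' \
    'subjectAltName=email:jane@example.com' > "$1/user.ext"
  openssl x509 -req -in "$1/user.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" \
    -CAcreateserial -days 90 -extfile "$1/user.ext" -out "$1/user.pem" 2>/dev/null
}

# verify_with_ca CERT CAFILE: exit status 0 only if CERT chains to CAFILE.
verify_with_ca() {
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# show_names CERT: print who the certificate is for and who signed it.
show_names() {
  openssl x509 -in "$1" -noout -subject -issuer
}

# Run as "script demo" to see the whole flow in a temporary directory.
if [ "${1:-}" = "demo" ]; then
  dir=$(mktemp -d) && other=$(mktemp -d)
  make_ca "$dir" && issue_user_cert "$dir"
  make_ca "$other"   # same CA name, different key
  show_names "$dir/user.pem"
  verify_with_ca "$dir/user.pem" "$dir/ca.pem"   && echo "issuing CA: verifies"
  verify_with_ca "$dir/user.pem" "$other/ca.pem" || echo "other CA: rejected"
fi
```

The second CA in the demo has the same subject name as the first but a different key, so the check fails on the signature rather than on the name.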
 
Old 10-15-2003, 01:41 PM   #4
jqcaducifer
Member
 
Registered: Jul 2003
Distribution: Fedora 3
Posts: 133

Original Poster
Rep: Reputation: 15
Thanks guys. I was just wondering if Thawte certificates had anything special in them or something due to their US id # and stuff. Guess not.

EDIT
Oh ya, what did you mean when you said "snake-oil from Thawte"? um...what's snake-oil?

Last edited by jqcaducifer; 10-15-2003 at 01:42 PM.
 
Old 10-15-2003, 02:59 PM   #5
cyph3r7
Member
 
Registered: Apr 2003
Location: Silicon Valley East, Northern Virginia
Distribution: FreeBSD,Debian, RH, ok well most of em...
Posts: 238

Rep: Reputation: 30
"snake oil" is a reference to an old scheme where travelling salesmen would roll into a town and try to sell a special "medicine" that would cure whatever the salesmen decided was a good seller. All that was really in the bottle was snake oil. Basically a scam.

As for the cert... Thawte are X.509 compliant, which means all the sub OUs for Thawte-specific info are useless. May be helpful if you are creating trusted Domains and maybe need to know which domain is which. Or possibly Thawte has an expensive tool that you can buy that uses this extra info.
 
Old 10-16-2003, 06:43 PM   #6
jqcaducifer
Member
 
Registered: Jul 2003
Distribution: Fedora 3
Posts: 133

Original Poster
Rep: Reputation: 15
haha snake-oil new vocab learned
Thanks
 
  

