Welcome to the most active Linux Forum on the web.
Go Back > Forums > Linux Forums > Linux - Security
User Name
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.


  Search this Thread
Old 10-10-2003, 03:58 PM   #1
Registered: Jul 2003
Distribution: Fedora 3
Posts: 133

Rep: Reputation: 15
Thawte Certificate and OpenSSL


I know how to create a regular X.509 certificate in OpenSSL, but I was wondering what fields I should type in order to correspond with a certificate created from Freemail service. Specifically, Thawte has a "USA National Identification" and "National Identity Type". Do these go into the certificate, and if so, how would I put them in a certificate created by OpenSSL?

In short, I want to create a certificate in OpenSSL that is identical to Thawte's Freemail certificates, just with the CA being me, and not Thawte.

Old 10-11-2003, 08:40 AM   #2
Registered: May 2001
Posts: 29,360
Blog Entries: 55

Rep: Reputation: 3547Reputation: 3547Reputation: 3547Reputation: 3547Reputation: 3547Reputation: 3547Reputation: 3547Reputation: 3547Reputation: 3547Reputation: 3547Reputation: 3547
If I got it wrong I hope someone corrects me soon but in short: I wouldn't know how to. Thawte states nfo supplied in the "USA National Identification" field is used for their "Web of Trust". I've no need to crack their marketing lingo, but I'd say this is Thawte specific value-added stuff. If the RFC doesn't provide ways to add custom fields/data w/o breaking the standard, then it can't be a part of the cert's data w/o violating the std (not that many companies can't be arsed with keeping up stds anyway when they smell profit). There even is a small chance this could backfire, because if you seek to tweak certs until they look like Thawte certs, (and if you somehow manage to include that Thawte info) then it could be taken as trying to deceive people. Of course they should notice the CA is wonky unless you import the CA first, but nonetheless.
Old 10-14-2003, 07:05 PM   #3
Registered: Sep 2003
Distribution: Mandrake, Slack, Debian and PicoBSD
Posts: 181

Rep: Reputation: 31
Sounds like snake-oil from Thawte. Why do you want / need to do this?

Like the man (i assume?) said, it smells fishy. For your own private use / identification within your company / possibly clients your certificates are just as good as Thawtes (and they cost nothing).

We always include telephone / email / address on our (in-house and external) certs, and a handy list of which ones we're using / which are revoked. Never had a problem a phone call couldn't solve.
Old 10-15-2003, 02:41 PM   #4
Registered: Jul 2003
Distribution: Fedora 3
Posts: 133

Original Poster
Rep: Reputation: 15
Thanks guys. I was just wondering if Thawte certificates had anything special in them or something due to their US id # and stuff. Guess not.

Oh ya, what did you mean when you said "snake-oil from Thawte"? um...what's snake-oil?

Last edited by jqcaducifer; 10-15-2003 at 02:42 PM.
Old 10-15-2003, 03:59 PM   #5
Registered: Apr 2003
Location: Silicon Valley East, Northern Virginia
Distribution: FreeBSD,Debian, RH, ok well most of em...
Posts: 238

Rep: Reputation: 30
"snake oil" is a reference to an old scheme where travelling salesmen would roll into a town and try to sell a special "medicine" that would cure whatever the salesmen decided was a good seller. All that was really in the bottle was snake oil. Basically a scam.

As for the cert.....Thawte are x.509 compliant which means all the sub OU's for Thawte specific info is useless. May be helpful if you are creating trusted Domains and maybe need to know which domain is which. Or possibly Thawte has a an expensive tool that you can buy that uses this extra info.
Old 10-16-2003, 07:43 PM   #6
Registered: Jul 2003
Distribution: Fedora 3
Posts: 133

Original Poster
Rep: Reputation: 15
haha snake-oil new vocab learned


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off

Similar Threads
Thread Thread Starter Forum Replies Last Post
Openssl - verify wheather certificate is revoked djgerbavore Linux - Security 1 11-21-2005 08:20 AM
How to create OpenSSL certificate for use in IIS 6.0 Pastorino Linux - Security 3 09-23-2005 08:50 AM
why can't i generate a new certificate with openssl? achouramira Linux - Security 1 04-28-2005 08:15 AM
OpenSSL + Apache certificate, how? The_Nerd Linux - Software 2 12-26-2004 10:18 PM
Certificate with OpenSSL gr33ndata Linux - Security 3 10-03-2003 08:39 AM > Forums > Linux Forums > Linux - Security

All times are GMT -5. The time now is 03:44 PM.

Main Menu
Write for LQ is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration