How to add CT Precertificate SCTs to a server certificate?

On Mon, Apr 20, 2015, Salz, Rich wrote:

> > How do we use `openssl req` and a CONF file to add the information
> > (assuming we already have the certified timestamps)?
> 
> Ouch, that's gonna be nasty.  Look at ASN1_generate_nconf.pod.  Most likely have to use the SEQUENCE type, recursively.  Ouch indeed.
> 
> A patch to let you specify the DER directly would be useful.
> 

You can use DER directly but CTs (at least those I've seen) don't use DER or
ASN.1 internally: they use TLS-like syntax contained in an OCTET STRING wrapper.

So if you have the encoding of the CT you use the ASN.1 generator to produce
an OCTET STRING and place the hex form of the CT in that.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
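
Added example, not part of the original post: a Python sketch of the approach in the reply above, serializing SCTs in the TLS-style syntax of RFC 6962 and emitting CONF lines that wrap the list in an OCTET STRING under the embedded SCT list OID. The log ID, timestamp and signature bytes are constructed placeholders, and the function names are this example's own.

```python
import struct

SCT_LIST_OID = "1.3.6.1.4.1.11129.2.4.2"  # embedded SCT list extension (RFC 6962)

def build_sct(log_id, timestamp_ms, hash_alg, sig_alg, signature, extensions=b""):
    """Serialize one v1 SCT in the TLS presentation syntax of RFC 6962."""
    if len(log_id) != 32:
        raise ValueError("log_id must be the 32-byte SHA-256 of the log key")
    return (b"\x00" + log_id                                # version v1, LogID
            + struct.pack(">Q", timestamp_ms)               # uint64 ms since epoch
            + struct.pack(">H", len(extensions)) + extensions
            + bytes([hash_alg, sig_alg])                    # digitally-signed header
            + struct.pack(">H", len(signature)) + signature)

def build_sct_list(scts):
    """SignedCertificateTimestampList: uint16 total, then uint16-prefixed SCTs."""
    body = b"".join(struct.pack(">H", len(s)) + s for s in scts)
    if not scts or len(body) > 0xFFFF:
        raise ValueError("list must hold 1..65535 bytes of SCTs")
    return struct.pack(">H", len(body)) + body

def der_octet_string(content):
    """DER OCTET STRING with short- or long-form definite length."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(raw)]) + raw
    return b"\x04" + length + content

def openssl_conf_lines(sct_list):
    """Return (ASN1-generator form, raw DER form) for an extensions section."""
    asn1 = f"{SCT_LIST_OID} = ASN1:FORMAT:HEX,OCTETSTRING:{sct_list.hex().upper()}"
    der = ":".join(f"{b:02X}" for b in der_octet_string(sct_list))
    return asn1, f"{SCT_LIST_OID} = DER:{der}"

# Constructed sample values: not a real log ID or a valid signature.
SAMPLE_SCT = build_sct(bytes(range(32)), 1429488000000, 4, 3, bytes(8))
SAMPLE_LIST = build_sct_list([SAMPLE_SCT])

if __name__ == "__main__":
    for line in openssl_conf_lines(SAMPLE_LIST):
        print(line)
```

Both lines encode the same extension value, so only one of them belongs in the extensions section of the CONF file.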

