Hello everyone, I am trying to add the logotype extension to certificates under a private CA I am taking care of. The CA is built using OpenVPN's Easy-RSA 3 tool, though I think that doesn't matter in this situation. I have some questions regarding this matter. Before digging into details I will tell you the problem I want to solve. I have multiple different logos. Searching the Internet I have found an E-Mail from November 2010 [1]. Based on that information I have reached to the following snippet of configuration: cat ./exts # Logos 1.3.6.1.5.5.7.1.12 = ASN1:SEQUENCE:logotype_ext [logotype_ext] issuerLogo=EXPLICIT:1,IMPLICIT:1,SEQUENCE:logotype_indirect [logotype_indirect] refStructHash=SEQWRAP,SEQUENCE:HashAlgAndValue refStructURI=SEQWRAP,SEQUENCE:IA5String:http://logos.example.org/logo0.png [HashAlgAndValue] hashAlg=SEQUENCE:logo_algid hashValue=FORMAT:HEX,OCTETSTRING:9c2c672338e1a6615ccfa78097c0ed8681e3335d [logo_algid] capabilityID = OID:sha1 parameter = NULL I receive the following error when I try to issue a certificate using openssl. The same when I use the easyrsa wrapper script. $ openssl ca -in 10.req -out 10.crt -config openssl-1.0.cnf -extfile exts -days 3650 -batch Using configuration from openssl-1.0.cnf Check that the request matches the signature Signature ok The Subject's Distinguished Name is as follows countryName :PRINTABLE:'DE' organizationName :ASN.1 12:'10' organizationalUnitName:ASN.1 12:'Cortex AG Trust Network' organizationalUnitName:ASN.1 12:'(c) Cortex AG - For authorized use only!' commonName :ASN.1 12:'Cortex AG Root Certification Authority' ERROR: adding extensions in section default 6987:error:22074074:X509 V3 routines:V3_GENERIC_EXTENSION:extension value error:/SourceCache/OpenSSL098/OpenSSL098-52/src/crypto/x509v3/v3_conf.c:282:value=SEQUENCE:logotype_ext I have tried changing SEQWRAP with SEQUENCE and also variations I have found in [1]. None of them worked. Can someone please tell me what am I doing wrong. Also I have a couple of logos I want to add to the certificate. How would I encode that in openssl.cnf? [1]: http://openssl.6102.n7.nabble.com/Logotype-encoding-td15882.html Thank you, Valentin Bud -------------- next part -------------- An HTML attachment was scrubbed... URL: <http://mta.openssl.org/pipermail/openssl-users/attachments/20150118/aa2c1feb/attachment-0001.html>
