> On Sep 25, 2018, at 14:34, Krehbiel, Richard <rkrehbiel@xxxxxxxxxx> wrote: > > For my testing I want to explore the behaviors of policies, policy constraints, and policy mappings. I have figured out how to request and issue certs with custom policy OIDs, but I haven't yet seen a method of granting an intermediate cert with policy mappings. Can openssl do this? How? Thanks. Yes, I've used "openssl ca" to make certs with policy mappings in the past. Try something like this in your openssl.cnf, for use with "openssl ca -extensions test_ext" for example. (I haven't tested with these exact values, but it should be a starting point.) [openssl_init] oid_section = new_oids ... [new_oids] issuerOID = Issuer Domain Policy, 1.2.3.4.5 subjectOID = Subject Domain Policy, 1.3.5.7.9 ... [test_ext] policyMappings = @policy_mappings ... [policy_mappings] issuerOID = subjectOID And if you want to map more than one subject domain policy OID to the same issuer domain policy OID, you can use issuerOID.0, issuerOID.1, issuerOID.2, etc, to differentiate them in the policy_mappings section. Good luck, -Dave -- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
