Could OU part of cert cause error?

interprb
2007-07-15
2013-03-09
  • interprb
    2007-07-15

    Hello,

    Could the OU name field cause a mismatch error in authenticating users in any way? Also, I was told that the OU is not part of the cert. Huh??? I assume that they are telling me that the OU part is not part of the validating process. Does this sound right?

    When issuing mail certs to users, what are the most important fields to really pay attention to?

    Thanks for your help.

    Best regards,
    Hi

     
    • interprb
      2007-07-24

      I was reading your previous post about extension settings:

      "generally, the extensions are meant to restrict the usage of the certificate.
      If an extension is missing, it is assumed to "allow all".

      But your users may reject to accept a root CA that authorizes for everything.
      But at least the basic constraints should be there."

      Do I understand correctly that if the settings are not set to match its uses, it could cause problems? For example, if set this way:

      Extensions ==>certificate key usage==>

      field value:
      Not Critical <-- could this cause a problem?
      Signing
      Non-repudiation
      Key Encipherment
      Data Encipherment

      Thanks,
      Hi

       
      • _if_ you set >certificate key usage< you _must_ set it correctly.
        "Correctly" is defined by the purpose of the certificate, how you want to use it.

        Maybe you want to read:
        http://www.openssl.org/docs/apps/x509.html#CERTIFICATE_EXTENSIONS

        "critical" generally means, to a certificate interpreter like Mozilla:
        "If you don't understand this extension, reject the certificate"

        Otherwise, the browser/client/whatever just evaluates and interprets the extensions
        it knows about.

        By "users" I meant humans, who could refuse to install a root certificate
        that allows signing everything.
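
The rules from the reply above, together with the quoted "missing extension means allow all" rule, written out as an added example that is not part of the original thread. The names `Extension`, `check_usage` and `KNOWN` are hypothetical, the certificate is modelled as a plain list rather than parsed from DER, and mapping the viewer's "Signing" label to `digitalSignature` is an assumption.

```python
# Added illustration: simplified model of how a client evaluates X.509 v3
# extensions. Extension, check_usage and KNOWN are hypothetical names.
from dataclasses import dataclass

# Extensions this hypothetical client knows how to interpret.
KNOWN = {"keyUsage", "basicConstraints"}

@dataclass
class Extension:
    name: str
    critical: bool
    value: frozenset = frozenset()

def check_usage(extensions, wanted):
    """Return (accepted, reason) for using the certificate's key for `wanted`."""
    # Rule 1: an unrecognised extension marked critical rejects the certificate.
    for ext in extensions:
        if ext.name not in KNOWN and ext.critical:
            return False, f"unrecognised critical extension: {ext.name}"
    # Rule 2: unrecognised non-critical extensions are simply ignored.
    by_name = {ext.name: ext for ext in extensions}
    # Rule 3: no keyUsage extension at all means no restriction ("allow all").
    key_usage = by_name.get("keyUsage")
    if key_usage is None:
        return True, "no keyUsage extension, usage unrestricted"
    # Rule 4: a keyUsage the client understands is enforced, critical or not,
    # which is why it must be set correctly once it is set.
    if wanted in key_usage.value:
        return True, f"{wanted} permitted by keyUsage"
    return False, f"{wanted} not permitted by keyUsage"

# Constructed sample: the settings listed in the question, marked not critical.
# Assumption: the viewer's "Signing" label corresponds to digitalSignature.
MAIL_CERT = [Extension("keyUsage", False, frozenset({
    "digitalSignature", "nonRepudiation",
    "keyEncipherment", "dataEncipherment"}))]

if __name__ == "__main__":
    for usage in ("digitalSignature", "keyEncipherment", "keyCertSign"):
        print(usage, check_usage(MAIL_CERT, usage))
    # Same certificate plus an extension the client does not recognise.
    for critical in (False, True):
        extra = MAIL_CERT + [Extension("vendorPolicy", critical)]
        print("vendorPolicy critical =", critical,
              check_usage(extra, "digitalSignature"))
```
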

         
    • interprb
      2007-07-25

      Thanks for the read and explanation. Helpful. Question: if any part of the extensions gives an "unsupported extension" error, I am going to have a problem whether critical is marked or not. Right?

      The reason for asking: I was looking at an option to view info about a user and certs (on the server) and saw what might be the problem.

      x509v3 Basic constraints:
      unsupported extension

      key usage:
      unsupported extension

      Thanks again.
      Hi