Could OU part of cert cause error?

    interprb - 2007-07-15


    Could the OU name field cause a mismatch error in authenticating users in any way? Also, I was told that the OU is not part of the cert. Huh??? I assume that they are telling me that the OU part is not part of the validating process. Does this sound right?

    When issuing mail certs to users, what are the most important fields to really pay attention to?

    Thanks for your help.

    Best regards,

      interprb - 2007-07-24

      I was reading your previous post about extension settings:

      "generally, the extensions are meant to restrict the usage of the certificate.
      If an extension is missing, it is assumed to "allow all".

      But your users may reject to accept a root CA that authorizes for everything.
      But at least the basic constraints should be there."

      Do I understand correctly that if the settings are not set to their uses it could cause problems? For example, if set this way:

      Extensions ==>certificate key usage==>

      field value:
      Not Critical <-- could this cause a problem?
      Key Encipherment
      Data Encipherment


      • Christian Hohnstaedt

        _if_ you set >certificate key usage< you _must_ set it correctly.
        "Correctly" is defined by the purpose of the certificate, how you want to use it.

        Maybe you want to read:

        "critical" generally means to the certificate interpreter, like Mozilla:
        "If you don't understand this extension, reject the certificate"

        Otherwise, the browser/client/whatever just evaluates and interprets the extensions
        it knows about.

        With "users" I meant humans, who could refuse to install a root certificate
        that allows signing everything.
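
The rule described in the reply above, as an added example that is not part of the original thread or of any tool mentioned in it: a standard-library sketch that parses DER-encoded extensions, rejects an unknown critical extension, ignores an unknown non-critical one, and still enforces a recognized keyUsage even when it is marked not critical. The sample bytes are constructed, and `evaluate`, `needed_usage` and the other names are assumptions of this example.

```python
# Added example with constructed DER samples; Python standard library only.
KNOWN = {bytes.fromhex("551d0f"): "keyUsage",          # OID 2.5.29.15
         bytes.fromhex("551d13"): "basicConstraints"}  # OID 2.5.29.19
KU_BITS = ["digitalSignature", "nonRepudiation", "keyEncipherment",
           "dataEncipherment", "keyAgreement", "keyCertSign", "cRLSign"]

def tlv(buf, pos):
    """Read one DER TLV (short-form lengths only): (tag, value, next_pos)."""
    tag, length = buf[pos], buf[pos + 1]
    if length & 0x80 or pos + 2 + length > len(buf):
        raise ValueError("long-form or truncated length")
    return tag, buf[pos + 2:pos + 2 + length], pos + 2 + length

def parse_extension(der):
    """Extension ::= SEQUENCE { extnID, critical DEFAULT FALSE, extnValue }."""
    _, body, _ = tlv(der, 0)
    _, oid, pos = tlv(body, 0)
    tag, val, pos = tlv(body, pos)
    critical = False
    if tag == 0x01:                       # optional BOOLEAN is present
        critical = val != b"\x00"
        tag, val, pos = tlv(body, pos)    # now the extnValue OCTET STRING
    return oid, critical, val

def key_usage_bits(extn_value):
    """Decode the KeyUsage BIT STRING (octet 0 is the unused-bit count)."""
    _, bits, _ = tlv(extn_value, 0)
    return {n for i, n in enumerate(KU_BITS)
            if len(bits) > 1 and bits[1] & (0x80 >> i)}

def evaluate(extensions, needed_usage):
    """Return (accepted, reason); needed_usage is a hypothetical parameter."""
    for der in extensions:
        oid, critical, val = parse_extension(der)
        name = KNOWN.get(oid)
        if name is None:
            if critical:
                return False, "unknown critical extension"
            continue                      # unknown and non-critical: ignored
        if name == "keyUsage" and needed_usage not in key_usage_bits(val):
            return False, "keyUsage lacks " + needed_usage
    return True, "ok"

# Constructed samples. KU_ENC mirrors the question: not critical,
# Key Encipherment + Data Encipherment. 2.999.1 is an example-arc OID.
KU_ENC = bytes.fromhex("300b0603551d0f040403020430")
UNKNOWN_NONCRIT = bytes.fromhex("3009060388370104020500")
UNKNOWN_CRIT = bytes.fromhex("300c06038837010101ff04020500")
```

With these samples the certificate is usable for encrypting to the holder but fails a signing check, regardless of the "Not Critical" flag on key usage.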

    • interprb

      interprb - 2007-07-25

      Thanks for the read and explanation. Helpful. Question: if any part of the extensions gives an "unsupported extension" error, I am going to have a problem whether critical is marked or not. Right?

      The reason for asking: I was looking at an option to view info about a user and certs (on the server) and saw what might be the problem.

      x509v3 Basic constraints:
      unsupported extension

      key usage:
      unsupported extension

      Thanks again.


