I know how to create a regular X.509 certificate in OpenSSL, but I was wondering what fields I should type in order to correspond with a certificate created from thawte.com Freemail service. Specifically, Thawte has a "USA National Identification" and "National Identity Type". Do these go into the certificate, and if so, how would I put them in a certificate created by OpenSSL?
In short, I want to create a certificate in OpenSSL that is identical to Thawte's Freemail certificates, just with the CA being me, and not Thawte.
If I got it wrong I hope someone corrects me soon but in short: I wouldn't know how to. Thawte states info supplied in the "USA National Identification" field is used for their "Web of Trust". I've no need to crack their marketing lingo, but I'd say this is Thawte specific value-added stuff. If the RFC doesn't provide ways to add custom fields/data w/o breaking the standard, then it can't be a part of the cert's data w/o violating the std (not that many companies can't be arsed with keeping up stds anyway when they smell profit). There even is a small chance this could backfire, because if you seek to tweak certs until they look like Thawte certs, (and if you somehow manage to include that Thawte info) then it could be taken as trying to deceive people. Of course they should notice the CA is wonky unless you import the CA first, but nonetheless.
Sounds like snake-oil from Thawte. Why do you want / need to do this?
Like the man (I assume?) said, it smells fishy. For your own private use / identification within your company / possibly clients your certificates are just as good as Thawte's (and they cost nothing).
We always include telephone / email / address on our (in-house and external) certs, and a handy list of which ones we're using / which are revoked. Never had a problem a phone call couldn't solve.
"snake oil" is a reference to an old scheme where travelling salesmen would roll into a town and try to sell a special "medicine" that would cure whatever the salesmen decided was a good seller. All that was really in the bottle was snake oil. Basically a scam.
As for the cert... Thawte are X.509 compliant, which means all the sub OUs for Thawte specific info are useless. May be helpful if you are creating trusted Domains and maybe need to know which domain is which. Or possibly Thawte has an expensive tool that you can buy that uses this extra info.
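An added example, not part of any post in this thread and not Thawte's method: one way to carry a custom subject attribute in an S/MIME certificate issued by your own OpenSSL CA, using the config file's `oid_section`. The OID `2.999.1` (from the arc reserved for examples), the attribute name `nationalIdType`, its value and all subject names are placeholders; the thread does not say which OIDs or attribute names Thawte used.

```shell
#!/bin/sh
# Added example. Placeholders (assumptions): OID 2.999.1, the attribute name
# nationalIdType, its value, and all subject names below.

make_certs() {   # $1 = empty working directory
  cat > "$1/openssl.cnf" <<'EOF'
oid_section = new_oids
[ new_oids ]
nationalIdType = 2.999.1
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = Example User
emailAddress = user@example.org
nationalIdType = Passport
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[ smime_ext ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = emailProtection
subjectAltName = email:user@example.org
EOF
  # Self-signed private CA (the -subj value overrides the [ dn ] section).
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -config "$1/openssl.cnf" \
    -extensions ca_ext -subj "/CN=Example Private CA" \
    -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null &&
  # CSR whose subject carries the custom attribute registered in [ new_oids ].
  openssl req -new -newkey rsa:2048 -nodes -config "$1/openssl.cnf" \
    -keyout "$1/user.key" -out "$1/user.csr" 2>/dev/null &&
  # The CA signs the CSR and adds the S/MIME extensions.
  openssl x509 -req -in "$1/user.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" \
    -CAcreateserial -days 30 -extfile "$1/openssl.cnf" -extensions smime_ext \
    -out "$1/user.pem" 2>/dev/null
}

# A verifier that has not loaded this config sees the attribute by its dotted OID.
has_custom_attr() { openssl x509 -in "$1" -noout -subject | grep -q '2\.999\.1'; }

# The chain validates for S/MIME signing only against the private CA file.
chain_ok() { openssl verify -purpose smimesign -CAfile "$1/ca.pem" "$1/user.pem" >/dev/null 2>&1; }

d=$(mktemp -d) && make_certs "$d" && openssl x509 -in "$d/user.pem" -noout -subject -issuer
```

The issuer line still names the private CA, so a relying party that has not imported `ca.pem` will reject the chain regardless of what the subject contains.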