
adding certificate policies extension in CSR


I am trying to add a "certificate policies" extension in CSR using openssl (version 1.0.1.e).

  1. Is the certificate requester allowed to deal with certificate policies, or should only the CA do it?

  2. Based on function mkreq() in file openssl/demos/x509/openssl/demos/x509/mkreq.c, I added the following line:

     add_ext(exts, NID_certificate_policies, "1.3.6.1");
    

Unfortunately it leads to a segmentation fault. Is the syntax correct? Any clue what is wrong?


Solution

    1. Yes, the certificate requester is allowed to insert a certificate policy or any other extension. But the Certificate Authority might validate the request or reject it.

    2. By default, the openssl configuration file, openssl.cnf, includes the following settings for CSR extensions:

      [ v3_req ]
      
      # Extensions to add to a certificate request
      
      basicConstraints = CA:FALSE
      keyUsage = nonRepudiation, digitalSignature, keyEncipherment 
      

    In order to support the certificate_policies extension, "certificatePolicies" settings have to be added in this section.
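
The setting the answer refers to, shown end to end as an added example that is not part of the original answer: a request config with `certificatePolicies` in `[ v3_req ]`, a CSR built from it, and a check that the extension is present in the request. The subject CN, the `req_dn` section name and the file names are constructed for the demo.

```shell
#!/bin/sh
# Added example: build a CSR that requests the certificatePolicies extension.
# CN, section name req_dn and file names are constructed for this demo.

# Writes a minimal request config, creates key + CSR, prints the CSR as text.
csr_with_policy() {
    policy_oid="$1"                 # e.g. 1.3.6.1, the OID used in the question
    work="$(mktemp -d)" || return 1

    cat > "$work/req.cnf" <<EOF
[ req ]
distinguished_name = req_dn
req_extensions     = v3_req
prompt             = no

[ req_dn ]
CN = csr-policy-demo.example

[ v3_req ]
# Extensions to add to a certificate request
basicConstraints    = CA:FALSE
keyUsage            = nonRepudiation, digitalSignature, keyEncipherment
certificatePolicies = $policy_oid
EOF

    openssl req -new -newkey rsa:2048 -nodes \
        -config "$work/req.cnf" \
        -keyout "$work/key.pem" -out "$work/req.csr" 2>/dev/null \
        || { rm -rf "$work"; return 1; }

    # Dump the request; the extension is listed under "Requested Extensions".
    # OpenSSL prints an OID by its registered name when it has one, so the
    # policy line may show a name rather than the dotted digits.
    openssl req -in "$work/req.csr" -noout -text
    status=$?
    rm -rf "$work"
    return $status
}

# Show the policy extension header and the line that follows it.
csr_with_policy 1.3.6.1 | grep -A1 "X509v3 Certificate Policies"
```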