Creating an EV Certificate Request in OpenSSL

Quick technical FAQ as it has just taken me over 2 hours to find out how to do this…

When generating a CSR (Certificate Signing Request) for an EV (Extended Validation) certificate, there are some required fields. These required fields are very well documented (probably too well); the problem you will find is that trying to generate the EV request often fails with:

Subject Attribute businessCategory has no known NID, skipped
problems making Certificate Request
5478:error:0D07A097:asn1 encoding routines:ASN1_mbstring_copy:string too long:/usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/asn1/a_mbstr.c:154:maxsize=2

The solution is to add the OID for businessCategory. Some documentation will indicate that this is possible by just using the OID in the subject… Forget it, it doesn’t work. The correct solution is to modify your openssl.cnf file (/usr/local/etc/openssl.cnf, /etc/ssl/openssl.cnf and /etc/openssl.cnf are common locations).

Under the section “new_oids” (create one if it doesn’t exist) add the following:

[ new_oids ]


Then you can use the following command to generate the CSR and a new key for the server:

openssl req -new -newkey rsa:2048 -out ev-key.csr -subj '/CN=<webserver name eg Company Ltd/businessCategory=V1.0, Clause 5.(b)/jurisdictionOfIncorporationCountryName=<country code of registration of ‘My Company Ltd’/C=<country>/streetAddress=<business address>/ST=<state>/serialNumber=<company incorporation number for “My Company Ltd”>'

Note: because braces are used, you need to use single quotes to surround the subject. Also, EV certificates cannot be issued to wildcard CNs, so don’t waste your time.
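A self-contained request configuration for the steps above, added here as an example; it is not the original post's configuration, whose [ new_oids ] entries did not survive on this page. The OID values are the standard assignments (X.520 for businessCategory, and the value listed in the CA/Browser Forum EV Guidelines for the jurisdiction country). The file names and all subject values are constructed placeholders, and it assumes an OpenSSL build that does not already define these two names, which is the situation the error above indicates.

```ini
# ev.cnf (constructed example; file names and subject values are placeholders)
# Use in place of -subj:
#   openssl req -new -newkey rsa:2048 -config ev.cnf -out ev-key.csr
# Check the result before sending it to the CA:
#   openssl req -in ev-key.csr -noout -subject

# Must sit in the default (unnamed) section at the top of the file:
# without this line the [ new_oids ] section below is never read.
oid_section = new_oids

[ new_oids ]
# name = dotted OID
businessCategory = 2.5.4.15
jurisdictionOfIncorporationCountryName = 1.3.6.1.4.1.311.60.2.1.3

[ req ]
prompt             = no
default_md         = sha256
default_keyfile    = ev-key.pem
distinguished_name = ev_subject

[ ev_subject ]
# Same attributes as the -subj string above; no shell quoting is needed here.
CN = www.example.com
# O is an assumption: the -subj string on this page is cut off at that point.
O  = My Company Ltd
businessCategory = V1.0, Clause 5.(b)
jurisdictionOfIncorporationCountryName = GB
C  = GB
ST = Example State
streetAddress = 1 Example Street
serialNumber = 00000000
```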

Facebook does it again…

When will Facebook ever learn…?! (and when will I learn!)

I have a Facebook account to keep in touch with old friends, and to showcase the photos I take at parties and events. I have over 500 people on my profile, of which probably less than 100 are my friends; the rest are people I have taken pictures of and are usually friends of friends. I have various settings on the account to prevent access to my wall and other information that I want to share with friends, but have always been liberal with the settings as there isn’t any information there that people can’t find out about me with minimal research. My ‘wall’ has always been a bone of contention though as I say things that are on my mind at a particular time (good or bad), and therefore I have always tried to keep that to friends only.

Someone I love used to be linked on my profile, and over the last few days I have been dismayed at how people will not respect my privacy and keep repeating things to that person. I decided to try and put an end to the “he said, she said” and spent a not insignificant amount of time working on the privacy settings Facebook provides to lock down the profile so that my friends can see it and those mutual friends (which include a couple of people that I have in my “true friends” list) and all others that are ‘just there for the photos’ cannot see anything but the photos and basic information about me.

To do this lockdown procedure I found that Facebook provides a convenient interface under ‘Privacy Settings’ – ‘Customize’ which has 2 variable length fields. The first is who you show your information to, the second is whom you hide it from. The interface describes this as “…. can see this, except these …” where the first is something like “Friends only” or “Friends of Friends” and the second is a name of someone, or a group eg “No Access” or “Photos only” in my case.

Now here comes the punch line. It seems if you add a group, Facebook will completely ignore it for at least the status. I haven’t gone further into testing, as I’m sure others will, but now I know how the information I thought I had diligently protected on my profile was getting out to the masses that I had thought that I had blocked.

If anyone wants to test this, it’s simple: create a group “No Access”, add one friend to the group, set all your settings to allow ‘Friends only’ except (ie hide from) ‘No Access’ and add a second friend to the “Hide from” (by name, not a group). Go back to the privacy page and click ‘Preview my profile’; you should find only a small amount of information (if any), which will be what ‘complete unknown people’ will see. In the top bar you’ll see “Preview my profile as…” where you can put in the name of someone. First select a friend that is not in the ‘No Access’ group, and view your profile; you should see everything that has been set to “Friends Only”. Next go back and put in the name of the friend you added to the “No Access” group, and the next page… Horror of horrors will show your status (and maybe other stuff). Finally put the name of the other person you named to “Hide from” and you will find what you expect: they cannot see the information.

Message to Facebook staff: when will you ever get it right?

UPDATE: It seems that someone over at Facebook is on the ball; I posted this message to a couple of forums where I know the staff at Facebook hang out, and it’s fixed already.

The True Colours of HP Printers…

Well, I’m sure you’ll remember my previous 2 articles (here and here) on HP Printer Cartridges, and their deliberate regionalisation so that anyone who moves country has to throw away a perfectly good printer (even if it’s only a few months old) and how very “Not Green” the whole practice is. Well, after my original article where “The Inquirer” picked it up, HP Customer Care contacted me and indicated that the HP363 Cartridges are the same as the HP02 Cartridges, just they are localised for use in “Western Europe”.

Yesterday after waiting for 6 weeks for the order, 2 packs of six HP-363 cartridges were made available to me for a not so small sum of