[gnutls-help] deleting an extension from a x509 certificate

DEXTER mydexterid at gmail.com
Thu May 22 11:42:38 CEST 2014


Sure. In a proxy firewall environment, you have the server's certificate,
and you want to copy that cert exactly as is, but you want to remove some
of the extensions and show that to the client.
In case of OpenSSL you have an api for that:

int idx = X509_get_ext_by_NID( cert, nid, -1 ); //get the index
X509_EXTENSION *ext = X509_get_ext(cert, idx); //get the extension
if (ext != NULL){ //check that the extension was found
    X509_delete_ext(cert, idx); //delete the extension
    X509_EXTENSION_free(ext); //free the memory
}


It would be great if GnuTLS had this functionality too.

Without this api, can you tell me what is the way to copy a certificate and
only remove some of the extensions from it?

Thanks.


On Thu, May 22, 2014 at 9:03 AM, Nikos Mavrogiannopoulos <nmav at gnutls.org> wrote:

> On Wed, May 21, 2014 at 4:28 PM, DEXTER <mydexterid at gmail.com> wrote:
> > Hi,
> >
> > Is there a way to delete an extension from an x509 certificate?
> > I found no API to do that, only get/set apis.
> > Also found a very old patch here:
> > http://marc.info/?l=gnupg-commit-watchers&m=108192753710809
> > removing the ability to delete an extension.
>
> It was never part of the API, as it is designed around the generate
> and read use-cases. Could you describe your use case for that
> functionality?
>
> regards,
> Nikos
>
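
Added example (not part of the original thread, and not code from GnuTLS or OpenSSL): what deleting one extension means at the DER level, without either library. Every enclosing length up to the Certificate changes, so the original signature over TBSCertificate no longer matches and the proxy has to re-sign the copy with its own CA key. The names cert_strip_extension, der_filter, der_hdr, der_put_hdr and the SAMPLE bytes are assumptions made for this illustration.

```c
#include <stdint.h>
#include <string.h>
#define DER_ERR ((size_t)-1)
static const uint8_t SAMPLE[40] = { /* constructed skeleton, not a real certificate */
  0x30,0x26,0x30,0x1E,0x02,0x01,0x01,0xA3,0x19,0x30,0x17,0x30,0x09,0x06,0x03,0x55,0x1D,0x13,0x04,0x02,
  0x30,0x00,0x30,0x0A,0x06,0x03,0x55,0x1D,0x0E,0x04,0x03,0x04,0x01,0xAA,0x30,0x00,0x03,0x02,0x00,0xFF};
/* Read the tag/length header at p; returns its size, 0 if malformed. */
static size_t der_hdr(const uint8_t *p, const uint8_t *end, size_t *len) {
    size_t avail = (size_t)(end - p), n, h = 2, k;
    if (avail < 2 || (p[0] & 0x1f) == 0x1f) return 0;    /* no multi-byte tags */
    if ((n = p[1]) & 0x80) {                             /* long-form length */
        k = n & 0x7f;
        if (k == 0 || k > 4 || avail < 2 + k) return 0;
        for (n = 0; h < 2 + k; h++) n = (n << 8) | p[h];
    }
    *len = n;
    return avail - h < n ? 0 : h;                        /* value must fit in input */
}
/* Write tag plus minimal definite length; returns the header size. */
static size_t der_put_hdr(uint8_t *out, uint8_t tag, size_t len) {
    size_t k = 0, i, t;
    out[0] = tag;
    if (len < 0x80) { out[1] = (uint8_t)len; return 2; }
    for (t = len; t; t >>= 8) k++;
    out[1] = (uint8_t)(0x80 | k);
    for (i = 0; i < k; i++) out[2 + i] = (uint8_t)(len >> (8 * (k - 1 - i)));
    return 2 + k;
}
/* Levels 0..3 follow Certificate, TBSCertificate, [3], Extensions; level 4 items are Extensions. */
static size_t der_filter(const uint8_t *p, const uint8_t *end, int level,
                         const uint8_t *oid, size_t oid_len, uint8_t *out) {
    static const uint8_t path[4] = {0x30, 0x30, 0xA3, 0x30};
    size_t w = 0, h, n = 0, m, nh, first = 1;
    for (; p < end; p += h + n, first = 0) {
        if (!(h = der_hdr(p, end, &n))) return DER_ERR;
        if (level == 4 && n >= 2 + oid_len && p[h] == 0x06 && p[h + 1] == oid_len &&
            !memcmp(p + h + 2, oid, oid_len)) continue;  /* drop this Extension */
        if (level < 4 && p[0] == path[level] && (first || level == 2)) {
            m = der_filter(p + h, p + h + n, level + 1, oid, oid_len, out + w + h);
            if (m == DER_ERR) return DER_ERR;
            if (m == 0 && level >= 2) continue;          /* list now empty: omit [3] */
            nh = der_put_hdr(out + w, p[0], m);          /* header may get shorter */
            memmove(out + w + nh, out + w + h, m);
            w += nh + m;
        } else { memcpy(out + w, p, h + n); w += h + n; } /* untouched element */
    }
    return w;
}
size_t cert_strip_extension(const uint8_t *der, size_t n, const uint8_t *oid, size_t oid_n, uint8_t *out)
{ return der_filter(der, der + n, 0, oid, oid_n, out); } /* out must hold n bytes; returns new size */
```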