UID in subj args - bug?
Robert Moskowitz
rgm at htt-consult.com
Thu Jul 6 17:24:01 UTC 2023
I have:
policy = policy_loose
copy_extensions = copy
[ policy_loose ]
# Allow the intermediate CA to sign a more
# diverse range of certificates.
# See the POLICY FORMAT section of the `ca` man page.
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = optional
I added:
userid = optional
serialnumber = optional
And the openssl ca command still did not recognize UID. I then tried
UID = optional
and still did not work.
On 7/6/23 11:51, Viktor Dukhovni wrote:
> On Thu, Jul 06, 2023 at 11:45:57AM -0400, Robert Moskowitz wrote:
>
>> I think there is a bug....
>>
>> I can provide the CSR and cert both in pem.
> More likely your CA config file does not specify what to do with UID RDNs
> when signing CSRs. The default config file has:
>
> # A few difference way of specifying how similar the request should look
> # For type CA, the listed attributes must be the same, and the optional
> # and supplied fields are just that :-)
> policy = policy_match
>
> # For the CA policy
> [ policy_match ]
> countryName = match
> stateOrProvinceName = match
> organizationName = match
> organizationalUnitName = optional
> commonName = supplied
> emailAddress = optional
>
> # For the 'anything' policy
> # At this point in time, you must list all acceptable 'object'
> # types.
> [ policy_anything ]
> countryName = optional
> stateOrProvinceName = optional
> localityName = optional
> organizationName = optional
> organizationalUnitName = optional
> commonName = supplied
> emailAddress = optional
>
> No mention of UIDs there.
>