UID in subj args - bug?

Robert Moskowitz rgm at htt-consult.com
Thu Jul 6 17:24:01 UTC 2023


I have:

policy            = policy_loose
copy_extensions   = copy

[ policy_loose ]
# Allow the intermediate CA to sign a more
#   diverse range of certificates.
# See the POLICY FORMAT section of the `ca` man page.
countryName             = optional
stateOrProvinceName     = optional
localityName            = optional
organizationName        = optional
organizationalUnitName  = optional
commonName              = optional


I added:

userid                  = optional
serialnumber            = optional

And the openssl ca command still did not recognize UID.  I then tried

UID = optional

and still did not work.


On 7/6/23 11:51, Viktor Dukhovni wrote:
> On Thu, Jul 06, 2023 at 11:45:57AM -0400, Robert Moskowitz wrote:
>
>> I think there is a bug....
>>
>> I can provide the CSR and cert both in pem.
> More likely your CA config file does not specify what do with UID RDNs
> when signing CSRs.  The default config file has:
>
>      # A few difference way of specifying how similar the request should look
>      # For type CA, the listed attributes must be the same, and the optional
>      # and supplied fields are just that :-)
>      policy          = policy_match
>
>      # For the CA policy
>      [ policy_match ]
>      countryName             = match
>      stateOrProvinceName     = match
>      organizationName        = match
>      organizationalUnitName  = optional
>      commonName              = supplied
>      emailAddress            = optional
>
>      # For the 'anything' policy
>      # At this point in time, you must list all acceptable 'object'
>      # types.
>      [ policy_anything ]
>      countryName             = optional
>      stateOrProvinceName     = optional
>      localityName            = optional
>      organizationName        = optional
>      organizationalUnitName  = optional
>      commonName              = supplied
>      emailAddress            = optional
>
> No mention of UIDs there.
>
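As a constructed demonstration of the point Viktor makes about the policy section (an added example, not code from this thread and not the OpenSSL project's own): a throwaway CA is built with `openssl req`, a CSR carrying a `UID` RDN is signed with `openssl ca`, and the issued subject is printed once for a policy section that omits `UID` and once for one that lists `UID = optional`. It goes one step beyond the thread by also signing with the policy key spelled `userid`: OpenSSL looks policy keys up in its object table by exact (case-sensitive) name, and the registered names for that attribute are the short name `UID` and the long name `userId`, so `userid` makes `openssl ca` reject the policy section and nothing is issued. Everything here is assumed: the section names `demo_ca`, `demo_policy` and `leaf_ext`, the subject values, the EC key type, and an `openssl` binary on PATH.

```shell
#!/bin/sh
# Added example (not from the thread): what the [ policy ] section of an
# `openssl ca` config does to the subject of a CSR it signs.
# Assumes an `openssl` binary on PATH; every name below is constructed.
set -eu

# Build a throwaway CA, sign one constructed CSR under the given policy
# section body, and print the issued subject in RFC 2253 form, or
# "NOT-ISSUED" if `openssl ca` left no certificate behind.
#   $1  policy section body, one "name = optional|supplied|match" per line
#   $2  CSR subject, e.g. "/CN=rgm/UID=rgm"
sign_with_policy() {
    policy_body=$1
    csr_subject=$2
    work=$(mktemp -d)
    mkdir "$work/newcerts"
    : > "$work/index.txt"          # empty certificate database
    echo 1000 > "$work/serial"     # next serial number (hex)

    # \$dir is escaped so that openssl, not the shell, expands it.
    cat > "$work/ca.cnf" <<EOF
[ ca ]
default_ca       = demo_ca

[ demo_ca ]
dir              = $work
database         = \$dir/index.txt
new_certs_dir    = \$dir/newcerts
serial           = \$dir/serial
private_key      = \$dir/ca.key
certificate      = \$dir/ca.crt
default_md       = sha256
default_days     = 1
x509_extensions  = leaf_ext
policy           = demo_policy

[ leaf_ext ]
basicConstraints = CA:FALSE

[ demo_policy ]
$policy_body

[ req ]
distinguished_name = req_dn

[ req_dn ]
commonName       = Common Name
EOF

    # Constructed self-signed CA (EC key, so the demo runs quickly).
    openssl req -x509 -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 \
        -nodes -keyout "$work/ca.key" -out "$work/ca.crt" \
        -subj "/CN=Demo CA" -config "$work/ca.cnf" >/dev/null 2>&1
    # Constructed request carrying the subject under test.
    openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -keyout "$work/leaf.key" -out "$work/leaf.csr" \
        -subj "$csr_subject" -config "$work/ca.cnf" >/dev/null 2>&1
    # -batch answers the interactive prompts. A rejected policy or CSR leaves
    # no readable certificate, which the x509 read then detects.
    if openssl ca -batch -notext -config "$work/ca.cnf" \
           -in "$work/leaf.csr" -out "$work/leaf.crt" >/dev/null 2>&1 \
       && openssl x509 -in "$work/leaf.crt" -noout -subject -nameopt RFC2253 \
           >"$work/subject.txt" 2>/dev/null; then
        sed 's/^subject=//' "$work/subject.txt"
    else
        echo "NOT-ISSUED"
    fi
    rm -rf "$work"
}

# Print one labelled run; every case signs the same constructed subject.
demo_case() {
    printf '%-30s -> %s\n' "$1" "$(sign_with_policy "$2" '/CN=rgm/UID=rgm')"
}

# UID absent from the policy: the RDN is silently dropped from the cert.
demo_case "policy without UID"        'commonName = supplied'
# UID listed as optional: the RDN is carried through.
demo_case "policy with UID optional"  'commonName = supplied
UID = optional'
# "userid" is not a name the object table resolves: ca rejects the policy.
demo_case "policy with userid"        'commonName = supplied
userid = optional'
```

The subject is printed in RFC 2253 order (most specific RDN first), so the `UID = optional` run shows `UID=rgm` ahead of `CN=rgm`. The three runs are independent: each builds its own CA in a fresh temporary directory and removes it afterwards.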
