UID in subj args - bug?

noreply noreply-support-group at protonmail.com
Thu Jul 6 17:27:23 UTC 2023 


Hi Robert,

Have you tried the commands in this solution: https://stackoverflow.com/a/70397430 ?
It seems to be addressing the missing UID issue in certificate.


Sent with Proton Mail secure email.

------- Original Message -------
On Thursday, July 6th, 2023 at 10:24, Robert Moskowitz <rgm at htt-consult.com> wrote:


> I have:
> 
> policy = policy_loose
> copy_extensions = copy
> 
> [ policy_loose ]
> # Allow the intermediate CA to sign a more
> # diverse range of certificates.
> # See the POLICY FORMAT section of the `ca` man page.
> countryName = optional
> stateOrProvinceName = optional
> localityName = optional
> organizationName = optional
> organizationalUnitName = optional
> commonName = optional
> 
> 
> I added:
> 
> userid = optional
> serialnumber = optional
> 
> And the oepnssl ca command still did not recognize UID. I then tried
> 
> UID = optional
> 
> and still did not work.
> 
> 
> On 7/6/23 11:51, Viktor Dukhovni wrote:
> 
> > On Thu, Jul 06, 2023 at 11:45:57AM -0400, Robert Moskowitz wrote:
> > 
> > > I think there is a bug....
> > > 
> > > I can provide the CSR and cert both in pem.
> > > More likely your CA config file does not specify what do with UID RDNs
> > > when signing CSRs. The default config file has:
> > 
> > # A few difference way of specifying how similar the request should look
> > # For type CA, the listed attributes must be the same, and the optional
> > # and supplied fields are just that :-)
> > policy = policy_match
> > 
> > # For the CA policy
> > [ policy_match ]
> > countryName = match
> > stateOrProvinceName = match
> > organizationName = match
> > organizationalUnitName = optional
> > commonName = supplied
> > emailAddress = optional
> > 
> > # For the 'anything' policy # At this point in time, you must list all acceptable 'object'
> > # types.
> > [ policy_anything ]
> > countryName = optional
> > stateOrProvinceName = optional
> > localityName = optional
> > organizationName = optional
> > organizationalUnitName = optional
> > commonName = supplied
> > emailAddress = optional
> > 
> > No mention of UIDs there.

More information about the openssl-users mailing list