UID in subj args - bug?
Robert Moskowitz
rgm at htt-consult.com
Thu Jul 6 19:04:12 UTC 2023
Adding
-preserveDN
is the only way I have found so far to get UID included.
My command is:
openssl ca -config $dir/openssl.cnf\
-extensions usr_cert -notext -preserveDN \
-in $dir/csr/$clientemail.csr.$format\
-out $dir/certs/$clientemail.cert.$format
I tried adding
policy = policy_loose
to the usr_cert extension, but that didn't do anything.
grumble.
On 7/6/23 13:33, Robert Moskowitz wrote:
> I havpolicy = policy_loose
> copy_extensions = copy
>
> [ policy_loose ]
> # Allow the intermediate CA to sign a more
> # diverse range of certificates.
> # See the POLICY FORMAT section of the `ca` man page.
> countryName = optional
> stateOrProvinceName = optional
> localityName = optional
> organizationName = optional
> organizationalUnitName = optional
> commonName = optional
> UID = optional
> serialnumber = optional
>
> And the CSR has the UID, but the proposed cert drops it.
>
> On 7/6/23 13:27, noreply via openssl-users wrote:
>>
>> Hi Robert,
>>
>> Have you tried the commands in this solution:
>> https://stackoverflow.com/a/70397430 ?
>> It seems to be addressing the missing UID issue in certificate.
>>
>>
>> Sent with Proton Mail secure email.
>>
>> ------- Original Message -------
>> On Thursday, July 6th, 2023 at 10:24, Robert Moskowitz
>> <rgm at htt-consult.com> wrote:
>>
>>
>>> I have:
>>>
>>> policy = policy_loose
>>> copy_extensions = copy
>>>
>>> [ policy_loose ]
>>> # Allow the intermediate CA to sign a more
>>> # diverse range of certificates.
>>> # See the POLICY FORMAT section of the `ca` man page.
>>> countryName = optional
>>> stateOrProvinceName = optional
>>> localityName = optional
>>> organizationName = optional
>>> organizationalUnitName = optional
>>> commonName = optional
>>>
>>>
>>> I added:
>>>
>>> userid = optional
>>> serialnumber = optional
>>>
>>> And the oepnssl ca command still did not recognize UID. I then tried
>>>
>>> UID = optional
>>>
>>> and still did not work.
>>>
>>>
>>> On 7/6/23 11:51, Viktor Dukhovni wrote:
>>>
>>>> On Thu, Jul 06, 2023 at 11:45:57AM -0400, Robert Moskowitz wrote:
>>>>
>>>>> I think there is a bug....
>>>>>
>>>>> I can provide the CSR and cert both in pem.
>>>>> More likely your CA config file does not specify what do with UID
>>>>> RDNs
>>>>> when signing CSRs. The default config file has:
>>>> # A few difference way of specifying how similar the request should
>>>> look
>>>> # For type CA, the listed attributes must be the same, and the
>>>> optional
>>>> # and supplied fields are just that :-)
>>>> policy = policy_match
>>>>
>>>> # For the CA policy
>>>> [ policy_match ]
>>>> countryName = match
>>>> stateOrProvinceName = match
>>>> organizationName = match
>>>> organizationalUnitName = optional
>>>> commonName = supplied
>>>> emailAddress = optional
>>>>
>>>> # For the 'anything' policy # At this point in time, you must list
>>>> all acceptable 'object'
>>>> # types.
>>>> [ policy_anything ]
>>>> countryName = optional
>>>> stateOrProvinceName = optional
>>>> localityName = optional
>>>> organizationName = optional
>>>> organizationalUnitName = optional
>>>> commonName = supplied
>>>> emailAddress = optional
>>>>
>>>> No mention of UIDs there.
>
More information about the openssl-users
mailing list