UID in subj args - bug?
Robert Moskowitz
rgm at htt-consult.com
Thu Jul 6 23:34:19 UTC 2023
Oh, I suspect I can build a list from that, but DN types are all mixed
in with all the other objects. Still looking.
thanks anyway
On 7/6/23 18:52, noreply via openssl-users wrote:
> Is this what you're looking for: https://github.com/openssl/openssl/blob/OpenSSL_1_0_2-stable/crypto/objects/obj_dat.h#L957 ?
>
>
>
> Sent with Proton Mail secure email.
>
> ------- Original Message -------
> On Thursday, July 6th, 2023 at 15:23, Robert Moskowitz <rgm at htt-consult.com> wrote:
>
>
>> Right now I am feeling really stupid. I blame it on. Well, never mind.
>>
>> I have 2 openssl.cnf files. One at the ca directory level, and one at
>> the ca/intermediate level.
>>
>> I was suppose to be editing the intermediate level one, but was working
>> on the ca level one.
>>
>> argh....
>>
>> So adding to [ policy_loose ]
>>
>> UID = optional
>>
>> and it works. SIgh.
>>
>> I am working too hard and missing the details.
>>
>> But I still want a list of the types! For example UID above works. What
>> about Userid? I misspelled serialNumber (had serialnumber) and it threw
>> that back with an error. So there IS a list somewhere, even if it is
>> deep in the code.
>>
>> Thank you for all your help and putting up with me sometimes getting
>> lost in the maze.
>>
>> On 7/6/23 15:26, Viktor Dukhovni wrote:
>>
>>> On Thu, Jul 06, 2023 at 03:04:12PM -0400, Robert Moskowitz wrote:
>>>
>>>> Adding
>>>>
>>>> -preserveDN
>>>>
>>>> is the only way I have found so far to get UID included.
>>>>
>>>> My command is:
>>>>
>>>> openssl ca -config $dir/openssl.cnf\
>>>> -extensions usr_cert -notext -preserveDN \
>>>> -in $dir/csr/$clientemail.csr.$format\
>>>> -out $dir/certs/$clientemail.cert.$format
>>>>
>>>> I tried adding
>>>>
>>>> policy = policy_loose
>>>>
>>>> to the usr_cert extension, but that didn't do anything.
>>>> That's not where it goes. The "policy" section name is set in the
>>>> "CA_default" section, or can be specified as a command-line option.
>>> If that doesn't work, perhaps another github issue. I don't have
>>> an active CA configuration just at the moment, nor cycles to play
>>> with one to find the right combination.
>>>
>>> You should be able to specify which RDNs from the request to include in
>>> the issued certificate via the named policy section. If that fails,
>>> post a full reproducer script that creates a CA, a suitable CSR, ...
>>> and then fails to create the expected certificate subject DN.
>>>
>>> If you post a complete stand-alone script, that will "demo" the issue on
>>> a bare openssl platform, then we can make progress.
More information about the openssl-users
mailing list