[openssl-users] Cant seem to get prompt no to work

Robert Moskowitz rgm at htt-consult.com
Thu Aug 17 19:45:19 UTC 2017 


On 08/17/2017 03:39 PM, Salz, Rich via openssl-users wrote:
> In the CA section, you have to specify which fields you need/want in the DN.  This is the “policy” identifier which points to a section that names the RDN’s you want/need.
>
I have that:

[ ca ]
# `man ca`
default_ca = CA_default

[ CA_default ]
# Directory and file locations.
#     dir               = /root/ca
certs             = $ENV::dir/certs
crl_dir           = $ENV::dir/crl
new_certs_dir     = $ENV::dir/newcerts
database          = $ENV::dir/index.txt
serial            = $ENV::dir/serial
RANDFILE          = $ENV::dir/private/.rand

# The root key and root certificate.
private_key       = $ENV::dir/private/ca.key.pem
certificate       = $ENV::dir/certs/ca.cert.pem

# For certificate revocation lists.
crlnumber         = $ENV::dir/crlnumber
crl               = $ENV::dir/crl/ca.crl.pem
crl_extensions    = crl_ext
default_crl_days  = 30

# SHA-1 is deprecated, so use SHA-2 instead.
default_md        = sha256

name_opt          = ca_default
cert_opt          = ca_default
default_days      = 375
preserve          = no
policy            = policy_strict
prompt            = no

[ policy_strict ]
# The root CA should only sign intermediate certificates that match.
# See the POLICY FORMAT section of `man ca`.
countryName             = match
stateOrProvinceName     = match
organizationName        = match
organizationalUnitName  = optional
commonName              = optional

[ policy_loose ]
# Allow the intermediate CA to sign a more diverse range of certificates.
# See the POLICY FORMAT section of the `ca` man page.
countryName             = optional
stateOrProvinceName     = optional
localityName            = optional
organizationName        = optional
organizationalUnitName  = optional
commonName              = optional

[ req ]
# Options for the `req` tool (`man req`).
default_bits        = 2048
distinguished_name  = req_distinguished_name
string_mask         = utf8only
req_extensions      = req_ext

# SHA-1 is deprecated, so use SHA-2 instead.
default_md          = sha256

# Extension to add when the -x509 option is used.
x509_extensions     = v3_ca

[ req_distinguished_name ]
# See <https://en.wikipedia.org/wiki/Certificate_signing_request>.
countryName                     = $ENV::countryName
stateOrProvinceName             = $ENV::stateOrProvinceName
localityName                    = $ENV::localityName
0.organizationName              = $ENV::organizationName
organizationalUnitName          = $ENV::organizationalUnitName
commonName                      = $ENV::commonName

[ req_ext ]
subjectAltName = email:$ENV::adminemail

More information about the openssl-users mailing list