[openssl-users] Throwing in the towel on ENV for DN

Robert Moskowitz rgm at htt-consult.com
Fri Aug 18 12:26:12 UTC 2017

Jakob had it right....

On 08/17/2017 07:01 PM, Jakob Bohm wrote:
> Given all these problems with the Distinguished Name prompting
> mechanism, just add the -subject option to the req command line
> (using appropriate environment variables in the shell script).
> Enjoy
> Jakob

It is coming down that I would need a unique cnf for each cert type, 
rather than one per signing CA.  Things just don't work well without 
prompting or very consistent DN content.  So I am going to pull most of 
my. ENV.  I am leaving it in for dir and SAN.

I feel it is a bug that if in 'prompt = no' or -batch, if a DN object is 
empty (size 0), it should just be dropped.  This is not an error condition.

I nice feature would be if a default is set, not to prompt for that 
object.  Something like

prompt = if no default

Then I would use ENV to set the default values and let prompting go for 
objects like CN and UID.

Also SAN is poorly handled and it has come out that this is a basic RFC 
requirement since '00!

Next steps:

complete basic setup for ecdsa pki and 802.1AR leaf.  Publish on my website.
Write up 'lessons learned' and post it here.
Add CRL and OCSP support.
Publish an IETF ID at least as an individual submission; offer this work 
to the IETF hackathon and workgroups like NETCONF, I2NSF, DOTS, ANIMA, 
and CORE.


More information about the openssl-users mailing list