[openssl-users] Throwing in the towel on ENV for DN
Robert Moskowitz
rgm at htt-consult.com
Fri Aug 18 12:26:12 UTC 2017
Jakob had it right....
On 08/17/2017 07:01 PM, Jakob Bohm wrote:
> Given all these problems with the Distinguished Name prompting
> mechanism, just add the -subject option to the req command line
> (using appropriate environment variables in the shell script).
>
>
> Enjoy
>
> Jakob
It is coming down that I would need a unique cnf for each cert type,
rather than one per signing CA. Things just don't work well without
prompting or very consistent DN content. So I am going to pull most of
my. ENV. I am leaving it in for dir and SAN.
I feel it is a bug that if in 'prompt = no' or -batch, if a DN object is
empty (size 0), it should just be dropped. This is not an error condition.
I nice feature would be if a default is set, not to prompt for that
object. Something like
prompt = if no default
Then I would use ENV to set the default values and let prompting go for
objects like CN and UID.
Also SAN is poorly handled and it has come out that this is a basic RFC
requirement since '00!
Next steps:
complete basic setup for ecdsa pki and 802.1AR leaf. Publish on my website.
Write up 'lessons learned' and post it here.
Add CRL and OCSP support.
Publish an IETF ID at least as an individual submission; offer this work
to the IETF hackathon and workgroups like NETCONF, I2NSF, DOTS, ANIMA,
and CORE.
Bob
More information about the openssl-users
mailing list