[openssl-users] Throwing in the towel on ENV for DN
rgm at htt-consult.com
Fri Aug 18 14:54:29 UTC 2017
On 08/18/2017 08:48 AM, Jeffrey Walton wrote:
>> It is coming down that I would need a unique cnf for each cert type, rather
>> than one per signing CA. Things just don't work well without prompting or
>> very consistent DN content. So I am going to pull most of my ENV. I am
>> leaving it in for dir and SAN.
>> I feel it is a bug that if in 'prompt = no' or -batch, if a DN object is
>> empty (size 0), it should just be dropped. This is not an error condition.
> If this is a private PKI, then you can do things like that.
I was not clear. I meant one of the DN's objects, like OU.
If you have prompt = no and
It takes OU's size as zero and fails. This should not be an error
condition, OU should be skipped just like if you had in the command
(which I *KNOW* works):
-subj "/C=US/ST=MI/O=HTT Consulting/OU=/CN=Root CA"
So I call it a bug.
> But I believe you need a distinguished name if you are following the
> RFCs. Maybe you can modify your script to stuff the principal name
> from the SAN in the DN somewhere.
>> Next steps:
>> complete basic setup for ecdsa pki and 802.1AR leaf. Publish on my website.
>> Write up 'lessons learned' and post it here.
> I think there's a separate RFC or draft for 802.1AR, but I have not read it.
> Maybe part of the pain point is, OpenSSL is not aware of it. It's just
> using RFC 5280 (and to some extent, 6125).
> Maybe you should stop using the command line tools and code something
> up in C. Once you hit your stride using the C APIs, it's easy to crank
> out certificates the way you want them.
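As an added example (not code from this thread, from OpenSSL, or from the poster's scripts): the failure described above is that `openssl req` with `prompt = no` passes an empty config value straight to `X509_NAME_add_entry_by_txt`, whose minimum-length check rejects a zero-length OU, while `-subj` parsing drops an empty `OU=` with a warning. The script below sidesteps the error by building the DN from environment variables itself, omitting empty components, and then rendering either a `[req]` config section for `-config` or a `-subj` argument. The `DN_*` variable names and the section name are assumptions chosen for illustration; `parse_subj` mirrors the `-subj` splitting rules (leading `/`, backslash escapes, empty values skipped) so the two routes can be compared.

```python
"""Build an OpenSSL req DN from environment variables, dropping empty
components so that `prompt = no` never sees a zero-length OU.

Added example for the openssl-users thread above; not OpenSSL code.
DN_* variable names and the section name are assumptions for illustration.
"""
import os

# Emission order; left column is the attribute short name accepted in a
# [req_distinguished_name] section, right column the env var assumed here.
DN_FIELDS = [
    ("C", "DN_C"),
    ("ST", "DN_ST"),
    ("L", "DN_L"),
    ("O", "DN_O"),
    ("OU", "DN_OU"),
    ("CN", "DN_CN"),
]


def dn_from_env(env=None):
    """Return (attribute, value) pairs for the non-empty DN_* variables.

    Whitespace-only values count as empty: OpenSSL rejects a zero-length
    OU as "string too short", and a bare space is not a useful OU either.
    """
    env = os.environ if env is None else env
    pairs = []
    for attr, var in DN_FIELDS:
        value = env.get(var, "").strip()
        if value:
            pairs.append((attr, value))
    return pairs


def req_config(pairs, section="req_distinguished_name"):
    """Render a minimal config for `openssl req -config <file> -new ...`.

    With `prompt = no` each line is read as an entry; a numeric prefix
    (`0.OU = ...`) is stripped by req and only serves to keep keys unique,
    so repeated attribute types such as two OUs work too.
    """
    lines = ["[ req ]", "prompt = no", "distinguished_name = " + section, "",
             "[ %s ]" % section]
    for i, (attr, value) in enumerate(pairs):
        lines.append("%d.%s = %s" % (i, attr, value))
    return "\n".join(lines) + "\n"


def to_subj(pairs):
    """Render pairs as a -subj argument; '/' and '\\' in values are escaped."""
    parts = []
    for attr, value in pairs:
        esc = value.replace("\\", "\\\\").replace("/", "\\/")
        parts.append("%s=%s" % (attr, esc))
    return "/" + "/".join(parts)


def parse_subj(subj):
    """Split a -subj string the way the openssl apps do: leading '/',
    '/'-separated type=value entries, backslash escapes, and entries whose
    value is empty are skipped (the CLI warns "No value provided ... skipped").
    """
    if not subj.startswith("/"):
        raise ValueError("subject must start with '/'")
    pairs = []
    i, n = 1, len(subj)
    while i < n:
        eq = subj.find("=", i)
        if eq < 0 or "/" in subj[i:eq]:
            raise ValueError("hit end of entry before finding the equals")
        typ = subj[i:eq]
        i = eq + 1
        buf = []
        while i < n and subj[i] != "/":
            if subj[i] == "\\":          # escaped character: keep the next one
                i += 1
                if i >= n:
                    raise ValueError("escape character at end of string")
            buf.append(subj[i])
            i += 1
        i += 1                           # step over the '/' separator
        value = "".join(buf)
        if value == "":
            continue                     # empty OU= etc. is dropped, not an error
        pairs.append((typ, value))
    return pairs


if __name__ == "__main__":
    # Constructed sample environment: OU deliberately left empty.
    sample = {"DN_C": "US", "DN_ST": "MI", "DN_O": "HTT Consulting",
              "DN_OU": "", "DN_CN": "Root CA"}
    pairs = dn_from_env(sample)
    print(req_config(pairs))
    print(to_subj(pairs))
```

Write the `req_config` output to a file and point `openssl req -config` at it, or pass `to_subj` output directly as `-subj`; either way the empty component never reaches the name-entry code, which is the behaviour the poster wanted from `prompt = no`.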