[openssl-users] Throwing in the towel on ENV for DN

Robert Moskowitz rgm at htt-consult.com
Fri Aug 18 14:54:29 UTC 2017

On 08/18/2017 08:48 AM, Jeffrey Walton wrote:
>> It is coming down that I would need a unique cnf for each cert type, rather
>> than one per signing CA.  Things just don't work well without prompting or
>> very consistent DN content.  So I am going to pull most of my ENV.  I am
>> leaving it in for dir and SAN.
>> I feel it is a bug that if in 'prompt = no' or -batch, if a DN object is
>> empty (size 0), it should just be dropped.  This is not an error condition.
> If this is a private PKI, then you can do things like that.
I was not clear.  I meant one of the DN's objects like OU.

If you have prompt = no and

organizationalUnitName  =

It takes OU's size as zero and fails.  This should not be an error 
condition, OU should be skipped just like if you had in the command 
(which I *KNOW* works):

-subj "/CN=US/ST=MI/O= HTT Consulting/OU=/CN=Root CA"

So I call it a bug.

> But I believe you need a distinguished name if you are following the
> RFCs. Maybe you can modify your script to stuff the principal name
> from the SAN in the DN somewhere.
>> Next steps:
>> complete basic setup for ecdsa pki and 802.1AR leaf.  Publish on my website.
>> Write up 'lessons learned' and post it here.
> I think there's a separate RFC or draft for 802.1AR, but I have not read it.
> Maybe part of the pain point is, OpenSSL is not aware of it. Its just
> using RFC 5280 (and to some extent, 6125).
> Maybe you should stop using the command line tools and code something
> up in C. Once you hit your stride using the C APIs, its easy to crank
> out certificates the way you want them.
> Jeff
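One way to keep the DN in the environment while sidestepping the empty-attribute failure is to assemble the -subj string in the shell and drop any attribute whose value is empty, which is the behaviour Robert wants from `prompt = no`. This is an added example, not code from the thread; the variable names DN_C, DN_ST, DN_O, DN_OU and DN_CN are assumed for the illustration.

```shell
# Build an OpenSSL -subj string from DN components held in the environment,
# skipping any component whose value is empty (e.g. DN_OU="").
# Variable names DN_C/DN_ST/DN_O/DN_OU/DN_CN are this example's assumption.
build_subj() {
    subj=""
    for pair in "C=$DN_C" "ST=$DN_ST" "O=$DN_O" "OU=$DN_OU" "CN=$DN_CN"; do
        name=${pair%%=*}
        value=${pair#*=}
        [ -n "$value" ] || continue            # empty attribute: drop it
        # Escape '/' inside a value so openssl does not read it as an RDN separator.
        value=$(printf '%s' "$value" | sed 's#/#\\/#g')
        subj="$subj/$name=$value"
    done
    printf '%s' "$subj"
}

# Demonstration: generate an EC key and CSR with the assembled subject and
# print the subject back, only if openssl is installed where this runs.
if command -v openssl >/dev/null 2>&1; then
    DN_C=US DN_ST=MI DN_O="HTT Consulting" DN_OU="" DN_CN="Root CA"
    openssl req -new -batch -newkey ec -pkeyopt ec_paramgen_curve:P-256 \
        -nodes -keyout /dev/null -subj "$(build_subj)" 2>/dev/null \
        | openssl req -noout -subject
fi
```

With DN_OU empty the request carries C, ST, O and CN only, so no empty OU reaches the CSR.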