UID in subj args - bug?

Robert Moskowitz rgm at htt-consult.com
Thu Jul 6 19:04:12 UTC 2023


Adding

-preserveDN

is the only way I have found so far to get UID included.

My command is:

openssl ca -config $dir/openssl.cnf \
     -extensions usr_cert -notext -preserveDN \
     -in $dir/csr/$clientemail.csr.$format \
     -out $dir/certs/$clientemail.cert.$format

I tried adding

policy = policy_loose

to the usr_cert extension, but that didn't do anything.

grumble.

On 7/6/23 13:33, Robert Moskowitz wrote:
> I have:
>
> policy            = policy_loose
> copy_extensions   = copy
>
> [ policy_loose ]
> # Allow the intermediate CA to sign a more
> #   diverse range of certificates.
> # See the POLICY FORMAT section of the `ca` man page.
> countryName             = optional
> stateOrProvinceName     = optional
> localityName            = optional
> organizationName        = optional
> organizationalUnitName  = optional
> commonName              = optional
> UID                     = optional
> serialnumber            = optional
>
> And the CSR has the UID, but the proposed cert drops it.
>
> On 7/6/23 13:27, noreply via openssl-users wrote:
>>
>> Hi Robert,
>>
>> Have you tried the commands in this solution: 
>> https://stackoverflow.com/a/70397430 ?
>> It seems to be addressing the missing UID issue in the certificate.
>>
>>
>> Sent with Proton Mail secure email.
>>
>> ------- Original Message -------
>> On Thursday, July 6th, 2023 at 10:24, Robert Moskowitz 
>> <rgm at htt-consult.com> wrote:
>>
>>
>>> I have:
>>>
>>> policy = policy_loose
>>> copy_extensions = copy
>>>
>>> [ policy_loose ]
>>> # Allow the intermediate CA to sign a more
>>> # diverse range of certificates.
>>> # See the POLICY FORMAT section of the `ca` man page.
>>> countryName = optional
>>> stateOrProvinceName = optional
>>> localityName = optional
>>> organizationName = optional
>>> organizationalUnitName = optional
>>> commonName = optional
>>>
>>>
>>> I added:
>>>
>>> userid = optional
>>> serialnumber = optional
>>>
>>> And the openssl ca command still did not recognize UID. I then tried
>>>
>>> UID = optional
>>>
>>> and still did not work.
>>>
>>>
>>> On 7/6/23 11:51, Viktor Dukhovni wrote:
>>>
>>>> On Thu, Jul 06, 2023 at 11:45:57AM -0400, Robert Moskowitz wrote:
>>>>
>>>>> I think there is a bug....
>>>>>
>>>>> I can provide the CSR and cert both in pem.
>>>>
>>>> More likely your CA config file does not specify what to do with UID RDNs
>>>> when signing CSRs. The default config file has:
>>>>
>>>> # A few difference way of specifying how similar the request should look
>>>> # For type CA, the listed attributes must be the same, and the optional
>>>> # and supplied fields are just that :-)
>>>> policy = policy_match
>>>>
>>>> # For the CA policy
>>>> [ policy_match ]
>>>> countryName = match
>>>> stateOrProvinceName = match
>>>> organizationName = match
>>>> organizationalUnitName = optional
>>>> commonName = supplied
>>>> emailAddress = optional
>>>>
>>>> # For the 'anything' policy
>>>> # At this point in time, you must list all acceptable 'object'
>>>> # types.
>>>> [ policy_anything ]
>>>> countryName = optional
>>>> stateOrProvinceName = optional
>>>> localityName = optional
>>>> organizationName = optional
>>>> organizationalUnitName = optional
>>>> commonName = supplied
>>>> emailAddress = optional
>>>>
>>>> No mention of UIDs there.
>
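The following script is an added example, not the poster's configuration or any code from the thread. It builds a throwaway CA and a constructed minimal openssl.cnf, creates a CSR whose subject carries a UID RDN, and signs it twice with `openssl ca`: once with a policy section that lists `UID = optional` and once with a policy section that omits UID. It shows the mechanism behind the dropped UID: `openssl ca` copies into the certificate only the subject attributes named in the policy section in force, and anything not listed is dropped. The policy section is selected with the `-policy` command-line option, which overrides the `policy =` line that `openssl ca` reads from the CA section named by `default_ca`; an extensions section such as `usr_cert` is not consulted for it. Key sizes, names and paths are constructed for the example.

```shell
#!/bin/sh
# Added example: how the openssl ca 'policy' section decides which subject
# RDNs survive signing. Everything here (CA, config, CSR) is constructed.
set -eu

# sign_csr_with_policy POLICY_SECTION
#   Creates a throwaway CA and a CSR with subject /CN=alice/UID=alice, signs
#   the CSR with the named policy section and prints the certificate subject.
sign_csr_with_policy() {
    policy="$1"
    work="$(mktemp -d)"
    mkdir -p "$work/newcerts"
    : > "$work/index.txt"
    echo 1000 > "$work/serial"

    # Minimal CA configuration constructed for this example.
    # Absolute paths are written out so no config variable is needed.
    cat > "$work/openssl.cnf" <<EOF
[ ca ]
default_ca       = CA_default

[ CA_default ]
new_certs_dir    = $work/newcerts
database         = $work/index.txt
serial           = $work/serial
certificate      = $work/ca.cert.pem
private_key      = $work/ca.key.pem
default_md       = sha256
default_days     = 30
policy           = policy_with_uid
copy_extensions  = copy
unique_subject   = no
x509_extensions  = usr_cert

[ usr_cert ]
basicConstraints = CA:FALSE

# Lists UID: the UID RDN present in the CSR is carried into the certificate.
[ policy_with_uid ]
commonName       = supplied
UID              = optional

# Omits UID: the UID RDN present in the CSR is silently dropped.
[ policy_without_uid ]
commonName       = supplied

[ req ]
distinguished_name = req_dn
prompt             = no

[ req_dn ]
CN = placeholder
EOF

    # Throwaway self-signed CA (EC key for speed; -subj overrides req_dn).
    openssl req -config "$work/openssl.cnf" -x509 -new \
        -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes -sha256 -days 30 \
        -subj "/CN=Example Test CA" \
        -keyout "$work/ca.key.pem" -out "$work/ca.cert.pem" >/dev/null 2>&1

    # Client CSR whose subject carries a UID RDN, as in the thread.
    openssl req -config "$work/openssl.cnf" -new \
        -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes -sha256 \
        -subj "/CN=alice/UID=alice" \
        -keyout "$work/client.key.pem" -out "$work/client.csr.pem" >/dev/null 2>&1

    # Sign with the requested policy section; -batch suppresses the prompts.
    openssl ca -config "$work/openssl.cnf" -policy "$policy" -batch -notext \
        -in "$work/client.csr.pem" -out "$work/client.cert.pem" >/dev/null 2>&1

    # Print the subject the CA actually put into the certificate.
    openssl x509 -in "$work/client.cert.pem" -noout -subject
    rm -rf "$work"
}

# Stand-alone demo: same CSR, two policy sections, compare the subjects.
if command -v openssl >/dev/null 2>&1; then
    echo "policy_with_uid:    $(sign_csr_with_policy policy_with_uid)"
    echo "policy_without_uid: $(sign_csr_with_policy policy_without_uid)"
fi
```

Running the script prints a subject containing both `CN = alice` and `UID = alice` for `policy_with_uid`, and `CN = alice` alone for `policy_without_uid`. Checking which section is actually in force (the `-policy` argument, or failing that the `policy =` line of the section named by `default_ca`) is the first thing to verify when an RDN goes missing between CSR and certificate.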
