UID in subj args - bug?

Viktor Dukhovni openssl-users at dukhovni.org
Thu Jul 6 19:26:24 UTC 2023

On Thu, Jul 06, 2023 at 03:04:12PM -0400, Robert Moskowitz wrote:

> Adding
> -preserveDN
> is the only way I have found so far to get UID included.
> My command is:
> openssl ca -config $dir/openssl.cnf\
>      -extensions usr_cert -notext -preserveDN \
>      -in $dir/csr/$clientemail.csr.$format\
>      -out $dir/certs/$clientemail.cert.$format
> I tried adding
> policy = policy_loose
> to the usr_cert extension, but that didn't do anything.

That's not where it goes.  The "policy" section name is set in the
"CA_default" section, or can be specified as a command-line option.

If that doesn't work, perhaps another GitHub issue.  I don't have
an active CA configuration just at the moment, nor cycles to play
with one to find the right combination.

You should be able to specify which RDNs from the request to include in
the issued certificate via the named policy section.  If that fails,
post a full reproducer script that creates a CA, a suitable CSR, ...
and then fails to create the expected certificate subject DN.

If you post a complete stand-alone script, that will "demo" the issue on
a bare openssl platform, then we can make progress.
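
A stand-alone script of the kind requested above, written as an added example (not part of the original message and not OpenSSL project code). It names the policy section in `CA_default` and lists `UID` in that policy; `policy_loose` and `usr_cert` are the names used in the thread, while every path, key size and DN value is constructed for the demo.

```shell
#!/bin/sh
# Added example. policy_loose and usr_cert are the section names from the thread;
# every path and DN value below is constructed for the demo.
issue_with_uid() {
    d=$(mktemp -d) || return 1
    mkdir "$d/newcerts" && : > "$d/index.txt" && echo 01 > "$d/serial"
    cat > "$d/openssl.cnf" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
database      = $d/index.txt
new_certs_dir = $d/newcerts
serial        = $d/serial
certificate   = $d/ca.cert.pem
private_key   = $d/ca.key.pem
default_md    = sha256
default_days  = 30
# The policy section is named here (or with -policy on the command line),
# not inside the extension section.
policy        = policy_loose
[ policy_loose ]
# RDNs absent from this section are dropped unless -preserveDN is used.
commonName = supplied
UID        = optional
[ usr_cert ]
basicConstraints = CA:FALSE
[ v3_ca ]
basicConstraints = critical,CA:TRUE
[ req ]
distinguished_name = req_dn
[ req_dn ]
EOF
    # Throwaway self-signed CA, then a CSR whose subject carries a UID RDN.
    openssl req -x509 -config "$d/openssl.cnf" -extensions v3_ca -newkey rsa:2048 \
        -nodes -days 30 -subj "/CN=Demo CA" \
        -keyout "$d/ca.key.pem" -out "$d/ca.cert.pem" 2>/dev/null || return 1
    openssl req -new -config "$d/openssl.cnf" -newkey rsa:2048 -nodes \
        -subj "/UID=alice/CN=alice@example.com" \
        -keyout "$d/client.key.pem" -out "$d/client.csr.pem" 2>/dev/null || return 1
    # Issue without -preserveDN, so only the policy decides which RDNs survive.
    openssl ca -batch -config "$d/openssl.cnf" -extensions usr_cert -notext \
        -in "$d/client.csr.pem" -out "$d/client.cert.pem" 2>/dev/null || return 1
    subject=$(openssl x509 -in "$d/client.cert.pem" -noout -subject -nameopt RFC2253)
    rm -rf "$d"
    printf '%s\n' "$subject"
}
issue_with_uid
```

Deleting the `UID = optional` line and rerunning shows the RDN being dropped from the issued subject.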

