UID in subj args - bug?

Robert Moskowitz rgm at htt-consult.com
Thu Jul 6 22:23:46 UTC 2023

Right now I am feeling really stupid.  I blame it on.  Well, never mind.

I have 2 openssl.cnf files.  One at the ca directory level, and one at 
the ca/intermediate level.

I was supposed to be editing the intermediate level one, but was working 
on the ca level one.
So adding to [ policy_loose ]

UID                  = optional

and it works.  Sigh.

I am working too hard and missing the details.

But I still want a list of the types!  For example UID above works. What 
about Userid?  I misspelled serialNumber (had serialnumber) and it threw 
that back with an error.  So there IS a list somewhere, even if it is 
deep in the code.

Thank you for all your help and putting up with me sometimes getting 
lost in the maze.

On 7/6/23 15:26, Viktor Dukhovni wrote:
> On Thu, Jul 06, 2023 at 03:04:12PM -0400, Robert Moskowitz wrote:
>> Adding
>> -preserveDN
>> is the only way I have found so far to get UID included.
>> My command is:
>> openssl ca -config $dir/openssl.cnf\
>>       -extensions usr_cert -notext -preserveDN \
>>       -in $dir/csr/$clientemail.csr.$format\
>>       -out $dir/certs/$clientemail.cert.$format
>> I tried adding
>> policy = policy_loose
>> to the usr_cert extension, but that didn't do anything.
> That's not where it goes.  The "policy" section name is set in the
> "CA_default" section, or can be specified as a command-line option.
> If that doesn't work, perhaps another github issue.  I don't have
> an active CA configuration just at the moment, nor cycles to play
> with one to find the right combination.
> You should be able to specify which RDNs from the request to include in
> the issued certificate via the named policy section.  If that fails,
> post a full reproducer script that creates a CA, a suitable CSR, ...
> and then fails to create the expected certificate subject DN.
> If you post a complete stand-alone script, that will "demo" the issue on
> a bare openssl platform, then we can make progress.

More information about the openssl-users mailing list