UID in subj args - bug?

noreply noreply-support-group at protonmail.com
Thu Jul 6 22:52:01 UTC 2023


Is this what you're looking for: https://github.com/openssl/openssl/blob/OpenSSL_1_0_2-stable/crypto/objects/obj_dat.h#L957 ?



Sent with Proton Mail secure email.

------- Original Message -------
On Thursday, July 6th, 2023 at 15:23, Robert Moskowitz <rgm at htt-consult.com> wrote:


> Right now I am feeling really stupid. I blame it on. Well, never mind.
> 
> I have 2 openssl.cnf files. One at the ca directory level, and one at
> the ca/intermediate level.
> 
> I was supposed to be editing the intermediate level one, but was working
> on the ca level one.
> 
> argh....
> 
> So adding to [ policy_loose ]
> 
> UID = optional
> 
> and it works. Sigh.
> 
> I am working too hard and missing the details.
> 
> But I still want a list of the types! For example UID above works. What
> about Userid? I misspelled serialNumber (had serialnumber) and it threw
> that back with an error. So there IS a list somewhere, even if it is
> deep in the code.
> 
> Thank you for all your help and putting up with me sometimes getting
> lost in the maze.
> 
> On 7/6/23 15:26, Viktor Dukhovni wrote:
> 
> > On Thu, Jul 06, 2023 at 03:04:12PM -0400, Robert Moskowitz wrote:
> > 
> > > Adding
> > > 
> > > -preserveDN
> > > 
> > > is the only way I have found so far to get UID included.
> > > 
> > > My command is:
> > > 
> > > openssl ca -config $dir/openssl.cnf \
> > >     -extensions usr_cert -notext -preserveDN \
> > >     -in $dir/csr/$clientemail.csr.$format \
> > >     -out $dir/certs/$clientemail.cert.$format
> > > 
> > > I tried adding
> > > 
> > > policy = policy_loose
> > > 
> > > to the usr_cert extension, but that didn't do anything.
> > 
> > That's not where it goes. The "policy" section name is set in the
> > "CA_default" section, or can be specified as a command-line option.
> > 
> > If that doesn't work, perhaps another github issue. I don't have
> > an active CA configuration just at the moment, nor cycles to play
> > with one to find the right combination.
> > 
> > You should be able to specify which RDNs from the request to include in
> > the issued certificate via the named policy section. If that fails,
> > post a full reproducer script that creates a CA, a suitable CSR, ...
> > and then fails to create the expected certificate subject DN.
> > 
> > If you post a complete stand-alone script, that will "demo" the issue on
> > a bare openssl platform, then we can make progress.
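A stand-alone reproducer of the kind Viktor asks for, added here as an example and not part of the original thread or of OpenSSL itself. It builds a throwaway CA in a temporary directory, creates a CSR whose subject carries a UID attribute, signs it with `openssl ca` under a policy section that omits UID (the attribute is silently dropped) and again with `UID = optional` (the attribute is kept), and inspects the issued subject. The CA name, the `Alice Example`/`alice` subject, the section names and the directory layout are all made up for the demo; `-preserveDN` is deliberately not used, because the point is the policy route.

```shell
#!/bin/sh
# Added example, not from the thread: shows how the "policy" section named in
# [ CA_default ] decides which CSR attributes openssl ca copies into the cert.
# Names, paths and subjects are constructed for the demo.

set -eu

command -v openssl >/dev/null 2>&1 || { echo "openssl(1) not on PATH" >&2; exit 1; }

# Writes a minimal CA config into $1; $2 is an extra line appended to
# [ policy_loose ] (empty string, or e.g. "UID = optional").
write_cnf() {
    cat > "$1/openssl.cnf" <<EOF
[ ca ]
default_ca = CA_default

[ CA_default ]
dir              = $1
new_certs_dir    = \$dir/newcerts
database         = \$dir/index.txt
serial           = \$dir/serial
certificate      = \$dir/ca.crt
private_key      = \$dir/ca.key
default_md       = sha256
default_days     = 30
policy           = policy_loose
x509_extensions  = usr_cert

[ usr_cert ]
basicConstraints = CA:FALSE

[ v3_ca ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash

[ req ]
distinguished_name = req_dn

[ req_dn ]
commonName = Common Name

# Only attributes listed here are copied from the CSR into the certificate
# (unless -preserveDN is given); anything else is silently dropped.
[ policy_loose ]
countryName            = optional
organizationName       = optional
organizationalUnitName = optional
commonName             = supplied
emailAddress           = optional
$2
EOF
}

# Returns 0 if the issued certificate's subject still contains UID=alice,
# 1 if the CA dropped it, 2 if CA setup or signing failed.
# $1 = extra policy line, e.g. "UID = optional".
cert_keeps_uid() {
    work=$(mktemp -d)
    mkdir "$work/newcerts"
    : > "$work/index.txt"
    echo 1000 > "$work/serial"
    write_cnf "$work" "$1"

    ok=0
    # Throwaway CA key and self-signed CA certificate
    openssl req -x509 -config "$work/openssl.cnf" -extensions v3_ca \
        -newkey rsa:2048 -nodes -keyout "$work/ca.key" -out "$work/ca.crt" \
        -subj "/CN=Demo Test CA" -days 365 2>/dev/null \
    && openssl req -new -config "$work/openssl.cnf" -newkey rsa:2048 -nodes \
        -keyout "$work/client.key" -out "$work/client.csr" \
        -subj "/CN=Alice Example/UID=alice" 2>/dev/null \
    && openssl ca -batch -config "$work/openssl.cnf" -extensions usr_cert -notext \
        -in "$work/client.csr" -out "$work/client.crt" 2>/dev/null \
    && ok=1
    if [ "$ok" -ne 1 ]; then
        echo "CA setup or signing failed" >&2
        rm -rf "$work"
        return 2
    fi

    # RFC 2253 form gives a stable "UID=alice,CN=Alice Example" layout
    subject=$(openssl x509 -in "$work/client.crt" -noout -subject -nameopt RFC2253)
    rm -rf "$work"
    case "$subject" in
        *UID=alice*) return 0 ;;
        *)           return 1 ;;
    esac
}

# Same CSR, two policy sections: UID is dropped, then kept.
if cert_keeps_uid ""; then
    echo "policy without UID:          UID kept (unexpected)"
else
    echo "policy without UID:          UID dropped from the issued subject"
fi
if cert_keeps_uid "UID = optional"; then
    echo "policy with 'UID = optional': UID kept in the issued subject"
else
    echo "policy with 'UID = optional': UID dropped (unexpected)"
fi
```

The attribute names accepted in a policy section are whatever the object table resolves (the obj_dat.h link above; on OpenSSL 3 `openssl list -objects` prints the built-in names, so `UID`/`userId` shows up and a misspelling like `serialnumber` does not). Checking the issued subject with `openssl x509 -noout -subject` as the last step of any signing script is cheap and catches exactly this class of "the CA quietly dropped an RDN" surprise.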

