> It is coming down that I would need a unique cnf for each cert type, rather
> than one per signing CA. Things just don't work well without prompting or
> very consistent DN content. So I am going to pull most of my ENV. I am
> leaving it in for dir and SAN.
>
> I feel it is a bug that if in 'prompt = no' or -batch, if a DN object is
> empty (size 0), it should just be dropped. This is not an error condition.

If this is a private PKI, then you can do things like that. But I believe you need a distinguished name if you are following the RFCs.

Maybe you can modify your script to stuff the principal name from the SAN in the DN somewhere.

> Next steps:
>
> complete basic setup for ecdsa pki and 802.1AR leaf. Publish on my website.
> Write up 'lessons learned' and post it here.

I think there's a separate RFC or draft for 802.1AR, but I have not read it. Maybe part of the pain point is, OpenSSL is not aware of it. It's just using RFC 5280 (and to some extent, 6125).

Maybe you should stop using the command line tools and code something up in C. Once you hit your stride using the C APIs, it's easy to crank out certificates the way you want them.

Jeff

--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
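The behaviour the quoted poster wants (an empty DN field under 'prompt = no' is simply dropped rather than treated as an error) can be had today by pre-processing the config before handing it to `openssl req`. The script below is an added example, not code from this thread; it assumes the DN section is literally named [dn] with plain "key = value" lines, and the certificate values (CERT_CN, CERT_OU, SAN_DNS) are constructed sample inputs.

```shell
#!/bin/sh
# Added example: drop DN keys whose value came out empty from the environment,
# leaving SAN and other sections untouched, then feed the result to openssl req.
# Assumes a section named exactly [dn] with "key = value" lines.
set -eu

# Constructed inputs: OU is deliberately unset to reproduce the empty-field case.
CERT_CN="${CERT_CN:-device-001.example.test}"
CERT_OU="${CERT_OU:-}"
SAN_DNS="${SAN_DNS:-device-001.example.test}"

# Emit the raw config with the environment expanded into it.
make_cnf() {
    cat <<EOF
[req]
prompt = no
distinguished_name = dn
req_extensions = ext
[dn]
C = US
O = Example Devices
OU = ${CERT_OU}
CN = ${CERT_CN}
[ext]
subjectAltName = DNS:${SAN_DNS}
EOF
}

# Remove "key =" lines with an empty value, but only inside [dn]; every other
# section (including the SAN line) passes through unchanged.
prune_empty_dn() {
    awk '
        /^\[/ { in_dn = ($0 == "[dn]") }
        in_dn && /^[ \t]*[A-Za-z0-9.]+[ \t]*=[ \t]*$/ { next }
        { print }
    '
}

pruned=$(make_cnf | prune_empty_dn)
printf '%s\n' "$pruned"

# If openssl is present, build an EC key and CSR from the pruned config and show
# the resulting subject; the dropped OU no longer causes an error.
if command -v openssl >/dev/null 2>&1; then
    work=$(mktemp -d)
    printf '%s\n' "$pruned" > "$work/req.cnf"
    openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -keyout "$work/key.pem" -out "$work/req.pem" -config "$work/req.cnf"
    openssl req -in "$work/req.pem" -noout -subject
    rm -rf "$work"
fi
```

If the pruning ever removes CN as well, the subject would be empty; for a public-PKI or RFC 5280 workflow, populate CN from the SAN value before calling `prune_empty_dn` rather than issuing with no DN at all.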