On 08/18/2017 08:48 AM, Jeffrey Walton wrote:
It is coming down that I would need a unique cnf for each cert type, rather
than one per signing CA. Things just don't work well without prompting or
very consistent DN content. So I am going to pull most of my ENV. I am
leaving it in for dir and SAN.
I feel it is a bug: with 'prompt = no' or -batch, if a DN object is
empty (size 0), it should just be dropped. This is not an error condition.
If this is a private PKI, then you can do things like that.
I was not clear. I meant one of the DN's objects like OU.
If you have prompt = no and
organizationalUnitName =
It takes OU's size as zero and fails. This should not be an error
condition, OU should be skipped just like if you had in the command
(which I *KNOW* works):
-subj "/CN=US/ST=MI/O= HTT Consulting/OU=/CN=Root CA"
So I call it a bug.
But I believe you need a distinguished name if you are following the
RFCs. Maybe you can modify your script to stuff the principal name
from the SAN in the DN somewhere.
Next steps:
complete basic setup for ecdsa pki and 802.1AR leaf. Publish on my website.
Write up 'lessons learned' and post it here.
I think there's a separate RFC or draft for 802.1AR, but I have not read it.
Maybe part of the pain point is, OpenSSL is not aware of it. It's just
using RFC 5280 (and to some extent, 6125).
Maybe you should stop using the command line tools and code something
up in C. Once you hit your stride using the C APIs, it's easy to crank
out certificates the way you want them.
Jeff
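The workaround discussed in the thread, as an added example that is not part of the original mail: a small helper that takes an ordered attribute list, drops the empty components before OpenSSL ever sees them, and emits both the `-subj` form (which tolerates empty values) and a `[ dn ]` section for a `prompt = no` config (which does not). The `SAMPLE_DN` list, the section name `dn`, and the `LONG_NAME` mapping are constructed for this example; the `N.` prefix for repeated types and backslash escaping in `-subj` are standard OpenSSL conventions.

```python
"""Build an OpenSSL subject two ways from one attribute list, dropping
empty components so a `prompt = no` / -batch run does not fail on them."""
import re

# Constructed example DN (not from the thread); OU is deliberately empty.
SAMPLE_DN = [("C", "US"), ("ST", "MI"), ("O", "HTT Consulting"),
             ("OU", ""), ("CN", "Root CA")]

# Short names -> long keys used in a [ dn ] section when prompt = no.
LONG_NAME = {"C": "countryName", "ST": "stateOrProvinceName",
             "L": "localityName", "O": "organizationName",
             "OU": "organizationalUnitName", "CN": "commonName"}


def drop_empty(dn):
    """Keep only components whose value is non-empty after stripping."""
    return [(t, v) for t, v in dn if v is not None and v.strip() != ""]


def to_subj(dn):
    """Render the -subj form: /type=value/type=value ...
    OpenSSL's -subj parser treats backslash as an escape, so any
    '/', '+' or '\\' inside a value is escaped here."""
    parts = [t + "=" + re.sub(r"([\\/+])", r"\\\1", v)
             for t, v in drop_empty(dn)]
    return "/" + "/".join(parts)


def _conf_value(v):
    """Double-quote a config value only when it needs it (comment/expansion
    characters or surrounding whitespace), escaping backslash and quote."""
    if any(c in v for c in '#$"\\') or v != v.strip():
        return '"' + v.replace("\\", "\\\\").replace('"', '\\"') + '"'
    return v


def to_config_section(dn, name="dn"):
    """Render a [ name ] section for prompt = no. Types that occur more
    than once get the N. prefix OpenSSL needs to keep keys distinct."""
    kept = [(LONG_NAME.get(t, t), v) for t, v in drop_empty(dn)]
    total = {k: sum(1 for kk, _ in kept if kk == k) for k, _ in kept}
    seen, lines = {}, [f"[ {name} ]"]
    for key, val in kept:
        idx = seen.get(key, 0)
        seen[key] = idx + 1
        prefix = f"{idx}." if total[key] > 1 else ""
        lines.append(f"{prefix}{key} = {_conf_value(val)}")
    return "\n".join(lines)


def to_req_config(dn):
    """Full minimal req config: prompt = no plus the cleaned [ dn ] section."""
    return "[ req ]\nprompt = no\ndistinguished_name = dn\n\n" \
        + to_config_section(dn) + "\n"
```

Feed `to_req_config(SAMPLE_DN)` to `openssl req -new -config <file>` or pass `to_subj(SAMPLE_DN)` with `-subj`; in both cases the empty OU is simply absent from the request rather than triggering an error.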
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users