I have:
policy = policy_loose
copy_extensions = copy
[ policy_loose ]
# Allow the intermediate CA to sign a more
# diverse range of certificates.
# See the POLICY FORMAT section of the `ca` man page.
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = optional
I added:
userid = optional
serialnumber = optional
And the oepnssl ca command still did not recognize UID. I then tried
UID = optional
and still did not work.
On 7/6/23 11:51, Viktor Dukhovni wrote:
On Thu, Jul 06, 2023 at 11:45:57AM -0400, Robert Moskowitz wrote:
I think there is a bug....
I can provide the CSR and cert both in pem.
More likely your CA config file does not specify what do with UID RDNs
when signing CSRs. The default config file has:
# A few difference way of specifying how similar the request should look
# For type CA, the listed attributes must be the same, and the optional
# and supplied fields are just that :-)
policy = policy_match
# For the CA policy
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
# For the 'anything' policy # At this point in time, you must list all acceptable 'object'
# types.
[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
No mention of UIDs there.
