Hi Robert,

Have you tried the commands in this solution: https://stackoverflow.com/a/70397430 ? It seems to be addressing the missing UID issue in the certificate.

Sent with Proton Mail secure email.

------- Original Message -------
On Thursday, July 6th, 2023 at 10:24, Robert Moskowitz <rgm@xxxxxxxxxxxxxxx> wrote:

> I have:
>
> policy = policy_loose
> copy_extensions = copy
>
> [ policy_loose ]
> # Allow the intermediate CA to sign a more
> # diverse range of certificates.
> # See the POLICY FORMAT section of the `ca` man page.
> countryName = optional
> stateOrProvinceName = optional
> localityName = optional
> organizationName = optional
> organizationalUnitName = optional
> commonName = optional
>
>
> I added:
>
> userid = optional
> serialnumber = optional
>
> And the openssl ca command still did not recognize UID. I then tried
>
> UID = optional
>
> and still did not work.
>
>
> On 7/6/23 11:51, Viktor Dukhovni wrote:
>
> > On Thu, Jul 06, 2023 at 11:45:57AM -0400, Robert Moskowitz wrote:
> >
> > > I think there is a bug....
> > >
> > > I can provide the CSR and cert both in pem.
> > > More likely your CA config file does not specify what to do with UID RDNs
> > > when signing CSRs. The default config file has:
> >
> > # A few difference way of specifying how similar the request should look
> > # For type CA, the listed attributes must be the same, and the optional
> > # and supplied fields are just that :-)
> > policy = policy_match
> >
> > # For the CA policy
> > [ policy_match ]
> > countryName = match
> > stateOrProvinceName = match
> > organizationName = match
> > organizationalUnitName = optional
> > commonName = supplied
> > emailAddress = optional
> >
> > # For the 'anything' policy
> > # At this point in time, you must list all acceptable 'object'
> > # types.
> > [ policy_anything ]
> > countryName = optional
> > stateOrProvinceName = optional
> > localityName = optional
> > organizationName = optional
> > organizationalUnitName = optional
> > commonName = supplied
> > emailAddress = optional
> >
> > No mention of UIDs there.
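
The policy behaviour the quoted reply points at, as an added example that is not part of the thread and is not OpenSSL code: a small Python model of the POLICY FORMAT rules from the `ca` man page (`match`, `supplied`, `optional`, and fields not mentioned in the policy being silently deleted unless `-preserveDN` is set), run against the quoted `policy_anything` section. The CSR and CA subjects are constructed sample values, and comparing attribute names as plain strings is a simplifying assumption.

```python
# Simplified model of the `openssl ca` policy rules; names are compared as plain
# strings (assumption), whereas OpenSSL resolves each name to an object type.

def parse_policy(text):
    """Parse the 'name = rule' lines of one policy section into a dict."""
    policy = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or line.startswith("[") or "=" not in line:
            continue
        name, _, rule = line.partition("=")
        policy[name.strip()] = rule.strip()
    return policy

def apply_policy(policy, csr_subject, ca_subject):
    """Return (kept, dropped, errors) for a CSR subject under a policy."""
    kept, dropped, errors = [], [], []
    csr, ca = dict(csr_subject), dict(ca_subject)
    for name, value in csr_subject:
        if name in policy:
            kept.append((name, value))
        else:
            dropped.append(name)  # not listed in the policy: silently deleted
    for name, rule in policy.items():
        if rule == "supplied" and name not in csr:
            errors.append(f"{name} must be supplied")
        elif rule == "match" and (name not in csr or csr[name] != ca.get(name)):
            errors.append(f"{name} must match the CA certificate")
    return kept, dropped, errors

# policy_anything as quoted in the thread
POLICY_ANYTHING = """
[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
"""

# Constructed sample subjects (not taken from the thread)
CSR_SUBJECT = [("countryName", "US"), ("commonName", "device-01"), ("UID", "abc123")]
CA_SUBJECT = [("countryName", "US"), ("organizationName", "Example CA")]

def check_sample():
    return apply_policy(parse_policy(POLICY_ANYTHING), CSR_SUBJECT, CA_SUBJECT)

print(check_sample())
```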