Re: UID in subj args - bug?

[Robert Moskowitz <rgm@xxxxxxxxxxxxxxx>]

Adding

-preserveDN

is the only way I have found so far to get UID included.

My command is:

openssl ca -config $dir/openssl.cnf\
    -extensions usr_cert -notext -preserveDN \
    -in $dir/csr/$clientemail.csr.$format\
    -out $dir/certs/$clientemail.cert.$format

I tried adding

policy = policy_loose

to the usr_cert extension, but that didn't do anything.

grumble.

On 7/6/23 13:33, Robert Moskowitz wrote:
> I havpolicy            = policy_loose
> copy_extensions   = copy
>
> [ policy_loose ]
> # Allow the intermediate CA to sign a more
> #   diverse range of certificates.
> # See the POLICY FORMAT section of the `ca` man page.
> countryName             = optional
> stateOrProvinceName     = optional
> localityName            = optional
> organizationName        = optional
> organizationalUnitName  = optional
> commonName              = optional
> UID                  = optional
> serialnumber            = optional
>
> And the CSR has the UID, but the proposed cert drops it.
>
> On 7/6/23 13:27, noreply via openssl-users wrote:
> > Hi Robert,
> >
> > Have you tried the commands in this solution: 
> > https://stackoverflow.com/a/70397430 ?
> > It seems to be addressing the missing UID issue in certificate.
> >
> >
> > Sent with Proton Mail secure email.
> >
> > ------- Original Message -------
> > On Thursday, July 6th, 2023 at 10:24, Robert Moskowitz 
> > <rgm@xxxxxxxxxxxxxxx> wrote:
> >
> >
> > > I have:
> > >
> > > policy = policy_loose
> > > copy_extensions = copy
> > >
> > > [ policy_loose ]
> > > # Allow the intermediate CA to sign a more
> > > # diverse range of certificates.
> > > # See the POLICY FORMAT section of the `ca` man page.
> > > countryName = optional
> > > stateOrProvinceName = optional
> > > localityName = optional
> > > organizationName = optional
> > > organizationalUnitName = optional
> > > commonName = optional
> > >
> > >
> > > I added:
> > >
> > > userid = optional
> > > serialnumber = optional
> > >
> > > And the oepnssl ca command still did not recognize UID. I then tried
> > >
> > > UID = optional
> > >
> > > and still did not work.
> > >
> > >
> > > On 7/6/23 11:51, Viktor Dukhovni wrote:
> > >
> > > > On Thu, Jul 06, 2023 at 11:45:57AM -0400, Robert Moskowitz wrote:
> > > >
> > > > > I think there is a bug....
> > > > >
> > > > > I can provide the CSR and cert both in pem.
> > > > > More likely your CA config file does not specify what do with UID 
> > > > > RDNs
> > > > > when signing CSRs. The default config file has:
> > > > # A few difference way of specifying how similar the request should 
> > > > look
> > > > # For type CA, the listed attributes must be the same, and the 
> > > > optional
> > > > # and supplied fields are just that :-)
> > > > policy = policy_match
> > > >
> > > > # For the CA policy
> > > > [ policy_match ]
> > > > countryName = match
> > > > stateOrProvinceName = match
> > > > organizationName = match
> > > > organizationalUnitName = optional
> > > > commonName = supplied
> > > > emailAddress = optional
> > > >
> > > > # For the 'anything' policy # At this point in time, you must list 
> > > > all acceptable 'object'
> > > > # types.
> > > > [ policy_anything ]
> > > > countryName = optional
> > > > stateOrProvinceName = optional
> > > > localityName = optional
> > > > organizationName = optional
> > > > organizationalUnitName = optional
> > > > commonName = supplied
> > > > emailAddress = optional
> > > >
> > > > No mention of UIDs there.