Re: UID in subj args - bug?

Right now I am feeling really stupid.  I blame it on.  Well, never mind.

I have 2 openssl.cnf files.  One at the ca directory level, and one at the ca/intermediate level.

I was supposed to be editing the intermediate level one, but was working on the ca level one.

argh....

So adding to [ policy_loose ]

UID                  = optional

and it works.  Sigh.

I am working too hard and missing the details.

But I still want a list of the types!  For example UID above works. What about Userid?  I misspelled serialNumber (had serialnumber) and it threw that back with an error.  So there IS a list somewhere, even if it is deep in the code.

Thank you for all your help and putting up with me sometimes getting lost in the maze.

On 7/6/23 15:26, Viktor Dukhovni wrote:
> On Thu, Jul 06, 2023 at 03:04:12PM -0400, Robert Moskowitz wrote:
>
> > Adding
> >
> > -preserveDN
> >
> > is the only way I have found so far to get UID included.
> >
> > My command is:
> >
> > openssl ca -config $dir/openssl.cnf\
> >       -extensions usr_cert -notext -preserveDN \
> >       -in $dir/csr/$clientemail.csr.$format\
> >       -out $dir/certs/$clientemail.cert.$format
> >
> > I tried adding
> >
> > policy = policy_loose
> >
> > to the usr_cert extension, but that didn't do anything.
>
> That's not where it goes.  The "policy" section name is set in the
> "CA_default" section, or can be specified as a command-line option.
>
> If that doesn't work, perhaps another github issue.  I don't have
> an active CA configuration just at the moment, nor cycles to play
> with one to find the right combination.
>
> You should be able to specify which RDNs from the request to include in
> the issued certificate via the named policy section.  If that fails,
> post a full reproducer script that creates a CA, a suitable CSR, ...
> and then fails to create the expected certificate subject DN.
>
> If you post a complete stand-alone script, that will "demo" the issue on
> a bare openssl platform, then we can make progress.
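
A stand-alone reproducer of the kind asked for in the thread, added here as an example; it is not part of the original messages or anyone's actual CA setup. It builds a throw-away CA and signs the same CSR without and with `UID = optional` in `[ policy_loose ]`, with no `-preserveDN`. The temp-directory layout, the subject values and the `issue_subject` helper are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: throw-away CA in a temp dir; every name and value is constructed.
# issue_subject yes|no : sign one CSR whose subject carries UID, with or without
# "UID = optional" in the policy section, and print the issued subject DN.
issue_subject() {
  d=$(mktemp -d) || return 1
  mkdir "$d/newcerts"; : > "$d/index.txt"; echo 01 > "$d/serial"
  cat > "$d/openssl.cnf" <<EOF
[ req ]
distinguished_name = dn
[ dn ]
[ ca ]
default_ca = CA_default
[ CA_default ]
database      = $d/index.txt
new_certs_dir = $d/newcerts
serial        = $d/serial
certificate   = $d/ca.crt
private_key   = $d/ca.key
default_md    = sha256
default_days  = 30
# The policy section is named here, not in the extensions section.
policy        = policy_loose
[ policy_loose ]
countryName      = optional
organizationName = optional
commonName       = supplied
EOF
  # Appending works because [ policy_loose ] is the last section in the file.
  if [ "$1" = yes ]; then echo "UID = optional" >> "$d/openssl.cnf"; fi
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -config "$d/openssl.cnf" \
    -subj "/CN=Constructed Test CA" -keyout "$d/ca.key" -out "$d/ca.crt" \
    >/dev/null 2>&1 || return 1
  openssl req -new -newkey rsa:2048 -nodes -config "$d/openssl.cnf" \
    -subj "/C=US/O=Example/UID=jdoe/CN=client@example.test" \
    -keyout "$d/client.key" -out "$d/client.csr" >/dev/null 2>&1 || return 1
  # No -preserveDN: the policy section alone decides which RDNs are copied.
  openssl ca -batch -notext -config "$d/openssl.cnf" \
    -in "$d/client.csr" -out "$d/client.crt" >/dev/null 2>&1 || return 1
  openssl x509 -noout -subject -nameopt RFC2253 -in "$d/client.crt"
  rm -rf "$d"
}

issue_subject no    # UID is silently dropped from the issued subject
issue_subject yes   # UID is carried into the issued subject
```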