Is this what you're looking for: https://github.com/openssl/openssl/blob/OpenSSL_1_0_2-stable/crypto/objects/obj_dat.h#L957 ?

Sent with Proton Mail secure email.

------- Original Message -------
On Thursday, July 6th, 2023 at 15:23, Robert Moskowitz <rgm@xxxxxxxxxxxxxxx> wrote:

> Right now I am feeling really stupid. I blame it on. Well, never mind.
>
> I have 2 openssl.cnf files. One at the ca directory level, and one at
> the ca/intermediate level.
>
> I was supposed to be editing the intermediate level one, but was working
> on the ca level one.
>
> argh....
>
> So adding to [ policy_loose ]
>
> UID = optional
>
> and it works. Sigh.
>
> I am working too hard and missing the details.
>
> But I still want a list of the types! For example UID above works. What
> about Userid? I misspelled serialNumber (had serialnumber) and it threw
> that back with an error. So there IS a list somewhere, even if it is
> deep in the code.
>
> Thank you for all your help and putting up with me sometimes getting
> lost in the maze.
>
> On 7/6/23 15:26, Viktor Dukhovni wrote:
>
> > On Thu, Jul 06, 2023 at 03:04:12PM -0400, Robert Moskowitz wrote:
> >
> > > Adding
> > >
> > > -preserveDN
> > >
> > > is the only way I have found so far to get UID included.
> > >
> > > My command is:
> > >
> > > openssl ca -config $dir/openssl.cnf\
> > > -extensions usr_cert -notext -preserveDN \
> > > -in $dir/csr/$clientemail.csr.$format\
> > > -out $dir/certs/$clientemail.cert.$format
> > >
> > > I tried adding
> > >
> > > policy = policy_loose
> > >
> > > to the usr_cert extension, but that didn't do anything.
> > >
> > > That's not where it goes. The "policy" section name is set in the
> > > "CA_default" section, or can be specified as a command-line option.
> >
> > If that doesn't work, perhaps another github issue. I don't have
> > an active CA configuration just at the moment, nor cycles to play
> > with one to find the right combination.
> >
> > You should be able to specify which RDNs from the request to include in
> > the issued certificate via the named policy section. If that fails,
> > post a full reproducer script that creates a CA, a suitable CSR, ...
> > and then fails to create the expected certificate subject DN.
> >
> > If you post a complete stand-alone script, that will "demo" the issue on
> > a bare openssl platform, then we can make progress.
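
A stand-alone script of the kind requested above, added here as an example and not posted by anyone in the thread: it builds a throwaway CA, signs the same CSR without `-preserveDN` under two versions of `[ policy_loose ]`, and shows that UID reaches the issued subject only when the policy named in `CA_default` lists it. The CA name, the subject `/CN=alice/UID=alice01` and the function name `issue_with_policy` are constructed for the demo; it assumes the `openssl` command is on the PATH.

```shell
#!/bin/sh
# Added example. The CA name, subject and UID value are constructed for the demo.
# Builds a throwaway CA, signs a CSR whose subject is /CN=alice/UID=alice01
# WITHOUT -preserveDN, and prints the subject of the issued certificate.
# $1 is an extra line for [ policy_loose ]: "" or "UID = optional".
issue_with_policy() {
    d=$(mktemp -d) || return 1
    mkdir "$d/newcerts" && : > "$d/index.txt" && echo 01 > "$d/serial" || return 1
    cat > "$d/openssl.cnf" <<EOF
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ ca ]
default_ca    = CA_default
[ CA_default ]
database      = $d/index.txt
new_certs_dir = $d/newcerts
serial        = $d/serial
certificate   = $d/ca.cert.pem
private_key   = $d/ca.key.pem
default_md    = sha256
default_days  = 30
# The policy section is named here, not in the extensions section.
policy        = policy_loose
[ policy_loose ]
commonName    = supplied
$1
EOF
    openssl req -config "$d/openssl.cnf" -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=Demo CA" -keyout "$d/ca.key.pem" -out "$d/ca.cert.pem" \
        2>/dev/null || return 1
    openssl req -config "$d/openssl.cnf" -new -newkey rsa:2048 -nodes \
        -subj "/CN=alice/UID=alice01" -keyout "$d/alice.key.pem" \
        -out "$d/alice.csr.pem" 2>/dev/null || return 1
    openssl ca -batch -config "$d/openssl.cnf" -notext -in "$d/alice.csr.pem" \
        -out "$d/alice.cert.pem" 2>/dev/null || return 1
    subject=$(openssl x509 -in "$d/alice.cert.pem" -noout -subject)
    rm -rf "$d"
    printf '%s\n' "$subject"
}

echo "policy without UID:   $(issue_with_policy '')"
echo "policy with UID line: $(issue_with_policy 'UID = optional')"
```

Request fields that the policy section does not mention are dropped from the issued subject without an error, so it is worth checking the subject of the issued certificate after any policy change.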