On Thu, Jul 06, 2023 at 06:23:46PM -0400, Robert Moskowitz wrote:

> So adding to [ policy_loose ]
>
>     UID = optional
>
> and it works.  Sigh.

Good to hear things work as expected/intended.

> But I still want a list of the types!  For example UID above works.  What
> about Userid?  I misspelled serialNumber (had serialnumber) and it threw
> that back with an error.  So there IS a list somewhere, even if it is
> deep in the code.

https://datatracker.ietf.org/doc/html/rfc5280#section-4.1.2.4

   Name ::= CHOICE {
     rdnSequence  RDNSequence }

   RDNSequence ::= SEQUENCE OF RelativeDistinguishedName

   RelativeDistinguishedName ::=
     SET SIZE (1..MAX) OF AttributeTypeAndValue

   AttributeTypeAndValue ::= SEQUENCE {
     type     AttributeType,
     value    AttributeValue }

   AttributeType ::= OBJECT IDENTIFIER   -- e.g. UID, serialNumber, ...

   AttributeValue ::= ANY -- DEFINED BY AttributeType

   DirectoryString ::= CHOICE {
         teletexString           TeletexString (SIZE (1..MAX)),
         printableString         PrintableString (SIZE (1..MAX)),
         universalString         UniversalString (SIZE (1..MAX)),
         utf8String              UTF8String (SIZE (1..MAX)),
         bmpString               BMPString (SIZE (1..MAX)) }

   The Name describes a hierarchical name composed of attributes, such
   as country name, and corresponding values, such as US.  The type of
   the component AttributeValue is determined by the AttributeType; in
   general it will be a DirectoryString.

So any RDN you choose to include in the subject DN needs an OID and a
value.  The OID can be any of the built-in OID names that are intended
for use in directory names, or a custom OID (specified explicitly or
given a name in the configuration file).  The value can be any ASN.1
type, but it really should be a DirectoryString.  When specifying
literal values, you may need to prefix them with a "UTF8:" qualifier to
signal that it is UTF8-encoded when that's the case.

So any OID at all will do, but of course it should ideally be one that's
recognised as a known type of RDN component by the applications that
process the certificate.
The UID type is inherited from the LDAP world:

    https://www.rfc-editor.org/rfc/rfc4519.html#section-2.39

originally from

    https://www.rfc-editor.org/rfc/rfc1274#section-9.3.1

   ...
   Standard sets of attributes have been defined in the X.500 series of
   specifications [X.520].  Implementations of this specification MUST
   be prepared to receive the following standard attribute types in
   issuer and subject (Section 4.1.2.6) names:

      * country,
      * organization,
      * organizational unit,
      * distinguished name qualifier,
      * state or province name,
      * common name (e.g., "Susan Housley"), and
      * serial number.

   In addition, implementations of this specification SHOULD be prepared
   to receive the following standard attribute types in issuer and
   subject names:

      * locality,
      * title,
      * surname,
      * given name,
      * initials,
      * pseudonym, and
      * generation qualifier (e.g., "Jr.", "3rd", or "IV").

   The syntax and associated object identifiers (OIDs) for these
   attribute types are provided in the ASN.1 modules in Appendix A.
   ...

https://datatracker.ietf.org/doc/html/rfc5280#appendix-A

Welcome to the world of X.509 where anything goes, and nobody knows
what's going on...

-- 
    Viktor.
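Editor's added example, not code from Viktor's reply or from OpenSSL itself: a throwaway openssl.cnf that gives a private RDN OID a short name via oid_section, puts UID and that OID into a request DN, and then signs the CSR under three `openssl ca` policy sections so the effect of the policy list Robert edited is visible. The section names policy_nouid and policy_typo, the attribute name exampleTag and its OID 1.3.6.1.4.1.99999.1 are placeholders chosen for this illustration; it assumes the openssl command-line tool is installed.

```shell
#!/bin/sh
# Added example (not from the thread).  Assumes the openssl CLI.  The OID
# under exampleTag is a placeholder, not an assigned arc.
set -eu
WORK="$(mktemp -d)"
cd "$WORK"

cat > openssl.cnf <<'EOF'
oid_section = new_oids
[ new_oids ]
# Placeholder arc for illustration only; substitute an OID you control.
exampleTag = 1.3.6.1.4.1.99999.1

[ req ]
prompt = no
string_mask = utf8only
distinguished_name = req_dn
x509_extensions = ca_ext
[ req_dn ]
C = US
O = Example Org
UID = rgm
exampleTag = lab-42
CN = Robert Test
[ ca_ext ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign

[ ca ]
default_ca = CA_default
[ CA_default ]
new_certs_dir = newcerts
database = index.txt
serial = serial
certificate = ca.pem
private_key = ca.key
default_md = sha256
default_days = 30
unique_subject = no
x509_extensions = usr_ext
policy = policy_loose
[ usr_ext ]
basicConstraints = CA:FALSE

# Every policy key must resolve to a known OID: a built-in short or long
# name (UID, serialNumber, ...) or one named in oid_section.
[ policy_loose ]
countryName = optional
organizationName = optional
UID = optional
exampleTag = optional
commonName = supplied
# UID and exampleTag omitted: attributes absent from the policy are dropped
# from the issued subject (preserve = no is the default).
[ policy_nouid ]
countryName = optional
organizationName = optional
commonName = supplied
# Misspelled attribute name: openssl ca rejects the whole policy section.
[ policy_typo ]
serialnumber = optional
commonName = supplied
EOF

mkdir newcerts
touch index.txt
echo 1000 > serial

# Throwaway CA, then a CSR whose subject is taken from [ req_dn ] above.
openssl req -x509 -config openssl.cnf -newkey rsa:2048 -nodes -keyout ca.key \
    -out ca.pem -subj "/C=US/O=Example Org/CN=Example Test CA" -days 30 2>/dev/null
openssl req -new -config openssl.cnf -newkey rsa:2048 -nodes -keyout user.key \
    -out user.csr 2>/dev/null

# Sign user.csr under the named policy section.  Prints the issued subject in
# RFC 2253 form on success, or FAIL if openssl ca refuses the policy/request.
issue_under_policy() {
    out="cert-$1.pem"
    if openssl ca -batch -config openssl.cnf -policy "$1" -in user.csr \
            -out "$out" -notext >/dev/null 2>&1; then
        openssl x509 -in "$out" -noout -subject -nameopt RFC2253
    else
        echo FAIL
    fi
}

for p in policy_loose policy_nouid policy_typo; do
    printf '%-13s %s\n' "$p:" "$(issue_under_policy "$p")"
done
```

Two things worth noticing when running it: the issued subject is rebuilt in the order of the policy section, not the order in the CSR, and a tool that has not loaded the same oid_section (here, the `openssl x509` call) prints the custom attribute as a dotted OID with a hex-encoded value rather than as exampleTag, which is the "recognised by the applications that process the certificate" caveat in practice.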