James Eborall wrote:
>
> Basically the mail system (and some others I believe) use a DN element
> for the email address to check that the cert used to sign matches the
> originator's address. If I make a CSR then the email address is there as
> 'emailaddress=...' which seems ok, however when I export it back to the
> CA and sign it the DN is rewritten during the signing process and loses
> the emailaddress element.

The emailaddress will be removed because of the recommendations for S/MIME v3. S/MIME v2 compatible clients (e.g. Netscape) check the subject alternative name too.

> It seems odd that they use this and ignore the
> subjectaltname but I'm rather new to PKI.

If you have clients that need the emailaddress in the DN then you must change the ra.conf and ca.conf. There is a switch DN_WITHOUT_EMAIL. Simply set it to N or NO.

Best Regards,

Michael
-- 
Michael Bell
Rechenzentrum - Datacenter
Humboldt-University of Berlin
Unter den Linden 6
10099 Berlin
Germany
Email (private): [EMAIL PROTECTED]
Email: [EMAIL PROTECTED]
Tel.: +49 (0)30-2093 2482
Fax: +49 (0)30-2093 2959
http://www.openca.org
