Hi, we found today a big problem with the DNs which OpenSSL displays because our application (OpenCA) produce DNs which are conform to the directorystandards but OpenSSL interprets them in the opposite order. What does this mean?
Here an example: The root of our directory is the following: o=HU, c=de The organizational unit for the PKI is Test-CA. So the next DN in the directory must be: ou=Test-CA, o=HU, c=de A certificate would have the DN "cn=bell, ou=Test-CA, o=HU, c=de". It is no problem to produce this DN with OpenSSL but then we were a little bit shocked when we see the DNs of Thawte, VeriSign, Entrust etc. with OpenSSL. They have all the format "c=US, o=VeriSign, ..." (openssl-*/cerst/). All these trustcenters use LDAP-servers but these DNs can never be stored in a directoryserver! So it looks like OpenSSL displays the different parts of a DN in the wrong order. Did I make a misinterpretation? If this is a bug then I have the next question, can you fix this in the 0.9.7-tree? It is possible to protect the old index.txt etc. by adding an option -x500 or something like this to get a DN which can be inserted in a directoryserver. The problem is that OpenSSL interprets a correct DN with "openssl req -subj 'cn=...,c=de'" in the wrong order (so we get a "wrong" certificate). I know no optimal solution except of adding such an option to every related command or add an option like -oldstyledn to "openssl x509" and "openssl ca" but before starting discussing solutions I will wait for an answer (bug or misinterpretation). Best Regards, Michael -- ------------------------------------------------------------------- Michael Bell Email (private): [EMAIL PROTECTED] Rechenzentrum - Datacenter Email: [EMAIL PROTECTED] Humboldt-University of Berlin Tel.: +49 (0)30-2093 2482 Unter den Linden 6 Fax: +49 (0)30-2093 2959 10099 Berlin Germany http://www.openca.org ______________________________________________________________________ OpenSSL Project http://www.openssl.org Development Mailing List [EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
