> In LDAP, the convention is to display the DNs in the opposite order,
> but the semantic meaning of the DN is unchanged. The X.500 representation
> /c=us/o=foo/ou=people/cn=joe
> specifies the exact same object as the LDAP DN
> cn=joe,ou=people,o=foo,c=us
>
> The difference is purely a matter of presentation.
And I believe that the root of the confusion is syntax.
X.500 uses the '/' convention, while RFC 2253 uses the ',' convention.
OpenSSL 0.9.7-dev (and possibly other versions) print the DN using ','
notation but in the wrong order in the case where you dump the entire
certificate, e.g.
openssl x509 -in foo.pem -noout -text
gives
Subject: C=CA, ST=ON, O=cfrq.net, OU=SSL Client, CN=Harald Koch
If you say:
openssl x509 -in ~/lib/CA/client-cert.pem -noout -subject
you get
subject= /C=CA/ST=ON/O=cfrq.net/OU=SSL Client/CN=Harald Koch
and if you say:
openssl x509 -in ~/lib/CA/client-cert.pem -noout -subject -nameopt rfc2253
you get:
subject= CN=Harald Koch,OU=SSL Client,O=cfrq.net,ST=ON,C=CA
both of which are correct.
--
Harald Koch <[EMAIL PROTECTED]>
"It takes a child to raze a village."
-Michael T. Fry
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
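An added Python example, not part of Harald's message or of OpenSSL itself: it parses a DN written in either notation into one root-first RDN sequence, so the '/' form and the RFC 2253 form above compare equal while the comma-separated ordering from -text does not, and it converts between the two display forms. It assumes that separators occurring inside attribute values are backslash-escaped and does not handle multi-valued RDNs.

```python
# Added example (not from the thread or from OpenSSL): treat both DN
# notations as the same RDN sequence displayed in opposite order.
# Assumption: separators inside values are backslash-escaped; "+" RDNs ignored.
import re

def split_unescaped(s, sep):
    """Split s on sep, keeping backslash-escape pairs (e.g. '\\/') intact."""
    parts = re.findall(r"(?:\\.|[^\\%s])+" % re.escape(sep), s)
    return [p.strip() for p in parts if p.strip()]

def reescape(rdn, src_sep, dst_sep=None):
    """Unescape src_sep; escape dst_sep if given, else drop every escape."""
    out, i = [], 0
    while i < len(rdn):
        if rdn[i] == "\\" and i + 1 < len(rdn):
            nxt = rdn[i + 1]
            keep = dst_sep is not None and nxt != src_sep
            out.append("\\" + nxt if keep else nxt)
            i += 2
            continue
        out.append("\\" + rdn[i] if rdn[i] == dst_sep else rdn[i])
        i += 1
    return "".join(out)

def rdn_sequence(dn):
    """[(type, value), ...] root first, whichever notation dn is written in."""
    if dn.startswith("/"):                  # X.500 style: already root first
        sep, rdns = "/", split_unescaped(dn, "/")
    else:                                   # RFC 2253 style: leaf first
        sep, rdns = ",", list(reversed(split_unescaped(dn, ",")))
    pairs = []
    for r in rdns:
        t, _, v = r.partition("=")
        pairs.append((t.strip().lower(), reescape(v.strip(), sep)))
    return pairs

def same_object(dn_a, dn_b):
    """True when both strings name the same entry, regardless of notation."""
    return rdn_sequence(dn_a) == rdn_sequence(dn_b)

def x500_to_rfc2253(dn):
    return ",".join(reescape(r, "/", ",") for r in reversed(split_unescaped(dn, "/")))

def rfc2253_to_x500(dn):
    return "/" + "/".join(reescape(r, ",", "/") for r in reversed(split_unescaped(dn, ",")))
```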