Some time ago I wrote this patch to ca.c. It adds a new option "-pkixDN". When used, this option strips the Email attribute from the DN. You also need to modify openssl.cnf so that the email address is copied into the SubjectAltName ("subjectAltName=email:copy"). "Dr. Donal O'Mahony" wrote: > Also - How do I get it to stop concatenating the E-mail address onto the end > of the CommonName Attribute > -- FERDINANDO RICCHIUTI Research & Development CSP s.c. a r.l. ____________________________________________ Villa Gualino Viale Settimo Severo, 63 - 10133 Torino [IT] e-mail [EMAIL PROTECTED] mob +39 (0)348 6023959 tel +39 (0)11 3165401 ____________________________________________
*** ca.c.old Fri Jun 30 19:21:49 2000 --- ca.c Sun Sep 3 17:18:53 2000 *************** *** 167,172 **** --- 167,173 ---- " -revoke file - Revoke a certificate (given in file)\n", " -extensions .. - Extension section (override value in config file)\n", " -crlexts .. - CRL extension section (override value in config file)\n", + " -pkixDN - Make a PKIX compliant DN (without the EMail attribute)\n", NULL }; *************** *** 207,217 **** --- 208,220 ---- X509_REQ *req, char *ext_sect, LHASH *conf); static int do_revoke(X509 *x509, TXT_DB *db); static int check_time_format(char *str); + static void do_pkixDN(X509_NAME *DN); static LHASH *conf=NULL; static char *section=NULL; static int preserve=0; static int msie_hack=0; + static int pkixDN=0; int MAIN(int, char **); *************** *** 415,420 **** --- 418,425 ---- if (--argc < 1) goto bad; crl_ext= *(++argv); } + else if (strcmp(*argv,"-pkixDN") == 0) + pkixDN=1; else { bad: *************** *** 1477,1483 **** char *startdate, char *enddate, int days, int batch, int verbose, X509_REQ *req, char *ext_sect, LHASH *lconf) { ! X509_NAME *name=NULL,*CAname=NULL,*subject=NULL; ASN1_UTCTIME *tm,*tmptm; ASN1_STRING *str,*str2; ASN1_OBJECT *obj; --- 1482,1488 ---- char *startdate, char *enddate, int days, int batch, int verbose, X509_REQ *req, char *ext_sect, LHASH *lconf) { ! X509_NAME *name=NULL,*CAname=NULL,*subject=NULL,*pkix_subject=NULL; ASN1_UTCTIME *tm,*tmptm; ASN1_STRING *str,*str2; ASN1_OBJECT *obj; *************** *** 1696,1702 **** if (verbose) BIO_printf(bio_err,"The subject name appears to be ok, checking data base for clashes\n"); ! row[DB_name]=X509_NAME_oneline(subject,NULL,0); row[DB_serial]=BN_bn2hex(serial); if ((row[DB_name] == NULL) || (row[DB_serial] == NULL)) { --- 1701,1712 ---- if (verbose) BIO_printf(bio_err,"The subject name appears to be ok, checking data base for clashes\n"); ! pkix_subject=X509_NAME_dup(subject); ! if (pkix_subject == NULL) goto err; ! ! if (pkixDN) do_pkixDN(pkix_subject); ! ! 
row[DB_name]=X509_NAME_oneline(pkix_subject,NULL,0); row[DB_serial]=BN_bn2hex(serial); if ((row[DB_name] == NULL) || (row[DB_serial] == NULL)) { *************** *** 1837,1842 **** --- 1847,1854 ---- EVP_PKEY_free(pktmp); #endif + if (!X509_set_subject_name(ret,pkix_subject)) goto err; + if (!X509_sign(ret,pkey,dgst)) goto err; *************** *** 1892,1897 **** --- 1904,1911 ---- X509_NAME_free(CAname); if (subject != NULL) X509_NAME_free(subject); + if (pkix_subject != NULL) + X509_NAME_free(pkix_subject); if (tmptm != NULL) ASN1_UTCTIME_free(tmptm); if (ok <= 0) *************** *** 2233,2235 **** --- 2247,2265 ---- return(ok); } + static void do_pkixDN(X509_NAME *DN) + { + int nec,i; + X509_NAME_ENTRY *ne; + ASN1_OBJECT *obj; + + nec=X509_NAME_entry_count(DN); + for (i=0;i<nec;i++) + { + ne=(X509_NAME_ENTRY *)X509_NAME_get_entry(DN,i); + obj=X509_NAME_ENTRY_get_object(ne); + if (OBJ_obj2nid(obj)==NID_pkcs9_emailAddress) + X509_NAME_delete_entry(DN,i); + } + + }
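Review bot: do_pkixDN in the last hunk deletes entries while walking forward over a count taken once (`nec`), so when an emailAddress entry at index i is removed the entry that shifts into slot i is never examined and the final iterations ask X509_NAME_get_entry for indices beyond the shrunken name; a request whose DN carries two adjacent emailAddress RDNs would, as far as I can trace the loop, keep one of them in the issued certificate, which is the opposite of what -pkixDN promises. The X509_NAME_ENTRY returned by X509_NAME_delete_entry is also dropped, so every stripped entry leaks. Looping on X509_NAME_get_index_by_NID until it returns -1 and freeing each removed entry fixes both, and the `nec` and `obj` locals go away. Since the stripped name is both what is signed (X509_set_subject_name in the 1837 hunk) and what the index row records (row[DB_name] in the 1696 hunk), a one-line comment at the X509_NAME_dup call would help the next reader, e.g. `/* pkix_subject is what gets signed and indexed; subject keeps the request's full DN */`.
```c
static void do_pkixDN(X509_NAME *DN)
	{
	int i;
	X509_NAME_ENTRY *ne;

	/* Re-scan from the start after every deletion: removing an entry
	 * renumbers the ones after it, so a cached count/index is stale.
	 * The removed entry is owned by us and must be freed. */
	while ((i=X509_NAME_get_index_by_NID(DN,NID_pkcs9_emailAddress,-1)) >= 0)
		{
		ne=X509_NAME_delete_entry(DN,i);
		X509_NAME_ENTRY_free(ne);
		}
	}
```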