So this sounds like a limitation of our software rather than an OpenSSL by-design issue?
I've been told that when the EE certificate in question was issued, the CA's subject DN was copied to the EE's issuer DN and "flipped" on the way; I don't understand why. The people responsible for the tools have now changed the behaviour to not flip the DN but are looking for us to get our PKCS12 export function working with their special certs so that their clients can avoid having to regenerate them. Should OpenSSL work with such certs?

Regards,

Steven

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Dr. Stephen Henson
Sent: Monday, 17 November 2003 11:42 PM
To: [EMAIL PROTECTED]
Subject: Re: Ordering of components of subject/issuer DN

On Mon, Nov 17, 2003, Steven Reddie wrote:

>
> I have come across a certificate that chokes our software which uses
> OpenSSL. I haven't dug very deep yet, but was hoping that someone
> could tell me about any ordering rules for the DNs.
>
> openssl asn1parse on the cert produces the dump below which has the
> order of issuer DN components in the reverse order (CN->C) of what I
> am used to seeing (C->CN). Is this a legal certificate? My
> understanding is that the order is fixed by one of the X.400/X.500
> standards. Apparently IE and Netscape can quite happily import and
> export the P12 file that this cert came from. If this encoding is
> illegal, is it considered best practice to be able to handle it?
>

The standards don't specify any specific ordering with single valued RDNs. In ASN1 terms they are a SEQUENCE: the rules for encoding of a SEQUENCE are that the order of the components is kept. The actual components within a multi valued RDN are a SET which is considered unordered, though use of multi valued RDNs is rare.

If it chokes your software then perhaps it is expecting a certain order or expecting certain components to be present?

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://drh-consultancy.demon.co.uk
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
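
Added example (not part of the original thread, and not OpenSSL code): the Python sketch below hand-encodes a constructed CA subject DN and its "flipped" form to show the point made in the reply above, that RDN order is preserved by the SEQUENCE encoding while the members of a multi valued RDN form a SET. All function names and sample values are assumptions made for the illustration.

```python
# Added example: hand-rolled DER for X.501 Names (short-form lengths only).
# All names and values below are constructed samples, not taken from the thread.
OIDS = {"C": b"\x55\x04\x06", "O": b"\x55\x04\x0a",
        "OU": b"\x55\x04\x0b", "CN": b"\x55\x04\x03"}
ATTRS = {oid: name for name, oid in OIDS.items()}

def tlv(tag, body):
    if len(body) > 127:
        raise ValueError("sample encoder handles short-form lengths only")
    return bytes([tag, len(body)]) + body

def encode_name(rdns):
    """rdns: list of RDNs, each a list of (attr, value). Returns a DER Name."""
    sets = []
    for rdn in rdns:
        atvs = [tlv(0x30, tlv(0x06, OIDS[a]) + tlv(0x13, v.encode("ascii")))
                for a, v in rdn]
        sets.append(tlv(0x31, b"".join(sorted(atvs))))  # DER sorts SET OF members
    return tlv(0x30, b"".join(sets))                    # SEQUENCE keeps RDN order

def read_tlvs(buf):
    items, i = [], 0
    while i < len(buf):
        length = buf[i + 1]
        items.append((buf[i], buf[i + 2:i + 2 + length]))
        i += 2 + length
    return items

def decode_name(der):
    """Return the RDNs in encoded order; each RDN is an unordered frozenset."""
    [(_, seq_body)] = read_tlvs(der)
    rdns = []
    for _, set_body in read_tlvs(seq_body):
        pairs = []
        for _, atv in read_tlvs(set_body):
            (_, oid), (_, value) = read_tlvs(atv)
            pairs.append((ATTRS[oid], value.decode("ascii")))
        rdns.append(frozenset(pairs))
    return rdns

def compare_issuer(issuer_der, ca_subject_der):
    issuer, subject = decode_name(issuer_der), decode_name(ca_subject_der)
    if issuer == subject:
        return "same order"
    return "reversed" if issuer == subject[::-1] else "different"

CA_SUBJECT = [[("C", "AU")], [("O", "Example Org")], [("CN", "Example CA")]]
ca_der = encode_name(CA_SUBJECT)
flipped_der = encode_name(CA_SUBJECT[::-1])   # the "flipped" issuer DN case
```

Both encodings are well-formed Names, but they differ byte for byte, so any code that compares an issuer DN with a CA subject DN by encoding or by position sees two different names.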