On Mon, Nov 17, 2003, Steven Reddie wrote:

> So this sounds like a limitation of our software rather than an OpenSSL
> by-design issue?
>
> I've been told that when the EE certificate in question was issued that the
> CA's subject DN was copied to the EE's issuer DN and "flipped" on the way; I
> don't understand why. The people responsible for the tools have now changed
> the behaviour to not flip the DN but are looking for us to get our PKCS12
> export function working with their special certs so that their clients can
> avoid having to regenerate them. Should OpenSSL work with such certs?
>
One possibility is the textual display of a DN if it follows RFC2253: this
reverses the order of the components in a DN before outputting them. However
that's only for textual display.

What you seem to be saying however is that the software is changing the order
of the components of a DN between the CA subject name and the EE issuer name.

The ordering is important for a DN: two DNs which have identical components but
which are ordered differently are *NOT* equivalent. This means that any
compliant software (OpenSSL, Mozilla, MSIE etc) will not recognise the CA as
being the issuer of the EE certificate.

Steve.
--
Dr Stephen N. Henson.
Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://drh-consultancy.demon.co.uk
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
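An illustration of the distinction drawn in the reply above, added here and not part of the original messages or of OpenSSL's code: it separates the harmless RFC2253 display reversal from a reversal of the encoded issuer name. The DN values and the names `rfc2253_display` and `classify_issuer` are made up for the example, each RDN is assumed single-valued, and values are compared exactly rather than with a real library's name canonicalisation.

```python
# Added example. A DN is modelled as an ordered list of (attribute, value)
# pairs in the order the RDNs are encoded in the certificate.
# All DN values below are constructed for illustration.

def rfc2253_display(dn):
    """Render a DN as text the RFC 2253 way: last encoded RDN first."""
    def esc(value):
        # Backslash-escape characters that are special in the string form.
        return "".join("\\" + c if c in ',+"\\<>;' else c for c in value)
    return ",".join(f"{attr}={esc(val)}" for attr, val in reversed(dn))

def classify_issuer(ee_issuer, ca_subject):
    """Compare an EE issuer DN with a CA subject DN, order included."""
    if ee_issuer == ca_subject:
        return "match"        # the CA is found as the issuer
    if ee_issuer == list(reversed(ca_subject)):
        return "flipped"      # same RDNs, encoded in reverse order
    if sorted(ee_issuer) == sorted(ca_subject):
        return "reordered"    # same RDNs, some other order
    return "different"

CA_SUBJECT = [("C", "AU"), ("O", "Example Org"), ("OU", "PKI"),
              ("CN", "Example Root CA")]
GOOD_EE_ISSUER = list(CA_SUBJECT)                 # copied unchanged
FLIPPED_EE_ISSUER = list(reversed(CA_SUBJECT))    # copied and "flipped"

if __name__ == "__main__":
    print("CA subject (display):", rfc2253_display(CA_SUBJECT))
    for label, issuer in (("good EE", GOOD_EE_ISSUER),
                          ("flipped EE", FLIPPED_EE_ISSUER)):
        print(f"{label}: issuer={rfc2253_display(issuer)} "
              f"-> {classify_issuer(issuer, CA_SUBJECT)}")
```

Only the "match" case lets a verifier pair the EE certificate with the CA; "flipped" and "reordered" carry the same components but are different names.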