Can anyone respond to this?  At least to let me know that I am
thinking along the right track?   Is there any expectation that the CA
should be using the subject from the CSR that the customer sends?


On Mon, Dec 06, 2004 at 03:38:52AM GMT
> 
>   I'm having trouble with Comodo/InstantSSL.  I think they are not
> signing certs properly.
> 
>   Using openssl, I've created an SSL key and CSR for doing SSL on my
> mail server by doing the following:
> 
> ---------------------------------------------------------------------------------------------
> # openssl req -new -nodes -keyout mail.suso.org-key.pem -out mail.suso.org-req.pem -days 365
> Generating a 1024 bit RSA private key
> .............++++++
> ....................................................................................++++++
> writing new private key to 'mail.suso.org-key.pem'
> -----
> You are about to be asked to enter information that will be incorporated
> into your certificate request.
> What you are about to enter is what is called a Distinguished Name or a
> DN.
> There are quite a few fields but you can leave some blank
> For some fields there will be a default value,
> If you enter '.', the field will be left blank.
> -----
> Country Name (2 letter code) [GB]:US
> State or Province Name (full name) [Berkshire]:Indiana
> Locality Name (eg, city) [Newbury]:Bloomington
> Organization Name (eg, company) [My Company Ltd]:Suso Technology Services, Inc.
> Organizational Unit Name (eg, section) []:suso.org
> Common Name (eg, your name or your server's hostname) []:mail.suso.org
> Email Address []:[EMAIL PROTECTED]
> 
> Please enter the following 'extra' attributes
> to be sent with your certificate request
> A challenge password []:
> An optional company name []:
> # openssl req -in mail.suso.org-req.pem -subject
> subject=/C=US/ST=Indiana/L=Bloomington/O=Suso Technology Services, Inc./OU=suso.org/CN=mail.suso.org/[EMAIL PROTECTED]
> -----BEGIN CERTIFICATE REQUEST-----
> 
> [SNIPPED FROM THIS EMAIL]
> 
> -----END CERTIFICATE REQUEST-----
> 
> ---------------------------------------------------------------------------------------------
> 
>   Then I sent the CSR from the mail.suso.org-req.pem file to Comodo to
> get signed by a recognized CA.  When I get the signed cert back, the
> subject of the cert is not the same as what it is in the CSR I sent
> them.  In fact, it is the information that they have in their own
> database for my account.  Which right now is for a different company
> because last time I created a cert this same thing happened.  
> 
>  After explaining to them the situation and that they should be
> using the info from the CSR to sign certs, they claimed that they
> understood what I was talking about and that if I emailed them (instead
> of using their web form)  the CSR again with the correct information,
> that they would generate a new certificate with the subject from the
> CSR.
> 
>   So, after checking the subject in the CSR cert,  I sent them the same
> CSR that I sent them through the web form.  Within an hour I got a new
> certificate with the same problem as before, it had the subject that was
> not from the CSR, but from their own database.
> 
>   So now I'm wanting to double check myself.  Are CAs supposed to be
> using the CSRs for the subject in the cert that you get back?  What do
> you all think about this situation?
> 
> -- 
> Suso Banderas
> [EMAIL PROTECTED]
> ________________________________________________________________________
> Linux: be root. - Windows: reboot.
-- 
Suso Banderas
[EMAIL PROTECTED]
________________________________________________________________________
Time was invented so everything wouldn't happen at once.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
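
A check for the situation described in the message above, added here as an example and not part of the original thread: it compares the subject and the public key of a CSR with those of the certificate that came back. The function names and the constructed sample subjects (Example Org A/B, mail.example.org) are assumptions for illustration.

```shell
#!/bin/sh
# Added example: compare a CSR with the certificate issued for it.

# Subject DN of a CSR ($1=req) or certificate ($1=x509) stored in file $2.
subject_of() {
    openssl "$1" -in "$2" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//'
}

# PEM SubjectPublicKeyInfo of a CSR ($1=req) or certificate ($1=x509).
pubkey_of() {
    openssl "$1" -in "$2" -noout -pubkey
}

# compare_csr_cert CSR CERT
# 0: key and subject match   1: same key, subject differs
# 2: different public key    3: a file could not be parsed
compare_csr_cert() {
    csr_key=$(pubkey_of req "$1") || return 3
    crt_key=$(pubkey_of x509 "$2") || return 3
    if [ "$csr_key" != "$crt_key" ]; then
        echo "public key differs: certificate does not belong to this CSR"
        return 2
    fi
    csr_subj=$(subject_of req "$1")
    crt_subj=$(subject_of x509 "$2")
    if [ "$csr_subj" != "$crt_subj" ]; then
        echo "same key, but the issuer did not use the CSR subject"
        echo "  CSR : $csr_subj"
        echo "  cert: $crt_subj"
        return 1
    fi
    echo "subject and public key match"
}

# Constructed sample data in directory $1 (not the poster's real files).
make_sample() {
    openssl req -new -newkey rsa:2048 -nodes -keyout "$1/key.pem" \
        -out "$1/req.pem" -subj "/C=US/O=Example Org A/CN=mail.example.org" 2>/dev/null
    # Stand-in for a CA that fills the subject from its own account records.
    openssl req -new -x509 -key "$1/key.pem" -days 1 -out "$1/cert-db.pem" \
        -subj "/C=US/O=Example Org B/CN=mail.example.org" 2>/dev/null
    # Stand-in for a CA that copies the subject from the CSR.
    openssl x509 -req -in "$1/req.pem" -signkey "$1/key.pem" -days 1 \
        -out "$1/cert-csr.pem" 2>/dev/null
}
```

Against real files the call is `compare_csr_cert mail.suso.org-req.pem <issued certificate>`; exit status 1 corresponds to the case reported in the message, where the key is the requester's but the subject is not the one in the CSR.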
