Hi,
  I've got a certificate request with the subjectname

cn=database,cn=OracleContext,dc=st-andrews,dc=ac,dc=uk

I've signed one of these previously with openssl after adding
domainComponent        = optional
to the openssl.cnf file under policy_anything.

However, since installing a new version of openssl, the .cnf file now contains
two additional lines

name_opt     = ca_default        # Subject Name options
cert_opt     = ca_default        # Certificate field options

If I uncomment either of these, my signed certificate's subject becomes
dc=st-andrews,dc=ac,dc=uk,cn=dunktest,cn=OracleContext
which is unusable in this case.

Is this working as designed, or a bug for this case? It's only doing this, as far
as I've seen, for certificates with multiple cn and dc fields.

Here's the command and output from openssl ca when the lines are removed

/usr/local/ssl/bin/openssl ca -config old_openssl.cnf -policy policy_anything -infiles newreq.pem
Using configuration from old_openssl.cnf
Enter pass phrase for cakey.pem:
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
domainComponent       :IA5STRING:'uk'
domainComponent       :IA5STRING:'ac'
domainComponent       :IA5STRING:'st-andrews'
commonName            :T61STRING:'OracleContext'
commonName            :T61STRING:'dunktest'
Certificate is to be certified until Jun 17 11:05:19 2006 GMT (150 days)
Sign the certificate? [y/n]:n
CERTIFICATE WILL NOT BE CERTIFIED


and when the lines are left in

/usr/local/ssl/bin/openssl ca -config new_openssl.cnf -policy policy_anything -infiles newreq.pem
Using configuration from new_openssl.cnf
Enter pass phrase for cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 4111 (0x100f)
        Validity
            Not Before: Jan 18 11:05:47 2006 GMT
            Not After : Jan 18 11:05:47 2008 GMT
        Subject:
            commonName                = OracleContext
            commonName                = dunktest
            domainComponent           = uk
            domainComponent           = ac
            domainComponent           = st-andrews
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                2C:73:41:0C:34:4F:73:91:87:EC:A2:3A:1F:77:07:B5:54:A0:E7:67
            X509v3 Authority Key Identifier:
                keyid:45:59:29:AD:8A:91:EA:BA:7C:82:2D:4A:63:A6:F6:3B:AA:A8:93:93
                DirName:/C=UK/ST=Fife/L=St Andrews/O=University of St Andrews/OU=I.T. Services/CN=Master Signing Certificate/[EMAIL PROTECTED]
                serial:B8:E9:3F:CB:37:39:E6:DB

            Netscape CA Revocation Url:
                http://www.st-andrews.ac.uk/ca-crl.pem
Certificate is to be certified until Jan 18 11:05:47 2008 GMT (730 days)
Sign the certificate? [y/n]:n
CERTIFICATE WILL NOT BE CERTIFIED

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
