On Thu, Sep 21, 2006, James Lever wrote:
> Hi All,
>
> I'm trying to work out how to create a multi-value RDN using an
> automated openssl.cnf file as per RFC2253. From the RFC, it has this
> example:
>
> Here is an example name containing three RDNs, in which the first RDN
> is multi-valued:
>
> OU=Sales+CN=J. Smith,O=Widget Inc.,C=US
>
> Within OpenCA, you can create one of these multi-value RDNs by
> editing a request, but I'm trying to work out how to correctly create
> one from a config file.
>
You precede the relevant line which prompts for or supplies the DN
component with a '+'. So in the no prompt case if you have:

CN="My Common Name"

it becomes:

+CN="My Common Name"

> Also, can anybody explain the binary format of how a multi-value RDN
> is stored and how the two separate RDNs (in this case OU+CN) are
> linked and referenced?
>

Well, it's an ASN.1 issue. From RFC3280:

RDNSequence ::= SEQUENCE OF RelativeDistinguishedName

RelativeDistinguishedName ::= SET OF AttributeTypeAndValue

AttributeTypeAndValue ::= SEQUENCE {
    type  AttributeType,
    value AttributeValue }

In the single-value RDN case you get RelativeDistinguishedName
structures each consisting of a single AttributeTypeAndValue structure
making up the RDNSequence (which is the RDN). In the multi-value case
you get more than one AttributeTypeAndValue in the
RelativeDistinguishedName structure.

Note that because the RelativeDistinguishedName is a SET OF structure
it is ordered lexically and *not* the supplied order.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org