>From: [email protected] On Behalf Of Derek Cole
>Sent: Friday, 12 October, 2012 11:22
>So I think you were right. I used a command to view the CSR
>that I generated with the following:
>openssl req -new -nodes -subj "/CN=www.myserver.com" -out /tmp/file.csr
>-keyout /tmp/privkey.csr -config /my/openssl.cnf
>when I do this though, I noticed that my subject line, which I view with
>openssl req -noout -text -in /tmp/file.csr -config /my/openssl.cnf
Aside: you don't need a config file to view an existing request,
although since 1.0.0 it gives a spurious warning.
>It seems like the file is getting created with the common name
>in the config file instead of the one I pass it. Does it not
>override the config file?
req -new has two ways of getting the subject DistinguishedName,
prompted from the terminal and unprompted from the config file.
Apparently -subj substitutes only for prompted; to make it
effective, specify or default prompt=yes in the config file.
(And if that config file will or might be used in actual
prompting mode, make sure you have DNpart = promptstring
not DNpart = actualvalue as you should for prompt=no.)
In 0.9.8 if you specify all parameters needed for req -new
on the commandline you don't need a config file for that.
Since 1.0.0 -new demands a config file even if not needed.
>On Thu, Oct 11, 2012 at 7:55 PM, Dave Thompson <[email protected]> wrote:
<snip: name(s) in cert must match host desired by client like Firefox>
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [email protected]
Automated List Manager [email protected]
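
Added example, not part of the original post: a check that generates a request with -subj against a prompting-style config and a prompt = no config, then compares the CN in the resulting CSR with the one requested. The helper names, temporary files and config.example.test are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example: confirm a CSR carries the subject passed with -subj.
# Helper names, file names and config.example.test are constructed for this sketch.

# write_cnf FILE MODE: "prompt" writes DNpart = promptstring,
# "noprompt" writes prompt = no with DNpart = actualvalue.
write_cnf() {
    {
        printf '[ req ]\ndefault_bits = 2048\ndistinguished_name = dn\n'
        if [ "$2" = noprompt ]; then
            printf 'prompt = no\n[ dn ]\nCN = config.example.test\n'
        else
            printf '[ dn ]\ncommonName = Common Name (eg, server FQDN)\n'
        fi
    } > "$1"
}

# csr_cn CNF CN: run req -new with -subj "/CN=$2" and print the CN found in the CSR.
csr_cn() {
    dir=$(mktemp -d) || return 1
    if ! openssl req -new -nodes -subj "/CN=$2" -config "$1" \
            -out "$dir/file.csr" -keyout "$dir/privkey.pem" 2>/dev/null; then
        rm -rf "$dir"; return 1
    fi
    # Subject is printed as /CN=x, CN = x or CN=x depending on the OpenSSL version.
    openssl req -noout -subject -in "$dir/file.csr" 2>/dev/null |
        sed -e 's/^subject= *//' -e 's/.*CN *= *//' -e 's/[,/].*//'
    rm -rf "$dir"
}

# check_subj CNF CN: succeed only when the CSR's CN equals the requested one.
check_subj() {
    got=$(csr_cn "$1" "$2") || return 2
    [ "$got" = "$2" ] && return 0
    echo "subject mismatch: wanted CN=$2, CSR has CN=$got" >&2
    return 1
}

cnf=$(mktemp) || exit 1
for mode in prompt noprompt; do
    write_cnf "$cnf" "$mode"
    if check_subj "$cnf" www.myserver.com; then
        echo "$mode: CSR subject matches -subj"
    else
        echo "$mode: -subj not applied, fix the config before sending the CSR"
    fi
done
rm -f "$cnf"
```

The prompt = no result is reported rather than assumed, so the script shows how the installed openssl build treats -subj in that mode.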