Hello,

I tried to figure out how to create a certification request which has an empty 
CN and only uses SANs, in line with the recommendations of the latest PKIX RFC 
5280.

I tried various permutations of commenting out distinguished_name, adding a CA 
section referencing a policy with commonName = optional, leaving the [dn] 
section present, with all entries commented, etc. and was not able to get it 
to work.

In every case I got back one or another variation of the classic error:

unable to find 'distinguished_name' in config
problems making Certificate Request
139965798016672:error:0E06D06C:configuration file routines:NCONF_get_string:no value:conf_lib.c:335:group=req name=distinguished_name

Most people receiving this error are getting it because they had a missing 
openssl.cnf or left off the -config switch in the command. In my case it's 
obvious that's not the reason because the request works fine if the 
distinguished_name is not commented. This makes all of the standard help 
regarding the error message irrelevant to this particular case I'm 
encountering as well, of course.

Therefore I am asking for some help from the list, to understand if this part 
of the RFC is supported at all, and if it is supported, how I should be 
invoking the command to get the expected behavior. If it's documented already, 
and I missed it, I apologize in advance.

Thanks,
Matthew Hall

command:

openssl req \
-new -config test-no-cn.cnf -newkey rsa:4096 -nodes \
-outform der -out test-no-cn.csr \
-keyout test-no-cn.key

test-no-cn.cnf:

[req]
default_bits       = 4096
prompt             = no
encrypt_key        = no
default_md         = sha256
#distinguished_name = dn
req_extensions    = req_ext

[dn]
CN           = test.example.com
OU           = Test Certificate
O            = Test Company
L            = Test City
ST           = California
C            = US
emailAddress = t...@test.com

[req_ext]
subjectAltName = DNS:test.example.com
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
