On Wed, Feb 13, 2013 at 07:46:10PM -0800, Matthew Hall wrote:
> Hello,
>
> I tried to figure out how to create a certification request which has an
> empty CN and only uses SANs, in line with the recommendations of the latest
> PKIX RFC 5280.
>
> I tried various permutations of commenting out distinguished_name, adding a
> CA section referencing a policy with commonName = optional, leaving the [dn]
> section present, with all entries commented, etc. and was not able to get it
> to work.
What worked for me was:

    $ (umask 077; openssl req -new -newkey rsa:1024 -keyout key.pem -nodes \
        -subj "/" -out req.pem)

The resulting subject DN in the request is an empty sequence.

      0:d=0  hl=4 l= 319 cons: SEQUENCE
      4:d=1  hl=3 l= 169 cons: SEQUENCE
      7:d=2  hl=2 l=   1 prim: INTEGER           :00      <--- version 0
     10:d=2  hl=2 l=   0 cons: SEQUENCE                    <--- empty subject DN
     12:d=2  hl=3 l= 159 cons: SEQUENCE                    <--- subjectPublicKeyInfo
     15:d=3  hl=2 l=  13 cons: SEQUENCE                    <--- Algorithm and params
     17:d=4  hl=2 l=   9 prim: OBJECT            :rsaEncryption
     28:d=4  hl=2 l=   0 prim: NULL
     30:d=3  hl=3 l= 141 prim: BIT STRING                  <--- public key bits
    174:d=2  hl=2 l=   0 cons: cont [ 0 ]
    176:d=1  hl=2 l=  13 cons: SEQUENCE
    178:d=2  hl=2 l=   9 prim: OBJECT            :sha1WithRSAEncryption
    189:d=2  hl=2 l=   0 prim: NULL
    191:d=1  hl=3 l= 129 prim: BIT STRING

You'll naturally need to add the requisite subjectAltName extensions.

-- 
	Viktor.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
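The command above carried through with the subjectAltName extension Viktor says you still have to add, plus a check that the request really does carry an empty subject and the SAN, as an added example that is not part of the list reply. It assumes the openssl command-line tool is on PATH; the host name www.example.net, the config file, the working directory and the function names are constructed for the example, and the key size and digest are raised to rsa:2048 and SHA-256 from the 2013 values in the post.

```shell
#!/bin/sh
# Added example (not from the list post): build a CSR whose subject DN is the
# empty SEQUENCE and whose only identity is a subjectAltName, then verify both
# properties with openssl itself. Assumes the openssl CLI is installed.
# The DNS name, file names and working directory are constructed placeholders.
set -e

WORK="${WORK:-$(mktemp -d)}"
SAN_HOST="www.example.net"

# Minimal req config. The empty [req_dn] section satisfies openssl versions
# that insist on a distinguished_name section even when -subj is supplied
# (the -subj "/" on the command line is what makes the DN empty), and
# req_extensions carries the SAN into the request.
write_req_config() {
    cat > "$WORK/req.cnf" <<EOF
[req]
distinguished_name = req_dn
req_extensions     = req_ext

[req_dn]

[req_ext]
subjectAltName = DNS:$SAN_HOST
EOF
}

# Same shape as the command in the post: umask in a subshell so the private
# key is created mode 0600, -subj "/" for an empty subject, -nodes for an
# unencrypted key. Key size and digest are modern values, not the post's.
make_csr() {
    write_req_config
    ( umask 077
      openssl req -new -newkey rsa:2048 -sha256 -nodes \
          -keyout "$WORK/key.pem" -out "$WORK/req.pem" \
          -subj "/" -config "$WORK/req.cnf" ) 2>/dev/null
}

# Returns 0 when the subject DN is the empty SEQUENCE. In asn1parse output the
# CertificationRequestInfo children sit at depth 2 in the order version,
# subject, subjectPublicKeyInfo, attributes; so the second d=2 line must be a
# zero-length constructed SEQUENCE, exactly the "l=   0 cons: SEQUENCE" line
# marked "empty subject DN" in the post.
subject_is_empty() {
    openssl asn1parse -in "$WORK/req.pem" |
    awk '/d=2 / { n++; if (n == 2) ok = ($0 ~ / l= *0 cons: SEQUENCE/) }
         END { exit ok ? 0 : 1 }'
}

# Returns 0 when the request's extension attribute lists our DNS SAN.
san_present() {
    openssl req -in "$WORK/req.pem" -noout -text | grep -q "DNS:$SAN_HOST"
}

# Build the request and run both checks; returns 0 only if both hold.
empty_subject_san_csr() {
    make_csr && subject_is_empty && san_present
}

empty_subject_san_csr && echo "CSR in $WORK/req.pem: empty subject, SAN DNS:$SAN_HOST"
```

The awk check is deliberately structural rather than textual: `openssl req -subject` output for an empty DN differs slightly between releases, while the DER layout (and therefore the asn1parse depth ordering) does not. A CA receiving such a request should likewise take the identity from the SAN attribute and not fall back to a CN that is not there.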