On Wed, Feb 13, 2013 at 07:46:10PM -0800, Matthew Hall wrote:

> Hello,
> 
> I tried to figure out how to create a certification request which has an
> empty CN and only uses SANs, in line with the recommendations of the latest
> PKIX RFC 5280.
> 
> I tried various permutations of commenting out distinguished_name, adding a
> CA section referencing a policy with commonName = optional, leaving the [dn]
> section present, with all entries commented, etc. and was not able to get it
> to work.

What worked for me was:

  $ (umask 077; openssl req -new -newkey rsa:1024 -keyout key.pem -nodes \
        -subj "/" -out req.pem)

The resulting subject DN in the request is an empty sequence.

    0:d=0  hl=4 l= 319 cons: SEQUENCE
    4:d=1  hl=3 l= 169 cons: SEQUENCE          
    7:d=2  hl=2 l=   1 prim: INTEGER           :00      <--- version 0
   10:d=2  hl=2 l=   0 cons: SEQUENCE          <--- empty subject DN
   12:d=2  hl=3 l= 159 cons: SEQUENCE          <--- subjectPublicKeyInfo
   15:d=3  hl=2 l=  13 cons: SEQUENCE          <--- Algorithm and params
   17:d=4  hl=2 l=   9 prim: OBJECT            :rsaEncryption
   28:d=4  hl=2 l=   0 prim: NULL              
   30:d=3  hl=3 l= 141 prim: BIT STRING        <--- public key bits
  174:d=2  hl=2 l=   0 cons: cont [ 0 ]        
  176:d=1  hl=2 l=  13 cons: SEQUENCE          
  178:d=2  hl=2 l=   9 prim: OBJECT            :sha1WithRSAEncryption
  189:d=2  hl=2 l=   0 prim: NULL              
  191:d=1  hl=3 l= 129 prim: BIT STRING     

You'll naturally need to add the requisite subjectAltName extensions.

-- 
        Viktor.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
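The reply above shows how to get an empty subject DN with -subj "/" but leaves adding the subjectAltName extension to the reader. The script below is an added example (not from the thread or from the OpenSSL project) that does both: it writes a minimal req config whose [v3_req] section carries the SAN, generates the key and request, and then checks the resulting CSR the same way the reply does (fourth element of the asn1parse output is a zero-length SEQUENCE) plus confirms the SAN is present. It assumes the openssl command is on PATH; the hostnames and file names are constructed for the example.

```sh
#!/bin/sh
# Added example: PKCS#10 request with an empty subject DN and a subjectAltName
# extension request, plus checks on the result. Assumes `openssl` is on PATH.
set -eu

# make_san_csr DIR SAN
#   DIR: directory to write req.cnf, key.pem and req.pem into
#   SAN: subjectAltName value, e.g. "DNS:www.example.test,DNS:example.test"
make_san_csr() {
    dir=$1
    san=$2
    # Minimal config: the DN section is deliberately empty because the subject
    # comes from -subj "/"; req_extensions puts the SAN into the request.
    cat > "$dir/req.cnf" <<EOF
[ req ]
distinguished_name = req_dn
req_extensions     = v3_req
prompt             = no

[ req_dn ]
# intentionally empty: subject is supplied by -subj "/"

[ v3_req ]
subjectAltName = $san
EOF
    # umask 077 so the private key is never world-readable, as in the reply.
    (umask 077; openssl req -new -newkey rsa:2048 -keyout "$dir/key.pem" -nodes \
        -subj "/" -config "$dir/req.cnf" -out "$dir/req.pem")
}

# csr_subject_is_empty REQ.PEM -> prints "yes" or "no"
#   In a PKCS#10 request the asn1parse listing is: outer SEQUENCE,
#   certificationRequestInfo SEQUENCE, version INTEGER, then the subject
#   Name SEQUENCE at depth 2. An empty subject shows as "l=   0 cons: SEQUENCE".
csr_subject_is_empty() {
    if openssl asn1parse -in "$1" | sed -n 4p | grep -q 'd=2 .*l= *0 cons: SEQUENCE'; then
        echo yes
    else
        echo no
    fi
}

# csr_has_san REQ.PEM NAME -> exit 0 if NAME appears in the SAN extension text
csr_has_san() {
    openssl req -in "$1" -noout -text | grep -q "$2"
}

# Stand-alone demo: run as `sh thisfile.sh --demo`
if [ "${1:-}" = "--demo" ]; then
    demo=$(mktemp -d)
    make_san_csr "$demo" "DNS:www.example.test,DNS:example.test"
    echo "empty subject: $(csr_subject_is_empty "$demo/req.pem")"
    openssl req -in "$demo/req.pem" -noout -text | grep -A1 'Subject Alternative Name'
    rm -rf "$demo"
fi
```

On OpenSSL 1.1.1 and later the config file can be dropped in favour of `-addext "subjectAltName=DNS:www.example.test"` on the command line; the config route works on older releases too. A CA that issues from such a request must still validate the SAN entries itself, since the empty subject carries no identity at all.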
