
List:       openssl-users
Subject:    RE: certificate request missing locale
From:       "Dave Thompson" <dthompson () prinpay ! com>
Date:       2010-06-28 20:33:11
Message-ID: 743623776A0B4A36A08EAD38EBCBED97 () prinpay ! com

> From: owner-openssl-users@openssl.org On Behalf Of John R Pierce
> Sent: Monday, 28 June, 2010 13:18

> I'm trying to process a CRQ that came from a hardware appliance, and it's
> apparently missing its country code.
> 
and more. 
> 
> $ openssl ca -out tomcat-cert.pem -days 3650 -config ./openssl.cnf 
> -infiles tomcat_crq.pem
<snip>
> The Subject's Distinguished Name is as follows
> commonName            :PRINTABLE:'myhostname'
> The mandatory countryName field was missing
> 
That's the default policy check. If you want to allow SubjName 
with no country (and indeed nothing but commonName) you can 
use a different policy. The simplest is policy_anything already 
in the distro config file; or you can edit/write your own.

> I tried adding   -subj CN=myhostname.domain.com/OU=Domain\ 
> Test/O=domain.com/C=US/ST=CA/L=My\ City
> 
That should have given you an error message. The correct format 
begins with a slash e.g. /CN=myhost/OU=foo etc. and should work, 
barring bugs, see below. Personally I'd use single quotes around 
the string rather than backslash(es) to shell, to avoid confusion 
with backslash to the program, but that's just style.

<snip>
> oh, if it matters, I'm using the openssl in Solaris 10..
> 
> $ openssl version
> OpenSSL 0.9.7d 17 Mar 2004 (+ security fixes for: CVE-2005-2969 
> CVE-2006-2937 CVE-2006-2940 CVE-2006-3738 CVE-2006-4339 CVE-2006-4343 
> CVE-2007-5135 CVE-2008-5077 CVE-2009-0590)
> 
> I realize this is a rather old release.  will a newer one let me 
> override the location etc ?

I don't notice any functional changes in this area in the distros 
I have. (Some code did move from ca.c to parse_name in apps.c.) But 
that build is clearly nonstandard to some extent, and if the changes 
unintentionally screwed up something, it'll be hard for people here 
to support, and I expect we won't be very eager. If you do demonstrate 
a problem with that old nonstandard version that vanishes on current 
or recent distros, you can guess what unpaid advice you'll get.



______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majordomo@openssl.org
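
The two fixes from this reply, as an added example that is not part of the original message: a throwaway CA whose default `policy_match` rejects a commonName-only request, which is then signed either with `-policy policy_anything` or with a slash-led, single-quoted `-subj`. All names, paths and the trimmed-down config are constructed for illustration, and a current `openssl` command-line tool is assumed.

```shell
# Added example: throwaway CA in a temp dir; every name and path here is constructed.
WORK=$(mktemp -d)

setup_ca() {
    mkdir -p "$WORK/newcerts"
    : > "$WORK/index.txt"
    echo 01 > "$WORK/serial"
    cat > "$WORK/ca.cnf" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
database = $WORK/index.txt
new_certs_dir = $WORK/newcerts
serial = $WORK/serial
certificate = $WORK/ca.pem
private_key = $WORK/ca.key
default_md = sha256
default_days = 30
policy = policy_match
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
commonName = supplied
[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
organizationName = optional
commonName = supplied
[ req ]
distinguished_name = dn
[ dn ]
commonName = Common Name
EOF
    # The CA subject carries C/ST/O, the fields policy_match compares against.
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -config "$WORK/ca.cnf" \
        -subj '/C=US/ST=CA/O=Example Test/CN=Test CA' \
        -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
    # A request with only commonName, like the appliance CSR in the thread.
    openssl req -new -newkey rsa:2048 -nodes -config "$WORK/ca.cnf" \
        -subj '/CN=myhostname' -keyout "$WORK/host.key" -out "$WORK/host.csr" 2>/dev/null
}

# sign OUTFILE [extra "openssl ca" options...]; returns openssl's exit status.
sign() {
    out=$1; shift
    openssl ca -batch -config "$WORK/ca.cnf" "$@" \
        -out "$WORK/$out" -in "$WORK/host.csr" >/dev/null 2>&1
}
```

After `setup_ca`, `sign a.pem` fails on the missing countryName, while `sign b.pem -policy policy_anything` and `sign c.pem -subj '/C=US/ST=CA/O=Example Test/CN=myhostname'` both issue a certificate.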