I found the following using Google. ===begin quote=========== IETF PKIX (latest version RFC 5280) is a well accepted profile for certificates. From section 4.1.2.4, the following fields must be supported (I've added between parenthesis is the OpenSSL long and optional short name):
country (countryName, C), organization (organizationName, O), organizational unit (organizationalUnitName, OU), distinguished name qualifier (dnQualifier), state or province name (stateOrProvinceName, ST), common name (commonName, CN) and serial number (serialNumber). There's also a list of element that should be supported: locality (locality, L), title (title), surname (surName, SN), given name (givenName, GN), initials (initials), pseudonym (pseudonym) and generation qualifier (generationQualifier). =====end quote=========== But in Kleopatra, on OpenSuse 12.3, which I am trying to learn, I see in the DN-Attribute page, items like domain component (DC, I really don't know what this is), EMAIL, MAIL,MOBILE, PC, STREET, TEL, among others. However, when I use openssl to create a CSR, whether for a website or for a client side certificate, I am neveer prompted even for items like SN or GN, let alone STREET. Obviously, for a website, normally associated with a business, GN and SN aren't relevant, but items like STREET, PC, would be, and I am never prompted for those when trying to create a CSR for a website. And for client side certificates, I want the user's first and last names, mailing address, phone, &c. in the certificates produced. How do I get tht information into the CSR/CRT files? I note that Kleopatra has a special section for GnuPG, but not one for OpenSSL. I know the two are note the same, but are they interoperable? That is, are GnuPG and OpenSSL client side certificates interchangable, in a single PKI system? Thanks Ted ______________________________________________________________________ OpenSSL Project http://www.openssl.org User Support Mailing List openssl-users@openssl.org Automated List Manager majord...@openssl.org
