Jakob had it right....

On 08/17/2017 07:01 PM, Jakob Bohm wrote:
Given all these problems with the Distinguished Name prompting
mechanism, just add the -subject option to the req command line
(using appropriate environment variables in the shell script).


Enjoy

Jakob

It is coming down that I would need a unique cnf for each cert type, rather than one per signing CA. Things just don't work well without prompting or very consistent DN content. So I am going to pull most of my ENV. I am leaving it in for dir and SAN.

I feel it is a bug: with 'prompt = no' or -batch, if a DN object is empty (size 0), it should just be dropped. This is not an error condition.

A nice feature would be if a default is set, not to prompt for that object. Something like

prompt = if no default

Then I would use ENV to set the default values and let prompting go for objects like CN and UID.

Also, SAN is poorly handled, and it has come out that this has been a basic RFC requirement since '00!

Next steps:

Complete basic setup for ecdsa pki and 802.1AR leaf. Publish on my website.
Write up 'lessons learned' and post it here.
Add CRL and OCSP support.
Publish an IETF ID at least as an individual submission; offer this work to the IETF hackathon and workgroups like NETCONF, I2NSF, DOTS, ANIMA, and CORE.

Bob
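As an added example (not code from the thread or from OpenSSL), here is Jakob's suggestion done in a POSIX shell script: the `req` option is spelled `-subj`, the CERT_* variable names are this example's own assumption, and passing the SAN with `-addext` assumes OpenSSL 1.1.1 or later. Empty DN components are dropped in the shell before `openssl req` ever sees them, which sidesteps the empty-object error Bob hits under `prompt = no`.

```shell
# Added example, not code from the thread: build the -subj argument for
# `openssl req` from environment variables (no DN prompting section needed)
# and drop any DN component whose value is empty. CERT_* names are assumed.
# Escape what -subj treats specially: '\' first, then '/' and '+'.
subj_escape() {
    printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e 's#/#\\/#g' -e 's/[+]/\\+/g'
}

# Append "/ATTR=value" to $subj only when the value is non-empty.
add_rdn() {
    if [ -n "$2" ]; then
        subj="${subj}/$1=$(subj_escape "$2")"
    fi
}

# Print the -subj string for the current environment (empty parts omitted).
build_subj() {
    subj=""
    add_rdn C   "${CERT_C:-}"
    add_rdn O   "${CERT_O:-}"
    add_rdn OU  "${CERT_OU:-}"
    add_rdn CN  "${CERT_CN:-}"
    add_rdn UID "${CERT_UID:-}"
    printf '%s\n' "$subj"
}

# make_csr KEY CSR: issue the request; when CERT_SAN is set, add the
# subjectAltName with -addext (needs OpenSSL 1.1.1 or later).
make_csr() {
    csr_key="$1"; csr_out="$2"
    set -- -new -key "$csr_key" -out "$csr_out" -subj "$(build_subj)"
    if [ -n "${CERT_SAN:-}" ]; then
        set -- "$@" -addext "subjectAltName=$CERT_SAN"
    fi
    openssl req "$@"
}

# Constructed demo values: OU and UID are left empty and must simply vanish.
CERT_C=US; CERT_O="Example Corp"; CERT_OU=""; CERT_CN="dev-0001.example.net"
CERT_UID=""; CERT_SAN="DNS:dev-0001.example.net"
echo "subject: $(build_subj)"   # /C=US/O=Example Corp/CN=dev-0001.example.net
# Only run OpenSSL itself when it is installed (ECDSA key, as in the thread).
if command -v openssl >/dev/null 2>&1; then
    d=$(mktemp -d)
    openssl ecparam -name prime256v1 -genkey -noout -out "$d/key.pem" \
        && make_csr "$d/key.pem" "$d/req.csr" \
        && openssl req -in "$d/req.csr" -noout -subject \
        || echo "openssl step failed (version without -addext?)"
    rm -rf "$d"
fi
```

The same build_subj output can be fed to `openssl ca` or `openssl x509 -req` unchanged, so one script serves every cert type without a per-type cnf DN section.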

--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users