Re: [openssl-users] Cant seem to get prompt no to work

2017-08-18 Thread Dr. Stephen Henson
On Thu, Aug 17, 2017, Robert Moskowitz wrote:
> In the [ ca ] section I have:
>
> prompt = no
>
> If I leave the = out I get an error, so I am assuming I got the
> format of this right.
>
> Then I have
>
> [ req ]
> distinguished_name = req_distinguished_name
>
> [ req_distinguished_name

Re: [openssl-users] Cant seem to get prompt no to work

2017-08-18 Thread Robert Moskowitz
On 08/18/2017 01:16 PM, Dr. Stephen Henson wrote: On Thu, Aug 17, 2017, Robert Moskowitz wrote: In the [ ca ] section I have: prompt = no If I leave the = out I get an error, so I am assuming I got the format of this right. Then I have [ req ] distinguished_name =

[openssl-users] Pilgrims progress

2017-08-18 Thread Robert Moskowitz
I have made it through the basics. Thanks for all the help. The fruits of my labor can be found at: http://www.htt-consult.com/pki under roll your own CA and 802.1AR There is a link there for my current 'lessons learned'. I will be adding more to this:

Re: [openssl-users] Throwing in the towel on ENV for DN

2017-08-18 Thread Robert Moskowitz
On 08/18/2017 08:46 AM, Salz, Rich via openssl-users wrote: This has been a long email thread. Can you open a github issue and summarize the improvements you think we should make? Thanks. And thanks for your patience! When I get through the "lessons learned" step, I will ask you how to

Re: [openssl-users] Throwing in the towel on ENV for DN

2017-08-18 Thread Robert Moskowitz
On 08/18/2017 08:48 AM, Jeffrey Walton wrote: It is coming down that I would need a unique cnf for each cert type, rather than one per signing CA. Things just don't work well without prompting or very consistent DN content. So I am going to pull most of my. ENV. I am leaving it in for dir

Re: [openssl-users] More on cert serialnumbers

2017-08-18 Thread Mark H. Wood
On Thu, Aug 17, 2017 at 03:29:56PM +, Erwann Abalea via openssl-users wrote:
> The BR are for public CAs, not private CAs; even if some of those
> requirements are considered « good practice » (the 64 bits out of a CSPRNG is
> such a req), they cannot be forced on private CAs.
> And unless

Re: [openssl-users] More on cert serialnumbers

2017-08-18 Thread Erwann Abalea via openssl-users
> On 18 August 2017 at 15:18, Mark H. Wood wrote:
>
> On Thu, Aug 17, 2017 at 03:29:56PM +, Erwann Abalea via openssl-users
> wrote:
>> The BR are for public CAs, not private CAs; even if some of those
>> requirements are considered « good practice » (the 64 bits out of a

Re: [openssl-users] Throwing in the towel on ENV for DN

2017-08-18 Thread Viktor Dukhovni
On Fri, Aug 18, 2017 at 08:48:07AM -0400, Jeffrey Walton wrote:
> If this is a private PKI, then you can do things like that.
>
> But I believe you need a distinguished name if you are following the
> RFCs. Maybe you can modify your script to stuff the principal name
> from the SAN in the DN

[openssl-users] Throwing in the towel on ENV for DN

2017-08-18 Thread Robert Moskowitz
Jakob had it right On 08/17/2017 07:01 PM, Jakob Bohm wrote: Given all these problems with the Distinguished Name prompting mechanism, just add the -subject option to the req command line (using appropriate environment variables in the shell script). Enjoy Jakob It is coming down that

Re: [openssl-users] Throwing in the towel on ENV for DN

2017-08-18 Thread Jeffrey Walton
> It is coming down that I would need a unique cnf for each cert type, rather
> than one per signing CA. Things just don't work well without prompting or
> very consistent DN content. So I am going to pull most of my. ENV. I am
> leaving it in for dir and SAN.
>
> I feel it is a bug that if in

Re: [openssl-users] Throwing in the towel on ENV for DN

2017-08-18 Thread Salz, Rich via openssl-users
This has been a long email thread. Can you open a github issue and summarize the improvements you think we should make? Thanks. And thanks for your patience!