Hi,
RFC 2459 states the following (see section 4.1.2.6, "Subject"):

    Where it is non-empty, the subject field MUST contain an X.500 distinguished name (DN). The DN MUST be unique for each subject entity certified by the one CA as defined by the issuer name field. A CA may issue more than one certificate with the same DN to the same subject entity.

However, I couldn't find a way to have OpenCA create more than one certificate for the same DN. The reported error is:

    General Error Trapped 6735: A Valid Certificate with same DN exists! at /usr/local/OpenCA/lib/functions/misc-utils.lib line 38.
    Compilation failed in require at /usr/local/apache/cgi-bin/ca/ca line 194.

It seems OpenCA refuses to do so, using the certificate's DN as a unique identifier. I thought I could use more than one certificate per user, using the same DN for LDAP and many usercertificate;binary attributes?

Is it by design? Is this behaviour documented in any PKIX-compliant draft? I didn't find good links on this topic. I guess this has something to do with the SET_REQUEST_SERIAL_IN_DN or DN_WITHOUT_EMAIL options; can you point me to the drafts they are referring to?

Thanks in advance!

Here is my current configuration for DN generation:

    ######################
    ## support for PKIX ##
    ######################
    SET_REQUEST_SERIAL_IN_DN      "N"
    REQUEST_SERIAL_NAME           "sn"
    SET_CERTIFICATE_SERIAL_IN_DN  "N"
    CERTIFICATE_SERIAL_NAME       "serialNumber"
    DN_WITHOUT_EMAIL              "Y"
    AUTOMATIC_SUBJECT_ALT_NAME    "Y"
    DEFAULT_SUBJECT_ALT_NAME      "Email"

-- 
Christophe Bailleux - Network & System Security Engineer
Club-Internet / T-Online France
Voice:+33-(0)1-5545-4789 - mailto:[EMAIL PROTECTED]
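The distinction at the heart of this question is between the key that makes a certificate unique in PKIX (the issuer name plus serial number) and an issuance policy that additionally refuses a new certificate while a still-valid one with the same subject DN exists. The following Python model, added here as an illustration and not taken from OpenCA's code or from the original post, shows both: `index_by_issuer_serial` uses the PKIX identifier, so two certificates with the same DN coexist without collision, while `check_issuance_policy` reproduces the "valid certificate with same DN exists" behaviour the error message describes and only lets the second certificate through once the first is expired or revoked, or when the policy is explicitly relaxed. The `Cert` record, the DN strings, serial numbers and dates are all constructed sample data; the rule that a certificate counts as "valid" only when unexpired and unrevoked is an assumption made for this model.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Cert:
    """Minimal stand-in for an X.509 certificate (constructed model, not a real parser)."""
    issuer: str        # issuer DN as a string
    subject: str       # subject DN as a string
    serial: int        # serial number, unique per issuer in PKIX
    not_before: datetime
    not_after: datetime
    revoked: bool = False


def is_valid(cert: Cert, now: datetime) -> bool:
    """Assumption for this model: valid means inside the validity period and not revoked."""
    return cert.not_before <= now <= cert.not_after and not cert.revoked


def index_by_issuer_serial(certs: List[Cert]) -> Dict[Tuple[str, int], Cert]:
    """PKIX identity: (issuer DN, serial) must be unique; subject DN may repeat."""
    index: Dict[Tuple[str, int], Cert] = {}
    for cert in certs:
        key = (cert.issuer, cert.serial)
        if key in index:
            raise ValueError(f"duplicate issuer/serial pair: {key}")
        index[key] = cert
    return index


def group_by_subject(certs: List[Cert]) -> Dict[str, List[Cert]]:
    """Mirror of an LDAP entry carrying several userCertificate values under one DN."""
    groups: Dict[str, List[Cert]] = {}
    for cert in certs:
        groups.setdefault(cert.subject, []).append(cert)
    return groups


def check_issuance_policy(existing: List[Cert], issuer: str, subject: str,
                          now: datetime, allow_same_dn: bool = False) -> Tuple[bool, str]:
    """Policy check modelled on the reported error: refuse a new certificate for a subject DN
    while this issuer still has a valid certificate for that DN, unless the policy is relaxed."""
    clashes = [c for c in existing
               if c.issuer == issuer and c.subject == subject and is_valid(c, now)]
    if clashes and not allow_same_dn:
        return False, f"A valid certificate with same DN exists (serial {clashes[0].serial})"
    return True, "ok"


# Constructed sample data: one CA, one user DN, two serial numbers.
CA_DN = "CN=Example CA,O=Example"
USER_DN = "CN=Alice,OU=Users,O=Example"
NOW = datetime(2003, 1, 15, tzinfo=timezone.utc)
YEAR = timedelta(days=365)

CERT1 = Cert(CA_DN, USER_DN, 1, NOW - YEAR, NOW + YEAR)
CERT2 = Cert(CA_DN, USER_DN, 2, NOW, NOW + 2 * YEAR)
CERT1_REVOKED = Cert(CA_DN, USER_DN, 1, NOW - YEAR, NOW + YEAR, revoked=True)


def demo() -> Dict[str, object]:
    """Run the scenarios described in the lead-in and return their outcomes."""
    return {
        # DN-based policy blocks a second certificate while the first is valid
        "strict_while_valid": check_issuance_policy([CERT1], CA_DN, USER_DN, NOW)[0],
        # once the first certificate is revoked, the same policy lets the new one through
        "strict_after_revocation": check_issuance_policy([CERT1_REVOKED], CA_DN, USER_DN, NOW)[0],
        # relaxing the policy matches what RFC 2459 permits
        "relaxed": check_issuance_policy([CERT1], CA_DN, USER_DN, NOW, allow_same_dn=True)[0],
        # PKIX identity (issuer, serial) never collides for these two certificates
        "pkix_index_size": len(index_by_issuer_serial([CERT1, CERT2])),
        # both certificates sit under the one subject DN, as multiple LDAP attribute values would
        "certs_under_dn": len(group_by_subject([CERT1, CERT2])[USER_DN]),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The model makes the two rules visibly independent: whichever way the DN policy is set, the `(issuer, serial)` index is what a relying party or a revocation check keys on, so allowing repeated subject DNs does not by itself create ambiguity about which certificate is meant.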
