Hi Francois,

Francois Pernet schrieb:
> Hi everyone...
>
> On a running install of OpenCA we discovered the following :
>
> 1) when we create a CSR (with openssl for instance on a separate server) and
> then we try to introduce it in OpenCA to create a certificate, the system
> claims that our CSR does not follow the rules and we need to correct the O=
> field or the certificate name.
>

edit rules ;)

> 2) when we create the CSR directly from the OpenCA Pub node, some defaults
> are applied concerning the fields OU=, O= in the distinguished name for the
> certificate name.
>
> Regarding this, we have three questions :
>
> a) Where can we modify these defaults ? We tried in openssl.cnf in
> /OpenCA/etc/openssl and in /openssl directly but no way. The way to use the
> policies (if i am right it has something to do with this) is really not clear
> and the behavior of this feature is not documented AFAIK.
>

here: etc/servers/pub.conf

example:

## ================== [ Basic CSR Section ] =====================
## Basic CSR Forms
Basic_CSR_Keysizes "1024" "2048" "4096" "512" "768"
#DN_TYPES "BASIC" "TOKEN" "SPKAC" "IE" "PKCS10"
DN_TYPES "PKCS10"

result: you can only upload "PKCS10" requests

##================== [ PKCS #10 Request DN Policy Section ] ====================
##
## You may substitute the value of any Attribute with "ANY" to make it accept any value
## but it will still check for the existence of the attribute
##
DN_TYPE_PKCS10_REQUIRED_ELEMENTS "CN" "OU" "O" "C"
DN_TYPE_PKCS10_BASE "O" "C"
## YES, EXIST, NO
#DN_TYPE_PKCS10_ENFORCE_BASE "EXIST"
DN_TYPE_PKCS10_ENFORCE_BASE "NO"
#DN_TYPE_PKCS10_BASE_1 "certSign"
DN_TYPE_PKCS10_BASE_1 ""
#DN_TYPE_PKCS10_BASE_2 "DE"
DN_TYPE_PKCS10_BASE_2 ""

result: you accept any "PKCS10" request

> b) Can we specify different defaults for these fields, related to the type of
> certificate we want (User, Web, CAOperator, RAOperator, etc...)
>

sorry, don't know. any other should help here.

> c) We really want to publish all the certificates and stuff in an OpenLDAP
> directory running on the RA node. Are we obliged to strictly follow the same
> distinguished name, in other words, the distinguished name in the certificate
> is the same as in the LDAP directory ?
>

yes, I think so. any other should confirm this

> Many thanks in advance for your advice
>
> Francois
>

doesn't matter

Christian

> -------------------------------------------------------------------------
> Take Surveys. Earn Cash. Influence the Future of IT
> Join SourceForge.net's Techsay panel and you'll get the chance to share your
> opinions on IT & business topics through brief surveys - and earn cash
> http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV
> _______________________________________________
> Openca-Users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/openca-users
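As an added example, not from the thread and not OpenCA's own code: a small Python checker that applies the pub.conf PKCS#10 DN policy quoted in the reply to an OpenSSL-style subject string, so the effect of REQUIRED_ELEMENTS, BASE and ENFORCE_BASE can be tried offline. The exact YES/EXIST/NO semantics and the "ANY" handling are my assumptions about how OpenCA interprets them, and the config fragment is constructed from the values shown in the reply (with the commented-out "certSign"/"DE" base values switched on).

```python
import re

# Constructed pub.conf fragment built from the settings quoted in the reply;
# here the commented-out base values are enabled and enforced.
PUB_CONF = """
DN_TYPE_PKCS10_REQUIRED_ELEMENTS "CN" "OU" "O" "C"
DN_TYPE_PKCS10_BASE "O" "C"
DN_TYPE_PKCS10_ENFORCE_BASE "YES"
DN_TYPE_PKCS10_BASE_1 "certSign"
DN_TYPE_PKCS10_BASE_2 "DE"
"""

def parse_conf(text):
    """Return {KEY: [values]} for lines of the form KEY "v1" "v2"; '#' lines are skipped."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, rest = line.split(None, 1)
        conf[key] = re.findall(r'"([^"]*)"', rest)
    return conf

def parse_dn(dn):
    """Parse an OpenSSL-style '/C=DE/O=certSign/CN=x' subject into a dict."""
    return dict(p.split("=", 1) for p in dn.split("/") if p)

def check_pkcs10_dn(dn, conf):
    """Apply the DN policy; return (accepted, reason).
    Assumed semantics: YES = base attributes must exist and match BASE_n,
    EXIST = they must only be present, NO = base attributes are not checked;
    an expected value of "ANY" accepts any value but still requires presence."""
    subject = parse_dn(dn)
    for attr in conf.get("DN_TYPE_PKCS10_REQUIRED_ELEMENTS", []):
        if attr not in subject:
            return False, f"required attribute {attr} missing"
    mode = conf.get("DN_TYPE_PKCS10_ENFORCE_BASE", ["NO"])[0]
    if mode == "NO":
        return True, "ok"
    for i, attr in enumerate(conf.get("DN_TYPE_PKCS10_BASE", []), 1):
        if attr not in subject:
            return False, f"base attribute {attr} missing"
        expected = conf.get(f"DN_TYPE_PKCS10_BASE_{i}", [""])[0]
        if mode == "YES" and expected != "ANY" and subject[attr] != expected:
            return False, f"{attr}={subject[attr]} does not match {expected}"
    return True, "ok"
```

Switching ENFORCE_BASE to "NO" in the fragment reproduces the "accept any PKCS10 request" result described in the reply, as long as the required attributes are present.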
