On Mon, 2010-01-18 at 12:51 +0200, Dmitrij Mironov wrote:
> Hello,
>
> By default OpenCA includes incremental serialNumber in Subject DN. Is it possible to turn off this feature? I know about RFC and subject name uniqueness requirement, but i.e. there are recommendations for EV SSL profiles, where it is stated that SerialNumber in Subject DN can be used to define an ID of legal entity (organization ID). I want to test this profile.
>
> So, is that auto-serial-number-in-DN feature configurable or I need to just comment some lines in code?
<snip>

Yes, it is possible. For example, we turn it off when we issue certs for our VPN gateways so that we do not need to redefine the IDs used in the tunnels every time we replace a certificate. Of course, this creates some additional complexities in that we must revoke the current cert before generating the new one to avoid duplicates. The following is from our internal documentation; change the path to match your environment:
The normal settings for OpenCA include the serial number in the DN. To change this behavior, one must edit the configuration files to read:

    SET_REQUEST_SERIAL_IN_DN "N"
    SET_CERTIFICATE_SERIAL_IN_DN "N"

This change must be made in ca.conf, batch.conf, and ra.conf on the CA/RA. The files are in /opt/OpenCA/etc/openca/servers/

Good luck - John

_______________________________________________
Openca-Users mailing list
Openca-Users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openca-users
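As an added check, not part of John's post or of OpenCA's own tooling, the POSIX shell function below audits the three files John names and reports any file where either setting is missing or not "N"; the directory is passed as an argument (the post's path is /opt/OpenCA/etc/openca/servers/) and the sample layout at the bottom is constructed for a stand-alone run.

```shell
#!/bin/sh
# Added example: audit OpenCA server configs for the two settings that control
# whether the incremental serial number is embedded in the Subject DN.
# Pass the servers directory, e.g. /opt/OpenCA/etc/openca/servers/ (from the post).

# check_serial_in_dn DIR
# Prints one line per file/key that still allows the serial in the DN and
# returns 0 only when ca.conf, batch.conf and ra.conf all set both keys to "N".
check_serial_in_dn() {
    dir="$1"
    rc=0
    for f in ca.conf batch.conf ra.conf; do
        path="$dir/$f"
        if [ ! -f "$path" ]; then
            echo "MISSING $path"
            rc=1
            continue
        fi
        for key in SET_REQUEST_SERIAL_IN_DN SET_CERTIFICATE_SERIAL_IN_DN; do
            # Take the last assignment of the key; quotes around the value are optional.
            val=$(grep -E "^[[:space:]]*$key[[:space:]]" "$path" | tail -n 1 \
                  | sed -E "s/^[[:space:]]*$key[[:space:]]+\"?([^\"[:space:]]*)\"?.*/\1/")
            if [ -z "$val" ]; then
                # Absent key means the OpenCA default, which puts the serial in the DN.
                echo "UNSET   $path $key"
                rc=1
            elif [ "$val" != "N" ]; then
                echo "ENABLED $path $key=$val"
                rc=1
            fi
        done
    done
    return $rc
}

# Constructed sample layout: ca.conf is correct, batch.conf still has one "Y",
# and ra.conf was never edited, so the audit flags two files.
demo_dir=$(mktemp -d)
printf 'SET_REQUEST_SERIAL_IN_DN "N"\nSET_CERTIFICATE_SERIAL_IN_DN "N"\n' > "$demo_dir/ca.conf"
printf 'SET_REQUEST_SERIAL_IN_DN "N"\nSET_CERTIFICATE_SERIAL_IN_DN "Y"\n' > "$demo_dir/batch.conf"
printf '# no SERIAL_IN_DN settings here\n' > "$demo_dir/ra.conf"
check_serial_in_dn "$demo_dir" || echo "serial number may still be added to the Subject DN"
rm -rf "$demo_dir"
```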