I reckon the commonName entry has different values depending on the certificateType. E.g., email address if an end user certificate, etc)
---- Parliamentary ICT Houses of Parliament UK http://www.parliament.uk/ Subject: [openssl.org #2590] change commonName entry for default openssl config file From: [email protected] CC: [email protected] Date: Wed, 31 Aug 2011 09:03:18 +0200 Hi, This is just a minor thing that always bugs me whenever I install openssl; by default the openssl configuration file (/etc/ssl/openssl.cnf) has the following line: "commonName = Common Name (eg, YOUR name)" Sometimes when I'm installing a certificate I accidentally forget to write my host name given this prompt (as I just did a few minutes ago). I'd suggest "commonName = Common Name (your host name)" since the X.509 format of course requires the CN to be the host. I suspect this default configuration file is being copied from apps/openssl.cnf, though I confess this is just based on a diff without looking too closely. This is of course very minor, but an easy change so I hope you'll consider it to save lots of future idiots like me 30 seconds. (I am running Ubuntu 10.04 (old!) at the moment, and peeked at the source code from the openssl-fips-1.2.3.tar.gz tarball.) Thanks, Dan Hi, This is just a minor thing that always bugs me whenever I install openssl; by default the openssl configuration file (/etc/ssl/openssl.cnf) has the following line: "commonName??? ??? ??? = Common Name (eg, YOUR name)" Sometimes when I'm installing a certificate I accidentally forget to write my host name given this prompt (as I just did a few minutes ago). I'd suggest "commonName??? ??? ??? = Common Name (your host name)" since the X.509 format of course requires the CN to be the host. I suspect this default configuration file is being copied from apps/openssl.cnf, though I confess this is just based on a diff without looking too closely. This is of course very minor, but an easy change so I hope you'll consider it to save lots of future idiots like me 30 seconds. (I am running Ubuntu 10.04 (old!) at the moment, and peeked at the source code from the openssl-fips-1.2.3.tar.gz tarball.) Thanks, Dan
