On Mon, Apr 15, 2002 at 08:57:00PM +0200, Michael Bell wrote:
> Hi,
> 
> We found a big problem today with the DNs which OpenSSL displays, because
> our application (OpenCA) produces DNs which conform to the
> directory standards but OpenSSL interprets them in the opposite order.
> What does this mean?
> 
> Here is an example:
> 
> The root of our directory is the following: o=HU, c=de
> 
> The organizational unit for the PKI is Test-CA. So the next DN in the
> directory must be:
> ou=Test-CA, o=HU, c=de
> 
> A certificate would have the DN "cn=bell, ou=Test-CA, o=HU, c=de".
> 
> It is no problem to produce this DN with OpenSSL, but then we were a
> little bit shocked when we saw the DNs of Thawte, VeriSign, Entrust etc.
> with OpenSSL. They all have the format "c=US, o=VeriSign, ..."
> (openssl-*/cerst/). All these trust centers use LDAP servers, but these
> DNs can never be stored in a directory server!
> 
> So it looks like OpenSSL displays the different parts of a DN in the
> wrong order. Did I make a misinterpretation? If this is a bug then I
> have the next question, can you fix this in the 0.9.7-tree?
> 
> It is possible to protect the old index.txt etc. by adding an option
> -x500 or something like this to get a DN which can be inserted in a
> directory server. The problem is that OpenSSL interprets a correct DN
> with "openssl req -subj 'cn=...,c=de'" in the wrong order (so we get a
> "wrong" certificate).
> 
> I know no optimal solution except adding such an option to every
> related command or adding an option like -oldstyledn to "openssl x509" and
> "openssl ca", but before starting to discuss solutions I will wait for an
> answer (bug or misinterpretation).

Hmm. As far as I could see with "openssl x509" and "openssl asn1parse",
certificates are printed in the order of the data inside the certificate.
Whatever this means :-)

Best regards,
        Lutz
-- 
Lutz Jaenicke                             [EMAIL PROTECTED]
http://www.aet.TU-Cottbus.DE/personen/jaenicke/
BTU Cottbus, Allgemeine Elektrotechnik
Universitaetsplatz 3-4, D-03044 Cottbus
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
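
Added example (not part of the original thread and not OpenSSL or OpenCA code): the two orderings discussed above are two renderings of one RDN sequence, since a certificate stores the Name root first and the LDAP string form (RFC 2253) writes the last RDN first. The Python sketch below compares DN strings across the two display orders; the function names are hypothetical, the sample DNs are taken from the message or constructed, and attribute values are compared byte-for-byte as an assumption.

```python
def split_rdns(dn: str) -> list[str]:
    """Split a comma-separated DN into RDNs, honouring backslash escapes and quotes."""
    rdns, cur, escaped, quoted = [], [], False, False
    for ch in dn:
        if escaped:                      # character after a backslash is literal
            cur.append(ch)
            escaped = False
        elif ch == "\\":
            cur.append(ch)
            escaped = True
        elif ch == '"':
            cur.append(ch)
            quoted = not quoted
        elif ch == "," and not quoted:   # unescaped comma ends the current RDN
            rdns.append("".join(cur).lstrip())
            cur = []
        else:
            cur.append(ch)
    rdns.append("".join(cur).lstrip())
    if escaped or quoted or any("=" not in r for r in rdns):
        raise ValueError(f"malformed DN: {dn!r}")
    return rdns

def to_key(dn: str, order: str) -> tuple:
    """Return the DN as a root-first tuple of (type, value) pairs.
    order='cert': string lists the root first (certificate encoding order).
    order='ldap': string lists the leaf first (LDAP string form)."""
    if order not in ("cert", "ldap"):
        raise ValueError("order must be 'cert' or 'ldap'")
    pairs = []
    for rdn in split_rdns(dn):
        attr, value = rdn.split("=", 1)
        pairs.append((attr.strip().lower(), value))   # attribute types are case-insensitive
    return tuple(reversed(pairs)) if order == "ldap" else tuple(pairs)

def render(key: tuple, order: str) -> str:
    """Render a root-first key back to a string in the requested display order."""
    seq = key if order == "cert" else tuple(reversed(key))
    return ", ".join(f"{attr}={value}" for attr, value in seq)

def same_dn(a: str, a_order: str, b: str, b_order: str) -> bool:
    """True when both strings describe the same RDN sequence."""
    return to_key(a, a_order) == to_key(b, b_order)

if __name__ == "__main__":
    directory_dn = "cn=bell, ou=Test-CA, o=HU, c=de"   # from the message above
    printed_dn = "c=de, o=HU, ou=Test-CA, cn=bell"     # constructed: same Name, root first
    print(same_dn(directory_dn, "ldap", printed_dn, "cert"))   # orders declared
    print(same_dn(directory_dn, "cert", printed_dn, "cert"))   # order ignored
    print(render(to_key(directory_dn, "ldap"), "cert"))
```

A subject check that compares the directory string with the printed certificate subject without declaring the order of each will reject a matching certificate, which is the second case in the demo.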
