Harald Koch wrote:
> > > In LDAP, the convention is to display the DNs in the opposite order,
> > > but the semantic meaning of the DN is unchanged. The X.500 representation
> > > /c=us/o=foo/ou=people/cn=joe
> > > specifies the exact same object as the LDAP DN
> > > cn=joe,ou=people,o=foo,c=us
> > >
> > > The difference is purely a matter of presentation.
> >
> > And I believe that the root of the confusion is syntax.
> > X.500 uses the '/' convention, while RFC 2253 uses the ',' convention.
>
> OpenSSL 0.9.7-dev (and possibly other versions) print the DN using ','
> notation but in the wrong order in the case where you dump the entire
> certificate, e.g.
>
> openssl x509 -in foo.pem -noout -text
> gives
> Subject: C=CA, ST=ON, O=cfrq.net, OU=SSL Client, CN=Harald Koch
>
> If you say:
> openssl x509 -in ~/lib/CA/client-cert.pem -noout -subject
> you get
> subject= /C=CA/ST=ON/O=cfrq.net/OU=SSL Client/CN=Harald Koch
>
> and if you say:
> openssl x509 -in ~/lib/CA/client-cert.pem -noout -subject -nameopt rfc2253
> you get:
> subject= CN=Harald Koch,OU=SSL Client,O=cfrq.net,ST=ON,C=CA
Thanks for this hint. This really helps. The only bad detail is now "openssl -subj", which uses a DN with "," inside, but the order is the one from X.500.

Best Regards,
Michael

-- 
-------------------------------------------------------------------
Michael Bell                    Email (private): [EMAIL PROTECTED]
Rechenzentrum - Datacenter      Email: [EMAIL PROTECTED]
Humboldt-University of Berlin   Tel.: +49 (0)30-2093 2482
Unter den Linden 6              Fax:  +49 (0)30-2093 2959
10099 Berlin                    http://www.openca.org
Germany
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
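A worked example of the point made in the thread, added here and not taken from OpenSSL or from either poster: the separator ('/' versus ',') and the RDN order (root-first X.500 versus leaf-first RFC 2253) are independent choices, so the three spellings of Harald's subject quoted above all denote the same DN once they are normalised to one root-first list. The parser assumes backslash-escaped separators, as `-nameopt oneline` and `-nameopt rfc2253` emit; the legacy compat output escapes nothing, so a '/' or ',' inside a value is genuinely ambiguous there and no parser can recover it. The sample DN strings below are constructed from the thread; `parse_text_subject` is a name chosen for this example.

```python
# Added example (not OpenSSL code): normalise the DN spellings seen in the
# thread to a single root-first RDN list so they can be compared.
# Assumes backslash-escaped separators; the legacy compat format escapes
# nothing, so a separator inside a value is ambiguous in that format.


def _split_unescaped(s, sep):
    """Split s on sep, but not on a sep that is preceded by a backslash."""
    parts, cur, i = [], [], 0
    while i < len(s):
        c = s[i]
        if c == "\\" and i + 1 < len(s):      # keep the escape pair verbatim
            cur.append(c + s[i + 1])
            i += 2
            continue
        if c == sep:
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(c)
        i += 1
    parts.append("".join(cur))
    return parts


def parse_dn(text, sep, leaf_first):
    """Return the RDNs of a displayed DN as a list in X.500 (root-first) order.

    text       -- the DN as printed, without any 'subject=' prefix
    sep        -- the RDN separator used by that display format
    leaf_first -- True if the display lists the leaf (CN) first, as RFC 2253 does
    """
    rdns = [r.strip() for r in _split_unescaped(text, sep) if r.strip()]
    return list(reversed(rdns)) if leaf_first else rdns


def parse_oneline(dn):
    """'/C=CA/ST=ON/CN=x' (default -subject output): '/'-separated, root first."""
    if not dn.startswith("/"):
        raise ValueError("oneline DN must start with '/'")
    return parse_dn(dn[1:], "/", leaf_first=False)


def parse_rfc2253(dn):
    """'CN=x,ST=ON,C=CA' (-nameopt rfc2253): ','-separated, leaf first."""
    return parse_dn(dn, ",", leaf_first=True)


def parse_text_subject(dn):
    """'C=CA, ST=ON, CN=x' as in the quoted -text output: ','-separated but root first."""
    return parse_dn(dn, ",", leaf_first=False)


def to_oneline(rdns):
    """Root-first list -> '/'-separated X.500-style display."""
    return "/" + "/".join(rdns)


def to_rfc2253(rdns):
    """Root-first list -> ','-separated, leaf-first RFC 2253 display."""
    return ",".join(reversed(rdns))


# Constructed inputs: the three spellings of one subject quoted in the thread.
ONELINE = "/C=CA/ST=ON/O=cfrq.net/OU=SSL Client/CN=Harald Koch"
RFC2253 = "CN=Harald Koch,OU=SSL Client,O=cfrq.net,ST=ON,C=CA"
TEXT = "C=CA, ST=ON, O=cfrq.net, OU=SSL Client, CN=Harald Koch"

if __name__ == "__main__":
    a, b, c = parse_oneline(ONELINE), parse_rfc2253(RFC2253), parse_text_subject(TEXT)
    print(a == b == c)            # same DN, three presentations
    print(to_rfc2253(a))          # leaf-first, ','-separated
    print(to_oneline(b))          # root-first, '/'-separated
    # An escaped separator inside a value must not split the RDN:
    print(parse_rfc2253(r"CN=joe,O=ACME\, Inc.,C=US"))
```

The one thing the code cannot do is guess the order from the separator alone, which is the trap in the `-text` output: it has to be told `leaf_first=False` even though it uses commas. When comparing subjects from different tools (an LDAP directory, `openssl`, a CA's database), normalise to the root-first list first and compare lists, not strings.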