> From: owner-openssl-us...@openssl.org On Behalf Of incogn...@mixnym.net
> Sent: Wednesday, 01 February, 2012 16:31
>
> Not sure if this is an OpenSSL bug.
>
> When making a key and certificate:
>
> When going through the dos request and coming to this:

I'm not sure what you mean by 'dos request', but it appears you are running openssl commandline 'req' with options -new -x509 (and possibly others).

> You are about be asked to enter that will be incorporated
> into your certificate request.
> What are enter is what is called a Distinguished Name or a DN.
> There are quite a few fields but you can leave some blank
> For some fields there will be a default ualue.
> If you enter '.', the field will be left blank.
>
> Country Name <2 letter code> [AU]:
> ...

You didn't transcribe this quite correctly, but it's obvious what you mean.

Note this wording is a bit loose for lay users; a field (aka name entry aka RDN) that is specified as '.' or is defaulted to nothing (empty) is *omitted* from the DN.

> Here I have entered the suggested '.' for everything.

When '.' isn't really suggested; it is allowed -- for "some fields". You can't omit (explicitly or implicitly) *all* fields.

The purpose of an X.509 certificate is to bind a (public) key (with conditions/qualifications) to an identity, and classically the only way to express an identity was a nonempty DN. Since v3, SubjectAltName provides an alternate way to identify, and PKIX (5280) allows an empty Subject if SAN is used and critical, but not for cert-issuing or CRL-issuing certs. It is arguable whether a selfsigned cert should be treated as its own issuer or not in principle. openssl req can include SAN in the request or selfsigned cert as applicable, but not in the default config and not prompted. And it still prohibits an empty Subject.

> I do this, I only get the [private key, not also cert]

You should have gotten two (related) error messages:

    error, no objects specified in config file
    problems making Certificate Request

While worded poorly, these do identify the problem: there are no RDNs after doing the prompting configured. This could occur because there were no (valid) prompt items in the config file, or as here because none of the prompt items resulted in creating an RDN. The same error occurs for prompt=no, where the wording is correct, and an equivalent one for -subj. And without a valid request, 'req -x509' can't create a (selfsigned) cert, hence no cert is output.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
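The two situations described in the reply, reproduced as an added example (this script is not part of the thread and is not OpenSSL project code). It uses prompt=no with a config file rather than the interactive prompts, because that is scriptable and, as the reply notes, hits the same "no objects specified" check: an empty [dn] section gives no RDNs, so req refuses to build the request and no certificate is written, only the key. A single CN is enough to succeed, and the SAN is added through an explicit extensions section, since the default config does not do that. Assumptions: `openssl` is on PATH; the DNS name, section names and file paths are constructed placeholders; only exit status is checked, because the exact error text varies between OpenSSL versions.

```shell
#!/bin/sh
# Added example, not from the thread: contrast an all-empty subject (prompt=no,
# no fields) with a one-field subject plus a SAN from a config section.
# Assumes: openssl on PATH. Names and paths below are constructed placeholders.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# $1 = body of the [ dn ] section ("" means no fields at all), $2 = config path.
write_req_config() {
  cat > "$2" <<EOF
[ req ]
prompt              = no
distinguished_name  = dn
x509_extensions     = v3_self
[ dn ]
$1
[ v3_self ]
subjectAltName      = DNS:www.example.test
EOF
}

# Run 'req -new -x509' with a config; print 0 if a certificate was written,
# 1 otherwise, instead of aborting the script on the failing case.
selfsign_status() {
  cfg=$1; key=$2; cert=$3
  if openssl req -new -x509 -days 1 -newkey rsa:2048 -nodes \
       -config "$cfg" -keyout "$key" -out "$cert" >/dev/null 2>"$WORK/err.txt"; then
    echo 0
  else
    echo 1
  fi
}

# Case 1: every field omitted -> no RDNs -> request cannot be built -> no cert,
# which is exactly the "key but no certificate" outcome from the original post.
write_req_config "" "$WORK/empty.cnf"
EMPTY_STATUS=$(selfsign_status "$WORK/empty.cnf" "$WORK/k1.pem" "$WORK/c1.pem")
echo "empty subject: openssl req status=$EMPTY_STATUS"
sed -n '1,3p' "$WORK/err.txt"   # show whatever message this build prints

# Case 2: one RDN is enough; SAN comes from [ v3_self ], not from prompting.
write_req_config "CN = www.example.test" "$WORK/cn.cnf"
CN_STATUS=$(selfsign_status "$WORK/cn.cnf" "$WORK/k2.pem" "$WORK/c2.pem")
echo "one-field subject: openssl req status=$CN_STATUS"

# Returns 0 only if the empty-DN attempt failed (no cert file) and the
# one-field attempt produced a cert carrying both the CN and the SAN.
check_results() {
  [ "$EMPTY_STATUS" -ne 0 ] || return 1
  [ ! -s "$WORK/c1.pem" ] || return 1
  [ "$CN_STATUS" -eq 0 ] || return 1
  [ -s "$WORK/c2.pem" ] || return 1
  openssl x509 -in "$WORK/c2.pem" -noout -subject | grep -q 'www.example.test' || return 1
  openssl x509 -in "$WORK/c2.pem" -noout -text | grep -q 'DNS:www.example.test' || return 1
}
```

Run it as `sh script.sh`; the first case prints the build's own error text (on the versions discussed in the thread, "error, no objects specified in config file"), and `check_results` confirms the second certificate carries the CN in its Subject and the DNS name in subjectAltName.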