>From: owner-openssl-us...@openssl.org On Behalf Of Derek Cole
>Sent: Friday, 12 October, 2012 17:06

>Interesting. While I was playing around with this, I actually 
>noticed that if I use the -subj option on the CSR, I am not able 
>to do this. I was able to get it working by adding the common name 
>on the actual cert generation from that CSR. The config file was 
>modified so that for my priority_match, which had some match fields, 
>was changed to priority_any which only had a common name required, 
>firefox was happy.
        
>Just thought I'd post this workaround in case anyone else stumbles across
>it.

I think you mixed up two or maybe three things here, 
and you meant "policy" not "priority".

Generating a CSR with req -new -subj works if the config file 
has prompt specified or defaulted yes. I tested that. You can 
generate a CSR with only CommonName by either -subj, prompted, 
or unprompted. I (now) tested all of those. The distro config 
file prompts all and defaults some DN fields, so you must enter 
dots to get CN only. OTOH you can specify more than CN with -subj.

*Issuing* a cert using 'ca' from a CSR containing only CommonName, 
however the CSR was created, is a different issue. *That* depends 
on the policy in the config file, and distro policy_match won't 
allow it. You can either edit config or use -policy sect.

You can override the subject in the CSR with ca -subj, but policy 
still applies. If you specify -subj with only CN it will work 
only if the configured policy or -policy sect allows that -- 
and in that case, CSR with only CN works just as well.

<snip previous>

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
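
The distinction drawn in the reply above, as an added example that is not part of the original message: the script builds a throwaway CA and tries to issue from a CN-only CSR under each policy section, and once more with `ca -subj`. The subject names, file names and the `try_policy` helper are constructed for illustration; the two policy sections follow the stock openssl.cnf.

```shell
# Added example: throwaway CA in a temp dir; names and paths are constructed.
# try_policy SECTION [CA_SUBJ] returns 0 only if 'openssl ca' issues a certificate.
try_policy() {
  d=$(mktemp -d) || return 2
  (
    cd "$d" && mkdir newcerts && : > index.txt && echo 01 > serial || exit 2
    cat > ca.cnf <<'EOF'
[ ca ]
default_ca = CA_default
[ CA_default ]
database = index.txt
new_certs_dir = newcerts
serial = serial
certificate = ca.pem
private_key = ca.key
default_md = sha256
default_days = 30
policy = policy_match
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ req ]
distinguished_name = req_dn
[ req_dn ]
commonName = Common Name
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -config ca.cnf -days 30 -keyout ca.key \
      -out ca.pem -subj "/C=US/ST=Example/O=Example CA/CN=Example Root" 2>/dev/null || exit 2
    openssl req -new -newkey rsa:2048 -nodes -config ca.cnf -keyout srv.key \
      -out srv.csr -subj "/CN=server.example.test" 2>/dev/null || exit 2  # CN-only CSR
    openssl ca -batch -config ca.cnf -policy "$1" ${2:+-subj "$2"} \
      -in srv.csr -out srv.pem >/dev/null 2>&1 && [ -s srv.pem ]
  )
  rc=$?; rm -rf "$d"; return "$rc"
}
for p in policy_match policy_anything; do
  if try_policy "$p"; then echo "$p: issued"; else echo "$p: refused"; fi
done
```

Drop the redirections on the `openssl ca` line to see which DN field the policy check rejects.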
