Hi Mukilan,

> Does it mean that we can't ignore signature verification for CSR? I will 
> explain the use case. We would like to modify the SubjectDN/SAN as part of 
> our own policy while internal clients (devices, computers, etc.) are 
> raising certificate requests. The internal clients will send the CSR to a 
> proxy, then proxy will contact on behalf of client to send CSR and receive 
> certificate. The proxy will do all the policy implementation related to 
> Subject and SAN.
> Since the Subject DN/SAN is modified in proxy, we would like to instruct the 
> OpenXPKI to ignore signature validation for CSR. Is there any 
> way/configuration parameter to instruct the OpenXPKI to ignore the signature 
> validation for CSR?


Well, this is not how it's supposed to work. ;)

I honestly cannot imagine a use case in which it would be necessary to modify 
the CSR itself in order to enforce a naming policy (and I have seen a *lot* of 
really strange requirements).
OpenXPKI itself provides sufficient means to selectively process data provided 
in the CSR to form the desired DN/SANs. Get rid of that proxy and configure 
your policy correctly.

Cheers

Martin




_______________________________________________
OpenXPKI-users mailing list
OpenXPKI-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openxpki-users
