I have made it through the basics. Thanks for all the help. The fruits
of my labor can be found at:
http://www.htt-consult.com/pki
under roll your own CA and 802.1AR
There is a link there for my current 'lessons learned'. I will be
adding more to this:
http://www.htt-consult.com/pki/open
On 08/18/2017 01:16 PM, Dr. Stephen Henson wrote:
On Thu, Aug 17, 2017, Robert Moskowitz wrote:
In the [ ca ] section I have:
prompt = no
If I leave the = out I get an error, so I am assuming I got the
format of this right.
Then I have
[ req ]
distinguished_name = req_distinguished_nam
On Thu, Aug 17, 2017, Robert Moskowitz wrote:
> In the [ ca ] section I have:
>
> prompt = no
>
> If I leave the = out I get an error, so I am assuming I got the
> format of this right.
>
> Then I have
>
> [ req ]
> distinguished_name = req_distinguished_name
>
> [ req_distinguished_name ]
On 08/18/2017 08:48 AM, Jeffrey Walton wrote:
It is coming down that I would need a unique cnf for each cert type, rather
than one per signing CA. Things just don't work well without prompting or
very consistent DN content. So I am going to pull most of my. ENV. I am
leaving it in for dir an
On 08/18/2017 08:46 AM, Salz, Rich via openssl-users wrote:
This has been a long email thread. Can you open a github issue and summarize
the improvements you think we should make?
Thanks.
And thanks for your patience!
When I get through the "lessons learned" step, I will ask you how to
op
> On 18 August 2017 at 15:18, Mark H. Wood wrote:
>
> On Thu, Aug 17, 2017 at 03:29:56PM +, Erwann Abalea via openssl-users
> wrote:
>> The BR are for public CAs, not private CAs; even if some of those
>> requirements are considered « good practice » (the 64 bits out of a CSPRNG
>> is suc
On Thu, Aug 17, 2017 at 03:29:56PM +, Erwann Abalea via openssl-users wrote:
> The BR are for public CAs, not private CAs; even if some of those
> requirements are considered « good practice » (the 64 bits out of a CSPRNG is
> such a req), they cannot be forced on private CAs.
> And unless so
On Fri, Aug 18, 2017 at 08:48:07AM -0400, Jeffrey Walton wrote:
> If this is a private PKI, then you can do things like that.
>
> But I believe you need a distinguished name if you are following the
> RFCs. Maybe you can modify your script to stuff the principal name
> from the SAN in the DN some
> It is coming down that I would need a unique cnf for each cert type, rather
> than one per signing CA. Things just don't work well without prompting or
> very consistent DN content. So I am going to pull most of my. ENV. I am
> leaving it in for dir and SAN.
>
> I feel it is a bug that if in '
This has been a long email thread. Can you open a github issue and summarize
the improvements you think we should make?
Thanks.
And thanks for your patience!
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Jakob had it right
On 08/17/2017 07:01 PM, Jakob Bohm wrote:
Given all these problems with the Distinguished Name prompting
mechanism, just add the -subject option to the req command line
(using appropriate environment variables in the shell script).
Enjoy
Jakob
It is coming down that