Cannot Automatically Create Empty-Sequenced-Subject-DN CSR Using Openssl CLI


Sabahattin Gucukoglu

Hi all,

I have a burning desire to make a CSR for my host, which has multiple
names.  That CSR ideally wants to make use of a critical subjectAltName
listing all possible DNS names and the one IP address.  It'll go off to, which looks for CN and DNS alternate names for validation.  It
also wants an empty subject sequence, which RFC 3280 assures me is
possible, and which apparently goes down best with implementations sticking
to the letter about acceptable names being one of either CN or alternate
DNS.  The idea is to satisfy the requirement for the vast majority of TLS-
enabled/available services with one cert (SMTP, POP3, IMAP, HTTP ...).

I created a cfg file, at first with no distinguished_name entry, then with
no [dn-section] contents (blank section).  In both cases code in
apps/req.c seems to prevent me.

A kludgy workaround appears to be to make the request up with an alias CN
temporarily, then pipe it back through req with "-subj /".  Yuck.  It also
transpires that the temporary CSR, which uses the unqualified hostname as
CN, simply has the CN rubbed out by CAcert when it finds the alias
unresolvable/invalid.  In that sense, this question really only serves to
help either discover a bug or make me aware of the right way of doing this
(which documentation and Google do not answer between them).  I'd also be
interested to know if/why others chose different techniques to solve this
problem, since it seems to me to be more-or-less at the whim of the
implementer how to interpret/match names in the CN and/or DNS alternates
when verifying server certs.

So, basically, I wonder: what's the right way to make a CSR, using the
config file and no prompts, in one command, with an empty Subject sequence?

--
If an email tells you to forward it to all your friends, please
temporarily forget that I am your friend.

Sabahattin Gucukoglu <[hidden email]>
Phone: +44 20 88008915
Mobile: +44 7986 053399

OpenSSL Project
User Support Mailing List    [hidden email]
Automated List Manager       [hidden email]
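The one-command approach the post is after, as an added example that is not part of the original message or of OpenSSL's own documentation: a config file whose `[dn]` section is left empty, with the subject supplied on the command line as `-subj /`, which is assumed here to be accepted by `openssl req` (OpenSSL 1.1.1 or later) as an empty RDN sequence rather than routed through the prompt/no-prompt config path that the poster ran into. The hostnames, the IP address and the working-directory layout are constructed placeholders. Because the subject is empty, the subjectAltName is marked critical, which RFC 5280 section 4.2.1.6 requires in exactly this situation; the two helper functions read the result back so the empty subject and the critical SAN can be verified rather than assumed.

```shell
#!/bin/sh
# Added example (not from the original post): build a CSR with an empty
# subject DN and a critical subjectAltName in one openssl(1) invocation.
# Assumes OpenSSL 1.1.1 or later, where "-subj /" yields an empty RDN
# sequence. Names, IP and paths below are constructed sample values.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"
CONF="$WORKDIR/csr.cnf"
KEY="$WORKDIR/host.key"
CSR="$WORKDIR/host.csr"

# The [dn] section is deliberately empty: the subject does not come from
# the config at all, it comes from "-subj /" on the command line.
write_config() {
    cat > "$CONF" <<'EOF'
[ req ]
prompt             = no
distinguished_name = dn
req_extensions     = v3_req

[ dn ]

[ v3_req ]
# RFC 5280 4.2.1.6: with an empty subject, subjectAltName MUST be critical.
subjectAltName = critical,DNS:mail.example.test,DNS:www.example.test,DNS:example.test,IP:192.0.2.10
EOF
}

# Generate key and CSR in one command, no prompts, empty subject sequence.
make_csr() {
    write_config
    openssl req -new -config "$CONF" -subj / \
        -newkey rsa:2048 -nodes -keyout "$KEY" -out "$CSR"
}

# Echo the subject line as openssl reports it; an empty DN prints "subject=".
csr_subject() {
    openssl req -noout -subject -in "$CSR"
}

# Succeed only if the CSR's Subject Alternative Name is critical and names $1.
csr_has_critical_san() {
    openssl req -noout -text -in "$CSR" \
        | grep -A1 'Subject Alternative Name: critical' \
        | grep -q "$1"
}

make_csr
csr_subject
csr_has_critical_san 'DNS:mail.example.test' && echo "critical SAN present"
```

Note that the verification step parses the text dump of the request, where OpenSSL prints IP names as `IP Address:192.0.2.10` rather than the `IP:` form used in the config, so match on the address itself when checking for it.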