Cannot Automatically Create Empty-Sequenced-Subject-DN CSR Using Openssl CLI


Sabahattin Gucukoglu

Hi all,

I have a burning desire to make a CSR for my host, which has multiple
names.  That CSR ideally wants to make use of a critical subjectAltName
listing all possible DNS names and the one IP address.  It'll go off to
cacert.org, which looks for CN and DNS alternate names for validation.  It
also wants an empty subject sequence, which RFC 3280 assures me is
possible, and which apparently goes down best with implementations sticking
to the letter about acceptable names being one of either CN or alternate
DNS.  The idea is to satisfy the requirement for the vast majority of TLS-
enabled/available services with one cert (SMTP, POP3, IMAP, HTTP ...).

I created a cfg file, at first with no distinguished_name entry, then with
no [dn-section] contents (blank section).  In both cases code in
apps/req.c seems to prevent me.

A kludgy workaround appears to be to make the request up with an alias CN
temporarily, then pipe it back through req with "-subj /".  Yuck.  It also
transpires that the temporary CSR, which uses the unqualified hostname as
CN, simply has the CN rubbed out by cacert when it finds the alias
unresolvable/invalid.  In that sense, this question really only serves to
help either discover a bug or make me aware of the right way of doing this
(which documentation and Google do not answer between them).  I'd also be
interested to know if/why others chose different techniques to solve this
problem, since it seems to me to be more-or-less at the whim of the
implementer how to interpret/match names in the CN and/or DNS alternates
when verifying server certs.

So, basically, I wonder: what's the right way to make a CSR, using the
config file and no prompts, in one command, with an empty Subject sequence
DN?

Cheers,
Sabahattin

--
If an email tells you to forward it to all your friends, please
temporarily forget that I am your friend.

Sabahattin Gucukoglu <[hidden email]>
Phone: +44 20 88008915
Mobile: +44 7986 053399


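As an added example that is not part of the original post and not OpenSSL's own documentation: a POSIX shell script that does what the question asks in one non-interactive `openssl req` call, using the `-subj /` override the post mentions together with a config file that carries the critical subjectAltName, then checks the result the way a CA or operator would. Host names, the IP address, the RSA key type and the file paths are constructed placeholders; the script assumes an `openssl` binary (1.1 or 3.x CLI) on PATH.

```shell
#!/bin/sh
# Added example, not from the original post: CSR with an empty Subject SEQUENCE
# and every name in a critical subjectAltName. Names/IP/key type are placeholders.
set -eu

# Writes the req config to $1. The DN section is deliberately empty: with
# 'prompt = no' apps/req.c rejects it ("no objects specified in config file"),
# so the Subject is emptied with '-subj /', which bypasses the DN section while
# the req_extensions section is still applied.
write_cfg() {
    cat > "$1" <<'EOF'
[ req ]
distinguished_name = req_dn
req_extensions     = req_ext
prompt             = no
[ req_dn ]
# intentionally empty
[ req_ext ]
subjectAltName = critical, @alt_names
[ alt_names ]
DNS.1 = mail.example.com
DNS.2 = www.example.com
DNS.3 = example.com
IP.1  = 192.0.2.10
EOF
}

# Generates a key and the CSR in directory $1 without any prompt.
make_csr() {
    write_cfg "$1/req.cnf"
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$1/key.pem" 2>/dev/null
    openssl req -new -key "$1/key.pem" -config "$1/req.cnf" -subj / \
        -out "$1/req.csr"
}

# Succeeds only if the CSR has an empty Subject and a critical SAN listing
# every expected name (what a CA or operator should verify before use).
check_csr() {
    openssl req -in "$1" -noout -subject | grep -Eq '^subject=[[:space:]]*$' || return 1
    text=$(openssl req -in "$1" -noout -text)
    printf '%s\n' "$text" | grep -q 'Subject Alternative Name: critical' || return 1
    for n in DNS:mail.example.com DNS:www.example.com DNS:example.com 'IP Address:192.0.2.10'; do
        printf '%s\n' "$text" | grep -q "$n" || return 1
    done
}

d=$(mktemp -d)
make_csr "$d"
check_csr "$d/req.csr"
echo "empty-subject CSR written to $d/req.csr"
```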
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]