Cannot Automatically Create Empty-Sequenced-Subject-DN CSR Using Openssl CLI
I have a burning desire to make a CSR for my host, which has multiple
names. That CSR ideally wants to make use of a critical subjectAltName
listing all possible DNS names and the one IP address. It'll go off to
cacert.org, which looks for CN and DNS alternate names for validation. It
also wants an empty subject sequence, which RFC 3280 assures me is
possible, and which apparently goes down best with implementations sticking
to the letter about acceptable names being one of either CN or alternate
DNS. The idea is to satisfy the requirement for the vast majority of TLS-
enabled/available services with one cert (SMTP, POP3, IMAP, HTTP ...).
I created a cfg file, at first with no distinguished_name entry, then with
no [dn-section] contents (blank section). In both cases code in
apps/req.c seems to prevent me.
A kludgy workaround appears to be to make the request up with an alias CN
temporarily, then pipe it back through req with "-subj /". Yuck. It also
transpires that the temporary CSR, which uses the unqualified hostname as
CN, simply has the CN rubbed out by cacert when it finds the alias
unresolvable/invalid. In that sense, this question really only serves to
help either discover a bug or make me aware of the right way of doing this
(which documentation and Google do not answer between them). I'd also be
interested to know if/why others chose different techniques to solve this
problem, since it seems to me to be more-or-less at the whim of the
implementer how to interpret/match names in the CN and/or DNS alternates
when verifying server certs.
So, basically, I wonder: what's the right way to make a CSR, using the
config file and no prompts, in one command, with an empty Subject sequence?
If an email tells you to forward it to all your friends, please
temporarily forget that I am your friend.
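As an added example (not part of the original message or of OpenSSL's own documentation): the one-command version of what is asked for above, namely a CSR with an empty Subject sequence and a critical subjectAltName, built from a config file with no prompting. It assumes OpenSSL 1.1.1 or 3.x on PATH; the host names, the IP address and the file names are made up for the illustration. The trick is that "-subj /" parses as an empty RDN sequence and, because -subj is given, req skips the prompt/no-prompt path that refuses a DN with no entries; the distinguished_name section is still referenced, since older req.c insists it exists, but is left empty.

```shell
#!/bin/sh
# Added example (not from the original post): one "openssl req" invocation that
# yields a CSR with an empty Subject and a critical subjectAltName.
# Assumes OpenSSL 1.1.1 or 3.x on PATH; names and IP below are constructed.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Config for "openssl req". [req_dn] is referenced but intentionally empty:
# the Subject comes from "-subj /" on the command line.
write_req_config() {
  cat > "$1" <<'EOF'
[ req ]
distinguished_name = req_dn
req_extensions     = req_ext

[ req_dn ]

[ req_ext ]
subjectAltName = critical,DNS:example.org,DNS:mail.example.org,DNS:www.example.org,IP:192.0.2.10
EOF
}

# Generate a key and the CSR in directory $1; prints the CSR path.
make_empty_subject_csr() {
  dir="$1"
  write_req_config "$dir/req.cnf"
  openssl ecparam -name prime256v1 -genkey -noout -out "$dir/key.pem"
  # A lone "/" is parsed as an empty RDN sequence (a NULL-DN); because -subj
  # is supplied, req neither prompts nor consults the empty [req_dn] section.
  openssl req -new -key "$dir/key.pem" -config "$dir/req.cnf" -subj / \
      -out "$dir/host.csr" >/dev/null
  printf '%s\n' "$dir/host.csr"
}

# The Subject as openssl renders it, whitespace stripped: "subject=" means empty.
csr_subject() {
  openssl req -in "$1" -noout -subject | tr -d '[:space:]'
}

# Succeeds only if the SAN extension is present AND flagged critical, which
# RFC 3280/5280 require whenever the Subject is empty.
csr_san_is_critical() {
  openssl req -in "$1" -noout -text | grep -q 'X509v3 Subject Alternative Name: critical'
}

# Succeeds if the CSR's self-signature checks out.
csr_verifies() {
  openssl req -in "$1" -noout -verify >/dev/null 2>&1
}

CSR="$(make_empty_subject_csr "$WORK")"
echo "Subject: $(csr_subject "$CSR")"
csr_san_is_critical "$CSR" && echo "SAN is critical"
csr_verifies "$CSR" && echo "CSR signature verifies"
```

The three check functions are the things worth eyeballing before sending such a request to a CA: "openssl req -noout -subject" printing a bare "subject=" confirms the empty sequence, "-text" shows whether the SAN really carries the critical flag (an empty Subject without a critical SAN is not a valid RFC 3280/5280 name), and "-verify" confirms the request is still correctly self-signed, which is the part the "pipe it back through req with -subj /" workaround can get wrong.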