Signing Certificate corrupts Subject Name using name_opt or cert_opt

Signing Certificate corrupts Subject Name using name_opt or cert_opt

Duncan Brannen

Hi,
   I've got a certificate request with the subject name

cn=database,cn=OracleContext,dc=st-andrews,dc=ac,dc=uk

I've signed one of these previously with openssl after adding
domainComponent        = optional
to the openssl.cnf file under policy_anything.

However, since installing a new version of openssl, the .cnf file now
contains
two additional lines

name_opt     = ca_default        # Subject Name options
cert_opt     = ca_default        # Certificate field options

If I uncomment either of these, my signed certificate's subject becomes
dc=st-andrews,dc=ac,dc=uk,cn=dunktest,cn=OracleContext
which is unusable in this case.

Is this working as designed, or a bug for this case? It's only doing
this, as far as I've seen, for certificates with multiple cn and dc fields.

Here's the command and output from openssl ca when the lines are removed

> /usr/local/ssl/bin/openssl ca -config old_openssl.cnf -policy policy_anything -infiles newreq.pem
> Using configuration from old_openssl.cnf
> Enter pass phrase for cakey.pem:
> Check that the request matches the signature
> Signature ok
> The Subject's Distinguished Name is as follows
> domainComponent       :IA5STRING:'uk'
> domainComponent       :IA5STRING:'ac'
> domainComponent       :IA5STRING:'st-andrews'
> commonName            :T61STRING:'OracleContext'
> commonName            :T61STRING:'dunktest'
> Certificate is to be certified until Jun 17 11:05:19 2006 GMT (150 days)
> Sign the certificate? [y/n]:n
> CERTIFICATE WILL NOT BE CERTIFIED


and when the lines are left in

> /usr/local/ssl/bin/openssl ca -config new_openssl.cnf -policy policy_anything -infiles newreq.pem
> Using configuration from new_openssl.cnf
> Enter pass phrase for cakey.pem:
> Check that the request matches the signature
> Signature ok
> Certificate Details:
>         Serial Number: 4111 (0x100f)
>         Validity
>             Not Before: Jan 18 11:05:47 2006 GMT
>             Not After : Jan 18 11:05:47 2008 GMT
>         Subject:
>             commonName                = OracleContext
>             commonName                = dunktest
>             domainComponent           = uk
>             domainComponent           = ac
>             domainComponent           = st-andrews
>         X509v3 extensions:
>             X509v3 Basic Constraints:
>                 CA:FALSE
>             Netscape Comment:
>                 OpenSSL Generated Certificate
>             X509v3 Subject Key Identifier:
>                 2C:73:41:0C:34:4F:73:91:87:EC:A2:3A:1F:77:07:B5:54:A0:E7:67
>             X509v3 Authority Key Identifier:
>                 keyid:45:59:29:AD:8A:91:EA:BA:7C:82:2D:4A:63:A6:F6:3B:AA:A8:93:93
>                 DirName:/C=UK/ST=Fife/L=St Andrews/O=University of St Andrews/OU=I.T. Services/CN=Master Signing Certificate/emailAddress=[hidden email]
>                 serial:B8:E9:3F:CB:37:39:E6:DB
>
>             Netscape CA Revocation Url:
>                 http://www.st-andrews.ac.uk/ca-crl.pem
> Certificate is to be certified until Jan 18 11:05:47 2008 GMT (730 days)
> Sign the certificate? [y/n]:n
> CERTIFICATE WILL NOT BE CERTIFIED

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]

Re: Signing Certificate corrupts Subject Name using name_opt or cert_opt

Dr. Stephen Henson
On Wed, Jan 18, 2006, Duncan Brannen wrote:

>
> Hi,
>   I've got a certificate request with the subject name
>
> cn=database,cn=OracleContext,dc=st-andrews,dc=ac,dc=uk
>
> I've signed one of these previously with openssl after adding
> domainComponent        = optional
> to the openssl.cnf file under policy_anything.
>
> However, since installing a new version of openssl, the .cnf file now
> contains
> two additional lines
>
> name_opt     = ca_default        # Subject Name options
> cert_opt     = ca_default        # Certificate field options
>
> If I uncomment either of these, my signed certificate's subject becomes
> dc=st-andrews,dc=ac,dc=uk,cn=dunktest,cn=OracleContext
> which is unusable in this case.
>

Are you sure it actually alters the subject and not just the way it is
displayed?

I'd suggest comparing the two using the 'x509' utility to see if they are
actually any different.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk

Re: Signing Certificate corrupts Subject Name using name_opt or cert_opt

Duncan Brannen
Dr. Stephen Henson wrote:

>On Wed, Jan 18, 2006, Duncan Brannen wrote:
>
>>Hi,
>>  I've got a certificate request with the subject name
>>
>>cn=database,cn=OracleContext,dc=st-andrews,dc=ac,dc=uk
>>
>>I've signed one of these previously with openssl after adding
>>domainComponent        = optional
>>to the openssl.cnf file under policy_anything.
>>
>>However, since installing a new version of openssl, the .cnf file now
>>contains
>>two additional lines
>>
>>name_opt     = ca_default        # Subject Name options
>>cert_opt     = ca_default        # Certificate field options
>>
>>If I uncomment either of these, my signed certificate's subject becomes
>>dc=st-andrews,dc=ac,dc=uk,cn=dunktest,cn=OracleContext
>>which is unusable in this case.
>>
>
>Are you sure it actually alters the subject and not just the way it is
>displayed?
>
>I'd suggest comparing the two using the 'x509' utility to see if they are
>actually any different.
>
>Steve.
Thanks Steve,
       It shows as mis-ordered using the commands below

# openssl x509 -subject -in newcert.pem -noout
subject= /DC=uk/DC=ac/DC=st-andrews/CN=OracleContext/CN=dunktest


# openssl x509 -subject -in newCA/newcert.pem -noout
subject= /CN=OracleContext/CN=dunktest/DC=uk/DC=ac/DC=st-andrews

I'm assuming here that order is important. It's an Oracle wallet I'm
importing into, and the SSL handshake breaks down when I import the new certificate.

Cheers,
      Duncan




Solved: Signing Certificate corrupts Subject Name using name_opt or cert_opt

Duncan Brannen
In reply to this post by Dr. Stephen Henson

It seems the old CA.pl file used -preserveDN when signing a certificate;
adding this created a certificate with the correct subject whether name_opt
and cert_opt are commented out or not.

> # openssl x509 -subject -in test.name_opt.preserveDN.crt -noout
> subject= /DC=uk/DC=ac/DC=st-andrews/CN=OracleContext/CN=dunktest
> # openssl x509 -subject -in test.no_name_opt.preserveDN.crt -noout
> subject= /DC=uk/DC=ac/DC=st-andrews/CN=OracleContext/CN=dunktest


Thanks for the help
    Duncan
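Steve's suggested check and Duncan's result both come down to the DER encoding of the subject: an X.509 Name is an ordered SEQUENCE of RDNs, so the same attributes in a different order are a different subject, which is why -preserveDN (keeping the request's order) fixes it. As an added example, not from the thread or from OpenSSL, the following stdlib-only Python encodes and decodes such a Name (CN and DC attributes only, values constructed from the DN in the thread) and formats it both the way openssl x509 -subject prints it and in the LDAP-style form the request was written in.

```python
# Added example, not from the thread: minimal DER encode/decode of an X.509
# Name; RDN order is part of the encoding, not just of the printed subject.
OID_CN = b"\x06\x03\x55\x04\x03"                               # 2.5.4.3 commonName
OID_DC = b"\x06\x0a\x09\x92\x26\x89\x93\xf2\x2c\x64\x01\x19"   # 0.9.2342.19200300.100.1.25 domainComponent
SHORT = {OID_CN: "CN", OID_DC: "DC"}

def _tlv(tag, body):                     # DER tag-length-value, body < 65536 bytes
    n = len(body)
    if n < 0x80:
        hdr = bytes([n])
    else:
        hdr = bytes([0x81, n]) if n < 0x100 else b"\x82" + n.to_bytes(2, "big")
    return bytes([tag]) + hdr + body

def encode_name(rdns):
    """rdns: [(oid_der, value)] root-first as X.500 stores them. Each RDN is a
    SET of one AttributeTypeAndValue; DC is IA5String, CN is UTF8String."""
    seq = b""
    for oid, val in rdns:
        atv = _tlv(0x30, oid + _tlv(0x16 if oid == OID_DC else 0x0C, val.encode()))
        seq += _tlv(0x31, atv)
    return _tlv(0x30, seq)

def _read_tlv(buf, pos):                 # -> (tag, body, next_pos); handles long-form lengths
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n

def decode_name(der):
    """Inverse of encode_name: [(oid_der, value)] in encoded order."""
    _, seq, _ = _read_tlv(der, 0)
    rdns, pos = [], 0
    while pos < len(seq):
        _, rdn, pos = _read_tlv(seq, pos)
        _, atv, _ = _read_tlv(rdn, 0)
        _, oid, p = _read_tlv(atv, 0)
        _, val, _ = _read_tlv(atv, p)
        rdns.append((_tlv(0x06, oid), val.decode()))
    return rdns

def openssl_oneline(rdns):               # what "openssl x509 -subject" prints
    return "".join(f"/{SHORT[o]}={v}" for o, v in rdns)

def ldap_dn(rdns):                       # RFC 4514 string: most specific RDN first
    return ",".join(f"{SHORT[o]}={v}" for o, v in reversed(rdns))

# Constructed from the thread: requested subject (root-first) and the reordering seen without -preserveDN.
REQUESTED = [(OID_DC, "uk"), (OID_DC, "ac"), (OID_DC, "st-andrews"),
             (OID_CN, "OracleContext"), (OID_CN, "dunktest")]
REORDERED = REQUESTED[3:] + REQUESTED[:3]
```

Comparing encode_name(REQUESTED) with encode_name(REORDERED) byte for byte is the equivalent of Steve's x509 check: the two DER blobs differ, so the certificates carry different subjects rather than one subject displayed two ways.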