Hi.

openssl ca performs a signature check on the CSR prior to issuing the
certificate. I could not find (I had posted on the list before) any way to
shut it off, and finally had to add a line to openssl ca to generate a
warning on signature verification failure rather than a fatal error.

Can we have a -noverify option in openssl ca (ca.c) that will make the ca
process ignore the results of the verification check?

This is why one might need this feature:

Suppose a client machine has generated a PKCS10 (such as with Xenroll
from Microsoft) and this PKCS10 arrives at the OpenSSL server. Now at the
server, some parts of the CSR need modifications. This could be a part of
the DN that needs to be expanded, modified or marked up by the CA.

The server would normally do the verification prior to modification. After
modification (by a pre-processor), there is no need to sign the modified
CSR again. This is also not possible, as the private key never came to the
server with the PKCS10 (which we like for better security, anyway). In this
case, openssl ca will currently fail.

If the experts agree, and want this kind of a feature, I could submit a
patch.

This feature is essential for openssl to implement what Microsoft (and other
commercial CAs) call the Enterprise CA mode. Though I needed it for a
different reason, it seems corporations often need this feature to install
Digital IDs in clients on their intranets.

Am I making sense?

Regards,

Sandipan

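As an added example (not part of Sandipan's post or OpenSSL's own code): the flow the post describes, with the CA expanding the client's DN, done without touching the CSR: the CSR signature is checked exactly as received, and `openssl ca -subj` supersedes the subject at issuance. Assumes an openssl CLI on PATH; every DN and file name below is constructed for the demo.

```shell
# Added demo, not from the original post: verify the received CSR as proof of
# possession, then let the CA supersede the DN at issuance with `openssl ca
# -subj` instead of editing the CSR. Assumes an openssl CLI on PATH; every
# name, DN and file below is constructed for the demo.
demo_ca_supersedes_dn() {
  work=$(mktemp -d) || return 1
  (
    cd "$work" || exit 1
    mkdir newcerts && : > index.txt && echo 01 > serial   # openssl ca database
    cat > ca.cnf <<'EOF'
[ ca ]
default_ca = demo
[ demo ]
dir            = .
database       = $dir/index.txt
new_certs_dir  = $dir/newcerts
serial         = $dir/serial
certificate    = $dir/ca.crt
private_key    = $dir/ca.key
default_md     = sha256
default_days   = 1
policy         = policy_any
[ policy_any ]
organizationName       = optional
organizationalUnitName = optional
commonName             = supplied
[ req ]
distinguished_name = req_dn
[ req_dn ]
EOF
    # CA key and self-signed CA certificate.
    openssl req -x509 -new -newkey rsa:2048 -nodes -keyout ca.key -out ca.crt \
      -subj "/O=Demo Corp/CN=Demo Enterprise CA" -days 1 -config ca.cnf 2>/dev/null
    # Client side: the private key stays here; only the CSR goes to the CA.
    openssl req -new -newkey rsa:2048 -nodes -keyout client.key -out client.csr \
      -subj "/CN=client01" -config ca.cnf 2>/dev/null
    # CA side, step 1: check the CSR signature exactly as received.
    openssl req -in client.csr -noout -verify 2>/dev/null || exit 1
    # CA side, step 2: issue with the expanded DN; the CSR is never rewritten,
    # so its signature still verifies and no -noverify is needed.
    openssl ca -batch -notext -config ca.cnf -in client.csr -out client.crt \
      -subj "/O=Demo Corp/OU=Intranet/CN=client01" 2>/dev/null || exit 1
    openssl x509 -in client.crt -noout -subject   # prints the CA-expanded DN
  )
  rc=$?
  rm -rf "$work"
  return $rc
}
```

Running `demo_ca_supersedes_dn` prints the issued certificate's subject, which carries the OU the CA added even though the CSR only named CN=client01.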
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]