-subj is under the CRL option of openssl ca
(http://www.openssl.org/docs/apps/ca.html#). Can it be used for the CA option?

Please note that my suggestion was to decouple the verification and signing,
and to let openssl ca verify by default.

If -subj cannot be used to override the DN in the request, what other option do
we have but to tell openssl ca to ignore the signature in this particular
special case?

Regards,
Sandipan

----- Original Message -----
From: "Massimiliano Pala" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Monday, April 16, 2001 2:18 PM
Subject: Re: Request for a -noverify option for openssl ca
> Sandipan Gangopadhyay wrote:
> >
> > Hi.
> >
> > openssl ca performs a signature check on the CSR prior to issuing the
> [...]
> > the DN that needs to be expanded or modified or marked up by the CA.
> [...]
> > This feature is essential for openssl to implement what Microsoft (and other
> > commercial CAs) call the Enterprise CA mode. Though I needed it for a
> > different reason, it seems corporations often need this feature to install
> > Digital IDs in clients on their intranets.
>
> There should be the -subj <arg> in the ca command which will let you
> issue the certificate using the modified dn (<arg>) instead of the one
> within the request.
>
> This is also logical because if you alter the request then it is no longer
> valid for verification and you cannot state the authenticity of the request.
>
> --
>
> C'you,
>
> Massimiliano Pala
>
> --o------------------------------------------------------------------------
> Massimiliano Pala [OpenCA Project Manager]        [EMAIL PROTECTED]
>                                                   [EMAIL PROTECTED]
> http://www.openca.org            Tel.:   +39 (0)59 270 094
> http://openca.sourceforge.net    Mobile: +39 (0)347 7222 365
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
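
The behaviour discussed in this thread, as an added example that is not code from either poster or from the OpenSSL project: a request whose DN was edited after signing yields no certificate from `openssl ca`, while the untouched request combined with `-subj` is issued under the CA-chosen DN. It assumes an installed `openssl` whose `ca` command accepts `-subj`; every name, key and file below is constructed for the demo.

```shell
#!/bin/sh
# Added demo: throwaway keys, constructed names, all files in a temp directory.
# Prints the subject of the issued certificate; exits non-zero if a step misbehaves.
demo_ca_subj() (
  d=$(mktemp -d) && cd "$d" || exit 1
  trap 'rm -rf "$d"' EXIT
  mkdir newcerts && : > index.txt && echo 01 > serial || exit 1
  cat > ca.cnf <<'EOF'
[ ca ]
default_ca = demo_ca
[ demo_ca ]
database = ./index.txt
new_certs_dir = ./newcerts
serial = ./serial
default_md = sha256
default_days = 30
policy = policy_any
[ policy_any ]
commonName = supplied
EOF
  # Throwaway CA, then a CSR signed by the requester's own key.
  openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.crt \
    -subj "/CN=Demo CA" -days 30 2>/dev/null || exit 1
  openssl req -new -newkey rsa:2048 -nodes -keyout user.key -out user.csr \
    -subj "/CN=requested-name" 2>/dev/null || exit 1
  # Rewrite the DN inside the request (same length, so the DER stays well formed).
  openssl req -in user.csr -outform DER |
    LC_ALL=C sed 's/requested-name/rewritten-name/' |
    openssl req -inform DER -out edited.csr 2>/dev/null || exit 1
  # The requester's signature no longer matches, so no certificate may come out.
  # This demo checks the output file rather than the exit status.
  openssl ca -batch -config ca.cnf -cert ca.crt -keyfile ca.key -notext \
    -in edited.csr -out edited.crt >/dev/null 2>&1
  [ ! -s edited.crt ] || { echo "edited request was certified" >&2; exit 1; }
  # Untouched request plus -subj: signature still checked, DN chosen by the CA.
  openssl ca -batch -config ca.cnf -cert ca.crt -keyfile ca.key -notext \
    -in user.csr -subj "/CN=ca-assigned-name" -out user.crt >/dev/null 2>&1
  [ -s user.crt ] || exit 1
  openssl x509 -in user.crt -noout -subject -nameopt RFC2253
)

demo_ca_subj
```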