On Thu, Oct 02, 2003, François Beretti wrote:

> hello all
>
> I would like to create a PKI (with openssl of course) which generates
> certificates with such DNs :
> givenName=Francois+sn=beretti+cn=0123456789,ou=myorganizationalunit,l=mylocality,o=myorganisation,c=mycountry
>
> how must I configure my openssl.cnf file to do this ?
>
> my only problem is the "+" stuff, I know how to generate certs with DNs
> of the form attr1=value,attr2=value,attr3=value

This is only supported in 'req' and only then in 0.9.8-dev.

You just precede the component with a + so you have "+commonName" etc in
openssl.cnf and it should output a request in the appropriate format.

You'll need -nameopt though if you want it to display properly because the
default (broken) DN format doesn't notice the difference.

If you use 'ca' to sign the request any kind of policy data is likely to
mess things up but if you use the preserveDN quirk it should sign the
request properly.

These things are called multi-valued RDSs of AVAs and several less polite
names. It's been reported that some software doesn't handle them properly.

Steve.
--
Dr Stephen N. Henson.
Core developer of the OpenSSL project: http://www.openssl.org/
Freelance consultant see: http://www.drh-consultancy.demon.co.uk/
Email: [EMAIL PROTECTED], PGP key: via homepage.
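
An added example, not part of the original thread and not the OpenSSL project's own configuration: a minimal `req` configuration that follows the reply above, using the values from the question's DN. The file names, the key size and the two-letter country value are assumptions.

```ini
# req-multirdn.cnf (hypothetical file name)
# Needs an OpenSSL whose 'req' understands the "+" prefix
# (0.9.8-dev at the time of the reply above).

[ req ]
prompt             = no
default_bits       = 2048
distinguished_name = req_dn

[ req_dn ]
# One RDN per line, most general first. RFC 2253 output prints
# them in the reverse order, which matches the DN in the question.
# countryName is limited to two characters, so "FR" is a constructed
# value standing in for the question's "mycountry".
countryName            = FR
organizationName       = myorganisation
localityName           = mylocality
organizationalUnitName = myorganizationalunit

# A leading "+" adds the attribute to the previous RDN instead of
# starting a new one, so these three lines form a single
# multi-valued RDN: givenName + surname + commonName.
givenName              = Francois
+surname               = beretti
+commonName            = 0123456789

# Generate the request, then display the subject with -nameopt so
# the "+" between the three values is visible:
#   openssl req -new -newkey rsa:2048 -nodes -config req-multirdn.cnf \
#       -keyout key.pem -out req.pem
#   openssl req -in req.pem -noout -subject -nameopt RFC2253
```

Because the three attributes are encoded as an ASN.1 SET, the order in which a tool prints them inside the RDN can differ from the order in the file.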