Thank you very much! I will try it today.
Thanks for the advice about the lack of interoperability. Actually, I did not choose this configuration; my job is to set up an LDAP directory on which users will be able to authenticate via TLS with their certificate in this PKI, and I have to test this architecture. That's why I would like to set up OpenSSL to do exactly the same thing, without asking somebody to make test certificates for me.
Thank you again,
Francois
Dr. Stephen Henson wrote:
This is only supported in 'req' and only then in 0.9.8-dev. You just precede the component with a + so you have "+commonName" etc in openssl.cnf and it should output a request in the appropriate format. You'll need -nameopt though if you want it to display properly because the default (broken) DN format doesn't notice the difference.
If you use 'ca' to sign the request any kind of policy data is likely to mess things up but if you use the preserveDN quirk it should sign the request properly.
These things are called multi-valued RDNs of AVAs and several less polite names. It's been reported that some software doesn't handle them properly.
Steve.
--
Dr Stephen N. Henson. Core developer of the OpenSSL project: http://www.openssl.org/
Freelance consultant see: http://www.drh-consultancy.demon.co.uk/
Email: [EMAIL PROTECTED], PGP key: via homepage.
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
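The `req` setup described in the quoted reply, as an added example that is not part of the original thread: it builds a test CSR with a multi-valued RDN and prints the subject with `-nameopt` so the grouping is visible. It assumes an OpenSSL version that includes this support; the DN values, file names and the function name `make_multivalued_csr` are constructed for illustration.

```shell
#!/bin/sh
# Added example: build a CSR whose subject contains a multi-valued RDN.
# All names and values below are constructed test data.

make_multivalued_csr() {
    workdir=$(mktemp -d) || return 1

    # "prompt = no" makes req take the DN straight from the [ dn ] section.
    # A leading "+" attaches that attribute to the previous RDN instead of
    # starting a new one, so UID and commonName end up in one RDN.
    cat > "$workdir/req.cnf" <<'EOF'
[ req ]
prompt             = no
distinguished_name = dn

[ dn ]
O           = Example Org
OU          = People
UID         = tuser
+commonName = Test User
EOF

    # Throwaway key for testing only (-nodes leaves it unencrypted).
    openssl req -new -newkey rsa:2048 -nodes \
        -config "$workdir/req.cnf" \
        -keyout "$workdir/test.key" -out "$workdir/test.csr" \
        >/dev/null 2>&1 || { rm -rf "$workdir"; return 1; }

    # RFC2253 output joins the members of a multi-valued RDN with "+";
    # the default DN display does not show the difference.
    openssl req -in "$workdir/test.csr" -noout -subject -nameopt RFC2253
    status=$?
    rm -rf "$workdir"
    return $status
}

make_multivalued_csr
```

When such a request is signed with `openssl ca`, the `-preserveDN` option corresponds to the "preserveDN quirk" mentioned in the reply.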