On Mon, Apr 23, 2007 at 07:03:19PM +0500, Arsen Hayrapetyan wrote:

> The user created a PKCS#10 request using 'openssl req -subj...' and 
> specified some subject distinguished name (DN), say 
> '/C=AM/O=Org/OU=Dep/DN=ABC'. When the certification authority signs this 
> request (for example, with command 'openssl ca...'), can it modify the 
> DN, say, set it to '/C=AM/O=Org/OU=Dep/OU=DepNew/DN=ABC' (add, delete or 
> replace an attribute)?

In theory yes, they have the public key in the request, and they are
free to mint any certificate they want. All they need is the right
software.

The only thing they should not be able to do is come up with the
corresponding private key, but it is not needed for certificate generation
(the private key is needed to generate a well-formed signed CSR, but
the CA does not strictly need a CSR).

-- 
        Viktor.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
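
The point made in the reply above, as an added example that is not part of the original thread: a throwaway CA driven by `openssl ca` issues a certificate under a different subject than the CSR asked for, and the requester then compares subject and public key. The file names, the `ca.cnf` contents and the subject values are constructed for this demo, and `CN=ABC` is used where the question wrote `DN=ABC`.

```shell
#!/bin/sh
# Added example (constructed data): a throwaway CA signs a CSR but issues the
# certificate under a different subject DN; the requester then checks the result.
work=$(mktemp -d) && cd "$work" || exit 1

# Throwaway CA key/cert, plus a user key and a CSR asking for OU=Dep only.
openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.crt \
  -subj "/C=AM/O=Org/CN=Demo CA" -days 1 2>/dev/null
openssl req -new -newkey rsa:2048 -nodes -keyout user.key -out user.csr \
  -subj "/C=AM/O=Org/OU=Dep/CN=ABC" 2>/dev/null

# Minimal 'openssl ca' configuration (all names here exist only for this demo).
: > index.txt; echo 01 > serial
cat > ca.cnf <<'EOF'
[ ca ]
default_ca = demo
[ demo ]
database = index.txt
serial = serial
new_certs_dir = .
certificate = ca.crt
private_key = ca.key
default_md = sha256
default_days = 1
policy = pol
[ pol ]
countryName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
EOF

# The CA overrides the requested subject with -subj; only the CSR's public key is kept.
openssl ca -batch -config ca.cnf -notext -in user.csr -out user.crt \
  -subj "/C=AM/O=Org/OU=Dep/OU=DepNew/CN=ABC" 2>/dev/null

# Requester-side checks: requested vs. issued subject, and is the key still ours?
csr_subject()  { openssl req  -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//'; }
cert_subject() { openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//'; }
same_pubkey()  {
  [ "$(openssl req -in "$1" -noout -pubkey)" = "$(openssl x509 -in "$2" -noout -pubkey)" ]
}

echo "requested: $(csr_subject user.csr)"
echo "issued:    $(cert_subject user.crt)"
same_pubkey user.csr user.crt && echo "public key: unchanged"
[ "$(csr_subject user.csr)" = "$(cert_subject user.crt)" ] || echo "subject: CHANGED by CA"
```

Comparing the issued subject and public key against the request on receipt is what lets the requester notice such a change before deploying the certificate.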
