> From: owner-openssl-us...@openssl.org On Behalf Of John R Pierce
> Sent: Monday, 28 June, 2010 13:18

> I'm trying to process a CRQ that came from a hardware appliance, and it's
> apparently missing its country code.
> and more.
>
> $ openssl ca -out tomcat-cert.pem -days 3650 -config ./openssl.cnf
> -infiles tomcat_crq.pem
<snip>
> The Subject's Distinguished Name is as follows
> commonName :PRINTABLE:'myhostname'
> The mandatory countryName field was missing
>

That's the default policy check. If you want to allow SubjName with no
country (and indeed nothing but commonName) you can use a different policy.
The simplest is policy_anything already in the distro configfile;
or you can edit/write your own.

> I tried adding -subj CN=myhostname.domain.com/OU=Domain\
> Test/O=domain.com/C=US/ST=CA/L=My\ City
>

That should have given you an error message. The correct format
begins with a slash e.g. /CN=myhost/OU=foo etc. and should work,
barring bugs, see below. Personally I'd use single quotes around
the string rather than backslash(es) to shell, to avoid confusion
with backslash to the program, but that's just style.

<snip>
> oh, if it matters, I'm using the openssl in Solaris 10..
>
> $ openssl version
> OpenSSL 0.9.7d 17 Mar 2004 (+ security fixes for: CVE-2005-2969
> CVE-2006-2937 CVE-2006-2940 CVE-2006-3738 CVE-2006-4339 CVE-2006-4343
> CVE-2007-5135 CVE-2008-5077 CVE-2009-0590)
>
> I realize this is a rather old release. will a newer one let me
> override the location etc ?

I don't notice any functional changes in this area in the distros
I have. (Some code did move from ca.c to parse_name in apps.c.)

But that build is clearly nonstandard to some extent, and if
the changes unintentionally screwed up something, it'll be hard
for people here to support, and I expect we won't be very eager.
If you do demonstrate a problem with that old nonstandard version
that vanishes on current or recent distros, you can guess what
unpaid advice you'll get.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
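
The policy check and the -subj format discussed in this thread can be reproduced with a throwaway CA. This is an added example, not part of the original message or of the OpenSSL distribution; the directory layout, the `demo_ca` section, the subjects and the function names `setup_demo_ca` and `sign_csr` are constructed for illustration, and it assumes a current `openssl` binary.

```shell
#!/bin/sh
# Added example: throwaway CA; every name, path and subject here is constructed.
setup_demo_ca() {    # $1 = empty working directory (the function cd's into it)
    cd "$1" || return 1
    mkdir newcerts && : > index.txt && echo 01 > serial || return 1
    cat > ca.cnf <<'EOF'
[ req ]
distinguished_name = dn
[ dn ]
commonName = Common Name
[ ca ]
default_ca = demo_ca
[ demo_ca ]
database      = ./index.txt
new_certs_dir = ./newcerts
serial        = ./serial
certificate   = ./ca.pem
private_key   = ./ca.key
default_md    = sha256
default_days  = 30
policy        = policy_match
[ policy_match ]
countryName            = match
stateOrProvinceName    = match
organizationName       = match
organizationalUnitName = optional
commonName             = supplied
[ policy_anything ]
countryName            = optional
stateOrProvinceName    = optional
localityName           = optional
organizationName       = optional
organizationalUnitName = optional
commonName             = supplied
EOF
    openssl req -config ca.cnf -x509 -newkey rsa:2048 -nodes -days 30 \
        -keyout ca.key -out ca.pem -subj '/C=US/ST=CA/O=Example/CN=Demo CA' 2>/dev/null &&
    # CN-only request, like the appliance's CSR in the thread
    openssl req -config ca.cnf -new -newkey rsa:2048 -nodes \
        -keyout host.key -out host.csr -subj '/CN=myhostname' 2>/dev/null
}
sign_csr() {         # $1 = output file, rest = extra "openssl ca" options
    out=$1; shift
    openssl ca -batch -config ca.cnf -in host.csr -out "$out" "$@"
}
# Usage: setup_demo_ca "$(mktemp -d)" && sign_csr cert.pem -policy policy_anything
```

Without extra options `sign_csr` fails on the missing countryName under `policy_match`; it succeeds with `-policy policy_anything`, or with a slash-led `-subj` whose C, ST and O match the CA certificate.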