[kmf-discuss] signing/verifying certificates with pktool(1)
Wyllys Ingersoll
wyllys.ingersoll at sun.com
Tue Jan 8 12:44:57 PST 2008
Massimiliano Pala wrote:
> Wyllys Ingersoll wrote:
> [...]
>> I don't follow. Why would the CA override the requestor's subject name or
>> SubjectAltName or any of those fields in the CSR? If they don't match the
>> policies of the CA, it can reject the signing request altogether, but I don't
>> think it would be appropriate for the signing agent to change the request
>> without the requestor's consent.
>>
>> The "lifetime" parameters are not part of a CSR and are always set by the CA.
>> keyusage, subject name, and other extensions are set by the requestor.
>
> In my experience you should not trust any extensions in the CSR... as most
> of the time these are *wrong*. It is common practice in CA software to
> simply ignore them and have the RA/CA (especially at RA level) set them
> correctly - also the subject DN should be 'override-able'... this would
> allow issuing the certificate with the correct fields without having the
> client make another request (and eventually generate a new keypair).
>
> Later,
> Max
>
The only extensions that pktool allows a user to set now are subjectAltName,
KeyUsage, and extendedKeyUsage. I was not really considering the myriad of
other extensions. I would understand ignoring them if they conflict with
a local CA policy.

Regarding the subject DN - is it common practice to override the one that
was requested? If the requested Subject DN does not match up with the
domain components of the issuer, does the CA just assume it was a mistake
and change it, or does it reject the request and tell the requestor
why it was not signed?
-Wyllys
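The two positions in this thread (reject a CSR whose fields conflict with CA policy and say why, versus have the RA/CA correct the fields and issue anyway) can be modelled as a small policy check. The Python below is an added example, not pktool's code or any real CA's; the policy values, the CSR contents and the `override` switch are all constructed for illustration, and the lifetime is taken from policy because it is never part of a CSR.

```python
from dataclasses import dataclass, field, replace

@dataclass
class CaPolicy:
    required_dn: dict       # DN components the issuer insists on, e.g. {"DC": "example.com"}
    allowed_ku: set         # keyUsage bits this CA will certify
    allowed_eku: set        # extendedKeyUsage values this CA will certify
    san_suffix: str         # dNSName SubjectAltNames must end with this
    validity_days: int      # lifetime is not part of a CSR; the CA always sets it
    override: bool = False  # False: reject and explain; True: correct the fields instead

@dataclass
class Csr:
    subject: dict
    key_usage: set = field(default_factory=set)
    ext_key_usage: set = field(default_factory=set)
    san: list = field(default_factory=list)

def process_csr(csr, policy):
    # Returns ("issued", fields) or ("rejected", reasons) after checking the CSR against policy.
    reasons = []
    fields = {"subject": dict(csr.subject), "keyUsage": set(csr.key_usage),
              "extendedKeyUsage": set(csr.ext_key_usage), "subjectAltName": list(csr.san),
              "validityDays": policy.validity_days}  # from policy, never from the CSR
    for attr, value in policy.required_dn.items():  # subject DN vs the issuer's components
        if csr.subject.get(attr) != value:
            reasons.append(f"subject {attr}={csr.subject.get(attr)!r} != issuer's {value!r}")
            fields["subject"][attr] = value
    for name, requested, allowed in (("keyUsage", csr.key_usage, policy.allowed_ku),
                                     ("extendedKeyUsage", csr.ext_key_usage, policy.allowed_eku)):
        bad = requested - allowed
        if bad:
            reasons.append(f"{name} not permitted: {sorted(bad)}")
            fields[name] = requested - bad
    bad_san = [n for n in csr.san if not n.endswith(policy.san_suffix)]
    if bad_san:
        reasons.append(f"subjectAltName outside CA domain: {bad_san}")
        fields["subjectAltName"] = [n for n in csr.san if n not in bad_san]
    if reasons and not policy.override:
        return "rejected", reasons  # tell the requestor why it was not signed
    return "issued", fields         # override mode: issue with the corrected fields

# Constructed sample: the DC, one keyUsage bit and one SAN conflict with the policy.
POLICY = CaPolicy(required_dn={"DC": "example.com"}, allowed_ku={"digitalSignature", "keyEncipherment"},
                  allowed_eku={"serverAuth", "clientAuth"}, san_suffix=".example.com", validity_days=365)
REQUEST = Csr(subject={"CN": "host1.example.com", "DC": "example.org"},
              key_usage={"digitalSignature", "keyCertSign"}, ext_key_usage={"serverAuth"},
              san=["host1.example.com", "host1.other.test"])
STRICT = process_csr(REQUEST, POLICY)                           # rejected, three reasons
LENIENT = process_csr(REQUEST, replace(POLICY, override=True))  # issued with corrected fields
```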