[kmf-discuss] signing/verifying certificates with pktool(1)

Massimiliano Pala pala at cs.dartmouth.edu
Tue Jan 8 12:50:20 PST 2008


Wyllys Ingersoll wrote:
[...]
> Regarding the subject DN - is it common practice to override the one that
> was requested?  If the requested Subject DN does not match up with the
> domain components of the issuer, does the CA just assume it was a mistake
> and change it or does it reject the request and tell the requestor
> why it was not signed?

Yes, it is a common practice. An error in the name... or simply a missing
field in the DN. Or a field which is added by the RA and that the user
was not aware of (or the application used by the client does not support).
I do remember that I had to patch OpenSSL to support the '-subj' both in
ca, x509 and req commands. I think it is a valuable option and it should
be included.

Later,
Max
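
The override-or-reject decision discussed in this message, sketched as an added example that is not part of the original post and is not pktool or OpenSSL code. The policy is hypothetical: DC components are forced to the issuer's, attributes listed in `defaults` are added when missing, a request with no CN is rejected, and every change is recorded so the requester can be told what was altered. The function names and sample DNs are constructed.

```python
import re

def parse_subj(subj):
    """Parse an OpenSSL '-subj' style string such as '/DC=org/CN=alice'."""
    rdns = []
    for part in re.split(r"(?<!\\)/", subj.strip()):  # split on unescaped '/'
        if not part:
            continue
        attr, sep, value = part.partition("=")
        if not sep or not attr.strip() or not value.strip():
            raise ValueError("malformed RDN: %r" % part)
        rdns.append((attr.strip(), value.replace("\\/", "/").strip()))
    return rdns

def format_subj(rdns):
    return "".join("/%s=%s" % (a, v.replace("/", "\\/")) for a, v in rdns)

def apply_ra_policy(requested_subj, issuer_dcs, defaults):
    """Return (issued_subj, changes) under the hypothetical policy:
    force DC components to the issuer's, add missing default attributes,
    and reject (ValueError) a request that carries no CN."""
    rdns = parse_subj(requested_subj)
    changes = []
    if not any(a == "CN" for a, _ in rdns):
        raise ValueError("rejected: request has no CN to certify")
    req_dcs = [v for a, v in rdns if a == "DC"]
    if [d.lower() for d in req_dcs] != [d.lower() for d in issuer_dcs]:
        changes.append("DC: %s -> %s" % (req_dcs or "(none)", issuer_dcs))
    rest = [(a, v) for a, v in rdns if a != "DC"]
    present = {a for a, _ in rest}
    added = []
    for attr, value in defaults:
        if attr not in present:  # field the requester did not supply
            added.append((attr, value))
            changes.append("%s: added %r" % (attr, value))
    issued = [("DC", d) for d in issuer_dcs] + added + rest
    return format_subj(issued), changes

# Constructed sample: the request names the wrong top-level DC and omits O.
if __name__ == "__main__":
    print(apply_ra_policy("/DC=com/DC=example/CN=alice",
                          ["org", "example"], [("O", "Example Org")]))
```
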