
What do I do to supply the missing DN during certification ?


Sandipan Gangopadhyay

Apr 4, 2001, 1:58:00 AM
I have an otherwise nicely working openssl setup. I am facing a problem only
when I try the following:

1. I have a PKCS10 in user.csr where the DN is a blank (null string). From:
strReq = Enroll.createPKCS10("", "1.3.6.1.5.5.7.3.2") (This works fine
however if DN is say, "CN=sandipan" instead of "")

2. I have the DN in the config file user.cnf that is passed to - ./openssl
ca -config ./user.cnf -out ./user.crt -infiles ./user.csr

Config file is:
[ req ]
...
distinguished_name = req_distinguished_name
[ req_distinguished_name ]
C = FR
ST = Nord Pas
L = Lille
O = CAer
OU = Root CA Services
CN = userX

3. openssl ca gives the following error:
...
Check that the request matches the signature
Signature ok
The Subjects Distinguished Name is as follows
The commonName field needed to be supplied and was missing

What do I do to supply the DN missing in the CSR during certification ?

Thanks,

Sandipan

______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openss...@openssl.org
Automated List Manager majo...@openssl.org

Reddie, Steven

Apr 4, 2001, 2:12:57 AM
I don't know what "Enroll.createPKCS10" is, but your problem seems to be
occurring at this first step, before you even get to OpenSSL.

Your certificate request doesn't contain the subject name, and from your
point 1 it seems that you've chosen not to set the subject name in the
Enroll.createPKCS10 call. The primary purpose of a certificate is to
associate an entity (subject) with a key. Since the certificate's content
is taken from the certificate request, then the request must also contain
the subject name.

The settings in the user.cnf file that you refer to are used for setting the
fields of the certificate request when running the "openssl req" command.
By the time you run the "openssl ca" command, the subject DN of the
certificate request should already be set.

It sounds like you're trying to automate the generation of certificates, but
perhaps doing it the wrong way.

Steven
--
Steven Reddie <Steven...@ca.com>
Senior Software Engineer
Computer Associates Pty Ltd (Australia)

Sandipan Gangopadhyay

Apr 4, 2001, 3:57:58 AM
Thanks. I understand now where I was going wrong.

Can I use the PKCS10 (generated by Xenroll.dll on MSWindows) (that basically
carried the public key) and add the DN with openssl req ?

My intention is to have the public key from the client machine (only PKCS10
available) and then supply the DN at the certification server. Do you have
any advice about how I can go about it ?

Thanks again,

Sandipan
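
The scenario in the follow-up question, as an added example that is not part of the original thread: in current OpenSSL releases `openssl ca` accepts `-subj`, which replaces the subject carried in the request, so a CSR with an empty subject can be given its DN at the CA. The demo CA, file names and policy section are constructed for illustration; the O and CN values are the ones from the config quoted in the first post.

```shell
#!/bin/sh
# Added example. The demo CA, file names and policy section are constructed.
sign_with_ca_subject() {    # $1 = DN assigned by the CA operator, in -subj form
    work=$(mktemp -d) || return 1
    (
    cd "$work" || exit 1
    mkdir newcerts; : > index.txt; echo 01 > serial
    cat > ca.cnf <<'EOF'
[ req ]
distinguished_name = dn
[ dn ]
commonName = Common Name
[ ca ]
default_ca = demo_ca
[ demo_ca ]
database = ./index.txt
serial = ./serial
new_certs_dir = ./newcerts
certificate = ./ca.crt
private_key = ./ca.key
default_md = sha256
default_days = 30
policy = policy_demo
[ policy_demo ]
# "supplied" is the rule behind "The commonName field needed to be supplied"
organizationName = optional
commonName = supplied
EOF
    # Throwaway CA key and self-signed certificate.
    openssl req -config ca.cnf -x509 -newkey rsa:2048 -nodes -days 30 \
        -keyout ca.key -out ca.crt -subj "/CN=Demo CA" 2>/dev/null || exit 1
    # Stand-in for the client: a PKCS#10 with a key but an empty subject.
    openssl req -config ca.cnf -new -newkey rsa:2048 -nodes \
        -keyout user.key -out user.csr -subj "/" 2>/dev/null || exit 1
    # Signing the request as-is must fail the policy check, as in the thread.
    if openssl ca -batch -config ca.cnf -in user.csr -out bad.crt 2>/dev/null
    then echo "empty subject was accepted" >&2; exit 1; fi
    # -subj replaces the request's subject with the DN chosen at the CA.
    openssl ca -batch -notext -config ca.cnf -subj "$1" \
        -in user.csr -out user.crt 2>/dev/null || exit 1
    # Print the subject of the issued certificate.
    openssl x509 -in user.crt -noout -subject -nameopt RFC2253
    )
    rc=$?; rm -rf "$work"; return "$rc"
}
```

The signature on the CSR only proves possession of the private key, so when the DN is assigned this way the CA has to authenticate the requester itself before binding that name to the key. Only the fields named in the policy section end up in the issued subject.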
