What is the difference between openssl ca and openssl x509 commands? I'm using it to create and sign my root-ca, intermed-ca and clients certificates, but the openssl ca command does not register the cellphone and emailAddress on the certificates while openssl x509 does.

CA ca.cert.pem -CAkey ca.key.pem -CAcreateserial -days 365

# CRL Download address for the intermediate CA
# Certificate Authorities Alternative Names
email = Certificate download addresses for the intermediate CA
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = critical, serverAuth, clientAuth
extendedKeyUsage = critical, clientAuth, emailProtection
subjectAltName = Distinguished Name (DN)
commonName = Intermediate Certification Authority
emailAddress = Server Certificate Extensions
#xmppAddr = optional # Added to SubjAltName by req
default_keyfile = private/
# Distinguished Name Policy for Personal Certificates

From the man page for ca(1) (ca(1ssl) or similar on some systems), emphasis added:

The policy section consists of a set of variables corresponding to certificate DN fields. If the value is "match" then the field value must match the same field in the CA certificate. If the value is "supplied" then it must be present. If the value is "optional" then it may be present. Any fields not mentioned in the policy section are silently deleted, unless the -preserveDN option is set but this can be regarded more of a quirk than intended behaviour.

Any fields in a request that are not present in a policy are silently deleted. This does not happen if the -preserveDN option is used. To enforce the absence of the EMAIL field within the DN, as suggested by RFCs, regardless the contents of the request' subject the -noemailDN option can be used.