sign-req not honoring --req-c, --req-st, --req-city, ... and falling back to CSR values #1087
Comments
OpenSSL does not work the way you expect.
@TinCanTech That openssl command did what I wanted to do. So maybe my explanation wasn't that great then...
If you mean OpenSSL
I guess not.
Hi, the sign-req command doesn't honor explicitly provided values for req-c, req-st, req-city, req-org, req-email, req-ou, and probably more.
It always just uses the values from within the CSR, which is undesirable in many cases. Also it is not possible to "patch" a CSR without knowing the private key (in this case stored within an HSM). So the only way to modify them is while signing.
Also the integrated help doesn't say that they're not supported in this context either.
I also tried using them together with "--dn-mode=org" as well as an additional "--batch". But neither worked.
Edit: Or add an equivalent to openssl x509 --req --force_pubkey, but that would be way more confusing than just "allowing" these parameters to work also for sign-req as one would expect.