author     Bodo Möller <bodo@openssl.org>  2001-10-25 08:25:19 +0000
committer  Bodo Möller <bodo@openssl.org>  2001-10-25 08:25:19 +0000
commit     89da653fa62598c29dc29b7e1741985f51172837 (patch)
tree       125bd52dc9658889f916c84b0298185be4c76314 /doc
parent     af50b58c3ff69fbee269c452f0a05f05c7d44265 (diff)
download   openssl-89da653fa62598c29dc29b7e1741985f51172837.tar.gz
Add '-noemailDN' option to 'openssl ca'. This prevents inclusion of
the e-mail address in the DN (i.e., it will go into a certificate
extension only). The new configuration file option 'email_in_dn = no'
has the same effect.

Submitted by: Massimiliano Pala madwolf@openca.org
Diffstat (limited to 'doc')
-rw-r--r--  doc/apps/ca.pod  24
1 files changed, 22 insertions, 2 deletions
diff --git a/doc/apps/ca.pod b/doc/apps/ca.pod
index 420a0e376d..ea59c252a8 100644
--- a/doc/apps/ca.pod
+++ b/doc/apps/ca.pod
@@ -34,6 +34,7 @@ B<openssl> B<ca>
[B<-spkac file>]
[B<-ss_cert file>]
[B<-preserveDN>]
+[B<-noemailDN>]
[B<-batch>]
[B<-msie_hack>]
[B<-extensions section>]
@@ -157,6 +158,15 @@ is the same as the request. This is largely for compatibility with the
older IE enrollment control which would only accept certificates if their
DNs match the order of the request. This is not needed for Xenroll.
+=item B<-noemailDN>
+
+The DN of a certificate can contain the EMAIL field if present in the
+request DN, however it is good policy just having the e-mail set into
+the altName extension of the certificate. When this option is set the
+EMAIL field is removed from the certificate' subject and set only in
+the, eventually present, extensions. The B<email_in_dn> keyword can be
+used in the configuration file to enable this behaviour.
+
=item B<-batch>
this sets the batch mode. In this mode no questions will be asked
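Review bot: the closing sentence of the new B<-noemailDN> entry, "The B<email_in_dn> keyword can be used in the configuration file to enable this behaviour", omits the one thing that matters, the value: according to the B<email_in_dn> entry added later in this same patch, only 'email_in_dn = no' removes the field, and any other value (or no setting at all) keeps the default. Suggest "Setting B<email_in_dn> to B<no> in the configuration file has the same effect." Two wording fixes in the same paragraph: "certificate' subject" should be "certificate's subject", and "the, eventually present, extensions" is a false friend for "possibly present"; "set only in the extensions, if any are requested" says what is meant. It would also help the reader to state plainly that the e-mail reaches the certificate only if the extension section puts it there, since the option itself only deletes it from the DN.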
@@ -308,6 +318,12 @@ the same as B<-crlexts>.
the same as B<-preserveDN>
+=item B<email_in_dn>
+
+the same as B<-noemailDN>. If you want the EMAIL field to be removed
+from the DN of the certificate simply set this to 'no'. If not present
+the default is to allow for the EMAIL filed in the certificate's DN.
+
=item B<msie_hack>
the same as B<-msie_hack>
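Review bot: "the same as B<-noemailDN>" is inverted for a yes/no keyword: B<-noemailDN> is a switch that removes the field, whereas B<email_in_dn> defaults to keeping it and only 'no' matches the switch, so a reader who writes 'email_in_dn = yes' expecting the flag's effect gets the opposite. Suggest "Setting this to B<no> is the same as B<-noemailDN>; if it is absent or has any other value the EMAIL field is kept in the DN." Also "EMAIL filed" should read "EMAIL field".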
@@ -437,6 +453,7 @@ A sample configuration file with the relevant sections for B<ca>:
default_md = md5 # md to use
policy = policy_any # default policy
+ email_in_dn = no # Don't add the email into cert DN
nameopt = default_ca # Subject name display option
certopt = default_ca # Certificate display option
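Review bot: the sample configuration now carries 'email_in_dn = no', the non-default setting, while the keyword's own entry says the default is to allow the EMAIL field in the DN; a reader copying the sample gets the opt-in behaviour without being told it is a policy choice. Either keep the sample at the default or make the comment say why, e.g. "# recommended: keep the e-mail out of the DN, see -noemailDN".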
@@ -518,8 +535,11 @@ exposed at either a command or interface level so a more friendly utility
B<CA.pl> help a little but not very much.
Any fields in a request that are not present in a policy are silently
-deleted. This does not happen if the B<-preserveDN> option is used.
-The behaviour should be more friendly and configurable.
+deleted. This does not happen if the B<-preserveDN> option is used. To
+enforce the absence of the EMAIL field within the DN, as suggested by
+RFCs, regardless the contents of the request' subject the B<-noemailDN>
+option can be used. The behaviour should be more friendly and
+configurable.
Cancelling some commands by refusing to certify a certificate can
create an empty file.
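Review bot: "as suggested by RFCs" in the WARNINGS paragraph is unsourced and a reader cannot act on it; cite the specific RFC meant (the PKIX profile, which deprecates emailAddress in the subject name in favour of the altName extension, is the obvious candidate) or drop the phrase. Two grammar fixes in the same lines: "regardless the contents of the request' subject" should read "regardless of the contents of the request's subject", and "To enforce the absence of the EMAIL field" is stilted; "To keep the EMAIL field out of the DN" is plainer.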
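The option documented in the patch above, run end to end as an added example (this is demo code written for this page, not code from the OpenSSL commit or the project): it builds a throw-away CA under a temporary directory, signs one request whose subject carries emailAddress three times (default behaviour, with -noemailDN on the command line, and with email_in_dn = no in the configuration), and prints each certificate's subject and subjectAltName. The directory layout, config sections and file names (demoCA, ca.cnf, alice.csr) and the identity alice@example.org are constructed for the demo; subjectAltName = email:copy is the x509v3 extension syntax that lifts the request's e-mail into the extension, which is how the address survives when it is dropped from the DN. It needs an openssl binary on PATH.

```shell
#!/bin/sh
# Added example, not part of the OpenSSL commit: sign one CSR whose subject
# carries emailAddress three ways (default, -noemailDN, email_in_dn = no)
# and compare where the e-mail ends up. All names below are demo assumptions.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Directory layout 'openssl ca' expects (throw-away demo CA)
mkdir -p demoCA/newcerts
: > demoCA/index.txt
echo 01 > demoCA/serial

cat > ca.cnf <<'EOF'
[ ca ]
default_ca       = CA_default

[ CA_default ]
dir              = ./demoCA
database         = $dir/index.txt
new_certs_dir    = $dir/newcerts
serial           = $dir/serial
certificate      = ./cacert.pem
private_key      = ./cakey.pem
default_md       = sha256
default_days     = 30
policy           = policy_any
x509_extensions  = usr_cert
unique_subject   = no          # the demo signs the same DN more than once
email_in_dn      = yes         # documented default: keep EMAIL in the DN

[ policy_any ]
commonName       = supplied
emailAddress     = optional

[ usr_cert ]
basicConstraints = CA:FALSE
subjectAltName   = email:copy  # lift the request's e-mail into the SAN

[ req ]
distinguished_name = req_dn
prompt             = no

[ req_dn ]
CN = Demo CA
EOF

# Second config with 'email_in_dn = no' in the CA section (derived by sed)
sed 's/^email_in_dn *= *yes/email_in_dn = no/' ca.cnf > ca_noemail.cnf

# Throw-away CA key and self-signed certificate
openssl req -x509 -newkey rsa:2048 -nodes -days 30 -config ca.cnf \
    -keyout cakey.pem -out cacert.pem 2>/dev/null

# End-entity request whose subject DN carries an emailAddress (demo identity)
openssl req -new -newkey rsa:2048 -nodes -config ca.cnf \
    -subj '/CN=Alice/emailAddress=alice@example.org' \
    -keyout alice.key -out alice.csr 2>/dev/null

# 1. default: EMAIL stays in the subject DN (and is also copied to the SAN)
openssl ca -config ca.cnf -batch -notext -in alice.csr -out default.pem 2>/dev/null
# 2. -noemailDN on the command line
openssl ca -config ca.cnf -batch -notext -noemailDN -in alice.csr -out flag.pem 2>/dev/null
# 3. email_in_dn = no in the configuration file
openssl ca -config ca_noemail.cnf -batch -notext -in alice.csr -out cfg.pem 2>/dev/null

# Print the subject line, or the line following the SAN header, of a cert
cert_subject() { openssl x509 -in "$1" -noout -subject; }
cert_san() { openssl x509 -in "$1" -noout -text | grep -A1 'Subject Alternative Name' | tail -n 1; }
# Exit status 0 when the subject DN contains an emailAddress attribute
subject_has_email() { cert_subject "$1" | grep -q emailAddress; }
# Exit status 0 when the subjectAltName extension carries the demo e-mail
san_has_email() { cert_san "$1" | grep -q 'email:alice@example.org'; }

for c in default.pem flag.pem cfg.pem; do
    printf '%s\n  %s\n  %s\n' "$c" "$(cert_subject "$c")" "$(cert_san "$c")"
done
```

Only the first certificate carries emailAddress in its subject; all three carry it in the subjectAltName, because email:copy runs against the request's name before the DN is trimmed. Drop the subjectAltName line from [ usr_cert ] and the e-mail disappears from the -noemailDN certificates entirely, which is the caveat the documentation should state: the option removes the address, it does not move it.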