To answer my own question:
Yes, there is a flag on the openssl ca command that will preserve the order of fields in the subject DN:
`-preserveDN`

> Normally the DN order of a certificate is the same as the order of the fields in the relevant policy section. When this option is set the order is the same as the request. This is largely for compatibility with the older IE enrollment control which would only accept certificates if their DNs match the order of the request. This is not needed for Xenroll.
So, this solves the immediate problem.
However, in the long run it would be better if the AWS Private CA put the subject DN fields in the more usual order of C=,ST=,O=,OU=,CN=. This is supposed to represent a descent into an X.500 directory tree, and the order of C=,O=,OU=,ST=,CN=,L= is just bizarre.
Also note that the openssl ca man page specifically indicates that this option was created for a really old IE quirk, and is no longer needed. The OpenSSL/LibreSSL devs may remove this option and then we'd be stuck again. We could re-order the fields in the openssl.conf file, but this seems to be overkill for a single oddball case.