OpenCA always displays DNs as defined by RFC 2253. There are five options which influence the subject during issuing itself:

Table 4.3. Common stuff configuration

Parameter | Description
---|---
SET_REQUEST_SERIAL_IN_DN | This option enforces the inclusion of the request's serial in the subject of the certificate. This is a simple method to guarantee that the subject is unique. True values are Y, YES and ON.
REQUEST_SERIAL_NAME | If the serial of the request is included then this option defines which attribute is used for the serial.
SET_CERTIFICATE_SERIAL_IN_DN | This option enforces the inclusion of the certificate's serial in the subject of the certificate. This is a simple method to guarantee that the subject is unique. This option is preferable to SET_REQUEST_SERIAL_IN_DN because the value is transparent. True values are Y, YES and ON.
CERTIFICATE_SERIAL_NAME | If the serial of the certificate is included then this option defines which attribute is used for the serial.
DN_WITHOUT_EMAIL | This option is used to enforce the recommendations of S/MIME v3. If you don't want to include the email address in the subject then you can use this option. OpenCA removes the email address from the subject before it issues the certificate. True values are again Y, YES and ON.
By default OpenCA uses the old “o=University,c=de” style. Several users, such as international companies, universities or other big organizations, need the new dc style, so we support the dc style too. It is necessary to change several files because the configuration of the subjects is highly integrated into the software. We will explain it with an example:

```
base dn or suffix: dc=university,dc=edu
user dn:           dc=mike tester,dc=university,dc=edu
webserver dn:      dc=www,dc=university,dc=edu
ca dn:             dc=CA,dc=university,dc=edu
```
There are five things which you have to check when changing to the dc style. The steps are described below.

Two things must be changed in the configuration files of the servers.
The LDAP configuration must be adapted to the new dc style. The variables which you must modify are basedn and ldaproot. The basedn is the suffix of the LDAP server. The ldaproot is the dn of the root user used to bind to the LDAP server. The ldaproot does not have to be changed because it is freely configurable by the administrator of the LDAP server.

```
basedn   "dc=university,dc=edu"
ldaproot "dc=manager,dc=university,dc=edu"
```
The configuration of the requests must be changed too because it is prepared for the old style. Please read the following example to get an overview of a dc-styled configuration. Please read the section about the CSR configuration to understand how the normal requests can be configured.

```
DN_TYPE_BASIC_BODY         "YES"
DN_TYPE_BASIC_KEYGEN_MODE  "SERVER"
DN_TYPE_BASIC_KEYGEN_SHEET "/usr/local/OpenCA/lib/servers/pub/sheets/basic_csr_confirm_request.html"
DN_TYPE_BASIC_BASE         "DC" "DC"
DN_TYPE_BASIC_ELEMENTS     "DC"
DN_TYPE_BASIC_NAME         "Basic User Request"
DN_TYPE_BASIC_BASE_1       "University"
DN_TYPE_BASIC_BASE_2       "edu"
DN_TYPE_BASIC_ELEMENT_1    "Name"
```
Please check the installed or prepared files with the name main.html, because several HTML files display the suffix of all the DNs.
The mail templates must be checked as well. You can find these files in lib/servers/ra/mails. They are the default templates for the mails which RA Operators can send to the users. They include the suffix of the LDAP server; this suffix is called Dir Root. It must be changed to the real suffix of your LDAP server.
You must modify the files OPENCADIR/etc/openssl/openssl.cnf and OPENCADIR/etc/openssl/openssl/*.conf. The policy and req sections must be changed to support requests and certificates with subjects in the dc style. If you don't know how to configure OpenSSL then please read the OpenSSL documentation.
If you generate the initial request for the CA then please ignore all the fields for the normal subject style. Simply enter nothing in all fields until the software displays the window which shows you the complete subject. There you have to enter the complete subject of the CA request. The subject is in RFC 2259 format and every “DC” must be written in capital letters because OpenSSL is case sensitive.
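The options of Table 4.3 and the two dc-style rules above (every DC in capital letters, subject ending in the LDAP basedn) can be checked before a request reaches OpenSSL. The following Python is an added example, not OpenCA's own code; it assumes the serial is placed as the leftmost RDN and uses serialNumber as the attribute name, both assumptions rather than documented behaviour.

```python
# Added example, not OpenCA's own code: applies DN_WITHOUT_EMAIL and
# SET_CERTIFICATE_SERIAL_IN_DN to a request subject, then checks the two
# dc-style rules from the text. Serial placement is an assumption.
TRUE_VALUES = {"Y", "YES", "ON"}  # the true values listed in Table 4.3

def split_dn(dn):
    """Split an RFC 2253 string into (type, value) pairs, honouring '\\,' escapes."""
    rdns, buf, escaped = [], [], False
    for ch in dn:
        if escaped or ch == "\\":
            buf.append(ch)
            escaped = not escaped  # the character after a backslash is literal
        elif ch == ",":
            rdns.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    rdns.append("".join(buf))
    return [tuple(p.strip() for p in rdn.partition("=")[::2]) for rdn in rdns]

def prepare_subject(subject, config, serial, basedn):
    """Return the subject as issued, or raise ValueError on a dc-style mistake."""
    rdns = split_dn(subject)
    if config.get("DN_WITHOUT_EMAIL") in TRUE_VALUES:  # S/MIME v3 recommendation
        rdns = [(a, v) for a, v in rdns if a.lower() != "emailaddress"]
    if config.get("SET_CERTIFICATE_SERIAL_IN_DN") in TRUE_VALUES:
        # Assumption: the serial becomes the most specific (leftmost) RDN.
        rdns.insert(0, (config["CERTIFICATE_SERIAL_NAME"], str(serial)))
    for attr, _ in rdns:  # OpenSSL is case sensitive: "dc" is not "DC"
        if attr.lower() == "dc" and attr != "DC":
            raise ValueError(f"{attr!r} must be written as DC")
    # domainComponent matches case-insensitively in LDAP, so compare lowered.
    suffix = [(a.lower(), v.lower()) for a, v in split_dn(basedn)]
    tail = [(a.lower(), v.lower()) for a, v in rdns[-len(suffix):]]
    if tail != suffix:
        raise ValueError(f"subject does not end with basedn {basedn!r}")
    return ",".join(f"{a}={v}" for a, v in rdns)

def is_rejected(subject, config, basedn):
    """True when prepare_subject refuses the subject."""
    try:
        prepare_subject(subject, config, 1, basedn)
    except ValueError:
        return True
    return False
```

Running it against the example DNs from the dc-style section shows the email attribute stripped, the serial prepended, and a lower-case "dc=www,..." subject rejected before OpenSSL ever sees it.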