To answer my own question:
Yes, there is a flag on the openssl ca command that will preserve the order of fields in the subject DN:
-preserveDN
Normally the DN order of a certificate is the same as the order of the fields in the relevant policy section. When this option is set the order is the same as the request. This is largely for compatibility with the older IE enrollment control which would only accept certificates if their DNs match the order of the request. This is not needed for Xenroll.
So, this solves the immediate problem.
However, in the long run it would be better if the AWS Private CA put the subject DN fields in the more usual order of C=,ST=,O=,OU=,CN=. This is supposed to represent a descent into an X.500 directory tree, and the order of C=,O=,OU=,ST=,CN=,L= is just bizarre.
Also note that the openssl ca man page specifically indicates that this option was created for a really old IE quirk, and is no longer needed. The OpenSSL/LibreSSL devs may remove this option and then we'd be stuck again. We could re-order the fields in the openssl.conf file, but this seems to be overkill for a single oddball case.