Subject comparing #14
Comments
|
I am afraid I do not understand the problem properly. So if the program complains about differing subjects but continues anyway you should be fine. |
|
May be it is OpenSsl issue when executed X509_NAME_cmp(). I need to find matches in certificate subject: |
|
I understand you actually WANT to match the cert subject against the csr subject? I don't know why this would be useful (in fact it can cause a lot of trouble, which is why the original check was removed from the sscep code). Your problem is very likely caused by a nasty side effect of the OpenSSL X509_NAME_cmp() function: even if the string representation of a subject looks exactly the same, the corresponding DER representation does not necessarily have to match. For example, I had the problem that the request contained a BMPString with the requested subject. The CA then returned a certificate with the exact same subject, but encoded as IA5String (or vice versa). The OpenSSL compare function considers the string as different even if their ASCII representation is identical. |
|
Ok, I understood. Best solution it is to disable subject comparison. I'm right? |
|
In my opinion and from my experience designing and developing PKI solutions (OpenXPKI and CertNanny) I think it is best to disable it - it does hurt more than help. |
I have a problem and I need your advice.
I create CSR with CN=Test User, and after enroll I get receive certificate with subject like: (/C=US/ST=Qwerty/L=Asdfg/O=Test organization/CN=Test User)
And when sscep compared subjects I have a false:
X509_NAME_cmp() workaround: strcmp request subject (/CN=Test User) to cert subject (/C=US/ST=Qwerty/L=Asdfg/O=Test organization/CN=Test User)
How I can check if certificate subject contain request subject?
The text was updated successfully, but these errors were encountered: