[gnutls-help] certtool: overriding certain fields of a cert req?

Daiki Ueno ueno at gnu.org
Mon Mar 20 02:47:58 CET 2023


Hello,

Michael Tokarev <mjt at tls.msk.ru> writes:

> Is there a way in certtool to override certain fields in a certificate
> request when issuing a certificate, such as subject/dn, for example like
> this can be done with openssl:
>
>  openssl ca -infiles user.crs -out user.crt -subj "/CN=foo/C=BAR/O=baz"
>
> ?
>
> I tried to list dn in the template file, but apparently it is being
> ignored when processing a crq and doing --generate-certificate.

Just to confirm: is my understanding correct that you are trying to
override the DN of an existing certificate request, with something like
the following?

  certtool --generate-certificate --load-request user.crs \
           --load-ca-privkey=... --load-ca-certificate=... \
           --template=overriding-dn.tmpl

As far as I read the certtool code, this doesn't seem to be supported:
values from the template are only respected when no certificate requests
are given:
https://gitlab.com/gnutls/gnutls/-/blob/5005e0825a0dba81ed94bc262e11cc67b1d50beb/src/certtool.c#L365

If there is a specific use-case for this feature, feel free to file a
ticket at the issue tracker:
https://gitlab.com/gnutls/gnutls/-/issues

Regards,
-- 
Daiki Ueno


