[gnutls-help] certtool: overriding certain fields of a cert req?
Daiki Ueno
ueno at gnu.org
Mon Mar 20 02:47:58 CET 2023
Hello,
Michael Tokarev <mjt at tls.msk.ru> writes:
> Is there a way in certtool to override certain fields in a certificate
> request when issuing a certificate, such as subject/dn, for example like
> this can be done with openssl:
>
> openssl ca -infiles user.crs -out user.crt -subj "/CN=foo/C=BAR/O=baz"
>
> ?
>
> I tried to list dn in the template file, but apparently it is being
> ignored when processing a crq and doing --generate-certificate.
Just to confirm: is my understanding correct that you are trying to
override the DN of an existing certificate request, with something like
the following?

  certtool --generate-certificate --load-request user.crs \
    --load-ca-privkey=... --load-ca-certificate=... \
    --template=overriding-dn.tmpl

As far as I read the certtool code, this doesn't seem to be supported:
values from the template are only respected when no certificate requests
are given:
https://gitlab.com/gnutls/gnutls/-/blob/5005e0825a0dba81ed94bc262e11cc67b1d50beb/src/certtool.c#L365
If there is a specific use-case for this feature, feel free to file a
ticket at the issue tracker:
https://gitlab.com/gnutls/gnutls/-/issues
Regards,
--
Daiki Ueno
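
Since the reply above says template values are not applied when a request is loaded, the following added example (not part of the original message and not GnuTLS project code) checks a request's subject against the DN the CA expects before signing. The function names, the CA file names and the sample `--crq-info` text are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: refuse to sign a request whose subject is not the DN the CA
# expects, because the issued certificate takes its DN from the request.

# Constructed sample of `certtool --crq-info` text (layout is an assumption).
SAMPLE_CRQ_INFO='PKCS #10 Certificate Request Information:
    Version: 1
    Subject: CN=foo,O=baz,C=BAR
    Subject Public Key Algorithm: RSA'

# Print the subject DN found in crq-info text read on stdin.
# "Subject Public Key Algorithm:" does not match, since the colon must
# directly follow the word "Subject".
crq_subject() {
    sed -n 's/^[[:space:]]*Subject:[[:space:]]*//p' | head -n 1
}

# Return 0 only if the subject in the crq-info text on stdin equals $1.
# The comparison is an exact string match; an empty subject never matches.
subject_matches() {
    actual=$(crq_subject)
    [ -n "$actual" ] && [ "$actual" = "$1" ]
}

# Sign only after the gate passes.
# $1 = request file, $2 = expected DN, $3 = template file.
# ca-key.pem and ca-cert.pem are placeholder file names.
sign_if_expected() {
    certtool --crq-info --infile "$1" | subject_matches "$2" || {
        echo "refusing to sign $1: subject is not '$2'" >&2
        return 1
    }
    certtool --generate-certificate --load-request "$1" \
        --load-ca-privkey ca-key.pem --load-ca-certificate ca-cert.pem \
        --template "$3" --outfile "${1%.*}.crt"
}

# Offline demonstration on the constructed sample.
if printf '%s\n' "$SAMPLE_CRQ_INFO" | subject_matches "CN=foo,O=baz,C=BAR"; then
    echo "sample request: subject accepted"
fi
```
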