OpenSSL "policy" Options for "ca" Command

Q

What are policy options in the configuration file for the OpenSSL "ca" command?

✍: FYIcenter.com

A

Policy options in the configuration file are used by the OpenSSL "ca" command for two purposes:

  • To define validation rules for the DN (Distinguished Name) fields of a certificate request.
  • To define the order of the DN (Distinguished Name) fields in the issued certificate.

Policy options must be provided in a named section, like [my_ca_policy], in the configuration file. Then you can:

  • Use the "policy = my_ca_policy" option in the CA section of the configuration file (the section named by "default_ca") to point to that section.
  • Use the "-policy my_ca_policy" option on the command line to point to that section.

A policy option is defined with the DN field name and one of three possible values:

  • "optional" - a value is not required for this DN field.
  • "supplied" - a value is required for this DN field.
  • "match" - the value in the request must match the value in the issuer (CA) certificate's subject.

Below is an example of a policy section. It requires only the "commonName" field to have a value, and "commonName" will be listed as the first field in the subject.

# section for DN field validation and order
[my_ca_policy]
commonName             = supplied
countryName            = optional
stateOrProvinceName    = optional
localityName           = optional
organizationName       = optional
organizationalUnitName = optional
emailAddress           = optional
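To see how the three rules and the field order play out, here is an added Python script (not part of the original answer and not OpenSSL's code) that re-implements the documented policy check: it parses a constructed policy section with "match", "supplied" and "optional" rules, validates a request subject against a CA subject, and builds the subject in policy order. It goes beyond the page's example in one respect: fields the policy does not list are dropped, which is what "ca" does unless -preserveDN is given.

```python
import configparser
from collections import OrderedDict

# Constructed sample policy section (not from a real CA); the field order
# here is the order the fields will take in the issued subject.
CONFIG_TEXT = """
[my_ca_policy]
countryName            = match
organizationName       = match
commonName             = supplied
emailAddress           = optional
"""

VALID_RULES = ("optional", "supplied", "match")


def load_policy(text, section):
    """Parse the named policy section into an ordered {field: rule} mapping."""
    cp = configparser.ConfigParser()
    cp.optionxform = str  # keep DN field names case-sensitive (commonName, not commonname)
    cp.read_string(text)
    return OrderedDict((field, rule.strip()) for field, rule in cp.items(section))


def apply_policy(policy, request_subject, issuer_subject):
    """Re-implementation (assumption, not OpenSSL's own code) of how "ca" applies a
    policy: returns (subject in policy order, errors, fields dropped because the
    policy does not list them).  Dropping unlisted fields is the documented
    behaviour of "ca" unless -preserveDN is given."""
    errors, subject = [], OrderedDict()
    for field, rule in policy.items():
        value = request_subject.get(field)
        if rule not in VALID_RULES:
            errors.append(f"{field}: unknown policy value {rule!r}")
            continue
        if rule == "supplied" and value is None:
            errors.append(f"{field}: required by policy but missing from request")
        elif rule == "match":
            if issuer_subject.get(field) is None:
                errors.append(f"{field}: CA certificate has no such field to match")
            elif value != issuer_subject[field]:
                errors.append(f"{field}: must match the CA certificate")
        if value is not None:
            subject[field] = value
    dropped = sorted(set(request_subject) - set(policy))
    return subject, errors, dropped


if __name__ == "__main__":
    ca = {"countryName": "US", "organizationName": "Example CA", "commonName": "Example Root"}
    req = {"commonName": "www.example.com", "organizationName": "Example CA",
           "countryName": "US", "serialNumber": "1234"}  # constructed request subject
    print(apply_policy(load_policy(CONFIG_TEXT, "my_ca_policy"), req, ca))
```

A request whose organizationName differs from the CA's fails the "match" rule, and the serialNumber field is silently dropped because the policy never mentions it.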


2016-09-04, 4423👍, 0💬