Closed agowa closed 5 months ago
My vote is for #995 -- Easy and correct.
Linking: #1089
Linking: #439
OpenSSL does not work the way you expect.
@TinCanTech That openssl command did what I wanted to do. So maybe my explanation wasn't that great then...
> That openssl command did what I wanted to do
If you mean OpenSSL --force_pubkey [sic] then that has nothing to do with EasyRSA --req-* values.
> maybe my explanation wasn't that great
I guess not.
sign-req does not honor any Easy-RSA --req-* values because they are only valid in a request context. IE. gen-req.
Hi, the sign-req command doesn't honor explicitly provided values for req-c, req-st, req-city, req-org, req-email, req-ou, and probably more. It always just uses the values from within the CSR which is undesirable in many cases. Also it is not possible to "patch" a CSR without knowing the private key (in this case stored within an HSM). So the only way to modify them is while signing.
Also the integrated help doesn't say that they're not supported in this context either. I also tried using them together with "--dn-mode=org" as well as an additional "--batch". But neither worked.
Edit: Or add an equivalent to openssl x509 --req --force_pubkey, but that would be way more confusing than just "allowing" these parameters to work also for sign-req as one would expect.
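The `-force_pubkey` route mentioned in the post above, sketched with plain OpenSSL as an added example (not part of the thread and not Easy-RSA code): the CA checks the original CSR's self-signature, then certifies that CSR's public key under a subject the CA chooses. All file names, subject values and the helper names `sign_with_subject` and `demo` are constructed for illustration.

```shell
#!/bin/sh
# Added example; every file name and subject value here is constructed.
set -eu

# sign_with_subject CSR SUBJECT CA_CRT CA_KEY OUT_CRT
# Certifies the public key from CSR under SUBJECT instead of the CSR's own DN.
sign_with_subject() {
  s_tmp=$(mktemp -d) || return 1
  # Proof of possession: accept the key only if the CSR self-signature verifies.
  # Match on the text because older OpenSSL exits 0 even on a verify failure.
  s_chk=$(openssl req -in "$1" -noout -verify 2>&1) || true
  case $s_chk in *"verify OK"*) ;; *) rm -rf "$s_tmp"; return 1 ;; esac
  openssl req -in "$1" -noout -pubkey > "$s_tmp/pub.pem" || return 1
  # Throwaway key and CSR that only carry the DN the CA wants to issue.
  openssl req -new -newkey rsa:2048 -nodes -keyout "$s_tmp/tmp.key" \
    -out "$s_tmp/tmp.csr" -subj "$2" 2>/dev/null || return 1
  # -force_pubkey swaps the throwaway key for the requester's public key.
  openssl x509 -req -in "$s_tmp/tmp.csr" -force_pubkey "$s_tmp/pub.pem" \
    -CA "$3" -CAkey "$4" -CAcreateserial -days 1 -out "$5" 2>/dev/null || return 1
  rm -rf "$s_tmp"
}

# demo: build a constructed CA and a CSR with an unwanted DN, re-issue it under
# the wanted DN, and print "<subject>|<same-key or different-key>".
demo() {
  d=$(mktemp -d)
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$d/ca.key" -out "$d/ca.crt" \
    -subj "/CN=Constructed Test CA" -days 1 2>/dev/null
  # Stands in for the HSM-held key: its private half is never used below.
  openssl req -new -newkey rsa:2048 -nodes -keyout "$d/hsm.key" -out "$d/hsm.csr" \
    -subj "/C=XX/O=Unwanted Org/CN=device1" 2>/dev/null
  sign_with_subject "$d/hsm.csr" "/C=DE/O=Wanted Org/CN=device1" \
    "$d/ca.crt" "$d/ca.key" "$d/device.crt" || return 1
  openssl req -in "$d/hsm.csr" -noout -pubkey > "$d/want.pem"
  openssl x509 -in "$d/device.crt" -noout -pubkey > "$d/got.pem"
  if cmp -s "$d/want.pem" "$d/got.pem"; then k=same-key; else k=different-key; fi
  s=$(openssl x509 -in "$d/device.crt" -noout -subject -nameopt RFC2253)
  rm -rf "$d"
  echo "$s|$k"
}

demo
```

The CSR's signature only proves possession of the key; the subject in the issued certificate is whatever the CA supplies, so the CA has to validate that name itself before signing.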