OpenVPN / easy-rsa

easy-rsa - Simple shell based CA utility

sign-req not honoring --req-c, --req-st, --req-city, ... and falling back to CSR values #1087

Closed agowa closed 5 months ago

agowa commented 6 months ago

Hi, the sign-req command doesn't honor explicitly provided values for req-c, req-st, req-city, req-org, req-email, req-ou, and probably more. It always just uses the values from within the CSR, which is undesirable in many cases. Also, it is not possible to "patch" a CSR without knowing the private key (in this case stored within an HSM). So the only way to modify them is while signing.

Also, the integrated help doesn't say that they're not supported in this context either. I also tried using them together with "--dn-mode=org" as well as an additional "--batch". But neither worked.

Version: 3.1.7
Generated: Fri Oct 13 17:27:51 CDT 2023
SSL Lib: OpenSSL 3.0.10 1 Aug 2023 (Library: OpenSSL 3.0.10 1 Aug 2023)
Git Commit: 3c233f....08f0c0f

Edit: Or add an equivalent to openssl x509 --req --force_pubkey, but that would be way more confusing than just "allowing" these parameters to work also for sign-req as one would expect.

TinCanTech commented 6 months ago

My vote is for #995 -- Easy and correct.

Linking: #1089

Linking: #439

TinCanTech commented 5 months ago

Edit: Or add an equivalent to openssl x509 --req --force_pubkey, but that would be way more confusing than just "allowing" these parameters to work also for sign-req as one would expect.

OpenSSL does not work the way you expect.

agowa commented 5 months ago

@TinCanTech That openssl command did what I wanted to do. So maybe my explanation wasn't that great then...

TinCanTech commented 5 months ago

That openssl command did what I wanted to do

If you mean OpenSSL --force_pubkey [sic] then that has nothing to do with EasyRSA --req-* values.

maybe my explanation wasn't that great

I guess not.

TinCanTech commented 5 months ago

sign-req does not honor any Easy-RSA --req-* values because they are only valid in a request context, i.e. gen-req.
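The point made in the last comment, reproduced with plain openssl as an added example (not code from the thread or from easy-rsa): the subject DN is fixed when the CSR is generated, and signing copies it into the certificate unchanged, so a CA operator must inspect the CSR subject before signing. The CA name, client DN and temporary paths are constructed for the demo.

```shell
#!/bin/sh
# Added example: the DN lives in the CSR; signing does not rewrite it.
# All DNs and file names below are constructed for this demo.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Build a throwaway, self-signed CA (constructed).
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/C=US/O=Example CA/CN=Demo Root" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

# Generate a CSR: this is the only step where the DN values are chosen
# (the equivalent of easy-rsa gen-req with --req-* options).
make_csr() {
    openssl req -new -newkey rsa:2048 -nodes -subj "$1" \
        -keyout "$WORK/client.key" -out "$WORK/client.csr" 2>/dev/null
}

# Sign the CSR with the CA; deliberately no DN options are passed here
# (the equivalent of easy-rsa sign-req).
sign_csr() {
    openssl x509 -req -in "$WORK/client.csr" -CA "$WORK/ca.crt" \
        -CAkey "$WORK/ca.key" -CAcreateserial -days 1 \
        -out "$WORK/client.crt" 2>/dev/null
}

# Subject DNs in RFC 2253 form so the two can be compared as strings.
csr_subject() {
    openssl req -in "$WORK/client.csr" -noout -subject -nameopt RFC2253 \
        | sed 's/^subject= *//'
}
cert_subject() {
    openssl x509 -in "$WORK/client.crt" -noout -subject -nameopt RFC2253 \
        | sed 's/^subject= *//'
}

# Pre-signing check a CA operator can run: returns 0 when the issued
# certificate carries exactly the subject that was in the CSR.
subjects_match() { [ "$(csr_subject)" = "$(cert_subject)" ]; }

make_ca
make_csr "/C=DE/ST=Bavaria/L=Munich/O=Example Org/OU=Ops/CN=client1"
sign_csr
echo "CSR  subject: $(csr_subject)"
echo "cert subject: $(cert_subject)"
```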