The DN reordering done by OKS is due to the default behavior of openssl ca. This command will reorder the fields from a CSR to match the order that they're defined in the config (specifically the policy section) unless it is told to do otherwise (-preserveDN on the command line, or preserve=yes in the config). I'm not sure how much pain and suffering this is causing on the permslip side and we can be more flexible in oks for sure. That said, the damage may already have been done since we've generated the certs :grimacing:
The DN reordering done by OKS is due to the default behavior of
openssl ca. This command will reorder the fields from a CSR to match the order that they're defined in the config (specifically thepolicysection) unless it is told to do otherwise (-preserveDNon the command line, orpreserve=yesin the config). I'm not sure how much pain and suffering this is causing on the permslip side and we can be more flexible inoksfor sure. That said, the damage may already have been done since we've generated the certs :grimacing:Originally posted by @flihp in https://github.com/oxidecomputer/permission-slip/issues/81#issuecomment-1568723770