Table 4.3. Common stuff configuration
Parameter | Description |
---|---|
SET_REQUEST_SERIAL_IN_DN | This option enforces the inclusion of the request's serial in the subject of the certificate. This is a simple method to guarantee that the subject is unique. True values are Y, YES and ON. |
REQUEST_SERIAL_NAME | If the serial of the request is included, this option defines which attribute is used for the serial. |
SET_CERTIFICATE_SERIAL_IN_DN | This option enforces the inclusion of the certificate's serial in the subject of the certificate. This is a simple method to guarantee that the subject is unique. This option is preferable to SET_REQUEST_SERIAL_IN_DN because the value is transparent. True values are Y, YES and ON. |
CERTIFICATE_SERIAL_NAME | If the serial of the certificate is included, this option defines which attribute is used for the serial. |
DN_WITHOUT_EMAIL | This option is used to enforce the recommendations of S/MIME v3. If you don't want to include the email address in the subject, you can use this option. OpenCA removes the email address from the subject before it issues the certificate. True values are again Y, YES and ON. |
- base dn or suffix: dc=university,dc=edu
- user dn: dc=mike tester,dc=university,dc=edu
- webserver dn: dc=www,dc=university,dc=edu
- ca dn: dc=CA,dc=university,dc=edu
There are two things which must be changed in the configuration files of the servers.
```
basedn   "dc=university,dc=edu"
ldaproot "dc=manager,dc=university,dc=edu"
```
```
DN_TYPE_BASIC_BODY        "YES"
DN_TYPE_BASIC_KEYGEN_MODE "SERVER"
DN_TYPE_BASIC_KEYGEN_SHEET "/usr/local/OpenCA/lib/servers/pub/sheets/basic_csr_confirm_request.html"
DN_TYPE_BASIC_BASE        "DC" "DC"
DN_TYPE_BASIC_ELEMENTS    "DC"
DN_TYPE_BASIC_NAME        "Basic User Request"
DN_TYPE_BASIC_BASE_1      "University"
DN_TYPE_BASIC_BASE_2      "edu"
DN_TYPE_BASIC_ELEMENT_1   "Name"
```
Please check the installed or prepared files named main.html, because several HTML files display the suffix of all the DNs.
You can find these files in lib/servers/ra/mails. They are the default templates for the mails which RA Operators can send to the users. They include the suffix of the LDAP server; this suffix is called Dir Root. It must be changed to the real suffix of your LDAP server.
You must modify the files OPENCADIR/etc/openssl/openssl.cnf and OPENCADIR/etc/openssl/openssl/*.conf. The policy and req sections must be changed to support requests and certificates with subjects in the dc-style. If you don't know how to configure OpenSSL, please read the OpenSSL documentation.
If you generate the initial request for the CA, ignore all the fields for the normal subject style. Simply leave every field empty until the software displays the window that shows you the complete subject. There you have to enter the complete subject of the CA request. The subject is in RFC 2259 format, and every “DC” must be written in upper case because OpenSSL is case sensitive.
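As an added example, not OpenCA's own code: a small Python model of how the subject options from Table 4.3 and the upper-case “DC” rule from the paragraph above affect a requested subject. It assumes an RFC 2253-style string DN, treats the config keys as a plain dictionary with the table's names, and assumes (the page does not say) that the serial RDN is prepended as the most specific component.

```python
import re

TRUE_VALUES = {"Y", "YES", "ON"}  # truth values named in Table 4.3


def is_on(value):
    """Interpret an OpenCA boolean option: Y, YES and ON are true, anything else false."""
    return str(value).strip().upper() in TRUE_VALUES


def split_dn(dn):
    """Split an RFC 2253-style string DN into (attribute, value) pairs.
    A comma escaped as backslash-comma belongs to the value and is not a separator."""
    rdns = []
    for part in re.split(r"(?<!\\),", dn):
        if not part.strip():
            continue
        attr, _, value = part.partition("=")
        rdns.append((attr.strip(), value.strip()))
    return rdns


def join_dn(rdns):
    return ",".join(f"{attr}={value}" for attr, value in rdns)


def apply_subject_options(dn, config, request_serial=None, cert_serial=None):
    """Rewrite a requested subject as the Table 4.3 options describe.
    Assumption (not stated on the page): the serial RDN is prepended, so it
    becomes the most specific component of the subject."""
    rdns = split_dn(dn)
    if is_on(config.get("DN_WITHOUT_EMAIL", "N")):
        # S/MIME v3 recommendation: keep the address out of the subject
        rdns = [(a, v) for a, v in rdns if a.lower() != "emailaddress"]
    if is_on(config.get("SET_REQUEST_SERIAL_IN_DN", "N")):
        if request_serial is None:
            raise ValueError("SET_REQUEST_SERIAL_IN_DN is on but no request serial given")
        rdns.insert(0, (config["REQUEST_SERIAL_NAME"], str(request_serial)))
    if is_on(config.get("SET_CERTIFICATE_SERIAL_IN_DN", "N")):
        if cert_serial is None:
            raise ValueError("SET_CERTIFICATE_SERIAL_IN_DN is on but no certificate serial given")
        rdns.insert(0, (config["CERTIFICATE_SERIAL_NAME"], str(cert_serial)))
    return join_dn(rdns)


def miscased_dc_attributes(dn):
    """Attribute types spelling 'dc' in anything but upper case; OpenSSL is case sensitive."""
    return [attr for attr, _ in split_dn(dn) if attr.lower() == "dc" and attr != "DC"]
```

Two requests carrying the identical subject become distinct once a serial option is on, which is the uniqueness guarantee the table describes.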