[rs-dev] CsrSubjectRequest with a wildcard
Dirk-Willem van Gulik
dirkx at webweaving.org
Mon Jan 6 00:24:46 CET 2020
Graham,

With respect to:

# use subject from the certificate sign request unmodified
CsrSubjectRequest * 99

Two questions:

- We only look at the form 'subject-XX' values; not at the DN that is in the CSR itself? Correct? What was your thinking behind this?

- When using a wildcard - the default 'just take 1' is a bit funny; as you will often need to set -CN, -L, -C, etc. Would it make sense to interpret it as '1' per RN type in that specific case; so just one CN, one L?

Below my not quite right attempt to explain what is going on (pname is needed rather than name->name as the latter is NULL in this case (perhaps we should set it to *?)).

Dw.

Index: mod_csr.c
===================================================================
--- mod_csr.c (revision 201)
+++ mod_csr.c (working copy)
@@ -572,8 +575,8 @@
if (count <= 0) {
log_message(r, APR_SUCCESS,
apr_psprintf(r->pool,
- "Subject name '%s'
cannot be inserted into certificate more than %d times.",
- name->name, name->limit));
+ "Subject name '%s'
cannot be inserted into certificate more than %d times%s.",
+ pname, name->limit,
(name->nid) ? "" : " (across all wildcard matches)"));
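
Review bot: the added argument `(name->nid) ? "" : " (across all wildcard matches)"` decides the wildcard case from name->nid being zero, while the message above identifies the wildcard case by name->name being NULL. Pick one test and make it explicit, for example `name->name == NULL`, or add a comment stating that a zero nid marks the wildcard entry, so the suffix cannot appear for a named entry whose nid happens to be unset. The hunk does not show where pname is assigned, so confirm it is non-NULL on every path that reaches this log_message call. The format string literal is also split across two lines in both the removed and added versions as posted, which looks like mail line-wrapping and will keep the patch from applying cleanly; resending it as an attachment or with wrapping disabled would avoid that.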