On 12/17/06 11:28 AM, Victor Duchovni wrote:

>> [ CA_default ]
>> serial = $dir/serial
>> database = $dir/index.txt
>> new_certs_dir = $dir/newcerts
>> certs = $dir/certs
>> certificate = $dir/cacert.pem
>> private_key = $dir/private/cakey.pem
>> default_days = 365
>> default_md = md5
>> preserve = no
>> email_in_dn = no
>> nameopt = default_ca
>> certopt = default_ca
>> policy = policy_match
>
> Add "copy_extensions = copy" above. Of course validate the extensions
> before you sign the request.

Got it, thanks! For future reference, I've pasted the entire working openssl.cnf below.

One last question: Generating a cert for multiple virtual hosts is only an occasional requirement. Generally this CA will generate certs for one CN and zero alternates. Through trial and error I found that I can leave the subjectAltName stuff in openssl.cnf, and just comment out the "req_extensions = v3_ext" statement in the req section. Is this valid, or am I losing some other needed functionality?

thanks again
dn

[ ca ]
default_ca = CA_default

[ CA_default ]
dir = .
serial = $dir/serial
database = $dir/index.txt
new_certs_dir = $dir/newcerts
certs = $dir/certs
certificate = $certs/cacert.pem
private_key = $dir/private/cakey.pem
default_days = 365
default_md = md5
preserve = no
email_in_dn = no
nameopt = default_ca
certopt = default_ca
policy = policy_match
copy_extensions = copy

[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

[ req ]
default_bits = 1024                     # Size of keys
default_keyfile = key.pem               # name of generated keys
default_md = md5                        # message digest algorithm
string_mask = nombstr                   # permitted characters
distinguished_name = req_distinguished_name
req_extensions = v3_req
x509_extensions = v3_req

[ req_distinguished_name ]
# Variable name                 Prompt string
#----------------------         ----------------------------------
0.organizationName = Organization Name (company)
organizationalUnitName = Organizational Unit Name (department, division)
emailAddress = Email Address
emailAddress_max = 40
localityName = Locality Name (city, district)
stateOrProvinceName = State or Province Name (full name)
countryName = Country Name (2 letter code)
countryName_min = 2
countryName_max = 2
commonName = Common Name (hostname, IP, or your name)
commonName_max = 64

# Default values for the above, for consistency and less typing.
# Variable name                         Value
#------------------------------         ------------------------------
0.organizationName_default = The Sample Company
localityName_default = Metropolis
stateOrProvinceName_default = New York
countryName_default = US

[ v3_ca ]
basicConstraints = CA:TRUE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always

[ v3_req ]
# Extensions to add to a certificate request
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
# Some CAs do not yet support subjectAltName in CSRs.
# Instead the additional names are form entries on web
# pages where one requests the certificate...
subjectAltName = @alt_names

[alt_names]
DNS.1 = mail.freedonia.gov
DNS.2 = mail.potrzebie.org
DNS.3 = mail.furshlugginer.org

[ server ]
# Make a cert with nsCertType set to "server"
basicConstraints=CA:FALSE
nsCertType = server
nsComment = "OpenSSL Generated Server Certificate"
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer:always

[ client ]
# Make a cert with nsCertType set to "client"
basicConstraints=CA:FALSE
nsCertType = client
nsComment = "OpenSSL Generated Client Certificate"
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer:always

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
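An added example, written for this thread and not taken from it or from the OpenSSL project, that runs the flow discussed above end to end: a throw-away CA with the same CA_default / copy_extensions = copy layout, a CSR that carries subjectAltName, a check of the CSR's requested extensions before signing (the "validate the extensions" step in the reply), and a print of the SAN from the issued certificate to show it was copied from the CSR rather than from the CA's own config. It assumes OpenSSL 1.1.1 or later on PATH; the example.test host names and the CA name are constructed.

```shell
# Added example, not from the thread: throw-away CA using copy_extensions = copy,
# a CSR carrying subjectAltName, a pre-signing check of the CSR's extensions,
# then the SAN of the issued cert. Assumes OpenSSL 1.1.1+; names are constructed.
set -e
issue_with_san() (
  work=$(mktemp -d) && cd "$work"
  mkdir -p newcerts certs private && : > index.txt && echo 01 > serial
  cat > openssl.cnf <<'EOF'
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = .
serial = $dir/serial
database = $dir/index.txt
new_certs_dir = $dir/newcerts
certificate = $dir/certs/cacert.pem
private_key = $dir/private/cakey.pem
default_days = 365
default_md = sha256
policy = policy_any
x509_extensions = usr_cert
copy_extensions = copy
[ policy_any ]
commonName = supplied
[ usr_cert ]
subjectKeyIdentifier = hash
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ v3_ca ]
basicConstraints = CA:TRUE
[ v3_req ]
basicConstraints = CA:FALSE
subjectAltName = DNS:mail.example.test, DNS:www.example.test
EOF
  # Self-signed CA, then a CSR that requests the v3_req extensions (the SAN)
  openssl req -x509 -new -newkey rsa:2048 -nodes -subj '/CN=Example Test CA' \
    -config openssl.cnf -extensions v3_ca -keyout private/cakey.pem -out certs/cacert.pem 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -subj /CN=mail.example.test \
    -config openssl.cnf -reqexts v3_req -keyout key.pem -out req.pem 2>/dev/null
  # With copy_extensions = copy, whatever the requester put in the CSR gets
  # signed, so inspect it first: refuse CA:TRUE and names outside our domain.
  txt=$(openssl req -in req.pem -noout -text)
  echo "$txt" | grep -q 'CA:TRUE' && { echo 'CSR asks for CA:TRUE' >&2; exit 1; }
  echo "$txt" | grep -o 'DNS:[^,]*' | grep -qv '\.example\.test$' \
    && { echo 'CSR names a host outside example.test' >&2; exit 1; }
  openssl ca -batch -notext -config openssl.cnf -in req.pem -out cert.pem 2>/dev/null
  # The SAN below came from the CSR; the CA config itself names no hosts
  openssl x509 -in cert.pem -noout -ext subjectAltName | tail -n 1 | sed 's/^ *//'
)
```

Call issue_with_san to run it; it prints the copied SAN line or exits non-zero if the CSR fails the pre-signing check.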