Victor Duchovni
Sun, 17 Dec 2006 19:14:30 -0800
On Sun, Dec 17, 2006 at 06:24:22PM -0800, David Newman wrote:
> One last question: Generating a cert for multiple virtual hosts is only
> an occasional requirement. Generally this CA will generate certs
> for one CN and zero alternates.
In that case don't add "copy_extensions = copy" to "CA_default" and
create a "CA_with_exts" that is like "CA_default", but enables extension
copying. Use an explicit "-name CA_with_exts" only when you need it.
> Through trial and error I found that I can leave the subjectAltName
> stuff in openssl.cnf, and just comment out the "req_extensions = v3_ext"
> statement in the req section. Is this valid, or am I losing some other
> needed functionality?
If you always generate the certs yourself, you can suppress the
alternative names either in the request, in the CA or perhaps in both.
I am fond of building ".cnf" files on the fly and using them via
"-config".
--
Viktor.
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
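The setup described in the reply above, as an added example that is not part of the original message: a shell script that builds the ".cnf" files on the fly, defines "CA_default" without extension copying and "CA_with_exts" with "copy_extensions = copy", and signs the same request through both sections. The demo CA subject, the example.test host names, the file names and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original thread. Host names, file names and
# function names are constructed; keys are unencrypted throwaway demo keys.

# Emit one "ca" section: $1 = section name, $2 = optional extra setting.
ca_section() {
    cat <<EOF
[ $1 ]
database = ./index.txt
serial = ./serial
new_certs_dir = ./certs
certificate = ./ca.pem
private_key = ./ca.key
default_md = sha256
default_days = 30
policy = policy_any
unique_subject = no
$2
EOF
}

# Build a demo CA in directory $1 and sign one request through both sections.
build_demo() (
    cd "$1" || exit 1
    mkdir certs && : > index.txt && echo 01 > serial || exit 1
    {   # CA config built on the fly; CA_with_exts differs by one line only.
        printf '[ ca ]\ndefault_ca = CA_default\n'
        ca_section CA_default
        ca_section CA_with_exts 'copy_extensions = copy'
        printf '[ policy_any ]\ncommonName = supplied\n'
        printf '[ req ]\ndistinguished_name = dn\nprompt = no\n[ dn ]\nCN = Demo CA\n'
    } > ca.cnf
    printf '%s\n' '[ req ]' 'distinguished_name = dn' 'prompt = no' \
        'req_extensions = v3_ext' '[ dn ]' 'CN = www.example.test' \
        '[ v3_ext ]' \
        'subjectAltName = DNS:www.example.test, DNS:mail.example.test' > req.cnf
    openssl req -x509 -new -newkey rsa:2048 -nodes -days 30 -config ca.cnf \
        -keyout ca.key -out ca.pem &&
    openssl req -new -newkey rsa:2048 -nodes -config req.cnf \
        -keyout host.key -out host.csr &&
    openssl ca -batch -notext -config ca.cnf -in host.csr -out plain.pem &&
    openssl ca -batch -notext -config ca.cnf -name CA_with_exts \
        -in host.csr -out multi.pem
) >/dev/null 2>&1

# Succeeds only if certificate $1 carries the alternate host name.
has_alt_name() {
    openssl x509 -in "$1" -noout -text | grep -q 'DNS:mail.example.test'
}
```

Run build_demo on an empty directory, then check plain.pem and multi.pem with has_alt_name: the request carries subjectAltName in both cases, but only the certificate issued with "-name CA_with_exts" keeps it.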