On Sun, Dec 17, 2006 at 06:24:22PM -0800, David Newman wrote:

> One last question: Generating a cert for multiple virtual hosts is only
> an occasional requirement. Generally this CA will generate certs
> for one CN and zero alternates.

In that case don't add "copy_extensions = copy" to "CA_default" and create a "CA_with_exts" that is like "CA_default", but enables extension copying. Use an explicit "-name CA_with_exts" only when you need it.

> Through trial and error I found that I can leave the subjectAltName
> stuff in openssl.cnf, and just comment out the "req_extensions = v3_ext"
> statement in the req section. Is this valid, or am I losing some other
> needed functionality?

If you always generate the certs yourself, you can suppress the alternative names either in the request, in the CA or perhaps in both. I am fond of building ".cnf" files on the fly and using them via "-config".

-- 
Viktor.
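
The approach in the reply above (a request ".cnf" built on the fly, and the extension-copying CA section selected only when alternates exist), as an added example that is not code from this thread or from the OpenSSL project. The names make_req_cnf, ca_section_for and v3_req_san are assumptions made here, and "CA_with_exts" is assumed to exist in the CA's config as the reply describes.

```shell
#!/bin/sh
# make_req_cnf CN [ALT...]: print a config for "openssl req -config".
# With zero alternates no req_extensions line is emitted, so the request
# carries no subjectAltName at all.
make_req_cnf() {
    [ "$#" -ge 1 ] || return 1
    # Names are written into a config file: accept host-name characters
    # only, so a crafted name cannot add lines or sections.
    for h in "$@"; do
        case $h in
            ''|*[!A-Za-z0-9.*-]*) echo "bad host name: $h" >&2; return 1 ;;
        esac
    done
    cn=$1; shift
    printf '[ req ]\nprompt = no\ndistinguished_name = dn\n'
    if [ "$#" -gt 0 ]; then
        printf 'req_extensions = v3_req_san\n'
    fi
    printf '\n[ dn ]\nCN = %s\n' "$cn"
    if [ "$#" -gt 0 ]; then
        # The CN is listed first, then each alternate, as DNS names.
        san="DNS:$cn"
        for h in "$@"; do san="$san,DNS:$h"; done
        printf '\n[ v3_req_san ]\nsubjectAltName = %s\n' "$san"
    fi
}

# ca_section_for CN [ALT...]: print the CA section to pass to
# "openssl ca -name". Extension copying is selected only when needed.
ca_section_for() {
    if [ "$#" -gt 1 ]; then echo CA_with_exts; else echo CA_default; fi
}

# Usage (host and file names are constructed placeholders):
#   make_req_cnf www.example.com mail.example.com > req.cnf
#   openssl req -new -config req.cnf -key host.key -out host.csr
#   openssl ca -config ca.cnf -in host.csr -out host.crt \
#       -name "$(ca_section_for www.example.com mail.example.com)"
```

With "copy_extensions = copy" the CA copies every request extension that its own extension section does not already set, so keep "basicConstraints = CA:FALSE" in the section named by "x509_extensions" and review each request before signing with "CA_with_exts".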