On Sun, Dec 17, 2006 at 06:24:22PM -0800, David Newman wrote:

> One last question: Generating a cert for multiple virtual hosts is only
> an occasional requirement. Generally this CA will generate certs
> for one CN and zero alternates.

In that case don't add "copy_extensions = copy" to "CA_default" and
create a "CA_with_exts" that is like "CA_default", but enables extension
copying. Use an explicit "-name CA_with_exts" only when you need it.

> Through trial and error I found that I can leave the subjectAltName
> stuff in openssl.cnf, and just comment out the "req_extensions = v3_ext"
> statement in the req section. Is this valid, or am I losing some other
> needed functionality?

If you always generate the certs yourself, you can suppress the
alternative names either in the request, in the CA or perhaps in both.

I am fond of building ".cnf" files on the fly and using them via
"-config".

-- 
        Viktor.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
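
The two-section setup suggested in the reply above, as an added example that is not part of the original message or of OpenSSL's own files: the config is built on the fly, one SAN-bearing request is signed under each CA section, and the names that reach the certificate are printed. The section names CA_default and CA_with_exts come from the message; the helper names, file names, the policy_any section, subjects and host names are constructed for illustration.

```shell
# Added example. CA_default / CA_with_exts are the names used in the message;
# every file name, subject and host name below is constructed.
ca_section() {              # $1 = section name, $2 = optional extra line
  printf '[ %s ]\n' "$1"
  printf '%s\n' 'database = ./index.txt' 'new_certs_dir = ./newcerts' \
    'serial = ./serial' 'certificate = ./ca.pem' 'private_key = ./ca.key' \
    'default_md = sha256' 'default_days = 30' 'unique_subject = no' \
    'policy = policy_any'
  if [ -n "${2:-}" ]; then printf '%s\n' "$2"; fi
  echo
}

build_cnf() {               # whole config on stdout, for use with -config
  printf '[ ca ]\ndefault_ca = CA_default\n\n'
  ca_section CA_default                       # request extensions ignored
  ca_section CA_with_exts 'copy_extensions = copy'
  cat <<'EOF'
[ policy_any ]
commonName = supplied
[ req ]
prompt = no
distinguished_name = dn
req_extensions = v3_ext
[ dn ]
CN = www.example.com
[ v3_ext ]
subjectAltName = DNS:www.example.com, DNS:mail.example.com
EOF
}

# Sign one request that carries subjectAltName under CA section $1 and print
# the DNS names found in the issued certificate (nothing if they were dropped).
issued_sans() (
  d=$(mktemp -d) || exit 1
  cd "$d" || exit 1
  build_cnf > ca.cnf
  mkdir newcerts; : > index.txt; echo 01 > serial
  {
    openssl req -x509 -newkey rsa:2048 -nodes -config ca.cnf -days 30 \
      -subj '/CN=Constructed Test CA' -keyout ca.key -out ca.pem &&
    openssl req -new -newkey rsa:2048 -nodes -config ca.cnf \
      -keyout host.key -out host.csr &&
    openssl ca -batch -notext -config ca.cnf -name "$1" \
      -in host.csr -out host.pem
  } >/dev/null 2>&1 || { rm -rf "$d"; exit 1; }
  openssl x509 -in host.pem -noout -text | sed -n 's/^ *\(DNS:.*\)$/\1/p'
  rm -rf "$d"
)
```

"copy_extensions = copy" copies every extension present in the request, and the ca(1) manual warns that a request carrying basicConstraints CA:TRUE would be honoured as well, so keeping the setting out of CA_default limits that exposure to the runs where "-name CA_with_exts" is given.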
