On Sat, 03 Sep 2005 at 10:31 -0600, jared r r spiegel wrote:
> On Tue, Aug 23, 2005 at 03:58:31PM +0100, Jason McIntyre wrote:
> >
> > yes, it was removed a little while ago. you can get the same
> > functionality from openssl(1) req. see also isakmpd(8).
>
>   i checked on the isakmpd(8), it gives an example how to make
>   a subjectAltName extension field using IP or FQDN, but
>   how does one make UFQDN now that certpatch is gone?
>
>   i did a 'find /usr/src -type f | xargs egrep -i "(u|user).*fqdn"',
>   but didn't find much who could hint me on how to add an
>   [x509v3_UFQDN] section to /etc/ssl/x509v3.cnf correctly.
>
>   i made a few random guesses and tried these type of things
>   individually:

hmm i don't really know what you are doing wrong here but for me this
has worked almost any time.

[x509v3_UFQDN]
subjectAltName=email:$ENV::CERTUFQDN

CERTUFQDN must be provided as an environment variable and you might
want to use it with something like that.

openssl genrsa -out $CERTDIR/$SUBJECT/$SUBJECT.key              \
        $CERTBITS

openssl req -batch -config $REQUEST_CONFIG -sha1 -new           \
        -key $CERTDIR/$SUBJECT/$SUBJECT.key                     \
        -out $CERTDIR/$SUBJECT/$SUBJECT.csr

openssl x509 -req -sha1 -days $CERTDAYS                         \
        -in $CERTDIR/$SUBJECT/$SUBJECT.csr                      \
        -CA $CADIR/certs/ca.crt -CAkey $CADIR/private/ca.key    \
        -extfile $EXTFILE -extensions x509v3_FQDN               \
        -CAcreateserial -CAserial $CADIR/serial                 \
        -out $CERTDIR/$SUBJECT/$SUBJECT.crt                     \
        -passin env:PASSPHRASE

adding the section to your x509v3.cnf you should have something like:

# default settings
CERTPATHLEN             = 1
CERTUSAGE               = digitalSignature,keyCertSign
CERTIP                  = 0.0.0.0
CERTFQDN                = nohost.nodomain

# This section should be referenced when building an x509v3 CA
# Certificate.
# The default path length and the key usage can be overridden or
# modified by setting the CERTPATHLEN and CERTUSAGE environment
# variables.
[x509v3_CA]
basicConstraints=critical,CA:true,pathlen:$ENV::CERTPATHLEN
keyUsage=$ENV::CERTUSAGE

# This section should be referenced to add an IP Address
# as an alternate subject name, needed by isakmpd
# The address must be provided in the CERTIP environment variable
[x509v3_IPAddr]
subjectAltName=IP:$ENV::CERTIP

# This section should be referenced to add a FQDN hostname
# as an alternate subject name, needed by isakmpd
# The address must be provided in the CERTFQDN environment variable
[x509v3_FQDN]
subjectAltName=DNS:$ENV::CERTFQDN

# This section should be referenced to add a UFQDN hostname
# as an alternate subject name, needed by isakmpd
# The address must be provided in the CERTUFQDN environment variable
[x509v3_UFQDN]
subjectAltName=email:$ENV::CERTUFQDN

if you want to have a script doing this work for you i will upload
one.

Tim

--
Darksun rising over blood red sea
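As an added example (not Tim's script and not the OpenBSD x509v3.cnf itself), the following script runs the whole flow end to end: it writes a small stand-in for /etc/ssl/x509v3.cnf with the same kind of top-level defaults and SAN sections as above, creates a throw-away CA, issues a certificate with `-extfile`/`-extensions x509v3_UFQDN` (note that the third openssl command in the mail passes `x509v3_FQDN`; for a UFQDN the section name must be `x509v3_UFQDN`), and then reads the subjectAltName back out of the certificate so you can confirm the `email:` entry is really there. It also shows the fallback behaviour of `$ENV::NAME`: if the variable is not in the environment, openssl takes the value from the unnamed default section at the top of the config file, which is why the OpenBSD file ships with defaults such as `CERTFQDN = nohost.nodomain`. With neither set, openssl aborts with "variable has no value". All names, paths and addresses (Demo CA, alice@example.com, nobody@nodomain) are constructed for this demo.

```sh
#!/bin/sh
# Added example, not from the original mail or OpenBSD: UFQDN subjectAltName
# from an environment variable, with the config-file default as fallback.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed stand-in for /etc/ssl/x509v3.cnf.  Top-level (default section)
# values are what $ENV::NAME falls back to when NAME is not exported.
# The [req] section only exists so "openssl req" needs no system config.
cat > "$WORK/x509v3.cnf" <<'EOF'
CERTIP    = 0.0.0.0
CERTFQDN  = nohost.nodomain
CERTUFQDN = nobody@nodomain

[req]
distinguished_name = req_dn
prompt = no

[req_dn]
CN = placeholder

[x509v3_IPAddr]
subjectAltName=IP:$ENV::CERTIP

[x509v3_FQDN]
subjectAltName=DNS:$ENV::CERTFQDN

[x509v3_UFQDN]
subjectAltName=email:$ENV::CERTUFQDN
EOF

# Throw-away CA for the demo; a real site would use its existing CA key.
openssl req -x509 -config "$WORK/x509v3.cnf" -newkey rsa:2048 -nodes \
    -sha256 -days 1 -subj /CN=DemoCA \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null

# issue_cert SECTION NAME: key + CSR for NAME, then sign it with the CA and
# add the extensions of SECTION from the config file.  $ENV::CERTUFQDN is
# resolved from this shell's exported environment at signing time.
issue_cert() {
    section=$1; name=$2
    openssl req -new -config "$WORK/x509v3.cnf" -newkey rsa:2048 -nodes \
        -sha256 -subj "/CN=$name" -keyout "$WORK/$name.key" \
        -out "$WORK/$name.csr" 2>/dev/null
    openssl x509 -req -sha256 -days 1 -in "$WORK/$name.csr" \
        -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
        -extfile "$WORK/x509v3.cnf" -extensions "$section" \
        -out "$WORK/$name.crt" 2>/dev/null
}

# san_of NAME: print the subjectAltName value line of the issued cert,
# e.g. "email:alice@example.com", so the result can be checked.
san_of() {
    openssl x509 -in "$WORK/$1.crt" -noout -text \
        | awk '/Subject Alternative Name/ { getline; sub(/^[ \t]*/, ""); print; exit }'
}

# 1. Value supplied through the environment, as in the mail's script.
export CERTUFQDN=alice@example.com
issue_cert x509v3_UFQDN alice
echo "alice:    $(san_of alice)"

# 2. Variable not exported: the default section of the config supplies it.
unset CERTUFQDN
issue_cert x509v3_UFQDN fallback
echo "fallback: $(san_of fallback)"
```

Run it as-is with any OpenSSL that has the `x509 -req -extfile` options (1.1.x or 3.x); it only writes into a temporary directory that is removed on exit. The same `san_of` check is worth keeping in a real signing script, because isakmpd will silently fail to match a peer ID if the SAN type (IP, DNS or email) does not match what the peer presents.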