Lutz Jaenicke wrote:
>
> As you can see, with "openssl ca ..." you violate RFC2459 since you (the CA)
> do not check the subject alternative name, as it is not displayed before
> signing.
>
The only subject alt names it will use are those in the config file or
the DN email address which ca does display. These have hopefully been
checked :-)
> So if you know, that somebody signs with foreign certs with "openssl ca .."
> you can submit a request for
> Subject: ... CN=your.host.name
> X509v3 Subject Alternative Name: DNS:name.of.your.favorite.bank-server
>
You can submit a request like this. However, request extensions are not
currently copied into the final certificate for this very reason. You
could for example submit a request with CA:true and get a CA
certificate back if it did copy extensions blindly.
Steve.
--
Dr Stephen N. Henson. http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED]
Senior crypto engineer, Celo Communications: http://www.celocom.com/
Core developer of the OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED] PGP key: via homepage.
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
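The behaviour Steve describes, as an added example that is not part of the thread: a request carrying CA:TRUE and a SAN for another host is signed with `openssl ca` under the two settings of the later-added `copy_extensions` option (its default, `none`, matches the "not copied" behaviour above). Host names, subjects and file names are constructed; the script needs the openssl command-line tool and a POSIX shell.

```shell
# Added example, not from the thread: sign a request that smuggles CA:TRUE
# and a foreign SAN with `openssl ca`, once with copy_extensions = none and
# once with copy_extensions = copy. Names are constructed; runs in a temp dir.
set -eu

issue_and_inspect() {   # $1 = copy_extensions policy; prints "SAN=.. CA=.."
    work=$(mktemp -d)
    (cd "$work"
        mkdir newcerts; : > index.txt; echo 01 > serial
        cat > ca.cnf <<EOF
[ req ]
distinguished_name = req_dn
[ req_dn ]
commonName = Common Name
[ req_ext ]
# what the requester asks for: a CA certificate and someone else's host name
basicConstraints = CA:TRUE
subjectAltName = DNS:name.of.your.favorite.bank-server
[ ca ]
default_ca = demo_ca
[ demo_ca ]
certificate = ca.pem
private_key = ca.key
database = index.txt
new_certs_dir = newcerts
serial = serial
default_md = sha256
policy = demo_policy
x509_extensions = leaf_ext
copy_extensions = $1
[ demo_policy ]
commonName = supplied
[ leaf_ext ]
# what the CA itself puts into every leaf; "copy" never overrides these
basicConstraints = CA:FALSE
EOF
        openssl req -x509 -new -newkey rsa:2048 -nodes -keyout ca.key -out ca.pem \
            -subj "/CN=Demo CA" -days 1 -config ca.cnf 2>/dev/null
        openssl req -new -newkey rsa:2048 -nodes -keyout leaf.key -out leaf.csr \
            -subj "/CN=your.host.name" -reqexts req_ext -config ca.cnf 2>/dev/null
        openssl ca -batch -days 1 -config ca.cnf -in leaf.csr -out leaf.pem 2>/dev/null
        text=$(openssl x509 -in leaf.pem -noout -text)
        san=no; case "$text" in *bank-server*) san=yes ;; esac
        ca=no;  case "$text" in *CA:TRUE*)     ca=yes  ;; esac
        echo "SAN=$san CA=$ca"
    )
    rm -rf "$work"
}
issue_and_inspect none   # SAN=no CA=no  : request extensions are ignored
issue_and_inspect copy   # SAN=yes CA=no : foreign SAN lands in the certificate
```

With `copy`, extensions defined in the CA's own config still take precedence, so the requested CA:TRUE is dropped while the SAN, which the config does not define, is copied in unchecked; `copyall` would let the request override the config too.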