Looks like there is a bug in openssl when handling the subjectAltName. Can somebody confirm? Are fixes within reach? Am I doing something wrong here?
The OpenSSL version used for testing is the CVS version from today. Details for bug reproduction are below.

Bug #1: An empty "X509v3 Subject Alternative Name:" extension is created.
Bug #2: The email address in the request is not used.

	Bernhard

$ openssl version
OpenSSL 0.9.8-dev XX xxx XXXX
CVS from today 20020620

$ openssl req -in newreq.pem -text
Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject: CN=Aegypten Test5, L=Osnabrueck, OU=Labs, O=Intevation GmbH, C=DE
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                    00:e8:ef:56:06:d0:67:d0:9d:bb:03:98:ce:de:6b:
                    88:88:b1:83:76:5d:08:ba:62:eb:15:a7:e3:ac:5a:
                    4f:93:0d:33:8f:6a:28:3c:ee:cb:47:59:43:8a:ed:
                    f8:bb:99:83:91:4b:71:54:a9:e7:3a:94:63:1d:ae:
                    2d:93:bc:20:e4:d9:39:53:5a:53:5d:50:d5:d2:2a:
                    d3:c2:c0:0a:6f:e0:03:19:4e:5f:40:72:16:89:eb:
                    9a:42:84:98:c5:cd:a9:26:69:de:3d:4f:4d:39:fb:
                    14:0c:a5:bb:bd:56:f6:4a:14:e6:cb:78:b3:94:ce:
                    b4:96:d4:40:8d:24:9d:c3:25
                Exponent: 41 (0x29)
        Attributes:
        Requested Extensions:
            X509v3 Subject Alternative Name:
                email:[EMAIL PROTECTED]
    Signature Algorithm: sha1WithRSAEncryption
        03:c7:f2:cc:71:8c:87:d9:5c:48:ee:ef:fc:cb:82:09:52:60:
        40:de:be:6c:40:d4:fc:64:f0:b0:3a:ac:0f:fb:58:38:ff:db:
        0d:da:68:06:af:05:cc:73:5c:db:10:b5:bb:c1:5f:9d:66:c8:
        e1:28:96:4a:f5:59:4c:ed:ab:f1:b5:64:32:87:88:34:17:1f:
        99:cc:ca:48:df:93:06:6d:87:39:88:13:81:ee:22:bd:1b:4a:
        16:41:f0:ff:89:ae:cb:a7:da:c4:a0:77:ec:8c:e2:59:e2:ed:
        91:60:24:be:f4:b3:95:bc:b8:0d:67:c6:fc:63:44:b1:de:46:
        b0:86
-----BEGIN CERTIFICATE REQUEST-----
MIIB2zCCAUQCAQAwZDEXMBUGA1UEAxMOQWVneXB0ZW4gVGVzdDUxEzARBgNVBAcT
Ck9zbmFicnVlY2sxDTALBgNVBAsTBExhYnMxGDAWBgNVBAoTD0ludGV2YXRpb24g
R21iSDELMAkGA1UEBhMCREUwgZ0wDQYJKoZIhvcNAQEBBQADgYsAMIGHAoGBAOjv
VgbQZ9CduwOYzt5riIixg3ZdCLpi6xWn46xaT5MNM49qKDzuy0dZQ4rt+LuZg5FL
cVSp5zqUYx2uLZO8IOTZOVNaU11Q1dIq08LACm/gAxlOX0ByFonrmkKEmMXNqSZp
3j1PTTn7FAylu71W9koU5st4s5TOtJbUQI0kncMlAgEpoDkwNwYJKoZIhvcNAQkO
MSowKDAmBgNVHREEHzAdgRthZWd5cHRlbnRlc3Q1QGludGV2YXRpb24uZGUwDQYJ
KoZIhvcNAQEFBQADgYEAA8fyzHGMh9lcSO7v/MuCCVJgQN6+bEDU/GTwsDqsD/tY
OP/bDdpoBq8FzHNc2xC1u8FfnWbI4SiWSvVZTO2r8bVkMoeINBcfmczKSN+TBm2H
OYgTge4ivRtKFkHw/4muy6faxKB37IziWeLtkWAkvvSzlby4DWfG/GNEsd5GsIY=
-----END CERTIFICATE REQUEST-----

$ grep '^subjectAltName' /spare/aegypten/openssl/ssl/openssl.cnf
subjectAltName=email:move

$ openssl ca -noemailDN -policy policy_anything -out newcert.pem -infiles newreq.pem
Using configuration from /spare/aegypten/openssl/ssl/openssl.cnf
Enter pass phrase for ./demoCA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Jun 20 17:04:17 2002 GMT
            Not After : Jun 20 17:04:17 2003 GMT
        Subject:
            countryName               = DE
            localityName              = Osnabrueck
            organizationName          = Intevation GmbH
            organizationalUnitName    = Labs
            commonName                = Aegypten Test5
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                72:7C:E9:78:AA:BB:01:A2:6F:92:7C:22:03:D1:D0:9E:74:7F:F3:F3
            X509v3 Authority Key Identifier:
                keyid:75:D0:0F:DB:51:35:F0:94:93:D6:53:F6:28:BF:04:CE:C9:F3:58:27
                DirName:/C=de/ST=Some-State/O=Intevation [EMAIL PROTECTED]
                serial:00
            X509v3 Subject Alternative Name:
                <EMPTY>
Certificate is to be certified until Jun 20 17:04:17 2003 GMT (365 days)
Sign the certificate? [y/n]:n
CERTIFICATE WILL NOT BE CERTIFIED
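The script below is an added example, not part of Bernhard's post and not run against the 2002 CVS build; it reproduces the setup above with a throwaway CA on a current OpenSSL (1.1.1 or later, since it uses "req -addext") and shows the two knobs that decide what ends up in the certificate's SAN. On current releases, "subjectAltName=email:move" in the CA's extension section only relocates an emailAddress that is present in the request's subject DN, and "openssl ca" does not carry a subjectAltName requested in the CSR into the certificate unless "copy_extensions" is set in the CA section; with "copy_extensions = copy" an extension that the CA config also defines still takes precedence, so a config SAN of "email:move" produces an empty SAN even then, and only "copyall" (or dropping SAN from the config) lets the CSR's SAN through. All file names, the CA DN and the e-mail address test5@example.com are made up for the demo.

```shell
#!/bin/sh
# Added example: throwaway CA showing how copy_extensions and
# subjectAltName=email:move interact in 'openssl ca'. Names are made up.
set -e
command -v openssl >/dev/null || { echo "openssl is required" >&2; exit 1; }

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"
mkdir -p ca/newcerts
: > ca/index.txt
echo 01 > ca/serial

# Minimal CA config. $1 = copy_extensions mode (none|copy|copyall);
# $2 = subjectAltName value for the CA-side extension section, "" = no SAN there.
write_ca_cnf() {
    san_line=""
    if [ -n "$2" ]; then san_line="subjectAltName = $2"; fi
    cat > ca.cnf <<EOF
[ ca ]
default_ca = demo
[ demo ]
dir = $WORK/ca
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
certificate = \$dir/cacert.pem
private_key = \$dir/cakey.pem
serial = \$dir/serial
default_md = sha256
default_days = 365
unique_subject = no
policy = policy_demo
copy_extensions = $1
x509_extensions = usr_cert
[ policy_demo ]
countryName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ usr_cert ]
basicConstraints = CA:FALSE
$san_line
[ req ]
distinguished_name = req_dn
[ req_dn ]
commonName = Common Name
EOF
}

# Self-signed CA plus one end-entity key, reused by every scenario.
write_ca_cnf none ""
openssl req -x509 -config ca.cnf -newkey rsa:2048 -nodes -days 365 \
    -keyout ca/cakey.pem -out ca/cacert.pem -subj "/C=DE/O=Demo CA/CN=Demo Root" 2>/dev/null
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out user.key 2>/dev/null

# SAN value as shown by -text: "<EMPTY>" for an empty extension, "(absent)" if none.
san_of() {
    san=$(openssl x509 -in "$1" -noout -text \
        | sed -n '/Subject Alternative Name/{n;p;}' | tr -d ' ')
    [ -n "$san" ] || san="(absent)"
    echo "$san"
}

subject_of() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//'
}

# One signing run. $1 copy_extensions mode, $2 config SAN ("" = none),
# $3 CSR subject, $4 SAN requested in the CSR ("" = none). Prints "SAN=... DN=...".
scenario() {
    write_ca_cnf "$1" "$2"
    rm -f req.pem cert.pem
    if [ -n "$4" ]; then
        openssl req -new -config ca.cnf -key user.key -out req.pem -subj "$3" \
            -addext "subjectAltName=$4" 2>/dev/null
    else
        openssl req -new -config ca.cnf -key user.key -out req.pem -subj "$3" 2>/dev/null
    fi
    # -noemailDN as in the post: emailAddress is kept out of the subject DN
    openssl ca -batch -notext -noemailDN -config ca.cnf -in req.pem -out cert.pem 2>/dev/null
    printf 'SAN=%s DN=%s\n' "$(san_of cert.pem)" "$(subject_of cert.pem)"
}

DN_NOMAIL="/C=DE/O=Intevation GmbH/CN=Aegypten Test5"
DN_MAIL="$DN_NOMAIL/emailAddress=test5@example.com"
REQ_SAN="email:test5@example.com"

echo "A: the post's setup (SAN only in CSR, email:move in config, copy_extensions=none)"
scenario none    "email:move" "$DN_NOMAIL" "$REQ_SAN"
echo "B: e-mail in the CSR subject DN; email:move relocates it into the SAN"
scenario none    "email:move" "$DN_MAIL"   ""
echo "C: copy_extensions=copy, but the config SAN still wins over the CSR SAN"
scenario copy    "email:move" "$DN_NOMAIL" "$REQ_SAN"
echo "D: copyall lets the CSR SAN replace the config SAN"
scenario copyall "email:move" "$DN_NOMAIL" "$REQ_SAN"
echo "E: copy with no SAN in the config takes the CSR SAN"
scenario copy    ""           "$DN_NOMAIL" "$REQ_SAN"
```

Run it with sh; each scenario prints one "SAN=... DN=..." line. Scenario A is the configuration from the post and yields an empty SAN on a current release as well, because email:move finds no emailAddress in the subject and the requested extension is never copied; B shows what email:move is actually for; C is the trap to check first when "copy_extensions = copy" appears not to work while the CA config also defines subjectAltName.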