Hi,

I'm trying to create a CSR with subjectAltName = IP
address of "10.1.2.34" (dotted decimal) by specifying
it in openssl.cnf.

(This is for an IPsec gateway machine on Linux, for
which I've already created an RSA private-key.  The
intention is to get the CA to issue a machine
certificate for this IP address.)

But when I did an "openssl asn1parse ... -dump" on my
CSR, the hex dump didn't show subjectAltName.

So I have the following 2 urgent questions:
(1)  What exactly are the changes I need to make to
openssl.cnf?
Do I need to specify subjectAltName in the new_oids
section?  If so, what is its OID -- is it 2.5.29.17,
or 2.5.29.18?
Or should the changes be to a different section?
How do I actually specify that it's an IP address?
How do I specify its actual value, "10.1.2.34"?

(2)  How can I display the CSR's subjectAltName
extension and value to confirm that it's "10.1.2.34"?


And the following non-urgent question:
(3)  Ideally, I'd like to specify the subjectAltName
and leave the subject DN empty.  RFC 3280 allows that.
 But OpenSSL seems to have a bug in that it doesn't
let me leave the subject DN empty.  Or is it the case
that I've misconfigured subjectAltName, so that
leaving out subject DN as well results in an RFC 3280
violation?

Thank you very much, in advance.

Eva Brick


                
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
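
The request described in the message above, as an added example that is not part of the original post: subjectAltName is a built-in extension (OID 2.5.29.17; 2.5.29.18 is issuerAltName), so it is set through `req_extensions` rather than `new_oids`, and `openssl req -text` shows the decoded value. The file names, the CN and the throwaway key are assumptions made for the example.

```shell
#!/bin/sh
# Added example: build a CSR whose subjectAltName is the IP address 10.1.2.34,
# then read the extension back. File names and the CN are constructed.

# write_cnf FILE IP: minimal request config; the SAN goes in the section
# named by req_extensions, not in new_oids.
write_cnf() {
    cat > "$1" <<EOF
[ req ]
distinguished_name = req_dn
req_extensions     = v3_req
prompt             = no

[ req_dn ]
CN = ipsec-gw.example

[ v3_req ]
subjectAltName = IP:$2
EOF
}

# make_csr DIR IP: generate a throwaway RSA key and the CSR, print the CSR path.
make_csr() {
    write_cnf "$1/san.cnf" "$2" || return 1
    openssl genrsa -out "$1/gw.key" 2048 2>/dev/null || return 1
    openssl req -new -key "$1/gw.key" -config "$1/san.cnf" -out "$1/gw.csr" || return 1
    printf '%s\n' "$1/gw.csr"
}

# csr_san CSR: print the decoded subjectAltName value line from the CSR.
csr_san() {
    openssl req -in "$1" -noout -text |
        grep -A1 'X509v3 Subject Alternative Name' | tail -n 1 |
        sed 's/^ *//; s/ *$//'
}

# check_csr_ip CSR IP: succeed only if the CSR carries exactly that IP as a SAN.
check_csr_ip() {
    csr_san "$1" | tr ',' '\n' | sed 's/^ *//; s/ *$//' | grep -qxF "IP Address:$2"
}

main() {
    dir=$(mktemp -d) || exit 1
    csr=$(make_csr "$dir" 10.1.2.34) || exit 1
    csr_san "$csr"
    check_csr_ip "$csr" 10.1.2.34 && echo "SAN present" || echo "SAN missing"
    rm -rf "$dir"
}
main
```

For an existing key, pass it to `openssl req -new -key` in place of the generated one; the CA must still be configured to copy or set the extension when it signs.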
