On 2010-09-22, at 6:38 PM, Gaiseric Vandal wrote:

> Thanks for the link.
>
> I still need the CA to load the SAN parameter from the request- it looks
> like a lot of the defaults would be to copy the e-mail address into the SAN
> field.

Why? Why not just have the CA just put the appropriate value into the end Certificate?

> I don't use openssl at this point to generate certs for users. No one
> besides me uses openssl ca on this server anyway. Of course, that doesn't
> stop anyone from using openssl on their own machine to create whatever keys
> and certs they want anyway- I could create CA configuration for
> microsoft.com and use it to create send "Secure" e-mail from "microsoft."

If you don't use OpenSSL to generate certs, what tool are you using to Sign them then (generating and signing certs are pretty much the same option - perhaps you meant that you don't use OpenSSL to generate keypairs and CSRs?)?

> If I start dealing with user certificates then I would probably need a more
> full featured CA solution that allows web-based user requests and key escrow.
> I have started tinkering with the "DogTag" (opensource version of redhat
> cert server) but so far not sure if it supports the SAN extensions properly.
> I may have to suck it up and just install the MS CA services to have
> something that plays nice with MS Exchange and other MS services. I try to
> avoid MS Solutions because they tend to "optimize" standards.

I'm not sure what you are talking about - DogTag (and RedHat cert server) definitely can be configured to do just about anything you may need. And OpenSSL has absolutely no problem generating any certs that a Microsoft environment may need. Having OpenSSL generate certs that are usable for Exchange is rather trivial.

Anyways - Have fun.

---
Patrick Patterson
President and Chief PKI Architect
Carillon Information Security Inc.
http://www.carillon.ca
tel: +1 514 485 0789
mobile: +1 514 994 8699
fax: +1 450 424 9559

______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org
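
Added example, not part of the original thread or of either poster's setup: the two `openssl ca` behaviours discussed above, side by side, with the CA setting the SAN itself versus copying it from the request. It assumes OpenSSL 1.1.1 or later (for `-addext`); the throwaway CA, the `issue_cert` helper, and all names and addresses are constructed for illustration.

```shell
#!/bin/sh
# Added example. Throwaway CA in a temp dir; every name and address is constructed.
set -e

# issue_cert MODE CA_SAN_LINE CSR_SAN -> prints the SAN found in the issued cert
#   MODE        value for copy_extensions (none | copy)
#   CA_SAN_LINE line for the CA's own extension section (may be empty)
#   CSR_SAN     SAN value the requester puts in the CSR
issue_cert() (
    dir=$(mktemp -d) && cd "$dir"
    mkdir newcerts && : > index.txt && echo 01 > serial
    cat > ca.cnf <<EOF
[ req ]
distinguished_name = dn
[ dn ]
[ ca ]
default_ca = demo_ca
[ demo_ca ]
database = index.txt
new_certs_dir = newcerts
serial = serial
default_md = sha256
default_days = 30
unique_subject = no
policy = policy_any
x509_extensions = usr_cert
copy_extensions = $1
[ policy_any ]
commonName = supplied
[ usr_cert ]
basicConstraints = CA:FALSE
$2
EOF
    openssl req -config ca.cnf -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=Demo CA" -addext "basicConstraints=critical,CA:TRUE" \
        -keyout ca.key -out ca.crt 2>/dev/null
    openssl req -config ca.cnf -new -newkey rsa:2048 -nodes \
        -subj "/CN=Demo User" -addext "subjectAltName=$3" \
        -keyout user.key -out user.csr 2>/dev/null
    openssl ca -batch -notext -config ca.cnf -cert ca.crt -keyfile ca.key \
        -in user.csr -out user.crt 2>/dev/null
    openssl x509 -in user.crt -noout -text |
        grep -A1 "Subject Alternative Name" | tail -n 1 | sed 's/^ *//'
    cd / && rm -rf "$dir"
)

# CA decides the SAN; the value in the request is ignored.
issue_cert none "subjectAltName = email:alice@example.org" "email:ceo@example.net"
# CA copies whatever the requester asked for.
issue_cert copy "" "email:ceo@example.net"
```

With `copy_extensions = copy`, the issued certificate carries whatever SAN the requester wrote, so the CA operator has to review each request before signing.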