Apologies, I'm not sure I follow what you mean by the below;

I have copied openssl.cnf to customopenssl.cnf then edited the below lines to 
allow multiple hosts….


req_extensions = v3_req
subjectAltName = @alt_names

[alt_names]
DNS.1 = server.domain.com
DNS.2 = server

Do I need to add more?



----- Original Message -----
From: owner-openssl-us...@openssl.org <owner-openssl-us...@openssl.org>
To: openssl-users@openssl.org <openssl-users@openssl.org>
Sent: Thu Sep 01 08:00:17 2011
Subject: Re: Becoming a CA for group of internal servers?


You might want to read the description of the -extfile parameter of the x509 command.

An excerpt from curl-7.21.6/tests/certs/scripts/genserv.sh, available at curl.haxx.se:

$OPENSSL req -config $PREFIX-sv.prm -newkey rsa:$KEYSIZE -keyout $PREFIX-sv.key \
    -out $PREFIX-sv.csr
$OPENSSL rsa -in $PREFIX-sv.key -out $PREFIX-sv.key
$OPENSSL x509 -set_serial $SERIAL -extfile $PREFIX-sv.prm -days $DURATION \
    -CA $CAPREFIX-ca.cacert -CAkey $CAPREFIX-ca.key -in $PREFIX-sv.csr -req \
    -out $PREFIX-sv.crt -text -nameopt multiline -sha1

with a $PREFIX-sv.prm like the following

extensions = x509v3
[ x509v3 ]
subjectAltName         = DNS:localhost
keyUsage               = keyEncipherment
extendedKeyUsage       = serverAuth
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid
basicConstraints       = critical,CA:false
[ req ]
default_bits           = 1024
distinguished_name     = req_DN
default_md             = sha256
string_mask            = utf8only
[ req_DN ]
countryName            = "Country Name is Northern Nowhere"
countryName_value      = NN
organizationName       = "Organization Name"
organizationName_value = Edel Curl Arctic Illudium Research Cloud
commonName             = "Common Name"
commonName_value       = localhost

[something]
# The key
# the certificate
# some dhparam

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
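
Added example, not part of the thread and not taken from curl's genserv.sh: it shows why the -extfile hint matters, because "openssl x509 -req" does not copy the extensions requested in a CSR unless they are supplied again at signing time. The throwaway CA, the v3_ca section, the file names, rsa:2048, -sha256 and the 1-day lifetimes are assumptions made for the demo.

```shell
#!/bin/sh
# Constructed demo: file names, subjects and 1-day lifetimes are assumptions.
# Usage: san_demo "$(mktemp -d)"

write_conf() {   # one file serves both "req" and "x509 -extfile"
    cat > "$1/customopenssl.cnf" <<'EOF'
[ req ]
prompt             = no
distinguished_name = req_DN
req_extensions     = v3_req
[ req_DN ]
CN = server.domain.com
[ v3_req ]
subjectAltName = @alt_names
[ alt_names ]
DNS.1 = server.domain.com
DNS.2 = server
[ v3_ca ]
basicConstraints = critical,CA:true
EOF
}

make_ca_and_csr() {   # throwaway CA, then a CSR that requests the SANs
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo Internal CA" \
        -config "$1/customopenssl.cnf" -extensions v3_ca \
        -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null &&
    openssl req -new -newkey rsa:2048 -nodes -config "$1/customopenssl.cnf" \
        -keyout "$1/sv.key" -out "$1/sv.csr" 2>/dev/null
}

sign() {   # sign <dir> <outfile> [extra "openssl x509" arguments...]
    d=$1; out=$2; shift 2
    openssl x509 -req -in "$d/sv.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
        -set_serial 1 -days 1 -sha256 "$@" -out "$d/$out" 2>/dev/null
}

san_of() {   # print the SAN DNS entries of a certificate, or nothing
    openssl x509 -in "$1" -noout -text | grep 'DNS:' | tr -d ' '
}

san_demo() {
    write_conf "$1" && make_ca_and_csr "$1" || return 1
    sign "$1" plain.crt    # the CSR's requested extensions are not copied
    sign "$1" san.crt -extfile "$1/customopenssl.cnf" -extensions v3_req
    echo "without -extfile: [$(san_of "$1/plain.crt")]"
    echo "with    -extfile: [$(san_of "$1/san.crt")]"
}
```

Checking the issued certificate with "openssl x509 -noout -text", as san_of does, is the reliable way to confirm that both host names were actually included.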
