Ah, there it is.

The "SubjectAltName = @alt_names" line is in the wrong section of your file.

You need to find the line that says "x509_extensions" (there may be more than
one; try to find the one that is used). That line contains the name of another
section, and that other section is the one that needs to say
"SubjectAltName = @alt_names" when you are generating the multi-name
certificate.

The mail you quote below mentions another way that does not involve putting
the names in an openssl.cnf file, but in another file that looks almost like
an openssl.cnf file. His example file does not contain multiple names, and
contains some other options that you probably won't need today, making it
hard to understand.

On 9/1/2011 7:09 PM, Hopkins, Nathan wrote:

Apologies, I'm not sure I follow what you mean with the below;

I have copied openssl.cnf to customopenssl.cnf then edited the below lines to allow multiple hosts...


req_extensions = v3_req
SubjectAltName = @alt_names

[alt_names]
DNS.1 = server.domain.com
DNS.2 = server

Do I need to add more?



----- Original Message -----
From: owner-openssl-us...@openssl.org <owner-openssl-us...@openssl.org>
To: openssl-users@openssl.org <openssl-users@openssl.org>
Sent: Thu Sep 01 08:00:17 2011
Subject: Re: Becoming a CA for group of internal servers?


you might want to read the description of the -extfile parameter of the x509 command

an excerpt from curl-7.21.6/tests/certs/scripts/genserv.sh available at curl.haxx.se

$OPENSSL req -config $PREFIX-sv.prm -newkey rsa:$KEYSIZE -keyout $PREFIX-sv.key -out $PREFIX-sv.csr
$OPENSSL rsa -in $PREFIX-sv.key -out $PREFIX-sv.key
$OPENSSL x509 -set_serial $SERIAL -extfile $PREFIX-sv.prm -days $DURATION -CA $CAPREFIX-ca.cacert -CAkey $CAPREFIX-ca.key -in $PREFIX-sv.csr -req -out $PREFIX-sv.crt -text -nameopt multiline -sha1

with a $PREFIX-sv.prm like the following

extensions = x509v3
[ x509v3 ]
subjectAltName         = DNS:localhost
keyUsage               = keyEncipherment
extendedKeyUsage       = serverAuth
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid
basicConstraints       = critical,CA:false
[ req ]
default_bits           = 1024
distinguished_name     = req_DN
default_md             = sha256
string_mask            = utf8only
[ req_DN ]
countryName            = "Country Name is Northern Nowhere"
countryName_value      = NN
organizationName       = "Organization Name"
organizationName_value = Edel Curl Arctic Illudium Research Cloud
commonName             = "Common Name"
commonName_value       = localhost

[something]
# The key
# the certificate
# some dhparam

______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
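
A check for the placement problem described in the reply at the top of this thread, as an added example that is not part of the original messages: it parses an openssl.cnf-style file and reports whether the subjectAltName line sits in a section named by x509_extensions or req_extensions. The function names and both sample configurations are constructed for illustration, and the parser handles only plain `[section]` and `key = value` lines.

```python
import re

EXT_KEYS = ("x509_extensions", "req_extensions")  # the two keys named in the thread

def parse_cnf(text):
    """Parse openssl.cnf-style text into {section: {key: value}}."""
    sections, current = {"default": {}}, "default"
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and padding
        header = re.fullmatch(r"\[\s*(\S+)\s*\]", line)
        if header:
            current = header.group(1)
            sections.setdefault(current, {})
        elif "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            sections[current][key] = value
    return sections

def check_san(text):
    """Classify sections by where subjectAltName sits (key matched case-insensitively)."""
    cnf = parse_cnf(text)
    # Sections that some x509_extensions / req_extensions line points at.
    in_use = {v for body in cnf.values() for k, v in body.items() if k in EXT_KEYS}
    report = {"ok": [], "misplaced": [], "missing": [], "dangling": []}
    for name, body in cnf.items():
        san = next((v for k, v in body.items() if k.lower() == "subjectaltname"), None)
        if san is None and name in in_use:
            report["missing"].append(name)       # extension section without the names
        elif san is not None:
            report["ok" if name in in_use else "misplaced"].append(name)
            if san.startswith("@") and san[1:] not in cnf:
                report["dangling"].append(san[1:])  # @section that is not defined
    return report

# Constructed sample: the lines from the quoted message, placed in a [ req ] section.
BROKEN = """
[ req ]
req_extensions = v3_req
SubjectAltName = @alt_names
[ v3_req ]
basicConstraints = CA:FALSE
[ alt_names ]
DNS.1 = server.domain.com
DNS.2 = server
"""
# Same file with the line moved into the section that req_extensions names,
# spelled as in the quoted genserv.sh parameter file.
FIXED = BROKEN.replace("SubjectAltName = @alt_names\n", "").replace(
    "[ v3_req ]\n", "[ v3_req ]\nsubjectAltName = @alt_names\n")
if __name__ == "__main__":
    print(check_san(BROKEN), check_san(FIXED), sep="\n")
```
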

