Thanks - sorry my previous post wasn't clear enough; the req_extensions value references the section I put the subject alt names in...

req_extensions = v3_req

[ v3_req ]
SubjectAltName = @alt_names

Should this work?

----- Original Message -----
From: owner-openssl-us...@openssl.org <owner-openssl-us...@openssl.org>
To: openssl-users@openssl.org <openssl-users@openssl.org>
Sent: Thu Sep 01 18:26:42 2011
Subject: Re: Becoming a CA for group of internal servers?

Ah, there it is. The "SubjectAltName = @alt_names" line is in the wrong section of your file. You need to find the line that says "x509_extensions" (there may be more than one; try to find the one that is used). That line contains the name of another section, and that other section is the one that needs to say "SubjectAltName = @alt_names" when you are generating the multi-name certificate.

The mail you quote below mentions another way that does not involve putting the names in an openssl.cnf file, but in another file that looks almost like an openssl.cnf file. His example file does not contain multiple names, and contains some other options that you probably won't need today, making it hard to understand.

On 9/1/2011 7:09 PM, Hopkins, Nathan wrote:
>
> Apologies, I'm not sure I follow what you mean with the below;
>
> I have copied openssl.cnf to customopenssl.cnf, then edited the below
> lines to allow multiple hosts...
>
> req_extensions = v3_req
> SubjectAltName = @alt_names
> [alt_names]
> DNS.1 = server.domain.com
> DNS.2 = server
>
> Do I need to add more?
>
> ----- Original Message -----
> From: owner-openssl-us...@openssl.org <owner-openssl-us...@openssl.org>
> To: openssl-users@openssl.org <openssl-users@openssl.org>
> Sent: Thu Sep 01 08:00:17 2011
> Subject: Re: Becoming a CA for group of internal servers?
>
> > You might want to read the description of the -extfile parameter of
> > the x509 command.
> >
> > An excerpt from curl-7.21.6/tests/certs/scripts/genserv.sh,
> > available at curl.haxx.se:
> >
> > $OPENSSL req -config $PREFIX-sv.prm -newkey rsa:$KEYSIZE -keyout $PREFIX-sv.key -out $PREFIX-sv.csr
> > $OPENSSL rsa -in $PREFIX-sv.key -out $PREFIX-sv.key
> > $OPENSSL x509 -set_serial $SERIAL -extfile $PREFIX-sv.prm -days $DURATION -CA $CAPREFIX-ca.cacert -CAkey $CAPREFIX-ca.key -in $PREFIX-sv.csr -req -out $PREFIX-sv.crt -text -nameopt multiline -sha1
> >
> > with a $PREFIX-sv.prm like the following:
> >
> > extensions = x509v3
> > [ x509v3 ]
> > subjectAltName = DNS:localhost
> > keyUsage = keyEncipherment
> > extendedKeyUsage = serverAuth
> > subjectKeyIdentifier = hash
> > authorityKeyIdentifier = keyid
> > basicConstraints = critical,CA:false
> > [ req ]
> > default_bits = 1024
> > distinguished_name = req_DN
> > default_md = sha256
> > string_mask = utf8only
> > [ req_DN ]
> > countryName = "Country Name is Northern Nowhere"
> > countryName_value = NN
> > organizationName = "Organization Name"
> > organizationName_value = Edel Curl Arctic Illudium Research Cloud
> > commonName = "Common Name"
> > commonName_value = localhost
> >
> > [something]
> > # The key
> > # the certificate
> > # some dhparam
> >
> > ______________________________________________________________________
> > OpenSSL Project                                 http://www.openssl.org
> > User Support Mailing List                    openssl-users@openssl.org
> > Automated List Manager                           majord...@openssl.org
> > ______________________________________________________________________
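An added worked example, not from the thread and not curl's genserv.sh, that runs the whole procedure the two replies describe end to end: a SAN section reached through req_extensions so the names land in the CSR, and the same section handed to the signer with -extfile/-extensions, because "openssl x509 -req" does not carry extensions over from the CSR on its own (OpenSSL 3.0 added -copy_extensions for that; "openssl ca" instead takes them from the section named by x509_extensions, or from the CSR when copy_extensions = copy is set). It also reproduces the failure mode the thread is circling: the same CSR signed without -extfile yields a certificate with no SAN at all. Two practical points the thread does not state: extension names in the config are case-sensitive, so the line must read subjectAltName (the capitalised spelling is rejected as an unknown extension name), and once a SAN is present TLS clients match host names against it and not the CN, so every name clients will use belongs in alt_names. The two host names come from the thread; the CA name, file names and temporary directory are made up for the demo.

```sh
#!/bin/sh
# Added example, not from the thread. Issue a two-name server certificate
# (DNS.1 = server.domain.com, DNS.2 = server, as in the thread) from a
# throwaway private CA. CA name, file names and work directory are made up.
set -e
command -v openssl >/dev/null 2>&1 || { echo "openssl not installed, skipping"; exit 0; }

WORK=$(mktemp -d)
cd "$WORK"

# CA config: x509_extensions names the section "req -x509" applies to the
# self-signed CA certificate.
cat > ca.cnf <<'EOF'
[ req ]
default_bits         = 2048
prompt               = no
distinguished_name   = ca_dn
x509_extensions      = v3_ca

[ ca_dn ]
CN = Internal Test CA

[ v3_ca ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF

# Server config: req_extensions names the section "req -new" puts into the CSR.
# Extension names are case-sensitive: subjectAltName, not SubjectAltName.
cat > server.cnf <<'EOF'
[ req ]
default_bits         = 2048
prompt               = no
distinguished_name   = server_dn
req_extensions       = v3_req

[ server_dn ]
CN = server.domain.com

[ v3_req ]
basicConstraints     = CA:FALSE
keyUsage             = digitalSignature, keyEncipherment
extendedKeyUsage     = serverAuth
subjectAltName       = @alt_names

[ alt_names ]
DNS.1 = server.domain.com
DNS.2 = server
EOF

# 1. Self-signed CA certificate and key.
openssl req -new -x509 -days 365 -nodes -config ca.cnf \
    -keyout ca.key -out ca.crt 2>/dev/null

# 2. Server key and CSR; the CSR carries the SAN from v3_req.
openssl req -new -nodes -config server.cnf \
    -keyout server.key -out server.csr 2>/dev/null

# 3a. The trap: "x509 -req" ignores the CSR's extensions, so this cert has no SAN.
openssl x509 -req -days 365 -sha256 -in server.csr \
    -CA ca.crt -CAkey ca.key -CAcreateserial -out server-nosan.crt 2>/dev/null

# 3b. The fix: hand the extension section to the signer with -extfile/-extensions.
openssl x509 -req -days 365 -sha256 -in server.csr \
    -CA ca.crt -CAkey ca.key -CAcreateserial \
    -extfile server.cnf -extensions v3_req -out server.crt 2>/dev/null

# Print the SAN line of a certificate (empty when the extension is absent).
san_of() {
    openssl x509 -in "$1" -noout -text \
        | grep -A1 'Subject Alternative Name' | tail -n 1 | sed 's/^[[:space:]]*//'
}

# Chain check against the CA; exit status 0 on success.
chains_to_ca() {
    openssl verify -CAfile ca.crt "$1" >/dev/null 2>&1
}

# Hostname check the way a TLS client does it: $2 must match a SAN dNSName of $1.
matches_host() {
    openssl verify -CAfile ca.crt -verify_hostname "$2" "$1" >/dev/null 2>&1
}

echo "no -extfile  : SAN='$(san_of server-nosan.crt)'"
echo "with -extfile: SAN='$(san_of server.crt)'"
```

Both certificates chain to the CA, but only server.crt carries "DNS:server.domain.com, DNS:server"; a client connecting to https://server/ accepts it and rejects server-nosan.crt, whose only name is the CN. Swap the x509 -req step for "openssl ca" with an x509_extensions line pointing at v3_req (or copy_extensions = copy) and the result is the same.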