req_extensions will put the names in a CSR (signing request) file when
running the "req" command.
x509_extensions will put the names in the actual certificate file when
running the "x509" command.
On 9/1/2011 7:37 PM, Hopkins, Nathan wrote:
Thanks - sorry my previous post wasn't clear enough. The
req_extensions value references the section I put the subject and alt
names in...
req_extensions = v3_req
[ v3_req ]
subjectAltName = @alt_names
Should this work?
----- Original Message -----
From: owner-openssl-us...@openssl.org <owner-openssl-us...@openssl.org>
To: openssl-users@openssl.org <openssl-users@openssl.org>
Sent: Thu Sep 01 18:26:42 2011
Subject: Re: Becoming a CA for group of internal servers?
Ah, there it is.
The "SubjectAltName = @alt_names" line is in the wrong section of your file.
You need to find the line that says "x509_extensions" (there may be more than
one; try to find the one that is used). That line contains the name of another
section, and that other section is the one that needs to say
"SubjectAltName = @alt_names" when you are generating the multi-name
certificate.
The mail you quote below mentions another way that does not involve putting
the names in an openssl.cnf file, but in another file that looks almost like an
openssl.cnf file. His example file does not contain multiple names, and
contains some other options that you probably won't need today, making it hard
to understand.
On 9/1/2011 7:09 PM, Hopkins, Nathan wrote:
>
> Apologies, I'm not sure I follow what you mean with below;
>
> I have copied openssl.cnf to customopenssl.cnf then edited the below
> lines to allow multiple hosts...
>
> req_extensions = v3_req
> SubjectAltName = @alt_names
> [alt_names]
> DNS.1 = server.domain.com
> DNS.2 = server
>
> Do I need to add more?
>
> ----- Original Message -----
> From: owner-openssl-us...@openssl.org <owner-openssl-us...@openssl.org>
> To: openssl-users@openssl.org <openssl-users@openssl.org>
> Sent: Thu Sep 01 08:00:17 2011
> Subject: Re: Becoming a CA for group of internal servers?
>
> you might want to read the description of the -extfile parameter of
> the x509 command
>
> an excerpt from curl-7.21.6/tests/certs/scripts/genserv.sh
> available at curl.haxx.se
>
> $OPENSSL req -config $PREFIX-sv.prm -newkey rsa:$KEYSIZE \
>     -keyout $PREFIX-sv.key -out $PREFIX-sv.csr
> $OPENSSL rsa -in $PREFIX-sv.key -out $PREFIX-sv.key
> $OPENSSL x509 -set_serial $SERIAL -extfile $PREFIX-sv.prm -days $DURATION \
>     -CA $CAPREFIX-ca.cacert -CAkey $CAPREFIX-ca.key -in $PREFIX-sv.csr \
>     -req -out $PREFIX-sv.crt -text -nameopt multiline -sha1
>
> with a $PREFIX-sv.prm like the following
>
> extensions = x509v3
> [ x509v3 ]
> subjectAltName = DNS:localhost
> keyUsage = keyEncipherment
> extendedKeyUsage = serverAuth
> subjectKeyIdentifier = hash
> authorityKeyIdentifier = keyid
> basicConstraints = critical,CA:false
> [ req ]
> default_bits = 1024
> distinguished_name = req_DN
> default_md = sha256
> string_mask = utf8only
> [ req_DN ]
> countryName = "Country Name is Northern Nowhere"
> countryName_value = NN
> organizationName = "Organization Name"
> organizationName_value = Edel Curl Arctic Illudium Research Cloud
> commonName = "Common Name"
> commonName_value = localhost
>
> [something]
> # The key
> # the certificate
> # some dhparam
>
> ______________________________________________________________________
> OpenSSL Project http://www.openssl.org
> User Support Mailing List openssl-users@openssl.org
> Automated List Manager majord...@openssl.org
>
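The point made at the top of the thread (req_extensions only affects the CSR; the signing step needs its own extension section, here supplied with -extfile as in the curl script) as an added, runnable example that is not part of any message above. It assumes the openssl CLI is installed; the CA name, hostnames and file names are constructed for the demo.

```shell
# Added example (not from the thread): a throwaway internal CA, a CSR whose
# SAN list is carried via req_extensions, and a signing step that uses
# -extfile/-extensions so the names also land in the certificate.
# Needs the openssl CLI; all names and paths are constructed for the demo.
set -e

make_san_cert() (
    dir=$(mktemp -d)
    cd "$dir"

    # One config serves both steps; the section name after req_extensions
    # must match the [ v3_req ] header exactly.
    cat > san.cnf <<'EOF'
[ req ]
distinguished_name = req_dn
req_extensions = v3_req
prompt = no
[ req_dn ]
CN = server.domain.com
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[ alt_names ]
DNS.1 = server.domain.com
DNS.2 = server
EOF

    # Self-signed CA for the internal servers (constructed name).
    openssl req -x509 -config san.cnf -extensions v3_ca -subj /CN=InternalCA \
        -newkey rsa:2048 -nodes -keyout ca.key -out ca.crt -days 1 2>/dev/null
    # Server key and CSR: req_extensions puts the SAN into the CSR only.
    openssl req -new -config san.cnf -newkey rsa:2048 -nodes \
        -keyout sv.key -out sv.csr 2>/dev/null
    # Sign: without -extfile/-extensions the CSR's SAN would be dropped.
    openssl x509 -req -in sv.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
        -extfile san.cnf -extensions v3_req -days 1 -out sv.crt 2>/dev/null

    # Report the SAN line of the signed certificate (empty if it is missing).
    openssl x509 -in sv.crt -noout -text | grep 'DNS:' || true
    cd / && rm -rf "$dir"
)
```

Re-running the signing step without `-extfile san.cnf -extensions v3_req` prints nothing, which is the symptom being debugged in this thread.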