Many thanks again, okay a little progress now... after creating the request by running:

    openssl req -new -key server.key -out server.csr -config customopenssl.cnf

then viewing with:

    openssl req -in server.csr -text -noout

I can see the S-A-N. However, when I then sign with:

    openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt -days 365

and then view with:

    openssl x509 -in server.crt -text -noout

I do not see the S-A-N? I assume I should expect to see this in the signed .crt? When I created my ca.crt I did not have an updated customopenssl.cnf; do I need to re-create my ca.crt?

-----Original Message-----
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Dave Thompson
Sent: 01 September 2011 20:51
To: openssl-users@openssl.org
Subject: RE: Becoming a CA for group of internal servers?

> From: owner-openssl-us...@openssl.org On Behalf Of Hopkins, Nathan
> Sent: Wednesday, 31 August, 2011 21:32

> I tested with below, all looks good. After running I am converting
> to .der files and generating a keystore with ImportKey.java -
> could this be removing what is needed?

"looks good" means 'x509 -text -noout' DOES show S-A-N?

If it's in the cert at all, it's within the signed part, so nothing
that processes the cert can remove or modify it without invalidating
the signature, which should cause (hopefully obvious) errors whenever
it is used for anything.

> From: owner-openssl-us...@openssl.org <owner-openssl-us...@openssl.org>
> Before using the cert, test it with the command:
> openssl x509 -in yourcert.cer -noout -text
> If the parameters were in the right place, you should see all the extra
> names as "SubjectAlternativeName" attributes in the cert.

> On 8/31/2011 11:52 PM, Hopkins, Nathan wrote:
<snip>
> > I have also observed when viewing the certificates I am unable to see
> > any references to the alt_names added, I have double checked the CA
> > certificate created with below steps has been successfully added to
> > Authorities and for the CN it works as expected.

'viewing the certificates' where and how?
If it's in a java keystore, keytool -list -v should show all extensions
including S-A-N.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
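The following script is an added example, not part of the thread: it reproduces the reporter's req/sign/inspect flow in a scratch directory and checks at each step whether the SAN is actually present. File names follow the thread (ca.key, ca.crt, server.key, server.csr, server.crt); the CN, SAN values, the -addext shortcut standing in for customopenssl.cnf, and the san.ext file passed to -extfile are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the thread): does the SAN in the CSR survive signing?
# Requires OpenSSL 1.1.1 or later for -addext. Names and values are constructed.
set -e
WORK=$(mktemp -d)
cd "$WORK"

# Return 0 when a PEM CSR ("req") or cert ("x509") carries a SAN extension.
has_san() {
    openssl "$1" -in "$2" -noout -text | grep -q 'Subject Alternative Name'
}

# Throw-away CA, standing in for the thread's ca.key / ca.crt.
openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.crt -days 30 \
    -subj '/CN=Internal Test CA' 2>/dev/null

# CSR with a SAN; the thread gets this from customopenssl.cnf, -addext is the shortcut.
openssl req -new -newkey rsa:2048 -nodes -keyout server.key -out server.csr \
    -subj '/CN=intranet.example.test' \
    -addext 'subjectAltName=DNS:intranet.example.test,DNS:intranet' 2>/dev/null
has_san req server.csr && echo "CSR: SAN present"

# Sign exactly as the reporter did. 'x509 -req' does not copy extensions from
# the CSR by default, so the SAN is silently dropped from the signed cert.
sign_plain() {
    openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
        -out server.crt -days 365 2>/dev/null
    if has_san x509 server.crt; then echo present; else echo absent; fi
}

# Same signing step, but hand the SAN to the signer via an extensions file.
sign_with_ext() {
    printf 'subjectAltName=DNS:intranet.example.test,DNS:intranet\n' > san.ext
    openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
        -out server-san.crt -days 365 -extfile san.ext 2>/dev/null
    if has_san x509 server-san.crt; then echo present; else echo absent; fi
}

echo "signed without -extfile: $(sign_plain)"
echo "signed with    -extfile: $(sign_with_ext)"
```

The CA certificate itself plays no part in this: the SAN is lost (or kept) purely by how the signing command is invoked, so the ca.crt does not need to be re-created.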