Hi, I have some firewalls that put a subjectAltName X509v3 attribute into the CSR, but when I sign them with my openssl CA, it just throws that attribute away. VPN clients later require the subjectAltName to match the host they connect to, hence it must be present.
I've found many articles on how I can add that attribute by using a custom config file and the -extfile <file> and -extensions <section> parameters. I've used that as a "workaround" to get subjectAltName into certificates, but it would be better if I could just sign CSRs and use the subjectAltName already specified there. Are there any security reasons as to why "openssl x509 -req" strips the attributes, or how can I make a custom config file that lets me use the X509v3 extended attributes exactly as they are in the CSR?

//Greger
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org
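The behaviour described in the post above, reproduced as an added example that is not part of the original message: a CSR carrying subjectAltName is signed with "openssl x509 -req" once without and once with the -extfile / -extensions workaround, and each result is checked for the SAN. The test CA, the host name vpn.example.com, the section name "san" and all file names are constructed for the illustration.

```shell
#!/bin/sh
# Added example. Test CA, vpn.example.com and all file names are constructed.
set -e
WORK=$(mktemp -d)            # scratch directory for keys, CSR and certificates
SAN="DNS:vpn.example.com"    # constructed name the VPN clients would check

setup() {
    # Request config that puts subjectAltName into the CSR, as the firewalls do.
    printf '%s\n' '[req]' 'distinguished_name = dn' 'req_extensions = v3_req' \
        'prompt = no' '[dn]' 'CN = vpn.example.com' \
        '[v3_req]' "subjectAltName = $SAN" > "$WORK/req.cnf"
    # Extension file used on the CA side: the -extfile / -extensions workaround.
    printf '%s\n' '[san]' "subjectAltName = $SAN" > "$WORK/ext.cnf"
    # Throwaway self-signed CA and the device CSR.
    openssl req -x509 -new -newkey rsa:2048 -nodes -days 1 -config "$WORK/req.cnf" \
        -subj "/CN=Test CA" -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -config "$WORK/req.cnf" \
        -keyout "$WORK/fw.key" -out "$WORK/fw.csr" 2>/dev/null
}

# sign OUT [extra x509 options...]: sign fw.csr with the test CA.
sign() {
    out=$1; shift
    openssl x509 -req -in "$WORK/fw.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
        -CAcreateserial -days 1 -out "$WORK/$out" "$@" 2>/dev/null
}

# has_san KIND FILE: succeed if the text dump of FILE (req or x509) lists $SAN.
has_san() {
    dump=$(openssl "$1" -in "$WORK/$2" -noout -text)
    case $dump in *"$SAN"*) return 0 ;; *) return 1 ;; esac
}

report() {
    if has_san "$1" "$2"; then echo "$2: SAN present"; else echo "$2: SAN missing"; fi
}

setup
sign plain.crt                                            # no extension file
sign fixed.crt -extfile "$WORK/ext.cnf" -extensions san   # the workaround
report req fw.csr
report x509 plain.crt
report x509 fixed.crt
```

In the second signing the subjectAltName value comes from the CA's own extension file, not from the request, so the CA operator decides which names end up in the certificate.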