> Nit: I forgot to say last time, but this doesn't sign the CSR.
> It creates a cert from the CSR, and signs the cert.
Got it. Thanks.

> copy_extensions = copy or copyall

Bingo! Thanks again.

> Per 'man ca',

All the information may be out there but it is hard to know where to look for the answer to which problem.

Charles

-----Original Message-----
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Dave Thompson
Sent: Monday, August 20, 2012 5:11 PM
To: openssl-users@openssl.org
Subject: RE: Losing extension Alternative Names on signing

> From: owner-openssl-us...@openssl.org On Behalf Of Charles Mills
> Sent: Monday, 20 August, 2012 16:05

> I create a certificate request that includes -reqexts usr_cert. The
> [ usr_cert ] section specifies two additional names.
>
> I display the request and see them:
<snip>
> I then sign the request with
>

Nit: I forgot to say last time, but this doesn't sign the CSR. It creates a cert from the CSR, and signs the cert. The cert is related to the CSR in important ways, but is NOT the same thing. This is a too-common mistake but actually somewhat relevant here.

> openssl.exe ca -in MYNOTEBOOK_server.req.pem -config CMC_root_config.cnf -out MYNOTEBOOK_server.pem -verbose -cert CMC_root.pem -keyfile CMC_root.key.pem
>
> I see the two alternative names in the verbose output. The signed
> certificate issues. But now it's missing the two alternative names. I
> see only
>
> X509v3 extensions:
>     X509v3 Basic Constraints:
>         CA:FALSE
> Signature Algorithm: sha1WithRSAEncryption
>

ca -verbose displays the request and the extension is in the request, but not the cert. The cert is not the request.

> How do I get ca to keep my alternative names?
>

Per 'man ca', in the config file used for 'ca' in the (selected) ca section, copy_extensions = copy or copyall . The manpage warns against the latter, unless you completely trust the source of the requests. Here the source of the requests is yourself and you presumably trust yourself.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
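
Added example, not part of the original thread: a shell function that builds a throwaway CA in a temporary directory, signs the same request with `copy_extensions` set to `none` and then to `copy`, and prints the Subject Alternative Name value of each issued certificate. All section names, host names and file names are constructed for the demo, and it assumes an `openssl` binary on the PATH.

```shell
# Constructed demo: throwaway CA in a temp dir; every name below is a placeholder.
# issue_and_show_san <none|copy>: sign one CSR with 'openssl ca' under that
# copy_extensions policy and print the cert's SAN value (empty if it has none).
issue_and_show_san() {
    policy=$1
    dir=$(mktemp -d) || return 1
    rc=0
    (
        cd "$dir" || exit 1
        mkdir newcerts && : > index.txt && echo 01 > serial
        cat > ca.cnf <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
new_certs_dir = ./newcerts
database = ./index.txt
serial = ./serial
default_md = sha256
default_days = 30
policy = policy_any
x509_extensions = issued_ext
copy_extensions = $policy
[ policy_any ]
commonName = supplied
[ issued_ext ]
basicConstraints = CA:FALSE
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = demo.example.test
[ req_san ]
subjectAltName = DNS:demo.example.test, DNS:alt.example.test
EOF
        openssl req -x509 -newkey rsa:2048 -nodes -config ca.cnf -subj "/CN=Demo Root" \
            -keyout ca.key -out ca.pem -days 30 2>/dev/null
        openssl req -new -newkey rsa:2048 -nodes -config ca.cnf -reqexts req_san \
            -keyout srv.key -out srv.csr 2>/dev/null
        # 'ca' builds a new cert from the CSR; the SAN survives only if the policy copies it.
        openssl ca -batch -notext -config ca.cnf -in srv.csr -out srv.pem \
            -cert ca.pem -keyfile ca.key 2>/dev/null
        openssl x509 -in srv.pem -noout -text |
            grep -A1 'Subject Alternative Name' | tail -n 1 | sed 's/^ *//'
    ) || rc=$?
    rm -rf "$dir"
    return $rc
}
echo "none: $(issue_and_show_san none)"
echo "copy: $(issue_and_show_san copy)"
```

With `copy`, only extensions not already set by the CA's own `x509_extensions` section are taken from the request, so the `basicConstraints = CA:FALSE` chosen by the CA stays in force.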