On Tue, Dec 11, 2012 at 6:10 PM, Dave Thompson <dthomp...@prinpay.com>wrote:
> >From: owner-openssl-us...@openssl.org On Behalf Of Michael Mueller > >Sent: Tuesday, 11 December, 2012 15:45 > > >Could I get a nudge. I'd like to get the SANs to show up in my certs. > > >in my request: <snip BC, KU, SAN> > > >what I get in the resulting certificate: <snip only BC> > > It depends on the CA, i.e. the person or organization who issues the certs. > > If you are the CA, and you are using openssl 'ca' commandline, > configure copy_extensions as per the man page (and read the warning). > If you don't have man pages on your system e.g. Windows > http://www.openssl.org/docs/apps/ca.html > > Right now, I am the CA using 'openssl ca' in a closed environment. I think copy_extensions will do the trick; I'll give it a try tomorrow AM. > If you are the CA using openssl 'x509 -req', you can't take > it from the CSR, but you can supply this (or any other) extension > directly at issue time. If you do both the CSR and the issue > yourself, a few seconds apart, this difference may not matter. > > This sounds like what my CA will be doing - they told me to list my SANs in an email along with my reqs because they had to add it in. > If the CA is somebody else, ask them. Maybe you can click > a form. Maybe you must sacrifice a goat. It's up to the CA. > I'll keep the goat advice handy just in case. Hope it doesn't come to that. Big thanks.
