On 5/23/2013 6:21 PM, Craig White wrote:
> hmmm… I guess it may not be there but it's there in the cert that I signed with
> my CA self which is using the same csr
>
> Is there something wrong with the way I am generating them?
>
> openssl req -new -nodes \
>   -out $CERTPATH/http.csr \
>   -keyout $CERTPATH/http.key \
>   -days 3650 \
>   -config $CONFIG

Depends what is in your config!

In the config I use for such I have (other lines omitted for clarity):

[req]
# Other stuff
req_extensions = v3_req

[ v3_req ]
# Other stuff
subjectAltName = @alt_names

[alt_names]
# Remember to repeat the CN as one of the ALT Names,
# Someone published an RFC that said to ignore the CN if there are
# any ALT names and some idiots implemented this misprint
# literally.
# The lines that start with DNS are for "DNS names", that is web
# servers etc., there are other words to use for other name
# types, and those type indicators become part of the request
# (and the certificate if it copies the alt names)
DNS.0 = www.example.com
DNS.1 = example.com
DNS.2 = web.example.com

> openssl ca \
>   -config $CONFIG \
>   -policy policy_anything \
>   -out $CERTPATH/http.pem \
>   -infiles $CERTPATH/http.csr

Does the config file used by your CA say to copy the Alt names
extension from the requests?
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. http://www.wisemo.com
Transformervej 29, 2730 Herlev, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org
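
Added example, not part of the original message and not the poster's or the OpenSSL project's own configuration: the question the reply ends on, run end to end with a throwaway CA, showing that the alt names in the CSR reach the issued certificate only when the CA section sets `copy_extensions = copy`. Assumptions: the section name `demo_ca`, the temporary paths, the 30-day lifetimes and the "Demo CA" subject are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the thread. Every name and path here is constructed.
# issue_and_show_san MODE: sign one CSR with a throwaway CA whose config sets
# copy_extensions = MODE, then print the SAN line of the issued certificate
# (prints nothing when the CA dropped the extension).
issue_and_show_san() {
    d=$(mktemp -d) || return 1
    mkdir "$d/newcerts" && : > "$d/index.txt" && echo 01 > "$d/serial"
    cat > "$d/openssl.cnf" <<EOF
[req]
distinguished_name = dn
req_extensions = v3_req
prompt = no
[dn]
CN = www.example.com
[v3_req]
subjectAltName = @alt_names
[alt_names]
DNS.0 = www.example.com
DNS.1 = example.com
DNS.2 = web.example.com
[ca]
default_ca = demo_ca
[demo_ca]
database = $d/index.txt
new_certs_dir = $d/newcerts
serial = $d/serial
certificate = $d/ca.pem
private_key = $d/ca.key
default_md = sha256
default_days = 30
copy_extensions = $1
[policy_anything]
commonName = supplied
EOF
    # Throwaway self-signed CA, then a CSR built like the one in the thread.
    openssl req -x509 -new -nodes -newkey rsa:2048 -days 30 -subj "/CN=Demo CA" \
        -config "$d/openssl.cnf" -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null
    openssl req -new -nodes -newkey rsa:2048 -config "$d/openssl.cnf" \
        -keyout "$d/http.key" -out "$d/http.csr" 2>/dev/null
    openssl ca -batch -notext -config "$d/openssl.cnf" -policy policy_anything \
        -out "$d/http.pem" -infiles "$d/http.csr" >/dev/null 2>&1
    # Print the line that follows the SAN header in the certificate dump.
    openssl x509 -in "$d/http.pem" -noout -text |
        sed -n '/Subject Alternative Name/{n;s/^ *//;s/ *$//;p;}'
    rm -rf "$d"
}

echo "copy_extensions = copy -> $(issue_and_show_san copy)"
echo "copy_extensions = none -> $(issue_and_show_san none)"
```

`copy_extensions = copy` trusts whatever extensions the requester put in the CSR, so a CA that signs requests from other parties should inspect each request (`openssl req -in http.csr -noout -text`) before signing.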