Hi there:
Yes - the right way is to correctly configure the extensions in the openssl.cnf
used on the CA, and have the SAN and Subject NOT be used out of the request,
but be input from the CA.
If you need to see how this might be done, we've got a tutorial at:
Hi there:
Yes - the right way is to correctly configure the extensions on the CA, and
have the SAN and Subject NOT be used out of the request, but be input from the
CA.
If you need to see how this might be done, we've got a tutorial at:
Thanks for the link.
I still need the CA to load the SAN parameter from the request - it
looks like a lot of the defaults would be to copy the e-mail address
into the SAN field.
I don't use openssl at this point to generate certs for users. No one
besides me uses openssl ca on this server.
On 2010-09-22, at 6:38 PM, Gaiseric Vandal wrote:
Thanks for the link.
I still need the CA to load the SAN parameter from the request - it looks
like a lot of the defaults would be to copy the e-mail address into the SAN
field.
Why? Why not just have the CA just put the appropriate
-openssl-us...@openssl.org
[mailto:owner-openssl-us...@openssl.org] On Behalf Of Patrick Patterson
Sent: Wednesday, September 22, 2010 6:48 PM
To: openssl-users@openssl.org
Subject: Re: Confusion about subject alternative names - resolved
On 2010-09-22, at 6:38 PM, Gaiseric Vandal wrote:
Thanks
Hi there:
See my answer inline:
On 2010-09-22, at 8:06 PM, Gaiseric Vandal wrote:
I use openssl to create certs for servers only, not for users. If I create
a key with openssl, then create a CSR with openssl req, it would prompt me
for a subjectAltName. Openssl ca will sign CSRs from
Hey there:
It should be noted that this is an EXCEEDINGLY BAD thing to do, since it more
or less removes any control that the CA has over the certificates that it
issues, and unless the Registration Authority is VERY careful about examining
all of the requests in detail, all manner of evil and
I am mostly using openssl to sign certificates for corporate servers
for corporate users only. So I am the only one using it to issue
certificates. As much as possible I want all certificates to have a
common CA - that way corporate end users only need to manually install
the public cert
FYI, enabling the following line in openssl.cnf has resolved the problem.
copy_extensions = copy
From: Gaiseric Vandal [mailto:gaiseric.van...@gmail.com]
Sent: Saturday, September 18, 2010 7:09 PM
To: openssl-users@openssl.org
Subject: RE: Confusion about subject alternative names
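
An added example, not part of the thread: a CA-side openssl.cnf fragment showing the copy_extensions = copy setting from the last message beside the CA-supplied SAN approach recommended earlier in the thread. The section names server_cert and alt_names and the host names are constructed for illustration.

```ini
# Constructed openssl.cnf fragment for the CA. Section names server_cert and
# alt_names and the host names are assumptions, not taken from the thread.

[ CA_default ]
x509_extensions = server_cert   # extensions the CA adds to each cert it signs

# Variant A, the setting the thread ends on: extensions in the CSR that the
# CA section below does not already set are copied into the certificate.
# The requester then chooses the SAN, so read every CSR before signing:
#   openssl req -in server.csr -noout -text
copy_extensions = copy

# Variant B, the approach recommended earlier in the thread: ignore request
# extensions and let the CA supply the SAN. Replace the line above with
#   copy_extensions = none
# and uncomment the subjectAltName line in [ server_cert ].

[ server_cert ]
# With "copy", an extension set here takes precedence over the same extension
# in the CSR, so pin everything the requester must not control.
# ("copyall" would let the request override these values instead.)
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid, issuer
# subjectAltName = @alt_names   # Variant B only

[ alt_names ]
# Constructed sample names, entered by the CA operator for each certificate.
DNS.1 = intranet.example.com
DNS.2 = intranet
```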