Dean Willis wrote: > OpenSSL can generate SAN. None of my certs have it . > > Oddly enough, the SAN settings appear to go into the master config > file and affect every CSR generated. So you have to reconfigure the > software for each CSR generated. Yuck.
Could you not use the -extfile parameter to the "openssl x509 -req" command? In other words: $ openssl x509 -req -in <...>.pem -extfile foo.cfg -extensions v3 ... and in foo.cfg [ v3 ] subjectKeyIdentifier = hash basicConstraints = CA:false subjectAltName = DNS:foo.example.com, URI:sip:foo.com This works for me, of course, at least for the limited use that I put openssl x509 command to. I cannot speak for the CAs that do this for a living on how they put SANs in the CSR they get. - vijay -- Vijay K. Gurbani, Bell Laboratories, Alcatel-Lucent 2701 Lucent Lane, Rm. 9F-546, Lisle, Illinois 60532 (USA) Email: [EMAIL PROTECTED],bell-labs.com,acm.org} WWW: http://www.alcatel-lucent.com/bell-labs _______________________________________________ Sip mailing list https://www.ietf.org/mailman/listinfo/sip This list is for NEW development of the core SIP Protocol Use [EMAIL PROTECTED] for questions on current sip Use [EMAIL PROTECTED] for new developments on the application of sip
