At 07:00 PM 05/10/1999 , Dr Stephen N. Henson wrote: >Dave Clark wrote: >> >> Hello, new OpenSSL user here; >> >> How does one go about specifying an X509 V3 extension when generating >> a certificate request with the OpenSSL 'req' utility, such that the >> extension will be transferred to the certificate generated with the >> 'ca' utility? >> >> Specifically I'm attempting to specify the subjectAltName. I was able >> to tweak my config file such that I successfully inserted the following >> into my certificate request (as reported by 'req -text'): >> >> Attributes: >> X509v3 Subject Alternative >> Name:IP:111.111.111.111,DNS:blah.blah.com >> > >Strange, how did you get it to display that? I inserted the following into the "req_distinguished_name" section of my config file: subjectAltName = Subject Alt Name subjectAltName_default = IP:111.111.111.111,DNS:blah.blah.com and took the default when req prompted me for it. As I said, I'm new. ;-) >> but then the subjectAltName did not appear in the "X509v3 extensions" section >> of the corresponding cert generated by 'ca'. >> >> Thanks for any help you can send my way; > >You can't do this at present, it would need some additional >functionality in 'req' and 'ca'. For example it is quite likely that >you'd want 'ca' to automatically ban the use of certain extensions in >requests, basicConstraints being an obvious one. OK, thank you for your help. - Dave ______________________________________________________________________ OpenSSL Project http://www.openssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
