On 2005-11-06 0:51 Goetz Babin-Ebell wrote:

> An extract from my openssl.cnf:
> [...]
> [ ssl_cert ]
>
> # These extensions are added when 'ca' signs a request.
> [...]
>
> # This stuff is for subjectAltName and issuerAltname.
> # Import the email address.
> # subjectAltName=email:copy
> # An alternative to produce certificates that aren't
> # deprecated according to PKIX.
> subjectAltName=email:move,DNS:copy.commonName,DNS:shomitefo.dyndns.org
> [...]
>
> description:
> generate a subjectAltName extension containing
> 1. a generalName of type emailAddress containing
>    the email address from the DN of the request (deleted from the DN)
>    (if set)
> 2. a generalName of type dnsName containing a copy of
>    the DN entry commonName of the request (if set)
>    (this requires my patch in ticket 1050 / 1052)
> 3. a generalName of type dnsName containing my dyndns.org domain.
>
> Since you are not the first one I point to my patch I would
> like somebody from the core team to have a look at it and
> include it into the head...
> (nag, nag,,, :-) )

I really want this for my certificates, as the same webserver is used for
various domains in our setup. I can't get this working though. I've started
with http://www.eclectica.ca/howto/ssl-cert-howto.php#cnfig and the commands
I do are (in directory containing this openssl.cnf):

    mkdir newcerts private
    echo '01' > serial
    touch index.txt
    openssl req -new -x509 -extensions v3_ca -keyout private/cakey.pem \
        -out cacert.pem -days 3650 -config ./openssl.cnf
    openssl req -new -nodes -out req.pem -config ./openssl.cnf
    openssl ca -out cert.pem -config ./openssl.cnf -infiles req.pem

all according to the above-mentioned document. And if I run

    openssl x509 -in cert.pem -text

I should see the subjectAltName when inserted in the openssl.cnf (at least
according to http://wiki.cacert.org/wiki/VhostTaskForce and firefox is
heavily complaining with a domain mismatch). I've tried it in sections
v3_ca/v3_req/ssl_cert, all without luck.
I must do something wrong, but since there are so many variables, maybe
one can assist me where I should put the line:

    subjectAltName=email:move,DNS:copy.commonName,DNS:foo.com,DNS:foo.nl,\
        DNS:bar.com,DNS:zzz.intern

if correct of course.

Tia,
Koos Vriezen

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
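
An added example, not part of the original message or of the OpenSSL project's own files: with a stock `openssl ca`, the extensions written into the issued certificate come from the section named by `x509_extensions` in the CA section (or by `-extensions`), so this script puts `subjectAltName` there, signs a request and prints the resulting SAN line. The temp-directory CA, the `policy_any` and `req_dn` section names, the subject names and the non-interactive `-subj`/`-batch` flags are assumptions; literal `DNS:` entries are used because `DNS:copy.commonName` needs the patch mentioned in the quoted text.

```shell
# Added example: throwaway CA in a temp dir; all names are constructed.
san_demo() {
    work=$(mktemp -d) || return 1
    (
        cd "$work" || exit 1
        mkdir newcerts private; echo '01' > serial; touch index.txt
        cat > openssl.cnf <<'EOF'
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = .
new_certs_dir = $dir/newcerts
database = $dir/index.txt
serial = $dir/serial
certificate = $dir/cacert.pem
private_key = $dir/private/cakey.pem
default_md = sha256
default_days = 30
policy = policy_any
# 'openssl ca' reads certificate extensions from the section named here
# (or by -extensions); request extensions are ignored by default.
x509_extensions = ssl_cert
[ policy_any ]
commonName = supplied
[ req ]
distinguished_name = req_dn
[ req_dn ]
commonName = Common Name
[ v3_ca ]
basicConstraints = critical,CA:true
[ ssl_cert ]
basicConstraints = CA:false
subjectAltName = DNS:foo.com,DNS:foo.nl,DNS:bar.com,DNS:zzz.intern
EOF
        openssl req -new -x509 -nodes -extensions v3_ca -subj '/CN=Example Test CA' \
            -keyout private/cakey.pem -out cacert.pem -days 30 \
            -config ./openssl.cnf 2>/dev/null || exit 1
        openssl req -new -nodes -subj '/CN=foo.com' -keyout key.pem \
            -out req.pem -config ./openssl.cnf 2>/dev/null || exit 1
        openssl ca -batch -out cert.pem -config ./openssl.cnf \
            -infiles req.pem 2>/dev/null || exit 1
        # Print only the SAN value line of the issued certificate.
        openssl x509 -in cert.pem -noout -text |
            grep -A1 'Subject Alternative Name' | tail -n 1 | sed 's/^ *//'
    )
    rc=$?
    rm -rf "$work"
    return $rc
}
```

Calling `san_demo` prints the DNS entries as they appear in the signed certificate; moving the `subjectAltName` line to a section that `openssl ca` does not reference leaves that output empty.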