On Thu, Jan 05, 2006, Koos Vriezen wrote:

> I really want this for my certificates, as the same webserver is used for
> various domains in our setup. I can't get this working though.
> I've started with http://www.eclectica.ca/howto/ssl-cert-howto.php#cnfig
> and the commands I do are (in directory containing this openssl.cnf):
>
> mkdir newcerts private
> echo '01' > serial
> touch index.txt
> openssl req -new -x509 -extensions v3_ca -keyout private/cakey.pem \
>     -out cacert.pem -days 3650 -config ./openssl.cnf
> openssl req -new -nodes -out req.pem -config ./openssl.cnf
> openssl ca -out cert.pem -config ./openssl.cnf -infiles req.pem
>
> all according to the above-mentioned document. And if I run
>
> openssl x509 -in cert.pem -text
>
> I should see the subjectAltName when inserted in the openssl.cnf (at
> least according to http://wiki.cacert.org/wiki/VhostTaskForce and
> firefox is heavily complaining with a domain mismatch).
>
> I've tried it in sections v3_ca/v3_req/ssl_cert all without luck. I must
> do something wrong, but since there are so many variables, maybe one
> can assist me where I should put the line:
>
> subjectAltName=email:move,DNS:copy.commonName,DNS:foo.com,DNS:foo.nl,\
> DNS:bar.com,DNS:zzz.intern
>
Your problem is that that non-standard openssl.cnf from that site doesn't
include an X509 extensions section for the "ca" command at all!

You'd be better off starting from the standard openssl.cnf configuration
file and using the standard CA.pl script from OpenSSL.

Another problem above is the manual setup of the serial number file. This
can create certificates with duplicate serial numbers which can cause all
manner of hard-to-trace problems later on...

CA.pl can do most of the above safely: the first four commands are covered
by "CA.pl -newca".

Note: if you are using OpenSSL 0.9.8 then use the latest snapshot because
that fixes a bug in CA.pl.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
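The missing piece Steve points at, shown end to end as an added example (this is not code from the thread, the howto, or the OpenSSL project): a minimal openssl.cnf whose [CA_default] section carries an `x509_extensions` line pointing at a section that holds the subjectAltName, followed by the same req/ca commands Koos ran and a check that the signed certificate actually contains the SAN. The hostnames, the CA name, the `server_cert`/`v3_ca` section names and the scratch-directory layout are assumptions for the example; `email:move` and `DNS:copy.commonName` from the original line are left out, the point being only where the extension has to live for `openssl ca` to emit it.

```shell
#!/bin/sh
# Added example, not from the original mailing-list thread.
# Assumes an OpenSSL command-line tool on PATH and a scratch directory.
set -eu

# Create the CA layout (newcerts/, private/, index.txt, serial) and a
# minimal openssl.cnf in the scratch directory given as $1.
setup_ca() {
    workdir=$1
    mkdir -p "$workdir/newcerts" "$workdir/private"
    : > "$workdir/index.txt"
    echo 01 > "$workdir/serial"
    # Quoted heredoc: "$dir" below is an OpenSSL config variable, not shell.
    cat > "$workdir/openssl.cnf" <<'EOF'
[ ca ]
default_ca      = CA_default

[ CA_default ]
dir             = .
new_certs_dir   = $dir/newcerts
database        = $dir/index.txt
serial          = $dir/serial
certificate     = $dir/cacert.pem
private_key     = $dir/private/cakey.pem
default_md      = sha256
default_days    = 365
policy          = policy_any
# This is the line the howto's config lacked. Without it "openssl ca"
# adds no v3 extensions at all, so a subjectAltName placed in v3_ca,
# v3_req or anywhere else is never copied into the issued certificate.
x509_extensions = server_cert

[ policy_any ]
commonName      = supplied

[ req ]
distinguished_name = req_dn
prompt             = no
# Used by "openssl req -x509" when creating the self-signed CA.
x509_extensions    = v3_ca

[ req_dn ]
CN = Example Test CA

[ v3_ca ]
basicConstraints = critical,CA:true
keyUsage         = critical,keyCertSign,cRLSign

[ server_cert ]
basicConstraints = CA:false
keyUsage         = digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
# Hostnames assumed for the example; list every vhost the server serves.
subjectAltName   = DNS:foo.com,DNS:foo.nl,DNS:bar.com,DNS:zzz.intern
EOF
}

# Create the CA, make a request with CN=$2, sign it with "openssl ca"
# and print the Subject Alternative Name line of the issued certificate.
issue_and_show_san() {
    workdir=$1
    cn=$2
    (
        cd "$workdir"
        openssl req -new -x509 -extensions v3_ca -days 3650 -nodes \
            -newkey rsa:2048 -keyout private/cakey.pem -out cacert.pem \
            -subj "/CN=Example Test CA" -config ./openssl.cnf 2>/dev/null
        openssl req -new -nodes -newkey rsa:2048 -keyout private/server.key \
            -out req.pem -subj "/CN=$cn" -config ./openssl.cnf 2>/dev/null
        openssl ca -batch -config ./openssl.cnf -out cert.pem \
            -infiles req.pem 2>/dev/null
        # The SAN values are printed on the line after the extension name.
        openssl x509 -in cert.pem -noout -text \
            | awk '/Subject Alternative Name/ { getline; sub(/^ +/, ""); print }'
    )
}

# Stand-alone run: build everything in a temp dir and show the SAN line.
if command -v openssl >/dev/null 2>&1; then
    demo=$(mktemp -d)
    setup_ca "$demo"
    issue_and_show_san "$demo" foo.com
    rm -rf "$demo"
else
    echo "openssl not found on PATH" >&2
fi
```

The alternative is `copy_extensions = copy` in [CA_default] together with a `req_extensions` section that carries the subjectAltName, so the names travel inside the CSR; that only makes sense when the CA operator vets every request, since whoever writes the CSR then chooses which DNS names the CA signs for.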