This didn't go through the first time. Re-sending.

-------- Original Message --------
Subject: Re: CAs and SubjectAltNames
Date: Wed, 12 Jul 2006 22:23:14 -0700
From: Phil Dibowitz <[EMAIL PROTECTED]>
To: openssl-users@openssl.org
References: <[EMAIL PROTECTED]> <[EMAIL PROTECTED]>

On Thu, Jun 08, 2006 at 04:21:52PM -0700, Dr. Stephen Henson wrote:
> On Thu, Jun 08, 2006, Phil Dibowitz wrote:
>
> > Dr. Stephen Henson wrote:
> > >
> > > You have to explicitly enable copying extensions from a certificate
> > > request to a certificate in the config file. This is off by default
> > > because it is potentially dangerous for the unwary. See the docs for
> > > more info.
> >
> > Thanks, though I'm not sure which docs you're referring to - don't see
> > anything to that effect in 'man ca'...
> >
> > Hmmm I think the 'noemailDN' option will do what I want upon more
> > perusing of the man page...
> >
>
> Look for the "copy_extensions" option in the ca manual page. You need
> OpenSSL 0.9.8 or later for that.

Gotcha.

OK, so here's what I did to make this work. However, it seems like I did a
bit more work than I had to... so I'd like some feedback.

In order to get my req (and thus the "Issuer" of my self-signed
certificate) correct, under "[ req ]", I set:

  req_extensions = v3_req

And then under "[ v3_req ]", I set:

  subjectAltName = email:move

With any other setting req didn't have the email ONLY in SubjectAltNames.

Then, to get it right in the final certificate, under "[ CA_default ]",
I set:

  copy_extensions = copyall

And under "[ v3_ca ]", I set:

  subjectAltName=email:move

And the commands I used were:

  openssl req -new -keyout private/cakey.pem -out careq.pem -config \
    ./openssl.cnf
  openssl ca -create_serial -out cacert.pem -days 365 -batch -keyfile \
    private/cakey.pem -selfsign -extensions v3_ca -config ./openssl.cnf \
    -infiles careq.pem

Note here, I'm forcing use of the v3_ca section when I do the self-sign.

Now,

1. It seems silly I have to set copy_extensions to "copyall", but if I
   don't (if I just set it to "copy"), SubjectAltNames ends up being
   empty. This is presumably because "subjectAltName=email:move" is
   moving it out of the DN, and then "copy_extensions" has nothing to
   copy in.

2. Given #1, wouldn't that mean that "subjectAltName=email:move" is
   accomplishing my goal? Thus it makes no sense to me I need
   copy_extensions.

3. It seems that I'm missing something just by virtue of the fact I'm
   having to use "copyall"...

Thoughts?

--
Phil Dibowitz
P: 310-360-2330  C: 213-923-5115
Unix Admin, Ticketmaster.com
"I don't need a reference, I have you!" - Pippenger, to me.
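The two copy_extensions settings Phil compares can be checked side by side with the script below, an added example that is not part of the thread: it rebuilds the config sections he lists, issues the self-signed CA once with copyall and once with copy, and reads back the SAN and the subject of each certificate. The CN, e-mail address and temporary directories are constructed, and sha256 plus an unencrypted rsa:2048 key are assumed so the commands run unattended on a current OpenSSL.

```shell
# Added example (not from the thread): build the CA config Phil describes
# with a chosen copy_extensions value and inspect the resulting certificate.
# CN, e-mail address and directories below are constructed for the demo.
set -e
write_cnf() {  # $1 = copy_extensions value, $2 = config path, $3 = CA dir
  cat > "$2" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
database = $3/index.txt
new_certs_dir = $3/newcerts
serial = $3/serial
default_md = sha256
policy = policy_anything
copy_extensions = $1
[ policy_anything ]
commonName = supplied
emailAddress = optional
[ req ]
prompt = no
distinguished_name = req_dn
req_extensions = v3_req
[ req_dn ]
CN = Example Test CA
emailAddress = ca@example.test
[ v3_req ]
subjectAltName = email:move
[ v3_ca ]
basicConstraints = CA:TRUE
subjectAltName = email:move
EOF
}
issue_ca() {  # $1 = copy_extensions value; prints the path of the new cert
  d=$(mktemp -d); mkdir "$d/newcerts"; : > "$d/index.txt"
  write_cnf "$1" "$d/openssl.cnf" "$d"
  # The same two commands as in the message, keyed without a passphrase.
  openssl req -new -newkey rsa:2048 -nodes -keyout "$d/cakey.pem" \
    -out "$d/careq.pem" -config "$d/openssl.cnf" >/dev/null 2>&1
  openssl ca -create_serial -batch -notext -days 365 -selfsign \
    -keyfile "$d/cakey.pem" -extensions v3_ca -config "$d/openssl.cnf" \
    -out "$d/cacert.pem" -infiles "$d/careq.pem" >/dev/null 2>&1
  echo "$d/cacert.pem"
}
san_of() {  # the value line printed under the SAN header of a certificate
  openssl x509 -in "$1" -noout -text | grep -A1 'Subject Alternative Name' |
    tail -n 1 | tr -d ' '
}
subject_of() { openssl x509 -in "$1" -noout -subject; }
```

With copyall the SAN read back is the request's email:ca@example.test and the subject carries no emailAddress; with copy the certificate is issued but its SAN no longer contains the address, which is the behaviour point 1 above reports.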