This didn't go through either. Resending.

-------- Original Message --------
Subject: Re: CAs and SubjectAltNames
Date: Wed, 12 Jul 2006 22:46:27 -0700
From: Phil Dibowitz <[EMAIL PROTECTED]>
To: openssl-users@openssl.org
References: <[EMAIL PROTECTED]> <[EMAIL PROTECTED]> <[EMAIL PROTECTED]>

On Wed, Jul 12, 2006 at 10:23:14PM -0700, Phil Dibowitz wrote:
> On Thu, Jun 08, 2006 at 04:21:52PM -0700, Dr. Stephen Henson wrote:
> > On Thu, Jun 08, 2006, Phil Dibowitz wrote:
> >
> > > Dr. Stephen Henson wrote:
> > > >
> > > > You have to explicitly enable copying extensions from a certificate request to
> > > > a certificate in the config file. This is off by default because it is
> > > > potentially dangerous for the unwary. See the docs for more info.
> > >
> > > Thanks, though I'm not sure which docs you're referring to - don't see
> > > anything to that effect in 'man ca'...
> > >
> > > Hmmm I think the 'noemailDN' option will do what I want upon more
> > > perusing of the man page...
> > >
> >
> > Look for the "copy_extensions" option in the ca manual page. You need OpenSSL
> > 0.9.8 or later for that.
>
> Gotcha. OK, so here's what I did to make this work. However, it seems
> like I did a bit more work than I had to... so I'd like some feedback.

Sorry to reply to myself, I need to make a correction.

I can set "copy_extensions = copy" if I remove "subjectAltName=email:move" from v3_ca.

Given that _this_ works, it leads me to ask the question... shouldn't "subjectAltName=email:move" only apply when there is something to move?

It'd be nice to have a config that says, basically "If the email is in SubjectAltName, like PKIX wants, just copy that extension. However, if it's in the DN, move it from the DN to the subjectAltName extension."

I seem unable to do this, though I seem to be much closer.

Thanks for all your help.

--
Phil Dibowitz P: 310-360-2330 C: 213-923-5115
Unix Admin, Ticketmaster.com

"I don't need a reference, I have you!"
 - Pippenger, to me.
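The working combination described above ("copy_extensions = copy" with no subjectAltName line in the CA's extension section), as an added example that is not part of the original thread: a throwaway CA signs a constructed request that carries a subjectAltName email and also a basicConstraints of CA:TRUE. It shows the SAN being copied while a basicConstraints pinned by the CA keeps the request's CA:TRUE out of the issued certificate. The section names (demo_ca, issued_ext, ca_self), file names and addresses are assumptions of this example.

```bash
# Added example (constructed): throwaway CA; every name and address is a placeholder.
set -eu
demo_copy_extensions() {
  d=$(mktemp -d)
  (
    cd "$d"
    mkdir newcerts; : > index.txt; echo 01 > serial
    cat > demo.cnf <<'EOF'
[ ca ]
default_ca = demo_ca
[ demo_ca ]
database = index.txt
new_certs_dir = newcerts
serial = serial
default_md = sha256
default_days = 30
policy = policy_any
x509_extensions = issued_ext
# Copy request extensions that issued_ext does not already define.
copy_extensions = copy
[ policy_any ]
commonName = supplied
[ issued_ext ]
# Pinned by the CA, so a basicConstraints in the request is ignored.
basicConstraints = critical,CA:FALSE
[ ca_self ]
basicConstraints = critical,CA:TRUE
[ req ]
distinguished_name = dn
prompt = no
req_extensions = req_ext
[ dn ]
CN = requester.example
[ req_ext ]
# Constructed request: SAN email as PKIX wants, plus an unwanted CA:TRUE.
basicConstraints = CA:TRUE
subjectAltName = email:user@example.com
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -config demo.cnf -extensions ca_self \
      -subj "/CN=Demo CA" -days 30 -keyout ca.key -out ca.crt >/dev/null 2>&1
    openssl req -new -newkey rsa:2048 -nodes -config demo.cnf \
      -keyout u.key -out u.csr >/dev/null 2>&1
    openssl ca -batch -notext -config demo.cnf -cert ca.crt -keyfile ca.key \
      -in u.csr -out u.crt >/dev/null 2>&1
    openssl x509 -in u.crt -noout -text | grep -E 'CA:(TRUE|FALSE)|email:'
  )
  rm -rf "$d"
}
demo_copy_extensions
```

With "copy_extensions = copyall" the request's extensions replace those the CA section defines, so the pinned basicConstraints no longer protects the issued certificate.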