Thanks Viktor and Buddy,

Below is my cnf file and the commands I tried.  The key and the crt were both 
created, however when I render the test website using blah002.mysite.com I get 
a security warning message anyway.  I must have done something wrong or left 
off a step ...

Cnf File -

[ req ]
default_bits            = 1024
default_md              = sha1
#default_keyfile         = key.pem
distinguished_name      = req_distinguished_name
prompt                  = no
string_mask             = nombstr
req_extensions          = v3_req

[ req_distinguished_name ]
countryName             = US
stateOrProvinceName     = NY
localityName            = NY
organizationName        = Acme Inc.
organizationalUnitName  = IT newbie
commonName              = blah.mysite.com
emailAddress            = [EMAIL PROTECTED]

[ v3_req ]
basicConstraints        = CA:FALSE
keyUsage                = nonRepudiation, digitalSignature, keyEncipherment

# Verisign managed PKI, does not yet support subjectAltName in CSRs, instead
# they prompt for these in the enrollment form...
# If your CA support SAN CSRs, uncomment below.
subjectAltName          = @alt_names

[ alt_names ]
DNS.1 = blah.mysite.com
DNS.2 = blah002.mysite.com


Commands -

gencert -n blah.mysite.com 1024

openssl req -config /shared/san.cnf -new -key blah.mysite.com.key -x509 -out blah.mysite.com.crt -days 360





Oh, sorry, just looked at the config.
Guessed he will use Windows PKI only with own root.

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Victor Duchovni
Sent: Tuesday, 18 September 2007 21:27
To: openssl-users@openssl.org
Subject: Re: Configuration file for subjectAltName

On Tue, Sep 18, 2007 at 09:17:23PM +0200, Buddy Butterfly wrote:

> # subjectAltName          = @alt_names
> 
> should be uncommented :-)

Did you read the comment above that line?

>     # Verisign managed PKI, does not yet support subjectAltName in CSRs,
>     # instead they prompt for these in the enrollment form...
>     # If your CA support SAN CSRs, uncomment below.
>     # subjectAltName          = @alt_names
> 
>     [ alt_names ]
>     DNS.1 = www.example.com
>     DNS.2 = 0wn3d.example.com

Some CAs fail to process CSRs that contain subjectAltName extensions.
Getting these into a public CA cert is CA-dependent.

-- 
        Viktor.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
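
An added example, not part of the thread and not OpenSSL code: with -x509, openssl req takes certificate extensions from the section named by x509_extensions (or a command-line -extensions override), while req_extensions applies to CSRs. The sketch below uses a constructed excerpt of the configuration from the first message and hypothetical helpers parse_cnf and san_names to show which SAN entries each mode would read.

```python
import re

# Constructed sample: the relevant lines of the configuration in the first message.
SAMPLE_CNF = """
[ req ]
distinguished_name      = req_distinguished_name
req_extensions          = v3_req

[ v3_req ]
basicConstraints        = CA:FALSE
subjectAltName          = @alt_names

[ alt_names ]
DNS.1 = blah.mysite.com
DNS.2 = blah002.mysite.com
"""

def parse_cnf(text):
    """Minimal parser for the subset of OpenSSL config syntax used here."""
    sections, current = {}, "default"
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and padding
        m = re.fullmatch(r"\[\s*(\S+)\s*\]", line)
        if m:
            current = m.group(1)
            sections.setdefault(current, {})
        elif "=" in line:
            key, value = (p.strip() for p in line.split("=", 1))
            sections.setdefault(current, {})[key] = value
    return sections

def san_names(text, x509=False, extensions=None):
    """SAN entries `openssl req` would read from the config.
    x509=True models `req -x509` (x509_extensions); False models a CSR
    (req_extensions); `extensions` models an -extensions/-reqexts override."""
    cnf = parse_cnf(text)
    key = "x509_extensions" if x509 else "req_extensions"
    section = extensions or cnf.get("req", {}).get(key)
    san = cnf.get(section, {}).get("subjectAltName") if section else None
    if san is None:
        return []
    if san.startswith("@"):  # indirection to a section such as [ alt_names ]
        return [f"{k.split('.')[0]}:{v}" for k, v in cnf.get(san[1:], {}).items()]
    return [s.strip() for s in san.split(",")]

if __name__ == "__main__":
    print("CSR        :", san_names(SAMPLE_CNF))
    print("req -x509  :", san_names(SAMPLE_CNF, x509=True))
    print("-extensions:", san_names(SAMPLE_CNF, x509=True, extensions="v3_req"))
```

The generated certificate itself can be inspected with openssl x509 -in blah.mysite.com.crt -noout -text, which lists an X509v3 Subject Alternative Name block when the extension is present.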

