Hi
After a lot of false starts I have finally managed to generate a cert
with a subjectAltName extension. I still don't understand the solution
though...
Basically I modified the default openssl.cnf file to have
x509_extensions = v3_req in the [ req ] section and then updated
the v3_req section to list my subjectAltNames. Now when I generate a
request and self sign it with:
openssl x509 -req -days 365 -in server.csr -signkey server.pem -out server.crt
...then all I get is a v1 cert with no extensions section, but if
instead I use:
openssl x509 -req -days 365 -in server.csr -signkey server.pem -out server.crt -extfile ../openssl.cnf
(and edit openssl.cnf to have an "extensions=v3_req" line) then I get
the v3 certificate with what appears to be the correct extensions... wahoo!
My question is whether it's possible to avoid having to write "-extfile"
on the signing request above? It's not that the extra typing is a big
deal, it's just that I have torn my hair out for several days over this
because all the examples on the web don't seem to have this extra
stanza? Am I just missing something really simple in my config file to
avoid needing this on my command line? I would like to try and
understand why this is necessary if possible please?
Can someone please also confirm that the CA.pl script supplied with my
Gentoo openssl install will NOT correctly generate certs with a
subjectAltName?
Thanks
Ed W
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager [EMAIL PROTECTED]
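
The behaviour described in the message above, reproduced as an added example that is not part of the original post: `openssl x509 -req` takes extensions only from the file named with -extfile, whereas x509_extensions in [ req ] is read by `openssl req -x509`. The temporary directory, the host names and the cut-down config contents are constructed for the demo.

```shell
#!/bin/sh
# Added demo; the temp directory, host names and config contents are constructed.
work=$(mktemp -d)

# Cut-down openssl.cnf mirroring the post: x509_extensions in [ req ],
# plus the top-level "extensions" line that -extfile looks for.
cat > "$work/openssl.cnf" <<'EOF'
extensions = v3_req

[ req ]
distinguished_name = dn
x509_extensions = v3_req

[ dn ]
commonName = Common Name

[ v3_req ]
subjectAltName = DNS:www.example.test, DNS:mail.example.test
EOF

make_csr() {  # private key (server.pem) and request (server.csr), no extensions
    openssl req -new -newkey rsa:2048 -nodes -config "$work/openssl.cnf" \
        -subj "/CN=www.example.test" \
        -keyout "$work/server.pem" -out "$work/server.csr" 2>/dev/null
}

sign() {  # $1 = output certificate, remaining arguments go to openssl x509
    out=$1; shift
    openssl x509 -req -days 365 -in "$work/server.csr" \
        -signkey "$work/server.pem" -out "$out" "$@" 2>/dev/null
}

has_san() {  # true if the certificate lists the expected DNS name
    openssl x509 -in "$1" -noout -text | grep -q 'DNS:www.example.test'
}

make_csr
sign "$work/plain.crt"                             # as in the first command
sign "$work/ext.crt" -extfile "$work/openssl.cnf"  # as in the second command
for c in plain ext; do
    if has_san "$work/$c.crt"; then
        echo "$c.crt: subjectAltName present"
    else
        echo "$c.crt: no subjectAltName"
    fi
done
```

Checking for the SAN entry rather than the certificate version keeps the comparison valid on OpenSSL releases that add other extensions by default.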