On Fri, Jun 13, 2008, Ed W wrote:

> Hi
>
> After a lot of false starts I have finally managed to generate a cert with 
> a subjectAltName extension.  I still don't understand the solution 
> though...
>
> Basically I modified the default openssl.cnf file to have x509_extensions = 
> v3_req in the [ req ] section and then updated the v3_req section to 
> list my subjectAltNames.  Now when I generate a request and self sign it 
> with:
>
>    openssl x509 -req -days 365 -in server.csr -signkey server.pem -out 
> server.crt
>
> ...then all I get is a v1 cert with no extensions section, but if instead I 
> use:
>
>    openssl x509 -req -days 365 -in server.csr -signkey server.pem -out 
> server.crt -extfile ../openssl.cnf
>
> (and edit openssl.cnf to have an "extensions=v3_req" line) then I get the 
> v3 certificate with what appears to be the correct extensions...  wahoo!
>
> My question is whether it's possible to avoid having to write "-extfile" on 
> the signing request above?  It's not that the extra typing is a big deal, 
> it's just that I have torn my hair out for several days over this because 
> all the examples on the web don't seem to have this extra stanza?  Am I 
> just missing something really simple in my config file to avoid needing 
> this on my command line?  I would like to try and understand why this is 
> necessary if possible please?
>
> Can someone please also confirm that the CA.pl script supplied with my 
> gentoo openssl install will NOT correctly generate certs with a 
> subjectAltName?
>

There are many examples on the web which are *ancient* and "new" ones derived
from them.

If you don't use the -extfile option the 'x509' command does not
know which extensions to use so defaults to none at all in a (now obsolete) v1
certificate. You can also include an -extensions v3_req option on the command
line and avoid having to modify openssl.cnf any further.

The CA.pl script is the recommended way to generate certificates and should
make matters easier.

You can use CA.pl to include subjectAltName. However you need a customised
openssl.cnf file which you can point to using the OPENSSL_CONF environment
variable or you could modify the system one but that is not recommended.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Homepage: http://www.drh-consultancy.demon.co.uk
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
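The two signing commands from the question, run side by side so the difference Steve describes is visible in the output. This is an added example, not code from the thread or from the OpenSSL project; it assumes the `openssl` CLI is on PATH, and the hostnames (`example.test`), file names and the `$WORK` directory are made up for the demonstration. It also shows the `-extensions v3_req` command-line form, so the config file needs no `extensions=` line.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread). Assumes 'openssl' is on PATH;
# all names below (example.test, server.*, $WORK) are constructed for the demo.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
CONF="$WORK/san.cnf"

# Minimal config: an (empty) DN section so 'req' accepts -subj, plus a
# v3_req section carrying the subjectAltName we want in the certificate.
cat > "$CONF" <<'EOF'
[ req ]
distinguished_name = dn
req_extensions     = v3_req

[ dn ]

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature, keyEncipherment
subjectAltName   = DNS:www.example.test, DNS:example.test
EOF

# Key + CSR. req_extensions puts the SAN into the CSR, but 'x509 -req'
# does not carry CSR extensions over by itself, which is the trap in the question.
openssl req -new -newkey rsa:2048 -nodes -batch \
    -keyout "$WORK/server.pem" -out "$WORK/server.csr" \
    -config "$CONF" -subj "/CN=www.example.test" 2>/dev/null

# Signing exactly as in the question, without -extfile: no extensions at all.
sign_without_extfile() {
    openssl x509 -req -days 365 -in "$WORK/server.csr" \
        -signkey "$WORK/server.pem" -out "$WORK/noext.crt" 2>/dev/null
}

# Same command with -extfile and -extensions: a v3 certificate carrying the SAN.
# '-extensions v3_req' on the command line replaces the 'extensions=' config line.
sign_with_extfile() {
    openssl x509 -req -days 365 -in "$WORK/server.csr" \
        -signkey "$WORK/server.pem" -out "$WORK/san.crt" \
        -extfile "$CONF" -extensions v3_req 2>/dev/null
}

# Print the X.509 version number (1 or 3) of a PEM certificate.
cert_version() {
    openssl x509 -in "$1" -noout -text | sed -n 's/^ *Version: \([0-9]\).*/\1/p'
}

# Succeed only if the certificate carries the expected DNS subjectAltName.
cert_has_san() {
    openssl x509 -in "$1" -noout -text | grep -q 'DNS:www.example.test'
}

sign_without_extfile
sign_with_extfile
echo "without -extfile: X.509 v$(cert_version "$WORK/noext.crt"), SAN present: $(cert_has_san "$WORK/noext.crt" && echo yes || echo no)"
echo "with    -extfile: X.509 v$(cert_version "$WORK/san.crt"), SAN present: $(cert_has_san "$WORK/san.crt" && echo yes || echo no)"
```

Inspecting either certificate with `openssl x509 -in FILE -noout -text` is the quickest way to confirm what actually got signed: the SAN block under "X509v3 extensions" is present only in the `-extfile` variant. The same config file can be pointed at with `OPENSSL_CONF` when using CA.pl, as Steve suggests, so the system openssl.cnf stays untouched.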