On Wed, Jan 04, 2012, Mick wrote:
> On Wednesday 04 Jan 2012 12:33:06 you wrote:
> >
> > I've found many articles on how I can add that attribute by using a
> > custom config file and the -extfile <file> and -extensions <section>
> > parameters. I've used that as a "work around" to get subjectAltName
> > into certificates, but it would be better if I could just sign CSRs
> > and use subjectAltName already specified there.
>
> What you can do is set the parameter:
>
> # Extension copying option: use with caution.
> copy_extensions = copy
>
> under your CA_default section in your openssl.cnf
>

Yes that works, but only for the 'ca' utility.

> > Are there any security reasons as to why "openssl x509 -req" strips
> > the attributes or how can I make a custom config file that lets me
> > use the X509v3 extended attributes exactly as they are in the CSR?
>
> In the sense that you may not know who's created the CSR or what they've
> allowed in it (the whole signing process can be automated), a copy by default
> option would seem a bit loose.
>
> However, I better leave the openssl devs or someone more knowledgeable to
> comment on this.
>

Yes that's the reason it isn't enabled by default. If you copy extensions you
should be *really* sure that the extensions are acceptable (e.g. using the
interactive mode of 'ca') because otherwise a CSR could contain (for example)
basicConstraints CA=TRUE and the recipient would get a CA certificate if this
was overlooked.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
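Added example, not from the thread or from OpenSSL itself: a shell check a CA operator can run on a CSR before signing it with copy_extensions = copy. It vets the text that "openssl req -noout -text" prints and refuses requests carrying basicConstraints CA:TRUE (the case Steve describes), a keyUsage that allows certificate or CRL signing, or a DNS subjectAltName outside an assumed allowed domain; ALLOWED_SUFFIX and the sample CSR text are constructed for the example.

```shell
# Added example, not from the thread: vet the X509v3 extensions a CSR requests
# before it is signed with "copy_extensions = copy". The checks run on the text
# that "openssl req -noout -text" prints, so they can be read and tested offline.
# ALLOWED_SUFFIX is a constructed policy: the only domain this CA may issue for.
ALLOWED_SUFFIX="${ALLOWED_SUFFIX:-example.com}"

# Print just the "Requested Extensions" block of CSR text read on stdin.
csr_requested_extensions() {
    sed -n '/Requested Extensions:/,/Signature Algorithm:/p' | sed '1d;$d'
}

# Decide whether the extensions in CSR text $1 may be copied into the certificate.
# Prints "ok: ..." and returns 0, or "refuse: ..." and returns 1.
vet_csr_text() {
    exts=$(printf '%s\n' "$1" | csr_requested_extensions)
    if [ -z "$exts" ]; then
        echo "ok: no extensions requested"; return 0
    fi
    # The trap Steve describes: a request for a CA certificate, or for a key
    # usage that allows signing certificates or CRLs, must never be copied.
    if printf '%s\n' "$exts" | grep -q 'CA:TRUE'; then
        echo "refuse: basicConstraints CA:TRUE requested"; return 1
    fi
    if printf '%s\n' "$exts" | grep -Eq 'Certificate Sign|CRL Sign'; then
        echo "refuse: keyUsage asks for certificate or CRL signing"; return 1
    fi
    # Every DNS name in subjectAltName must sit under the allowed domain.
    for name in $(printf '%s\n' "$exts" | grep -o 'DNS:[^, ]*' | cut -d: -f2); do
        case "$name" in
            "$ALLOWED_SUFFIX" | *".$ALLOWED_SUFFIX") ;;
            *) echo "refuse: SAN $name is outside $ALLOWED_SUFFIX"; return 1 ;;
        esac
    done
    echo "ok: extensions acceptable"; return 0
}

# Wrapper for a real CSR file; needs the openssl CLI, so it is not run offline.
vet_csr_file() { vet_csr_text "$(openssl req -in "$1" -noout -text)"; }

# Constructed sample: the attribute section of a CSR that smuggles in CA:TRUE.
ROGUE_CSR_TEXT=$(cat <<'EOF'
            Requested Extensions:
                X509v3 Subject Alternative Name:
                    DNS:www.example.com, DNS:example.com
                X509v3 Basic Constraints: critical
                    CA:TRUE
    Signature Algorithm: sha256WithRSAEncryption
EOF
)
```

With the openssl CLI installed, "vet_csr_file request.csr" applies the same checks to a real request; use the interactive mode of 'ca' for anything the script refuses.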