On Wed, Jan 4, 2012 at 1:57 PM, Mick <michaelkintz...@gmail.com> wrote:
> On Wednesday 04 Jan 2012 12:33:06 you wrote:
>> Hi,
>>
>> I have some firewalls that put a subjectAltName X509v3 attribute
>> into the CSR, but when I sign them with my openssl CA, it just throws
>> that attribute away. VPN clients later require the subjectAltName to
>> match the host they connect to, hence it must be present.
>
> Theoretically at least the VPN client would search the Subject: string for a
> Distinguished Name.
> If it can't find it there it will look at the subjAltName which as you say is
> not always available in a certificate.

Yeah, in theory, but in practice the Android/VPN/Racoon client in this case
requires subjAltName to work...
>> I've found many articles on how I can add that attribute by using a
>> custom config file and the -extfile <file> and -extensions <section>
>> parameters. I've used that as a "work around" to get subjectAltName
>> into certificates, but it would be better if I could just sign CSRs
>> and use the subjectAltName already specified there.
>
> What you can do is set the parameter:
>
> # Extension copying option: use with caution.
> copy_extensions = copy
>
> under your CA_default section in your openssl.cnf

Yeah, I found the problem now! I did try before to set that parameter, but
what I didn't get was that "openssl x509 -req" does not read the openssl.cnf
file at all and thus never saw the copy_extensions parameter. Now that I tried
signing the CSR with the "openssl ca" utility instead, it worked.

I'll try to defend myself (before myself) with the fact that I was colored by
all the lists of "Here's the 10 openssl commands you'll ever need", which for
some reason all seem to recommend "openssl x509 -req" instead of "openssl ca"
for CSR signing...

//Greger
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
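The two signing paths discussed in the thread, reproduced end to end as an added example (this is not code from the thread or from the OpenSSL project). It builds a throwaway CA and a CSR carrying a subjectAltName, signs the CSR once with "openssl x509 -req" and once with "openssl ca" using a minimal config that sets copy_extensions = copy, and reports which certificate actually contains the SAN. All names (Demo CA, fw.example.test, file names, the ca.cnf contents) are constructed for the demo; it assumes an OpenSSL 1.1.1 or newer CLI in PATH (for "req -addext") and runs in a temporary directory. Note that "openssl ca" adds every extension from the CSR, not just the SAN, which is why the openssl.cnf comment says to use the option with caution: review what a submitter put in the request before signing it.

```shell
#!/bin/sh
# Added example: show that `openssl x509 -req` silently drops a CSR's
# subjectAltName while `openssl ca` with copy_extensions = copy keeps it.
set -eu

# Nothing to demonstrate without the OpenSSL CLI.
command -v openssl >/dev/null 2>&1 || { echo "openssl CLI not found" >&2; exit 0; }

# Create the throwaway CA, its minimal config and a CSR with a SAN.
demo_setup() {
  WORK=$(mktemp -d)
  cd "$WORK"
  # Constructed CA config: the important line is copy_extensions = copy.
  # unique_subject = no only lets the demo sign the same CSR more than once.
  cat > ca.cnf <<'EOF'
[ ca ]
default_ca = CA_default

[ CA_default ]
dir             = .
database        = index.txt
new_certs_dir   = .
serial          = serial
certificate     = ca.crt
private_key     = ca.key
default_md      = sha256
default_days    = 365
policy          = policy_any
unique_subject  = no
copy_extensions = copy

[ policy_any ]
commonName = supplied

[ req ]
distinguished_name = dn
prompt = no

[ dn ]
CN = placeholder
EOF
  : > index.txt
  echo 01 > serial
  # Self-signed demo CA (constructed name).
  openssl req -x509 -new -newkey rsa:2048 -nodes -config ca.cnf \
    -keyout ca.key -out ca.crt -subj "/CN=Demo CA" -days 365 >/dev/null 2>&1
  # CSR with a subjectAltName, standing in for the firewall's request.
  openssl req -new -newkey rsa:2048 -nodes -config ca.cnf \
    -keyout fw.key -out fw.csr -subj "/CN=fw.example.test" \
    -addext "subjectAltName=DNS:fw.example.test" >/dev/null 2>&1
}

# Print the SAN of a certificate, or "none" when it has no SAN extension.
san_of() {
  out=$(openssl x509 -in "$1" -noout -text \
        | grep -A1 'Subject Alternative Name' | tail -n1 | tr -d ' ')
  if [ -n "$out" ]; then echo "$out"; else echo none; fi
}

# The "10 commands you'll ever need" path: no config is read, so the
# request's extensions are not carried into the certificate.
sign_with_x509() {
  openssl x509 -req -in fw.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
    -out fw-x509.crt -days 365 >/dev/null 2>&1
  san_of fw-x509.crt
}

# The `openssl ca` path with copy_extensions = copy: the SAN survives.
sign_with_ca() {
  openssl ca -batch -config ca.cnf -in fw.csr -out fw-ca.crt >/dev/null 2>&1
  san_of fw-ca.crt
}

demo_setup
echo "openssl x509 -req : SAN = $(sign_with_x509)"
echo "openssl ca        : SAN = $(sign_with_ca)"
```

Running it prints "none" for the x509 -req certificate and "DNS:fw.example.test" for the one issued by openssl ca. The same check (openssl x509 -noout -text on the issued certificate, looking for the Subject Alternative Name block) is the quickest way to confirm, before rolling a certificate out to the VPN clients, that the extension actually made it through the CA.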