On May 23, 2013, at 10:28 AM, Jakob Bohm wrote:
> On 5/23/2013 6:21 PM, Craig White wrote:
>> hmmm… I guess it may not be there but it's there in the cert that I signed
>> with my CA self which is using the same csr
>>
>> Is there something wrong with the way I am generating them?
>>
>> openssl req -new -nodes \
>> -out $CERTPATH/http.csr \
>> -keyout $CERTPATH/http.key \
>> -days 3650 \
>> -config $CONFIG
>
> Depends what is in your config!
>
> In the config I use for such I have (other lines omitted for clarity):
>
> [req]
>
> # Other stuff
>
> req_extensions = v3_req
>
> [ v3_req ]
>
> # Other stuff
>
> subjectAltName = @alt_names
>
> [alt_names]
> # Remember to repeat the CN as one of the ALT Names,
> # Someone published an RFC that said to ignore the CN if there are
> # any ALT names and some idiots implemented this misprint
> # literally.
> # The lines that start with DNS are for "DNS names", that is web
> # servers etc., there are other words to use for other name
> # types, and those type indicators become part of the request
> # (and the certificate if it copies the alt names)
> DNS.0 = www.example.com
> DNS.1 = example.com
> DNS.2 = web.example.com
>
>
>>
>> openssl ca \
>> -config $CONFIG \
>> -policy policy_anything \
>> -out $CERTPATH/http.pem \
>> -infiles $CERTPATH/http.csr
>
> Does the config file used by your CA say to copy the Alt names
> extension from the requests?
----
I think you have hit the nail on the head. The subjectAltName(s) aren't getting
included in requests but are being included in certificates which are drawn
from the same config file. I was assuming that it would work but it isn't.
I moved the subjectAltName definition to various sections included v3_req and
changed it to this…
subjectAltName = email:copy, DNS:copy, @alt_names
but still no go - subjectAltName is not making it into the csr.
Finally tried
$ openssl req -new -nodes \
-out $CERTPATH/http.csr \
-keyout $CERTPATH/http.key \
-days 3650 \
-config $CONFIG \
-extensions v3_req
but still not in the csr.
Obviously I am missing something important in my reading of the documentation.
Thanks
Craig______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [email protected]
Automated List Manager [email protected]