> From: owner-openssl-us...@openssl.org On Behalf Of Hum Brai
> Sent: Friday, October 04, 2013 12:00
> Summary: CSR has x509v3 extensions, certificate does not
<snip>
> I found on the internet how we can make a CSR (request) have subjectAltName
> (and verified it). The PROBLEM is when I take a request to make a new user
> certificate, I get no x509v3 fields in the certificate like subjectAltName,
> and the certificate is Version 1, not Version 3. I thought putting
> copy_extensions=copy in CA_default would fix this, but it does not.
>
> Created user cert with this:
>
> openssl x509 -req -days 365 -in user-host.example.com.csr -CA
> host.example.com_CA.crt -CAkey host.example.com_CA.key -CAcreateserial
> -CAserial serial_numbers -out user-host.example.com.crt

OpenSSL has two ways to create a cert from a CSR:

  'ca'         # the original, most complete way
  'x509 -req'  # a simplified way without the 'database' etc.

Only 'ca' fully uses the config file settings, and in particular
copy_extensions. 'x509 -req' can use the config file for extensions but
nothing else. Use 'ca' if you want to copy extensions from the CSR.

You *can* use 'x509 -req' and put extensions including SAN in the config
file at 'x509 -req' time (not 'req -new' time), and that's good for
CA-related extensions like crldp, but you usually want SAN to vary for
each cert.

<snip rest>

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
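The following script is an added example, not part of the thread above, that reproduces the poster's symptom and runs both fixes the reply describes side by side: a CSR carrying a subjectAltName is signed (1) with the poster's plain `x509 -req` command, (2) with `x509 -req` plus an `-extfile` restating the extensions at signing time, and (3) with `openssl ca` and `copy_extensions = copy`. The throwaway CA, the config file layout, the directory paths, the hostnames `www.example.com` / `mail.example.com` and the helper names (`write_req_config`, `write_ca_config`, `cert_version`, `cert_san`, `demo`) are all constructed here for illustration; the config keys themselves (`copy_extensions`, `x509_extensions`, `policy`, `-reqexts`, `-extfile`, `-extensions`) are real `openssl` options.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): show where a CSR's
# subjectAltName is lost or kept on the way to the certificate.
# All file names, hostnames and the CA name below are made up.
set -e

# Request config for 'openssl req'. [v3_req] carries the SAN into the CSR
# (-reqexts v3_req) and doubles as the -extfile section for 'x509 -req'.
# [v3_ca] is only used to mint the throwaway CA.
write_req_config() {
  out=$1; shift
  sans=""
  for h in "$@"; do sans="${sans:+$sans,}DNS:$h"; done
  cat > "$out" <<EOF
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
commonName = placeholder.invalid
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[ v3_req ]
subjectAltName = $sans
EOF
}

# Minimal 'openssl ca' config printed to stdout, plus the database files it
# insists on. 'copy_extensions = copy' is the line that carries the CSR's
# SAN into the issued certificate; [usr_cert] supplies the CA-side extensions.
write_ca_config() {
  cadir=$1
  mkdir -p "$cadir/newcerts"
  touch "$cadir/index.txt"
  [ -f "$cadir/serial" ] || echo 01 > "$cadir/serial"
  cat <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
database = $cadir/index.txt
new_certs_dir = $cadir/newcerts
serial = $cadir/serial
certificate = $cadir/ca.crt
private_key = $cadir/ca.key
default_md = sha256
default_days = 365
unique_subject = no
policy = policy_cn
copy_extensions = copy
x509_extensions = usr_cert
[ policy_cn ]
commonName = supplied
[ usr_cert ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
EOF
}

# "3" for an X.509v3 certificate, "1" for v1.
cert_version() {
  openssl x509 -noout -text -in "$1" | sed -n 's/^ *Version: *\([0-9]\).*/\1/p'
}

# The SAN line of the certificate, or nothing if it has none.
cert_san() {
  openssl x509 -noout -text -in "$1" \
    | grep -A1 'Subject Alternative Name' | tail -n 1 | sed 's/^ *//' || true
}

demo() {
  d=$1
  mkdir -p "$d/ca"
  write_req_config "$d/san.cnf" www.example.com mail.example.com
  write_ca_config "$d/ca" > "$d/ca.cnf"
  # Throwaway CA, constructed for the example.
  openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 365 \
    -config "$d/san.cnf" -extensions v3_ca -subj "/CN=Example Test CA" \
    -keyout "$d/ca/ca.key" -out "$d/ca/ca.crt"
  # CSR that carries the SAN: the part the poster already had working.
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -config "$d/san.cnf" -reqexts v3_req -subj "/CN=www.example.com" \
    -keyout "$d/user.key" -out "$d/user.csr"
  # 1) The poster's command. 'x509 -req' does not read the CSR's extensions,
  #    so the SAN is dropped (older releases also emit a V1 certificate here).
  openssl x509 -req -days 365 -in "$d/user.csr" \
    -CA "$d/ca/ca.crt" -CAkey "$d/ca/ca.key" -CAcreateserial -out "$d/plain.crt"
  # 2) 'x509 -req' with the extensions restated at signing time via -extfile.
  openssl x509 -req -days 365 -in "$d/user.csr" \
    -CA "$d/ca/ca.crt" -CAkey "$d/ca/ca.key" -CAcreateserial \
    -extfile "$d/san.cnf" -extensions v3_req -out "$d/extfile.crt"
  # 3) 'ca' with copy_extensions = copy: the SAN is taken from the CSR itself.
  openssl ca -batch -notext -config "$d/ca.cnf" -in "$d/user.csr" -out "$d/ca-issued.crt"
}

case "${1:-}" in --demo) demo "${2:-$(mktemp -d)}" ;; esac
```

Run it as `sh example.sh --demo /tmp/sandemo` and compare `cert_san` on `plain.crt` (empty) with `extfile.crt` and `ca-issued.crt` (both list the two DNS names). Path 2 bakes the SAN into a file the signer controls, which is why the reply recommends it only for extensions that are the same for every certificate; path 3 is the one to use when each CSR brings its own SAN, and `copy_extensions = copy` is only honoured by `ca`, never by `x509 -req`.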