On 10/4/13, Hum Brai <humb...@gmail.com> wrote:
> Oh, sorry my message got labeled as spam, is it because I pasted the
> conf? THANK YOU for replying anyway. Question:
>
>>> Summary: CSR has x509v3 extensions, certificate does not
>> <snip>
>>> I found on internet how we can make CSR (request) have subjectAltName,
>> (and verified)
>>
>>> PROBLEM is when take a request to make new user certificate, I get no
>>> x509v3 fields in certificate like subjectAltName and the certificate
>>> is in Version 1, not Version 3. I thought putting copy_extensions=copy
>>> in the CA_default fix this, but not true.
>>>
>>> Created user cert with this:
>>>
>>> openssl x509 -req -days 365 -in user-host.example.com.csr -CA
>>> host.example.com_CA.crt -CAkey host.example.com_CA.key -CAcreateserial
>>> -CAserial serial_numbers -out user-host.example.com.crt
>>
>> OpenSSL has two ways to create a cert from a CSR:
>> 'ca' # the original most complete way
>> 'x509 -req' # a simplified way without the 'database' etc.
>>
>> Only 'ca' fully uses the config file settings and in particular
>> copy_extensions.
>
> Ohhhhhh! I wish that was documented. :)
>
>> 'x509 -req' can use the config file for extensions but nothing else.
>>
>> Use 'ca' if you want to copy extensions from the CSR.
>>
>> You *can* use 'x509 -req' and put extensions including SAN in the config
>> file at 'x509 -req' time (not 'req -new' time), and that's good for
>> CA-related extensions like crldp, but you usually want SAN to vary for
>> each cert.
>
> Yes correct, but can't SAN email:copy make unique every cert? I only
> want this extension, doesn't need come from request. Can I still use
> x509 -req for this? I did try the command adding "-extensions v3_req"
> but didn't do anything. Did I do it wrong?

Yes! I was missing "-extfile PATH". Now SAN email:copy works!

Follow-up question. If I want to generate SAN with DNSName for only one certificate, does this same process work? Just change v3_req in conf file with the DNSName?
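
The 'x509 -req' flow discussed in this thread, with the extension section supplied through -extfile and -extensions at signing time, as an added example that is not part of the original messages. The throwaway CA, the file names and the section name san_one_cert are constructed for illustration; the function signs one CSR with a DNS subjectAltName and prints the resulting certificate so the version and SAN can be checked.

```shell
#!/bin/sh
# Added example (not from the thread): one-off DNS subjectAltName with
# 'openssl x509 -req'. CA, keys, file names and the section name
# 'san_one_cert' are all constructed for this demonstration.

issue_with_dns_san() {
    # $1 = DNS name to place in subjectAltName.
    # Prints the issued certificate in text form on stdout.
    dns_name=$1
    work=$(mktemp -d) || return 1
    (
        cd "$work" || exit 1

        # Throwaway CA key and self-signed CA certificate.
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
            -subj "/CN=Example Test CA" \
            -keyout ca.key -out ca.crt 2>/dev/null || exit 1

        # User key and CSR. The CSR carries no extensions here, because
        # 'x509 -req' does not copy them from the request.
        openssl req -new -newkey rsa:2048 -nodes \
            -subj "/CN=$dns_name" \
            -keyout user.key -out user.csr 2>/dev/null || exit 1

        # Extension file written for this one certificate only.
        cat > san.ext <<EOF
[ san_one_cert ]
subjectAltName = DNS:$dns_name
EOF

        # -extfile names the file, -extensions names the section in it.
        openssl x509 -req -days 1 -in user.csr \
            -CA ca.crt -CAkey ca.key -CAcreateserial \
            -extfile san.ext -extensions san_one_cert \
            -out user.crt 2>/dev/null || exit 1

        # Show the result: expect Version 3 and the DNS SAN entry.
        openssl x509 -in user.crt -noout -text
    )
    status=$?
    rm -rf "$work"
    return $status
}
```

Calling `issue_with_dns_san host.example.com` prints a certificate whose text dump contains "Version: 3" and "DNS:host.example.com" under the Subject Alternative Name extension.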