Everything good now. Solution below. Thanks to Dave very much.

>>>> Summary: CSR has x509v3 extensions, certificate does not
>>> <snip>
>>>> I found on the internet how we can make a CSR (request) have subjectAltName,
>>> (and verified)
>>>
>>>> PROBLEM is when I take a request to make a new user certificate, I get no
>>>> x509v3 fields in the certificate like subjectAltName, and the certificate
>>>> is in Version 1, not Version 3. I thought putting copy_extensions=copy
>>>> in CA_default would fix this, but it does not.
>>>>
>>>> Created user cert with this:
>>>>
>>>> openssl x509 -req -days 365 -in user-host.example.com.csr -CA
>>>> host.example.com_CA.crt -CAkey host.example.com_CA.key -CAcreateserial
>>>> -CAserial serial_numbers -out user-host.example.com.crt
>>>
>>> OpenSSL has two ways to create a cert from a CSR:
>>> 'ca' # the original most complete way
>>> 'x509 -req' # a simplified way without the 'database' etc.
>>>
>>> Only 'ca' fully uses the config file settings and in particular
>>> copy_extensions.
>>>
>>> You *can* use 'x509 -req' and put extensions including SAN in the config
>>> file at 'x509 -req' time (not 'req -new' time), and that's good for
>>> CA-related extensions like crldp, but you usually want SAN to vary for
>>> each cert.

So I can release some of my changes to the conf file. Only ONE change needed! This:

1. add subjectAltName=email:copy to [v3_req]

Note: if you want a server certificate, change it to
subjectAltName=DNS:host.example.com

Now the corrected command, with the missing -extensions and -extfile:

openssl x509 -req -days 365 -in user-host.example.com.csr \
    -CA host.example.com_CA.crt -CAkey host.example.com_CA.key \
    -CAcreateserial -CAserial serial_numbers \
    -out user-host.example.com.crt \
    -extensions v3_req -extfile /etc/pki/tls/openssl.cnf
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
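The whole round trip from the thread, as an added shell example that is not part of the original post or of OpenSSL's own documentation: it builds a throw-away CA, makes a CSR whose [v3_req] section carries subjectAltName=email:copy, signs it once the way the original command did and once with -extensions/-extfile, and then checks the X.509 version and SAN of each result. It assumes `openssl` (1.1.1 or 3.x) is on PATH; the config file, CA name and e-mail address are constructed stand-ins for /etc/pki/tls/openssl.cnf and the host.example.com_CA files.

```sh
#!/bin/sh
# Added example (not from the original post): reproduce the problem and the fix
# end to end, then inspect the results. Assumes `openssl` on PATH; every name,
# key and config value below is constructed for the demo.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
CNF="$WORK/openssl.cnf"

# Stand-in for /etc/pki/tls/openssl.cnf. [v3_req] holds the SAN; email:copy takes
# the address from the subject DN, as the post does for a user certificate.
cat > "$CNF" <<'EOF'
[ req ]
distinguished_name = req_dn
req_extensions     = v3_req
prompt             = no

[ req_dn ]
CN           = user
emailAddress = user@host.example.com

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature, keyEncipherment
subjectAltName   = email:copy

[ ca_ext ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF

# Print the X.509 version number (1 or 3) of a PEM certificate.
cert_version() {
    openssl x509 -in "$1" -noout -text | sed -n 's/^ *Version: \([0-9]\).*/\1/p'
}

# Print the subjectAltName value of a PEM certificate, or nothing if it has none.
cert_san() {
    openssl x509 -in "$1" -noout -text \
        | awk '/Subject Alternative Name/ { getline; sub(/^ */, ""); print; exit }'
}

# 1. Throw-away self-signed CA (stand-in for host.example.com_CA.crt/.key).
openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=Demo CA" \
    -config "$CNF" -extensions ca_ext \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null

# 2. User key and CSR; the CSR carries the SAN because of req_extensions.
openssl req -new -newkey rsa:2048 -nodes -config "$CNF" \
    -keyout "$WORK/user.key" -out "$WORK/user.csr" 2>/dev/null

# 3a. The original command: 'x509 -req' ignores the CSR's extensions, so the
#     output is a Version 1 certificate with no SAN.
openssl x509 -req -days 365 -in "$WORK/user.csr" \
    -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
    -out "$WORK/user-v1.crt"

# 3b. The corrected command: -extfile/-extensions name the section to apply.
openssl x509 -req -days 365 -in "$WORK/user.csr" \
    -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
    -out "$WORK/user-v3.crt" -extensions v3_req -extfile "$CNF"

# 4. Compare, and confirm the fixed certificate still chains to the CA.
echo "without -extfile: version $(cert_version "$WORK/user-v1.crt"), SAN='$(cert_san "$WORK/user-v1.crt")'"
echo "with    -extfile: version $(cert_version "$WORK/user-v3.crt"), SAN='$(cert_san "$WORK/user-v3.crt")'"
openssl verify -CAfile "$WORK/ca.crt" "$WORK/user-v3.crt"
```

The version check is the quick tell: 'x509 -req' only marks a certificate as v3 when it actually added extensions, so a "Version: 1" user certificate means the -extfile/-extensions step (or 'ca' with copy_extensions) was skipped.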
