Oh, sorry my message got labeled as spam, is it because I pasted the conf? THANK YOU for replying anyway. Question:
>> Summary: CSR has x509v3 extensions, certificate does not
> <snip>
>> I found on internet how we can make CSR (request) have subjectAltName,
> (and verified)
>
>> PROBLEM is when take a request to make new user certificate, I get no
>> x509v3 fields in certificate like subjectAltName and the certificate
>> is in Version 1, not Version 3. I thought putting copy_extensions=copy
>> in the CA_default fix this, but not true.
>>
>> Created user cert with this:
>>
>> openssl x509 -req -days 365 -in user-host.example.com.csr -CA
>> host.example.com_CA.crt -CAkey host.example.com_CA.key -CAcreateserial
>> -CAserial serial_numbers -out user-host.example.com.crt
>
> OpenSSL has two ways to create a cert from a CSR:
> 'ca' # the original most complete way
> 'x509 -req' # a simplified way without the 'database' etc.
>
> Only 'ca' fully uses the config file settings and in particular
> copy_extensions.

Ohhhhhh! I wish that was documented. :)

> 'x509 -req' can use the config file for extensions but nothing else.
>
> Use 'ca' if you want to copy extensions from the CSR.
>
> You *can* use 'x509 -req' and put extensions including SAN in the config file
> at 'x509 -req' time (not 'req -new' time), and that's good for CA-related
> extensions like crldp, but you usually want SAN to vary for each cert.

Yes, correct, but can't SAN email:copy make every cert unique? I only want this extension, it doesn't need to come from the request. Can I still use x509 -req for this?

I did try the command adding "-extensions v3_req" but it didn't do anything. Did I do it wrong?

Thanks again!

______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org
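The signing step discussed in this thread, as an added example that is not part of the original message: `x509 -req` takes extension sections only from a file passed with `-extfile`, and `-extensions` names a section inside that file. The throwaway CA, the file names, the section name `usr_san` and the subject values are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. All names and subjects are constructed.

# sign_with_san DIR: create a throwaway CA and a CSR in DIR, then sign the
# CSR with 'x509 -req', reading the extensions from a file given by -extfile.
sign_with_san() {
    dir=$1
    # Section read at signing time. email:copy takes the emailAddress from
    # the subject DN, so the SAN value differs for each certificate.
    cat > "$dir/ext.cnf" <<'EOF'
[ usr_san ]
basicConstraints = CA:FALSE
subjectAltName = email:copy
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=Example Test CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null || return 1
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/CN=user/emailAddress=user@host.example.com" \
        -keyout "$dir/user.key" -out "$dir/user.csr" 2>/dev/null || return 1
    # Same command shape as in the thread, plus -extfile and -extensions.
    openssl x509 -req -days 365 -in "$dir/user.csr" \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -CAserial "$dir/serial_numbers" \
        -extfile "$dir/ext.cnf" -extensions usr_san \
        -out "$dir/user.crt" 2>/dev/null || return 1
}

# cert_version FILE: print the X.509 version number shown by 'x509 -text'.
cert_version() {
    openssl x509 -in "$1" -noout -text |
        sed -n 's/^ *Version: \([0-9]*\).*/\1/p'
}

# cert_san FILE: print the value line that follows the SAN header.
cert_san() {
    openssl x509 -in "$1" -noout -text |
        sed -n '/X509v3 Subject Alternative Name/{n;s/^ *//;p;}'
}

demo_dir=$(mktemp -d)
sign_with_san "$demo_dir" &&
    echo "version=$(cert_version "$demo_dir/user.crt")" \
         "san=$(cert_san "$demo_dir/user.crt")"
rm -rf "$demo_dir"
```

The subject must carry an emailAddress attribute for `email:copy` to have anything to copy.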