On Fri, Jan 24, 2014 at 1:18 PM, Jakob Bohm <[email protected]> wrote:
> On 1/24/2014 6:54 PM, Jeffrey Walton wrote:
>>
>> I don't see a dumb mistake with this one....
>>
>> ...
>> [ signing_req ]
>> subjectKeyIdentifier=hash
>> authorityKeyIdentifier=keyid,issuer
>> basicConstraints = CA:FALSE
>> keyUsage = nonRepudiation, digitalSignature, keyEncipherment
>>
>> # subjectAltName=copy
>> # subjectAltName=dns:copy
>>
>> Attempting to use `subjectAltName=dns:copy` results in a parse error,
>> so I know the section is being read.
>>
>> The disconnect here seems to be I cannot put `subjectAltName =
>> @alternate_names` (with appropriate section) in the CA's conf. In this
>> case, the CA has the SANs in the CSR, but it does not have access to
>> the other conf file with the `alternate_names` section.
>>
>> Any ideas how to proceed?
>
> This is a common problem with the openssl interface. It is practically
> a FAQ.
>
> There are two methods, either should work:
>
> - Temporarily edit/duplicate the CA openssl.conf, adding the alternate
> specific alternate_names section for the duration of a single signing.
>
> - Use the setting to copy *all* extensions from the CSR, and carefully
> examine each CSR before signing it.

Perfect, thanks.
I tried it earlier, but the `openssl ca` verification screen did not
show them, so I moved on. Sigh.....

Jeff
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [email protected]
Automated List Manager                           [email protected]
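The second method Jakob describes is the `copy_extensions` key of the `openssl ca` section (`none` is the default, which is why the SANs in the CSR never reached the certificate). The script below is an added example, not code from the thread: it builds a throwaway CA, creates a CSR whose `alternate_names` section lives only on the requester side (the situation described above), inspects the CSR's requested SANs before signing, signs it once with `copy_extensions = none` and once with `copy_extensions = copy`, and shows which SANs each certificate actually carries. The `signing_req` section is the one from the thread; the directory layout, the "Demo Root CA" and example.test names, the key size and the 30-day validity are assumptions made for the demo.

```shell
#!/bin/sh
# Added example, not from the thread: sign a CSR carrying subjectAltName with
# `openssl ca`, first with copy_extensions = none (the default; SANs dropped),
# then with copy_extensions = copy (SANs kept). Directory layout, the
# "Demo Root CA"/example.test names, key size and 30-day validity are assumed.
set -eu

write_ca_conf() {   # $1 = workdir, $2 = copy_extensions value (none|copy)
  cat > "$1/ca.cnf" <<EOF
[ req ]
prompt             = no
distinguished_name = ca_dn
x509_extensions    = v3_ca
[ ca_dn ]
CN = Demo Root CA
[ v3_ca ]
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints       = critical, CA:TRUE
keyUsage               = critical, keyCertSign, cRLSign
[ ca ]
default_ca = demo_ca
[ demo_ca ]
database        = $1/index.txt
new_certs_dir   = $1/newcerts
serial          = $1/serial
certificate     = $1/ca.crt
private_key     = $1/ca.key
default_md      = sha256
default_days    = 30
policy          = policy_any
unique_subject  = no
x509_extensions = signing_req
copy_extensions = $2
[ policy_any ]
commonName = supplied
[ signing_req ]
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid,issuer
basicConstraints       = CA:FALSE
keyUsage               = nonRepudiation, digitalSignature, keyEncipherment
EOF
}

setup_ca() {   # $1 = workdir: empty CA database plus a self-signed root
  mkdir -p "$1/newcerts"
  : > "$1/index.txt"
  printf 'unique_subject = no\n' > "$1/index.txt.attr"
  printf '1000\n' > "$1/serial"
  write_ca_conf "$1" none
  openssl req -x509 -new -newkey rsa:2048 -nodes -days 30 \
    -config "$1/ca.cnf" -keyout "$1/ca.key" -out "$1/ca.crt"
}

make_csr() {   # $1 = workdir, $2.. = DNS names for the SAN; the first is the CN
  d=$1; shift
  {
    printf '[ req ]\nprompt = no\ndistinguished_name = leaf_dn\nreq_extensions = v3_req\n'
    printf '[ leaf_dn ]\nCN = %s\n' "$1"
    printf '[ v3_req ]\nsubjectAltName = @alternate_names\n[ alternate_names ]\n'
    i=1
    for name in "$@"; do printf 'DNS.%d = %s\n' "$i" "$name"; i=$((i + 1)); done
  } > "$d/csr.cnf"
  openssl req -new -newkey rsa:2048 -nodes \
    -config "$d/csr.cnf" -keyout "$d/leaf.key" -out "$d/leaf.csr"
}

sign_csr() {   # $1 = workdir, $2 = copy_extensions value, $3 = output file
  write_ca_conf "$1" "$2"
  openssl ca -batch -notext -config "$1/ca.cnf" -in "$1/leaf.csr" -out "$1/$3"
}

sans_of() {   # $1 = req|x509, $2 = file: print the SAN values, or nothing
  openssl "$1" -in "$2" -noout -text \
    | grep -A1 'Subject Alternative Name' | tail -n 1 | sed 's/^[[:space:]]*//'
}
csr_sans()  { sans_of req  "$1"; }   # what was requested: inspect before signing
cert_sans() { sans_of x509 "$1"; }   # what the CA actually issued

main() {
  work=$(mktemp -d)
  setup_ca "$work"
  make_csr "$work" example.test www.example.test
  printf 'CSR requests:            %s\n' "$(csr_sans "$work/leaf.csr")"
  sign_csr "$work" none leaf-none.crt
  printf 'copy_extensions = none:  %s\n' "$(cert_sans "$work/leaf-none.crt")"
  sign_csr "$work" copy leaf-copy.crt
  printf 'copy_extensions = copy:  %s\n' "$(cert_sans "$work/leaf-copy.crt")"
  openssl verify -CAfile "$work/ca.crt" "$work/leaf-copy.crt"
  rm -rf "$work"
}
main
```

Two practical points. With `copy_extensions = copy`, an extension that the CA's own `x509_extensions` section already sets is taken from the config, not the CSR, so keeping `basicConstraints = CA:FALSE` and `keyUsage` in `signing_req` pins those down even if a requester asks for something else; anything the CA section does not set (`extendedKeyUsage`, for instance) is copied from the CSR verbatim, which is exactly why the reply says to examine each CSR before signing (`csr_sans` above, or the full `openssl req -text` output, is that check). The first method in the reply is the same `subjectAltName = @alternate_names` stanza that the CSR config uses here, placed temporarily in the CA's `signing_req` section for one signing instead; it avoids trusting the CSR's extensions at all, at the cost of editing the CA config per request.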
