Re: Creating certification requests with no CN and SAN only

2013-02-14 Thread Matthew Hall
On Thu, Feb 14, 2013 at 11:55:59AM -0800, Matthew Hall wrote:
> I used this configuration file:
>
> [req]
> default_bits = 4096
> prompt = no
> encrypt_key= no
> default_md = sha256
> distinguished_name = dn
> req_extensions = san
>
> [dn]
> [san]
> subjectAl

Re: Creating certification requests with no CN and SAN only

2013-02-14 Thread Matthew Hall
On Thu, Feb 14, 2013 at 05:37:00AM +, Viktor Dukhovni wrote:
> On Thu, Feb 14, 2013 at 04:11:33AM +, Viktor Dukhovni wrote:
> A more complete example:
>
> $ cat openssl.cnf
> [ req ]
> distinguished_name = dn
> req_extensions = san
> [ dn ]
> [ san ]
> subjectAl

Re: [openssl-users] Re: Creating certification requests with no CN and SAN only

2013-02-14 Thread Matthew Hall
Hi Erwann,
On Thu, Feb 14, 2013 at 11:09:23AM +0100, Erwann Abalea wrote:
> RFC5280 was not "written by the CAs themselves".
Some of them are listed in the authorship; they also reference 5280 and other PKI RFCs in their standards they created as part of the CAB Forum and the Webtrust auditing

Re: [openssl-users] Re: Creating certification requests with no CN and SAN only

2013-02-14 Thread Erwann Abalea
RFC5280 was not "written by the CAs themselves". The deprecation of CNs in favor of elements found in the SAN extension is logical and comes from CAs as well as browser vendors; CN use has been abused to contain names (human readable), IP addresses, and host names (either simple or fully quali

Re: Creating certification requests with no CN and SAN only

2013-02-13 Thread Matthew Hall
I am sure at least some would sign it because the RFC 5280 PKIX standard was written by the CAs themselves and they are the ones deprecating CN in favor of SAN.
-- Sent from my mobile device.
Viktor Dukhovni wrote:
>On Thu, Feb 14, 2013 at 04:11:33AM +, Viktor Dukhovni wrote:
>
>> You'll natu

Re: Creating certification requests with no CN and SAN only

2013-02-13 Thread Viktor Dukhovni
On Thu, Feb 14, 2013 at 04:11:33AM +, Viktor Dukhovni wrote:
> You'll naturally need to add the requisite subjectAltName extensions.
A more complete example:
$ cat openssl.cnf
[ req ]
distinguished_name = dn
req_extensions = san
[ dn ]
[ san ]
subjectAltName

Re: Creating certification requests with no CN and SAN only

2013-02-13 Thread Viktor Dukhovni
On Wed, Feb 13, 2013 at 07:46:10PM -0800, Matthew Hall wrote:
> Hello,
>
> I tried to figure out how to create a certification request which has an empty
> CN and only uses SANs, in line with the recommendations of the latest PKIX RFC
> 5280.
>
> I tried various permutations of commentin