On 10/15/19 17:57, David Woodhouse wrote:
> On Thu, 2019-10-10 at 20:03 +0200, Laszlo Ersek wrote:
>> (I can't test it easily myself, as I don't even know how to create a
>> server certificate with a SAN -- any kind of SAN, let alone GEN_IP.)
>
> I had to look it up again, but here goes...
>
> $ cat v3.ext
> subjectAltName = @alt_names
> [alt_names]
> DNS.1 = lersek-test.redhat.com
> IP.2 = 192.168.124.2
> IP.3 = fd33:eb1b:9b36::2
> $ openssl req -nodes -newkey rsa:2048 -keyout key.pem -out cert.csr
> ...
> $ openssl x509 -signkey ca-key.pem -in cert.csr -req -days 3650 -out cert.pem -extfile v3.ext
I'm not familiar with this x509 invocation ("-signkey"). Thus far I've used x509 to sign self-signed certificate requests with a CA key:

    openssl x509 -req -in request.csr -out signedcert.pem \
        -CA ca-cert.pem -CAkey ca-key.pem [-CAcreateserial]

I guess "-signkey ca-key.pem" is a shorthand for the (-CA, -CAkey) pair? (I've tried to look at the manual; I couldn't say I'm wiser now.)

Either way: why do we add the subject alternative names when the CA signs the request? Shouldn't the *original* certificate request state what alternative names can stand for the same subject? (I don't even understand how a CA can usefully insert such an extension; after all, it cannot be signed by the original certificate requestor!)

The "openssl req" command too seems to accept "-extensions" -- why are we not required to use that? To me it seems like the only acceptable place to add alternative names.

Thanks!
Laszlo
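The two places discussed in this exchange, the request's own extensions (`req_extensions` in the `openssl req` config, which is what the `-extensions` option selects) and the extensions the CA applies when it signs (`-extfile`), can be exercised side by side. The script below is an added example, not David's or Laszlo's commands; it assumes an `openssl` binary (1.1.1 or later) in PATH, and every host name, address and file name in it is constructed for the example. It builds a throwaway CA, a CSR that carries its SANs, and a CA-signed leaf certificate, then checks where the SAN actually landed. The security-relevant point it makes visible: `openssl x509 -req` does not copy extensions out of the CSR, so whatever the requester asked for is only advisory, and the SAN in the issued certificate is exactly what the CA chose to put in its `-extfile` section.

```shell
#!/bin/sh
# Added example (not part of the thread above): a CSR that carries its own
# subjectAltName, plus a CA that applies the SAN it is willing to certify at
# signing time. Assumes an `openssl` binary (1.1.1 or later) in PATH; every
# name and address here is constructed for the example.
set -eu

# Writes req.cnf, ca.cnf, a throwaway CA, the leaf CSR and the signed leaf
# certificate into a fresh temporary directory, and prints that directory.
make_san_cert() {
    d=$(mktemp -d)

    # Request-side config: the requester states the SANs it wants (req_extensions).
    cat > "$d/req.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
req_extensions = leaf_ext
[dn]
CN = server.example.test
[leaf_ext]
subjectAltName = @alt_names
[alt_names]
DNS.1 = server.example.test
IP.1 = 192.0.2.10
IP.2 = 2001:db8::10
EOF

    # Throwaway CA: self-signed, explicitly marked as a CA so `openssl verify`
    # accepts it as an issuer.
    cat > "$d/ca.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
x509_extensions = ca_ext
[dn]
CN = Example Test CA
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF
    openssl req -x509 -config "$d/ca.cnf" -nodes -newkey rsa:2048 -days 365 \
        -keyout "$d/ca-key.pem" -out "$d/ca-cert.pem" >/dev/null 2>&1

    # Leaf key and CSR; the SAN ends up inside the (requester-signed) request.
    openssl req -new -config "$d/req.cnf" -nodes -newkey rsa:2048 \
        -keyout "$d/key.pem" -out "$d/cert.csr" >/dev/null 2>&1

    # CA signs. `openssl x509 -req` does not copy the CSR's extensions, so the
    # SAN in cert.pem comes from -extfile/-extensions: the CA, not the
    # requester, decides which names get certified (here it reuses the
    # request's section after, in a real CA, checking the names).
    openssl x509 -req -in "$d/cert.csr" -CA "$d/ca-cert.pem" -CAkey "$d/ca-key.pem" \
        -CAcreateserial -days 365 -extfile "$d/req.cnf" -extensions leaf_ext \
        -out "$d/cert.pem" >/dev/null 2>&1

    echo "$d"
}

# Succeeds if the CSR in directory $1 carries SAN entry $2 (as printed by -text).
csr_has_san() {
    openssl req -in "$1/cert.csr" -noout -text | grep -qi "$2"
}

# Succeeds if cert.pem in directory $1 chains to the CA and carries SAN entry $2.
cert_has_san() {
    openssl verify -CAfile "$1/ca-cert.pem" "$1/cert.pem" >/dev/null 2>&1 || return 1
    openssl x509 -in "$1/cert.pem" -noout -text | grep -qi "$2"
}

dir=$(make_san_cert)
csr_has_san "$dir" "DNS:server.example.test" && echo "CSR carries the SAN"
cert_has_san "$dir" "DNS:server.example.test" && echo "issued cert carries the SAN and verifies"
```

To see the CA's control directly, point `-extfile` at a section with a different `subjectAltName`: the CSR still lists the requested names, but `cert_has_san` only finds the ones the CA wrote. Newer OpenSSL releases add a `-copy_extensions` option to `openssl x509` (and `openssl ca` has a `copy_extensions` config setting) for CAs that deliberately want to carry the request's extensions over.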