Here's an example of an OpenSSL configuration file that appears to generate the right kind of CSRs and self-signed certs. Note that you need OpenSSL 0.9.8 or newer.
oid_section = new_oids [ new_oids ] # RFC 3920 section 5.1.1 defines this OID xmppAddr = 1.3.6.1.5.5.7.8.5 [ req ] default_bits = 1024 default_keyfile = dotat.key distinguished_name = distinguished_name req_extensions = v3_extensions x509_extensions = v3_extensions # don't ask about the DN prompt = no [ distinguished_name ] countryName = GB stateOrProvinceName = England localityName = Cambridge organizationName = dotat labs commonName = dotat.at [ v3_extensions ] # for certificate requests (req_extensions) # and self-signed certificates (x509_extensions) basicConstraints = CA:FALSE extendedKeyUsage = serverAuth,clientAuth subjectAltName = @subject_alternative_name [ subject_alternative_name ] DNS = dotat.at otherName = xmppAddr;UTF8:dotat.at Tony. -- f.a.n.finch <[EMAIL PROTECTED]> http://dotat.at/ DOGGER FISHER GERMAN BIGHT: WEST OR NORTHWEST 4 OR 5, OCCASIONALLY 6 IN FISHER, BECOMING VARIABLE 3 OR 4 IN DOGGER AND GERMAN BIGHT. RAIN OR SHOWERS. MODERATE OR GOOD.