On Tue, Aug 23, 2005 at 03:58:31PM +0100, Jason McIntyre wrote:
>
> yes, it was removed a little while ago. you can get the same
> functionality from openssl(1) req. see also isakmpd(8).

i checked on the isakmpd(8), it gives an example how to make a
subjectAltName extension field using IP or FQDN, but how does one make
UFQDN now that certpatch is gone?

i did a 'find /usr/src -type f | xargs egrep -i "(u|user).*fqdn"', but
didn't find much who could hint me on how to add an [x509v3_UFQDN]
section to /etc/ssl/x509v3.cnf correctly.

i made a few random guesses and tried these type of things individually:

---
[x509v3_USER_FQDN]
subjectAltName=emailAddress:$ENV::CERTUFQDN
---

---
[x509v3_USERFQDN]
subjectAltName=emailAddress:$ENV::CERTUFQDN
---

---
[x509v3_User_FQDN]
subjectAltName=emailAddress:$ENV::CERTUFQDN
---

---
[x509v3_UFQDN]
subjectAltName=emailAddress:$ENV::CERTUFQDN
---

and using ~:

openssl x509 -req -days 365 -in peer.csr \
    -CA CA/crt \
    -CAkey CA/key \
    -CAcreateserial \
    -extfile /etc/ssl/x509v3.cnf -extensions <whatever i tried in brackets> \
    -out peer.crt

but it keeps yelling at me about the invalid line in x509v3.cnf (meaning
obviously that what i'm trying to add to the .cnf is wrong).

is there a right way to add a UFQDN declaration to the x509v3.cnf ?

jared

- [ openbsd 3.8 GENERIC ( aug 29 ) // i386 ]
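
Added example, not part of the original post or of any shipped x509v3.cnf: in OpenSSL's extension syntax the subjectAltName type for an rfc822Name (what IKE calls a USER_FQDN) is `email`; `emailAddress` is not an accepted type. The script signs a CSR with each spelling so the difference shows in the exit status. The scratch CA, the file names and jared@example.org are constructed for the run.

```shell
#!/bin/sh
# Scratch CA and peer CSR (constructed names, throwaway 1-day CA).
setup_ca_and_csr() {
    dir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=scratch CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null &&
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=peer" \
        -keyout "$dir/peer.key" -out "$dir/peer.csr" 2>/dev/null
}

# Sign the CSR using an [x509v3_UFQDN] section whose subjectAltName uses
# the given type keyword. Returns openssl's exit status.
sign_with_san() {
    kw=$1 ufqdn=$2 dir=$3
    # Single quotes keep $ENV::CERTUFQDN literal in the file; openssl
    # expands it when it loads the file, so the variable must be set then.
    printf '[x509v3_UFQDN]\nsubjectAltName=%s:$ENV::CERTUFQDN\n' "$kw" \
        > "$dir/x509v3.cnf"
    CERTUFQDN=$ufqdn openssl x509 -req -days 365 -in "$dir/peer.csr" \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -extfile "$dir/x509v3.cnf" -extensions x509v3_UFQDN \
        -out "$dir/peer-$kw.crt" 2>/dev/null
}

# Print the subjectAltName value of a certificate, whitespace stripped.
san_of() {
    openssl x509 -in "$1" -noout -text |
        grep -A1 'Subject Alternative Name' | tail -n 1 | tr -d ' '
}
```

Because every `$ENV::` reference is expanded when the file is loaded, a shared extension file that also references other variables needs those set as well.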