On Tue, Aug 23, 2005 at 03:58:31PM +0100, Jason McIntyre wrote:
>
> yes, it was removed a little while ago. you can get the same
> functionality from openssl(1) req. see also isakmpd(8).
i checked on the isakmpd(8), it gives an example how to make
a subjectAltName extension field using IP or FQDN, but
how does one make UFQDN now that certpatch is gone?
i did a 'find /usr/src -type f | xargs egrep -i "(u|user).*fqdn"',
but didn't find much that could hint me on how to add an
[x509v3_UFQDN] section to /etc/ssl/x509v3.cnf correctly.
i made a few random guesses and tried these types of things
individually:
---
[x509v3_USER_FQDN]
subjectAltName=emailAddress:$ENV::CERTUFQDN
---
---
[x509v3_USERFQDN]
subjectAltName=emailAddress:$ENV::CERTUFQDN
---
---
[x509v3_User_FQDN]
subjectAltName=emailAddress:$ENV::CERTUFQDN
---
---
[x509v3_UFQDN]
subjectAltName=emailAddress:$ENV::CERTUFQDN
---
and using ~:
openssl x509 -req -days 365 -in peer.csr \
-CA CA/crt \
-CAkey CA/key \
-CAcreateserial \
-extfile /etc/ssl/x509v3.cnf -extensions <whatever i tried in brackets> \
-out peer.crt
but it keeps yelling at me about the invalid line in x509v3.cnf
(meaning obviously that what i'm trying to add to the .cnf is wrong).
is there a right way to add a UFQDN declaration to the x509v3.cnf ?
jared
-
[ openbsd 3.8 GENERIC ( aug 29 ) // i386 ]
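
The signing step from the message above, as an added example that is not part of the original post: OpenSSL's subjectAltName syntax names the rfc822Name (UFQDN) type `email`, so a value starting with `emailAddress:` is rejected whatever the section is called. The function names, the temporary paths and the address jared@example.org are constructed for illustration.

```sh
#!/bin/sh
# Added example. Function names, paths and the address are constructed.

# setup_pki DIR: throwaway CA plus a peer key and CSR.
setup_pki() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Example CA" \
        -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null &&
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=peer" \
        -keyout "$1/peer.key" -out "$1/peer.csr" 2>/dev/null
}

# sign_ufqdn DIR KEYWORD UFQDN: sign the CSR with subjectAltName=KEYWORD:UFQDN.
sign_ufqdn() {
    CERTUFQDN=$3
    export CERTUFQDN
    # $ENV::CERTUFQDN is expanded by OpenSSL's config parser, not by the shell.
    printf '[x509v3_UFQDN]\nsubjectAltName=%s:$ENV::CERTUFQDN\n' "$2" \
        > "$1/x509v3.cnf"
    openssl x509 -req -days 365 -in "$1/peer.csr" \
        -CA "$1/ca.crt" -CAkey "$1/ca.key" -CAcreateserial \
        -extfile "$1/x509v3.cnf" -extensions x509v3_UFQDN \
        -out "$1/peer.crt" 2>/dev/null
}

# san_email CRT: print the rfc822Name entry of an issued certificate.
san_email() {
    openssl x509 -in "$1" -noout -text | grep -o 'email:[^, ]*'
}

demo() {
    dir=$(mktemp -d) || return 1
    setup_pki "$dir" || { rm -rf "$dir"; return 1; }
    # The keyword tried in the message is not a GENERAL_NAME type.
    if sign_ufqdn "$dir" emailAddress jared@example.org; then
        echo "emailAddress: accepted"
    else
        echo "emailAddress: rejected by openssl"
    fi
    # "email" is the keyword OpenSSL uses for rfc822Name.
    sign_ufqdn "$dir" email jared@example.org && san_email "$dir/peer.crt"
    rm -rf "$dir"
}

demo
```

Before loading a peer certificate into isakmpd, run the `san_email` check against it to confirm the extension actually made it into the signed certificate.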