On Sat, 03 Sep 2005 at 10:31 -0600, jared r r spiegel wrote:
> On Tue, Aug 23, 2005 at 03:58:31PM +0100, Jason McIntyre wrote:
> >
> > yes, it was removed a little while ago. you can get the same
> > functionality from openssl(1) req. see also isakmpd(8).
>
> i checked on the isakmpd(8), it gives an example of how to make
> a subjectAltName extension field using IP or FQDN, but
> how does one make UFQDN now that certpatch is gone?
>
> i did a 'find /usr/src -type f | xargs egrep -i "(u|user).*fqdn"',
> but didn't find much that could hint me on how to add an
> [x509v3_UFQDN] section to /etc/ssl/x509v3.cnf correctly.
>
> i made a few random guesses and tried these types of things
> individually:
hmm, i don't really know what you are doing wrong here, but for me this has
worked almost any time.

  [x509v3_UFQDN]
  subjectAltName=email:$ENV::CERTUFQDN

CERTUFQDN must be provided as an environment variable, and you might want to
use it with something like that:

  openssl genrsa -out $CERTDIR/$SUBJECT/$SUBJECT.key \
      $CERTBITS
  openssl req -batch -config $REQUEST_CONFIG -sha1 -new \
      -key $CERTDIR/$SUBJECT/$SUBJECT.key \
      -out $CERTDIR/$SUBJECT/$SUBJECT.csr
  # -extensions names the section whose subjectAltName goes into the
  # certificate; for a UFQDN that is x509v3_UFQDN, which reads CERTUFQDN
  openssl x509 -req -sha1 -days $CERTDAYS \
      -in $CERTDIR/$SUBJECT/$SUBJECT.csr \
      -CA $CADIR/certs/ca.crt -CAkey $CADIR/private/ca.key \
      -extfile $EXTFILE -extensions x509v3_UFQDN \
      -CAcreateserial -CAserial $CADIR/serial \
      -out $CERTDIR/$SUBJECT/$SUBJECT.crt \
      -passin env:PASSPHRASE

adding the section to your x509v3.cnf, you should have something like:

  # default settings
  CERTPATHLEN = 1
  CERTUSAGE = digitalSignature,keyCertSign
  CERTIP = 0.0.0.0
  CERTFQDN = nohost.nodomain

  # This section should be referenced when building an x509v3 CA
  # Certificate.
  # The default path length and the key usage can be overridden
  # by setting the CERTPATHLEN and CERTUSAGE environment
  # variables.
  [x509v3_CA]
  basicConstraints=critical,CA:true,pathlen:$ENV::CERTPATHLEN
  keyUsage=$ENV::CERTUSAGE

  # This section should be referenced to add an IP Address
  # as an alternate subject name, needed by isakmpd
  # The address must be provided in the CERTIP environment variable
  [x509v3_IPAddr]
  subjectAltName=IP:$ENV::CERTIP

  # This section should be referenced to add a FQDN hostname
  # as an alternate subject name, needed by isakmpd
  # The address must be provided in the CERTFQDN environment variable
  [x509v3_FQDN]
  subjectAltName=DNS:$ENV::CERTFQDN

  # This section should be referenced to add a UFQDN hostname
  # as an alternate subject name, needed by isakmpd
  # The address must be provided in the CERTUFQDN environment variable
  [x509v3_UFQDN]
  subjectAltName=email:$ENV::CERTUFQDN

if you want to have a script doing this work for you i will upload one.
Tim
-- 
Darksun rising over blood red sea
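As an added example, not from Tim's mail or the OpenBSD tree, here is a small Python pre-flight check for the x509v3.cnf sections above: it resolves $ENV:: references the way OpenSSL's config code does (process environment first, then the unnamed default section at the top of the file) and validates the email:/DNS:/IP: value before the openssl x509 run, which catches the case the defaults above leave open: CERTIP and CERTFQDN have fallbacks, CERTUFQDN does not. SAMPLE_CNF, parse_cnf and san_problems are names chosen here, and the IP check is IPv4 only.

```python
import re

# Constructed sample, trimmed from the x509v3.cnf sections quoted in the mail above.
SAMPLE_CNF = """\
CERTIP = 0.0.0.0
CERTFQDN = nohost.nodomain
[x509v3_IPAddr]
subjectAltName=IP:$ENV::CERTIP
[x509v3_FQDN]
subjectAltName=DNS:$ENV::CERTFQDN
[x509v3_UFQDN]
subjectAltName=email:$ENV::CERTUFQDN
"""
ENV_REF = re.compile(r"\$ENV::(\w+)")

# Shape expected for each subjectAltName type isakmpd matches on (IP check is IPv4 only).
SAN_CHECKS = {
    "email": lambda v: re.fullmatch(r"[^@\s]+@[^@\s]+\.[^@\s]+", v) is not None,  # UFQDN
    "DNS": lambda v: re.fullmatch(r"[A-Za-z0-9.-]+", v) is not None,  # FQDN
    "IP": lambda v: v.count(".") == 3 and all(p.isdigit() and int(p) < 256 for p in v.split(".")),
}

def parse_cnf(text):
    """Parse openssl.cnf-style text into {section: {key: value}}; keys before the
    first [section] land in the '' (default) section."""
    sections, current = {"": {}}, ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            sections.setdefault(current, {})
        elif "=" in line:
            key, val = (s.strip() for s in line.split("=", 1))
            sections[current][key] = val
    return sections

def san_problems(section, cnf, env):
    """List problems with `section`'s subjectAltName (empty when usable). $ENV::NAME
    resolves like OpenSSL: environment first, then the unnamed default section."""
    raw = cnf[section]["subjectAltName"]
    values = {n: env.get(n, cnf[""].get(n)) for n in ENV_REF.findall(raw)}
    unset = [n for n, v in values.items() if v is None]
    if unset:
        return ["no value for $ENV::%s in environment or defaults" % ", $ENV::".join(unset)]
    kind, _, val = (san := ENV_REF.sub(lambda m: values[m.group(1)], raw)).partition(":")
    if kind not in SAN_CHECKS or not SAN_CHECKS[kind](val):
        return ["%r is not a usable %s subjectAltName for [%s]" % (san, kind, section)]
    return []
```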