Mike Wiseman <mike.wise...@utoronto.ca> wrote: > You're right. I guess what this boils down to is I don't know how to > create a CSR that contains an email address that can be inserted > into SAN at cert issue time (other than how I've done it). Do you > have a suggestion?
I think this might work, but I haven't tested. Put in your openssl.cnf (client): CERTUSERFQDN = r...@localhost #will be overridden then later: req_extensions = v3_req [ v3_req ] ... subjectAltName=email:$ENV::CERTUSERFQDN ... Then create a request using openssl without email in DN (in one line): bash ~# CERTUSERFQDN="mike.wise...@utoronto.ca" openssl req -new -newkey rsa:2048 -nodes -keyout mike.key -subj "/C=CA/O=Bla/OU=Blurb/CN=Mike Wiseman" -out mike.req If that doesn't work, try to add "-extensions v3_req" at the end of the command. > BTW, thanks for your work on getting the CRR signing to work with > recent browsers - I haven't got around to installing the patch yet > but will soon. You can simply change the file. :-) Ralf ------------------------------------------------------------------------------ This SF.net email is sponsored by: SourcForge Community SourceForge wants to tell your story. http://p.sf.net/sfu/sf-spreadtheword _______________________________________________ Openca-Users mailing list Openca-Users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openca-users