I had tried that as well with no success, which is what is leading me to believe this is a bug.

In the CSR, I have the emailAddress field set in the DN. In the CA section of the configuration file, I have subjectAltName=email:move in the section referenced from the x509_extensions option:

    x509_extensions = email_extensions

    [ email_extensions ]
    subjectAltName = email:move

When the cert. is created, the X509v3 Subject Alternative Name field is set to the string <EMPTY> and the emailAddress that was formerly in the DN is no longer present. If I use the email:copy directive, the DN still has the emailAddress field (not removed), and the X509v3 Subject Alternative Name in the extensions part is still set to <EMPTY>.

For whatever reason, the email:move and email:copy directives are not populating the X509v3 Subject Alternative Name with any meaningful data.

On Friday, November 21, 2003, at 01:25AM, Richard Levitte - VMS Whacker <[EMAIL PROTECTED]> wrote:

>In message <[EMAIL PROTECTED]> on Thu, 20 Nov 2003 19:56:23 -0700, Joseph Bruni <[EMAIL PROTECTED]> said:
>
>jbruni> I've been trying to get the "subjectAltName=email:move" directive to
>jbruni> work in the "ca" command with no luck, so I think this might be a bug.
>jbruni>
>jbruni> It seems that the only way I can get this to work is to manually set
>jbruni> the line in the CA section to something like:
>jbruni>
>jbruni> subjectAltName=email:[EMAIL PROTECTED]
>jbruni>
>jbruni> This isn't very flexible if I must edit this file for every cert. I
>jbruni> want to sign.
>jbruni>
>jbruni> If I try to use either the "move" or "copy" options, the
>jbruni> X509v3 Subject Alternative Name: extension ends up being
>jbruni> <EMPTY>.
>
>Where do you expect the email address to come from? The email:copy
>and email:move are designed to copy or move an email address found in
>the subject RDN with the attribute type emailAddress. So basically,
>if you have a subject DN that looks like this:
>
>    C=SE, L= Stockholm, CN=Richard Levitte, [EMAIL PROTECTED]
>
>... the following can be expected:
>
> 1. with subjectAltName=email:copy:
>
>    "[EMAIL PROTECTED]" in an email subjectAltName.
>    Subject is unchanged.
>
> 2. with subjectAltName=email:move:
>
>    "[EMAIL PROTECTED]" in an email subjectAltName.
>    Subject is now C=SE, L= Stockholm, CN=Richard Levitte
>
>
>jbruni> I have tried to get this to work two different ways: the first
>jbruni> with the subjectAltName in the DN, and the second in the
>jbruni> attributes section of the CSR.
>
>Uhmm, subjectAltName has no business being inside any DN. It's a
>certificate extension, pure and simple.
>
>-----
>Please consider sponsoring my work on free software.
>See http://www.free.lp.se/sponsoring.html for details.
>You don't have to be rich, a $10 donation is appreciated!
>
>--
>Richard Levitte \ Tunnlandsvägen 3 \ [EMAIL PROTECTED]
>[EMAIL PROTECTED] \ S-168 36 BROMMA \ T: +46-8-26 52 47
> \ SWEDEN \ or +46-708-26 53 44
>Procurator Odiosus Ex Infernis -- [EMAIL PROTECTED]
>Member of the OpenSSL development team: http://www.openssl.org/
>
>Unsolicited commercial email is subject to an archival fee of $400.
>See <http://www.stacken.kth.se/~levitte/mail/> for more info.
>
>

--
PGP Fingerprint:
886F 6A8A 68A1 5E90 EF3F 8EFA E2B8 3F99 7343 C1E3
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                            [EMAIL PROTECTED]
Automated List Manager                               [EMAIL PROTECTED]
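
A way to check the copy/move behaviour Richard Levitte describes above, as an added example that is not part of the original messages: it builds a throwaway CA, signs a CSR whose subject carries emailAddress, and prints the issued certificate's subject and subjectAltName for each mode. It assumes a current openssl binary on PATH; the function name issue_cert, the demo_ca, demo_policy and req_dn section names and the address user@example.test are constructed for the example.

```shell
#!/bin/sh
# Added example: sign one CSR with `openssl ca` using subjectAltName=email:<mode>.
# All names and the e-mail address below are constructed sample values.
issue_cert() {
    mode=$1                                  # "copy" or "move"
    dir=$(mktemp -d) || return 1
    mkdir "$dir/newcerts" && : > "$dir/index.txt" && echo 01 > "$dir/serial"
    cat > "$dir/ca.cnf" <<EOF
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ ca ]
default_ca = demo_ca
[ demo_ca ]
database        = $dir/index.txt
new_certs_dir   = $dir/newcerts
serial          = $dir/serial
certificate     = $dir/ca.pem
private_key     = $dir/ca.key
default_md      = sha256
default_days    = 30
policy          = demo_policy
x509_extensions = email_extensions
[ demo_policy ]
# Fields not listed in the policy are deleted from the subject by "ca"
countryName  = optional
localityName = optional
commonName   = supplied
emailAddress = optional
[ email_extensions ]
subjectAltName = email:$mode
EOF
    (
        cd "$dir" || exit 1
        openssl req -x509 -newkey rsa:2048 -nodes -config ca.cnf -days 30 \
            -subj "/CN=Demo CA" -keyout ca.key -out ca.pem
        openssl req -new -newkey rsa:2048 -nodes -config ca.cnf -keyout user.key \
            -subj "/C=SE/L=Stockholm/CN=Test User/emailAddress=user@example.test" -out user.csr
        openssl ca -batch -notext -config ca.cnf -in user.csr -out user.pem
    ) >/dev/null 2>&1 || { rm -rf "$dir"; return 1; }
    openssl x509 -in "$dir/user.pem" -noout -subject
    openssl x509 -in "$dir/user.pem" -noout -text |
        grep -A1 'Subject Alternative Name' | tail -n 1 | sed 's/^ *//'
    rm -rf "$dir"
}
for mode in copy move; do echo "== email:$mode"; issue_cert "$mode"; done
```

If the second printed line reads <EMPTY> instead of an email: entry, the subject held no emailAddress at the point the extension was built.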