Hello,

I'm trying to make subject alternative names work as extensions specified in
the request and not during the signing process.

I can specify "subjectAltName = DNS:whatever" in the extensions section of
the configuration file. If I do this during signing the request (as a CA)
then the signed certificate will have the subjectAltName extension in it.

If, however, I specify subjectAltName in the configuration file while
generating a request then the request will have an extension stating the
alternative names, but the signed certificate will not.

Obviously it's not a huge problem but still, I'd like to know if I can
somehow tell the signing process to leave the extensions specified in the
request alone.

We're using OpenSSL to generate our requests, and signing them with either
OpenSSL or Microsoft's certificate services on the AD controller. Generating
a request with the subjectAltName extension is the ONLY way to get it
included with Microsoft's solution. It looks like with OpenSSL it's the
other way around: no matter what the request contains, if the signing config
file does not explicitly specify subjectAltName fields they will not be
included in the certificate.

For what it's worth, here's the config file we use for signing:

[ ca ]
default_ca = ca_default

[ ca_default ]
x509_extensions = usr_cert

[ usr_cert ]
keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
basicConstraints = critical, CA:false
nsCertType = server
extendedKeyUsage = serverAuth, clientAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
nsComment  = "Certificate test."

And this is the config file for generating the request:

[ req ]
default_bits = 1024
distinguished_name = req_distinguished_name
req_extensions = usr_cert

[ req_distinguished_name ]
commonName = commonName
commonName_value = test.test.com
commonName_max = 128

[ usr_cert ]
subjectAltName = DNS:test.test.com, DNS:localhost

Copying the subjectAltName line from usr_cert to the same section in the
signing configuration file produces the correct results, but I'd rather not
specify the alternate names twice if possible.

Any ideas?

Thanks in advance,

Marton Anka
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
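What the post is missing is the `copy_extensions` option in the `[ ca_default ]` section of the signing config: without it, `openssl ca` ignores every extension carried in the request. The script below is an added example (not the poster's configs, not OpenSSL's own code) that builds a throwaway CA with `copy_extensions = copy`, signs a request carrying the same SAN as above, and reads the SAN back out of the resulting certificate; all paths and the `DemoCA` name are made up.

```shell
# Added example: a throwaway CA whose config sets copy_extensions = copy, so the
# subjectAltName in the request ends up in the signed certificate (demo paths).
set -eu
WORK=$(mktemp -d)
cat > "$WORK/req.cnf" <<'EOF'
[ req ]
prompt = no
distinguished_name = dn
req_extensions = v3_req
[ dn ]
CN = test.test.com
[ v3_req ]
subjectAltName = DNS:test.test.com, DNS:localhost
EOF
# CA side: usr_cert has no SAN; copy_extensions pulls it from the request.
cat > "$WORK/ca.cnf" <<EOF
[ ca ]
default_ca = ca_default
[ ca_default ]
database = $WORK/index.txt
new_certs_dir = $WORK
serial = $WORK/serial
certificate = $WORK/ca.pem
private_key = $WORK/ca.key
default_md = sha256
default_days = 30
policy = policy_any
x509_extensions = usr_cert
copy_extensions = copy
[ policy_any ]
commonName = supplied
[ usr_cert ]
basicConstraints = critical, CA:false
keyUsage = critical, digitalSignature, keyEncipherment
EOF
touch "$WORK/index.txt"; echo 01 > "$WORK/serial"
openssl req -x509 -newkey rsa:2048 -nodes -config "$WORK/req.cnf" -subj /CN=DemoCA \
  -days 30 -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
openssl req -new -newkey rsa:2048 -nodes -config "$WORK/req.cnf" \
  -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
openssl ca -batch -notext -config "$WORK/ca.cnf" -in "$WORK/leaf.csr" \
  -out "$WORK/leaf.pem" 2>/dev/null
# Print a certificate's SAN entries.  With "copy" the CA takes them verbatim
# from the request, so review them before signing requests made by others.
cert_sans() {
  openssl x509 -in "$1" -noout -text |
    grep -A1 'Subject Alternative Name' | tail -n 1 | tr -d ' '
}
cert_sans "$WORK/leaf.pem"
```

`copyall` would additionally let request extensions override the ones in `usr_cert` (including basicConstraints), so `copy` plus a look at the request before signing is the safer setting.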