On 12/17/06 8:04 AM, Victor Duchovni wrote:
> On Sun, Dec 17, 2006 at 02:25:29PM +0100, Dr. Stephen Henson wrote:
> 
>> On Sat, Dec 16, 2006, David Newman wrote:
>>
>>> For setup of a Postfix box that will serve multiple virtual domains, I 
>>> would like to generate one cert for all hostnames at which this box will 
>>> be able to be reached.
>>>
>>> Following an example in a post from Victor Duchovni [0], I configured the 
>>> subjectAltName parameter in openssl.cnf with four hostnames and generated 
>>> a cert. However, I still see only one CN in the resulting cert.
>>>
>> You will only see one CN. CN and subjectAltName are two different things. The
>> approved way to represent multiple host names is via subjectAltName which will
>> appear in the extensions list when you display the certificate.
>>
>> If you need multiple CNs (which some software may require) then you need to
>> prompt for multiple CNs.
> 
> The OP meant multiple SubjectAlternativeName values in the signed
> certificate

Correct. Sorry for the abuse of terminology.

> , the extensions are not by default copied into the signed
> certificate. The "copy_extensions" option described in
> 
>     http://www.openssl.org/docs/apps/ca.html
> 
> is AFAIK the supported mechanism for importing SubjectAlternativeNames
> from the request into the certificate.

From previous posts my understanding was that for subjectAltName to
work, openssl.cnf required:

- v3_req and alt_names sections
- req_extensions and x509_extensions statements in the [req] section
- subjectAltName statements in the policy section(s)

The warnings in that URL above make me unsure where or how to apply
copy_extensions as well.

Here is a barebones config file. What else is needed to generate a cert
for multiple hostnames?

thanks

dn

[ ca ]
default_ca              = CA_default

[ CA_default ]
serial                  = $dir/serial
database                = $dir/index.txt
new_certs_dir           = $dir/newcerts
certs                   = $dir/certs
certificate             = $dir/cacert.pem
private_key             = $dir/private/cakey.pem
default_days            = 365
default_md              = md5
preserve                = no
email_in_dn             = no
nameopt                 = default_ca
certopt                 = default_ca
policy                  = policy_match

[ policy_match ]
countryName             = match
stateOrProvinceName     = match
organizationName        = match
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional
subjectAltName          = optional

[ req ]
default_bits            = 1024                  # Size of keys
default_keyfile         = key.pem               # name of generated keys
default_md              = md5                   # message digest algorithm
string_mask             = nombstr               # permitted characters
distinguished_name      = req_distinguished_name
req_extensions          = v3_req
x509_extensions         = v3_req

[ req_distinguished_name ]
# Variable name           Prompt string
#----------------------   ----------------------------------
0.organizationName      = Organization Name (company)
organizationalUnitName  = Organizational Unit Name (department, division)
emailAddress            = Email Address
emailAddress_max        = 40
localityName            = Locality Name (city, district)
stateOrProvinceName     = State or Province Name (full name)
countryName             = Country Name (2 letter code)
countryName_min         = 2
countryName_max         = 2
commonName              = Common Name (hostname, IP, or your name)
commonName_max          = 64

# Default values for the above, for consistency and less typing.
# Variable name                   Value
#------------------------------   ------------------------------
0.organizationName_default      = The Sample Company
localityName_default            = Metropolis
stateOrProvinceName_default     = New York
countryName_default             = US

[ v3_ca ]
basicConstraints        = CA:TRUE
subjectKeyIdentifier    = hash
authorityKeyIdentifier  = keyid:always,issuer:always

[ v3_req ]
# Extensions to add to a certificate request
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment

# Some CAs do not yet support subjectAltName in CSRs.
# Instead the additional names are form entries on web
# pages where one requests the certificate...
subjectAltName          = @alt_names

[alt_names]
DNS.1   = mail.freedonia.gov
DNS.2   = mail.potrzebie.org
DNS.3   = mail.furshlugginer.org
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
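As an added example (not part of the thread and not OpenSSL project code), the script below runs the mechanism Victor describes end to end: the CSR carries subjectAltName through req_extensions, and only when [CA_default] sets copy_extensions = copy does "openssl ca" carry those names into the signed certificate; with none they are silently dropped. It assumes an openssl binary on PATH, uses sha256 rather than the md5 of the posted config, and every hostname and path is constructed for the demo.

```shell
# Added example, not from the thread: issue a cert from a CSR that carries a SAN,
# once with copy_extensions = none and once with copy_extensions = copy, and show
# which DNS names end up in the signed certificate. Assumes openssl on PATH.
set -eu

# $1 is the copy_extensions value ("none" or "copy"). Builds a throwaway CA,
# issues one cert and prints the DNS names found in its subjectAltName
# (prints nothing when the extension was dropped at signing time).
san_in_signed_cert() {
    dir=$(mktemp -d); mkdir "$dir/newcerts"; : > "$dir/index.txt"; echo 01 > "$dir/serial"
    cat > "$dir/openssl.cnf" <<EOF
[ ca ]
default_ca      = CA_default
[ CA_default ]
dir             = $dir
database        = \$dir/index.txt
new_certs_dir   = \$dir/newcerts
serial          = \$dir/serial
certificate     = \$dir/cacert.pem
private_key     = \$dir/cakey.pem
default_md      = sha256
default_days    = 365
policy          = policy_any
copy_extensions = $1
[ policy_any ]
commonName      = supplied
[ req ]
prompt             = no
distinguished_name = dn
req_extensions     = v3_req
[ dn ]
CN = mail.example.test
[ v3_req ]
subjectAltName = @alt_names
[ alt_names ]
DNS.1 = mail.example.test
DNS.2 = smtp.example.test
EOF
    # Self-signed CA, then a CSR that carries the SAN (req_extensions), then "openssl ca".
    openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=Demo CA" -days 365 \
        -config "$dir/openssl.cnf" -keyout "$dir/cakey.pem" -out "$dir/cacert.pem" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -config "$dir/openssl.cnf" \
        -keyout "$dir/key.pem" -out "$dir/req.pem" 2>/dev/null
    openssl ca -batch -config "$dir/openssl.cnf" -in "$dir/req.pem" -out "$dir/cert.pem" >/dev/null 2>&1
    # Pull the DNS entries out of the issued certificate's SAN extension, if any.
    openssl x509 -in "$dir/cert.pem" -noout -text | grep -o 'DNS:[^,]*' | xargs
    rm -rf "$dir"
}

echo "copy_extensions = none -> $(san_in_signed_cert none)"
echo "copy_extensions = copy -> $(san_in_signed_cert copy)"
```

The warnings in the ca(1) page refer to the fact that copy adds only request extensions not already set by the CA's own x509_extensions section, while copyall lets the request override them; keeping basicConstraints = CA:FALSE in the CA's x509_extensions is what stops a request from smuggling in CA:TRUE.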