On Sun, Dec 17, 2006 at 11:06:20AM -0800, David Newman wrote:

> > the extensions are not by default copied into the signed
> > certificate. The "copy_extensions" option described in
> >
> > http://www.openssl.org/docs/apps/ca.html
> >
> > is AFAIK the supported mechanism for importing SubjectAlternativeNames
> > from the request into the certificate.
>
> From previous posts my understanding was that for subjectAltName to
> work, openssl.cnf required:
>
> - v3_req and alt_names sections
> - req_extensions and x509_extensions statements in the [req] section

Yes.

> - subjectAltName statements in the policy section(s)

No, this has no effect, because the policy section is used to filter the
components of the subject DN. It does not apply to v3 extensions.

> The warnings in that URL above make me unsure where or how to apply
> copy_extensions as well.

http://www.openssl.org/docs/apps/ca.html#CONFIGURATION_FILE_OPTIONS

    The section of the configuration file containing options for ca is
    found as follows: If the -name command line option is used, then it
    names the section to be used. Otherwise the section to be used must
    be named in the default_ca option of the ca section of the
    configuration file (or in the default section of the configuration
    file).

So list this in the section named via default_ca or the command-line
"-name" option.

> [ ca ]
> default_ca = CA_default
>
> [ CA_default ]
> serial = $dir/serial
> database = $dir/index.txt
> new_certs_dir = $dir/newcerts
> certs = $dir/certs
> certificate = $dir/cacert.pem
> private_key = $dir/private/cakey.pem
> default_days = 365
> default_md = md5
> preserve = no
> email_in_dn = no
> nameopt = default_ca
> certopt = default_ca
> policy = policy_match

Add "copy_extensions = copy" above. Of course validate the extensions
before you sign the request.

> [ policy_match ]
> countryName = match
> stateOrProvinceName = match
> organizationName = match
> organizationalUnitName = optional
> commonName = supplied
> emailAddress = optional
> subjectAltName = optional

This only checks the subject DN, so listing subjectAltName here is not
useful.

-- 
	Viktor.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
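The following script is an added example and not part of the thread above; it is not code from either poster or from the OpenSSL project. It builds a throwaway CA from a configuration laid out like the quoted [ CA_default ] section, generates one CSR whose subjectAltName comes from a [ v3_req ] / [ alt_names ] pair, and signs that CSR twice: once with copy_extensions left at its default of "none" and once with "copy_extensions = copy". Only the second certificate ends up carrying the SAN, which is the point of the reply. It also prints the CSR's requested extensions first, which is the check the reply asks for before signing, since "copy" imports whatever the requester put there. All names (example.test, "Example Test CA"), the policy_any / usr_cert / v3_ca sections, the directory layout and the use of sha256 in place of the quoted md5 are assumptions made for this example; it needs the openssl command-line tool (1.1.1 or later).

```shell
#!/bin/sh
# Added example: effect of copy_extensions on a CSR that carries subjectAltName.
# Names, keys and directories are constructed throwaway material (assumption).
set -eu
command -v openssl >/dev/null || { echo "openssl CLI required" >&2; exit 1; }

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
CA_KEY=$WORK/cakey.pem
CA_CERT=$WORK/cacert.pem
CSR=$WORK/www.csr

# Write openssl.cnf into directory $1 with copy_extensions set to $2
# ("none" is the default; "copy" imports extensions from the request that
# the CA's own x509_extensions section does not already set).
write_cnf() {
  cat > "$1/openssl.cnf" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir             = $1
serial          = \$dir/serial
database        = \$dir/index.txt
new_certs_dir   = \$dir/newcerts
certificate     = $CA_CERT
private_key     = $CA_KEY
default_days    = 365
default_md      = sha256
policy          = policy_any
x509_extensions = usr_cert
copy_extensions = $2
[ policy_any ]
commonName = supplied
[ usr_cert ]
basicConstraints = CA:FALSE
keyUsage         = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage         = critical, keyCertSign, cRLSign
[ req ]
prompt             = no
distinguished_name = req_dn
req_extensions     = v3_req
[ req_dn ]
CN = www.example.test
[ v3_req ]
subjectAltName = @alt_names
[ alt_names ]
DNS.1 = www.example.test
DNS.2 = example.test
EOF
}

# Fresh "openssl ca" database (index.txt, serial, newcerts) for one signing run.
init_ca_dir() {
  mkdir -p "$1/newcerts"
  : > "$1/index.txt"
  echo 01 > "$1/serial"
}

# One-time: self-signed CA plus a CSR whose SAN is supplied via [ v3_req ].
setup() {
  [ -f "$CSR" ] && return 0
  init_ca_dir "$WORK/req"
  write_cnf "$WORK/req" none
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -extensions v3_ca \
    -config "$WORK/req/openssl.cnf" -subj "/CN=Example Test CA" \
    -keyout "$CA_KEY" -out "$CA_CERT" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -config "$WORK/req/openssl.cnf" \
    -keyout "$WORK/www.key" -out "$CSR" 2>/dev/null
}

# The check to do before signing: which extensions does the request ask for?
requested_extensions() {
  setup
  openssl req -in "$CSR" -noout -text | grep -A2 'Requested Extensions'
}

# Sign the CSR with copy_extensions = $1 and print the certificate's path.
sign_with() {
  setup
  init_ca_dir "$WORK/ca-$1"
  write_cnf "$WORK/ca-$1" "$1"
  openssl ca -batch -notext -config "$WORK/ca-$1/openssl.cnf" \
    -in "$CSR" -out "$WORK/ca-$1/www.pem" 2>/dev/null
  echo "$WORK/ca-$1/www.pem"
}

# Print a certificate's SAN entries, or nothing if the extension is absent.
san_of() {
  openssl x509 -in "$1" -noout -text | grep -A1 'Subject Alternative Name' |
    tail -n 1 | sed 's/^ *//'
}

requested_extensions
echo "copy_extensions = none -> SAN: [$(san_of "$(sign_with none)")]"
echo "copy_extensions = copy -> SAN: [$(san_of "$(sign_with copy)")]"
```

Each signing run gets its own CA database directory so the two certificates for the same subject do not trip the default unique_subject check. Note that "copy" lets the CA's own x509_extensions win on conflicts, so a requester cannot smuggle in basicConstraints or keyUsage values that the usr_cert section already pins; it can still add anything the CA does not set, which is why inspecting the request's extensions before running "openssl ca" is not optional.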