-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 12/17/06 7:14 PM, Victor Duchovni wrote:
> On Sun, Dec 17, 2006 at 06:24:22PM -0800, David Newman wrote:
>
>> One last question: Generating a cert for multiple virtual hosts is only
>> an occasional requirement. Generally this CA will generate certs
>> for one CN and zero alternates.
>
> In that case don't add "copy_extensions = copy" to "CA_default" and
> create a "CA_with_exts" that is like "CA_default", but enables extension
> copying. Use an explicit "-name CA_with_exts" only when you need it.
>
>> Through trial and error I found that I can leave the subjectAltName
>> stuff in openssl.cnf, and just comment out the "req_extensions = v3_ext"
>> statement in the req section. Is this valid, or am I losing some other
>> needed functionality?
>
> If you always generate the certs yourself, you can suppress the
> alternative names either in the request, in the CA or perhaps in both.
>
> I am fond of building ".cnf" files on the fly and using them via
> "-config".
Hmmm. If I comment out only the "copy_extensions" statement and generate a
request, I still see the alternative names. However, the alternative names
are gone if I comment out only "req_extensions". This seems to contradict
what you said above. But is it a valid config?

thanks again

dn
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (Darwin)

iD8DBQFFhhiByPxGVjntI4IRAn1XAKC9Tiyl3ZO4I+hWJafpAJLn8eWVeQCghUvX
CDAdHvqAglMUi5xKLxA6p1A=
=jXYI
-----END PGP SIGNATURE-----
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
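The two settings discussed in this exchange act at different stages, which is what the observation above reflects: "req_extensions" in the [ req ] section decides whether the subjectAltName goes into the request at all, while "copy_extensions = copy" in the CA section decides whether the CA carries the request's extensions over into the certificate. Commenting out only "copy_extensions" therefore changes nothing about the request. The script below is an added example, not code from the thread or from the OpenSSL project: it builds a throwaway CA config on the fly with a "CA_default" section that never copies extensions and a "CA_with_exts" section that differs only by "copy_extensions = copy", generates one CSR with and one without "req_extensions = v3_ext", and signs the SAN-bearing CSR under each CA section. It assumes the openssl command-line tool is installed (it skips if not); the hostnames under example.test, the DNs and the temporary paths are constructed for the demonstration.

```shell
#!/bin/sh
# Added example for the thread above, not code from the list posting.
# Assumes the openssl CLI is available; hostnames, DNs and paths are constructed.
set -e
command -v openssl >/dev/null 2>&1 || { echo "openssl not found, skipping"; exit 0; }

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
mkdir "$WORK/newcerts"
: > "$WORK/index.txt"
echo 01 > "$WORK/serial"

# Emit one CA section; $2 is an optional extra line such as "copy_extensions = copy".
ca_section() {
    cat <<EOF
[ $1 ]
dir             = $WORK
database        = \$dir/index.txt
new_certs_dir   = \$dir/newcerts
serial          = \$dir/serial
certificate     = \$dir/ca.crt
private_key     = \$dir/ca.key
default_md      = sha256
default_days    = 30
policy          = policy_any
unique_subject  = no
x509_extensions = usr_cert
$2
EOF
}

# CA config built on the fly: CA_default never copies request extensions,
# CA_with_exts is identical except for copy_extensions = copy.
{
    printf '[ ca ]\ndefault_ca = CA_default\n'
    ca_section CA_default ""
    ca_section CA_with_exts "copy_extensions = copy"
    cat <<'EOF'
[ policy_any ]
commonName = supplied
[ usr_cert ]
basicConstraints = CA:FALSE
[ req ]
prompt = no
distinguished_name = ca_dn
x509_extensions = ca_ext
[ ca_dn ]
CN = Example Test CA
[ ca_ext ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
} > "$WORK/ca.cnf"

# Request config; $3 = yes keeps "req_extensions = v3_ext" in [ req ],
# anything else leaves it out (the "commented out" case from the thread).
write_req_cnf() {
    {
        printf '[ req ]\nprompt = no\ndistinguished_name = req_dn\n'
        [ "$3" = yes ] && printf 'req_extensions = v3_ext\n'
        printf '[ req_dn ]\nCN = %s\n' "$2"
        printf '[ v3_ext ]\nsubjectAltName = DNS:%s,DNS:alt.%s\n' "$2" "$2"
    } > "$1"
}

# Returns 0 if the PEM object in $1 ($2 = req for a CSR, x509 for a cert)
# carries a subjectAltName extension.
san_present() {
    openssl "$2" -in "$1" -noout -text | grep -q 'Subject Alternative Name'
}

# Self-signed CA, then two CSRs that differ only in req_extensions.
openssl req -x509 -new -config "$WORK/ca.cnf" -newkey rsa:2048 -nodes \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" -days 30 2>/dev/null
write_req_cnf "$WORK/req_san.cnf"   www1.example.test yes
write_req_cnf "$WORK/req_nosan.cnf" www2.example.test no
openssl req -new -config "$WORK/req_san.cnf" -newkey rsa:2048 -nodes \
    -keyout "$WORK/www1.key" -out "$WORK/www1.csr" 2>/dev/null
openssl req -new -config "$WORK/req_nosan.cnf" -newkey rsa:2048 -nodes \
    -keyout "$WORK/www2.key" -out "$WORK/www2.csr" 2>/dev/null

# Sign the SAN-bearing CSR twice: once with the default section, once with
# "-name CA_with_exts". Only the second certificate ends up with the names.
openssl ca -batch -config "$WORK/ca.cnf" \
    -in "$WORK/www1.csr" -out "$WORK/www1_default.crt" >/dev/null 2>&1
openssl ca -batch -config "$WORK/ca.cnf" -name CA_with_exts \
    -in "$WORK/www1.csr" -out "$WORK/www1_copied.crt" >/dev/null 2>&1

for f in www1.csr www2.csr www1_default.crt www1_copied.crt; do
    case $f in *.csr) t=req ;; *) t=x509 ;; esac
    if san_present "$WORK/$f" "$t"; then echo "$f: SAN present"; else echo "$f: no SAN"; fi
done
```

Run as-is and the four summary lines show the split: www1.csr has the names and www2.csr does not (that is req_extensions), while of the two certificates cut from www1.csr only www1_copied.crt has them (that is copy_extensions, selected with "-name CA_with_exts"). Leaving copy_extensions out of CA_default is the safer default, since a CA that copies request extensions blindly will also copy anything else a requester put in the CSR.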