On Sun, Dec 17, 2006 at 08:26:42PM -0800, David Newman wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> On 12/17/06 7:14 PM, Victor Duchovni wrote:
> > On Sun, Dec 17, 2006 at 06:24:22PM -0800, David Newman wrote:
> > 
> >> One last question: Generating a cert for multiple virtual hosts is only
> >> an occasional requirement. Generally this CA will generate certs
> >> for one CN and zero alternates.
> > 
> > In that case don't add "copy_extensions = copy" to "CA_default" and
> > create a "CA_with_exts" that is like "CA_default", but enables extension
> > copying. Use an explicit "-name CA_with_exts" only when you need it.
> > 
> >> Through trial and error I found that I can leave the subjectAltName
> >> stuff in openssl.cnf, and just comment out the "req_extensions = v3_ext"
> >> statement in the req section. Is this valid, or am I losing some other
> >> needed functionality?
> > 
> > If you always generate the certs yourself, you can suppress the
> > alternative names either in the request, in the CA or perhaps in both.
> > 
> > I am fond of building ".cnf" files on the fly and using them via
> > "-config".
> 
> Hmmm. If I comment out only "copy_extensions" statement and generate a
> request, I still see the alternative names. However, the alternative
> names are gone if I comment out only "req_extensions".
> 
> This seems to contradict what you said above. But is it a valid config?

No, you comment out "copy_extensions" to ignore extensions in the request
when generating a certificate. I did not say that this prevents the
extensions from being added to the request. To suppress them in the
request, omit them from the request section of the .cnf file, which
I suggest you build on the fly.

-- 
        Viktor.
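The approach discussed in this thread, as an added example that is not part of the original mail: two request configs built on the fly (one with and one without "req_extensions"), and a CA config whose "CA_with_exts" section is "CA_default" plus "copy_extensions = copy". File names, the CA directory layout and the DNS names are assumptions.

```shell
# Added example, not from the thread: build openssl .cnf files on the fly so a CSR
# carries subjectAltName only when asked, and the CA copies request extensions
# only under an explicit "-name". Paths and DNS names are assumptions.
set -eu
# Request config. A non-empty second argument adds "req_extensions = v3_ext" to
# [ req ]; without it [ v3_ext ] stays in the file but is never referenced.
make_req_cnf() {
  {
    echo "[ req ]"
    echo "distinguished_name = dn"
    echo "prompt = no"
    if [ -n "${2:-}" ]; then echo "req_extensions = v3_ext"; fi
    echo "[ dn ]"
    echo "CN = www.example.test"
    echo "[ v3_ext ]"
    echo "subjectAltName = DNS:www.example.test,DNS:example.test"
  } > "$1"
}
# CA config. CA_default ignores request extensions; CA_with_exts is the same
# section plus "copy_extensions = copy", selected only when needed with
#   openssl ca -config ca.cnf -name CA_with_exts -in san.csr -out san.crt
make_ca_cnf() {
  {
    echo "[ ca ]"
    echo "default_ca = CA_default"
    for sect in CA_default CA_with_exts; do
      echo "[ $sect ]"
      echo "dir = $2"
      printf '%s\n' 'database = $dir/index.txt' 'new_certs_dir = $dir/newcerts' \
        'serial = $dir/serial' 'certificate = $dir/ca.crt' 'private_key = $dir/ca.key' \
        'default_md = sha256' 'default_days = 365' 'policy = policy_any'
      if [ "$sect" = CA_with_exts ]; then echo "copy_extensions = copy"; fi
    done
    echo "[ policy_any ]"
    echo "commonName = supplied"
  } > "$1"
}
# Generate a key and CSR from a request config, then count the DNS SANs that
# actually ended up in the CSR (0 for the plain config, 2 for the SAN config).
csr_san_count() {
  openssl req -new -newkey rsa:2048 -nodes -keyout "$2" -out "$3" -config "$1" 2>/dev/null
  openssl req -in "$3" -noout -text | grep -o 'DNS:[^, ]*' | wc -l | tr -d ' '
}
# Demo, skipped when openssl is not installed.
if command -v openssl >/dev/null 2>&1; then
  tmp=$(mktemp -d)
  make_req_cnf "$tmp/plain.cnf"; make_req_cnf "$tmp/san.cnf" with_san
  echo "plain CSR SANs: $(csr_san_count "$tmp/plain.cnf" "$tmp/k1.pem" "$tmp/plain.csr")"
  echo "SAN CSR SANs:   $(csr_san_count "$tmp/san.cnf" "$tmp/k2.pem" "$tmp/san.csr")"
fi
```

Signing the SAN request with "-name CA_default" still drops the alternative names, which is the point of keeping extension copying out of the default section.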
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
