On Tue, Dec 29, 2009, michaelfmichaelf wrote:

> Hi!
> I am trying to use OpenSSL 0_9_8l version for creation of a certificate with
> SubjectAlternativeName.
> I have a couple of problems and maybe you will be able to help me.
> 1) I did not succeed in creating a certificate with more than one alternative
> identifier.
> I used the command:
>
> openssl x509 -req -days 365 -passin pass:pwd -in cert.csr -extfile ext.txt
> -signkey certkey.pem -out certcert.pem
>
> In the ext.txt file I have used the example described here:
> http://www.openssl.org/docs/apps/x509v3_config.html#Subject_Alternative_Name_
>
> The problem is that after the creation of the certificate it contains only one
> alternative identifier - the last identifier listed in the file.
> For example, if the last line is the following:
>
> subjectAltName=IP:13::17
>
> the certificate contains only this identifier:
>
> X509v3 Subject Alternative Name:
> IP Address:13:0:0:0:0:0:0:17
>
> If the last line is the following:
>
> subjectAltName=dirName:dir_sect
>
> the certificate contains only this identifier:
>
> X509v3 Subject Alternative Name:
> DirName:/C=UK/O=My Organization/OU=My Unit/CN=My Name
>
> How can I create the certificate with more than one alternative identifier?
> Should I change any configuration in openssl.cnf?
>

You can't include more than one subjectAlternativeName extension because that
would violate the standard. You can include multiple alternate names in a
single extension however. You either use a comma separated list of types as
the examples show or the @section version.

See: http://www.openssl.org/docs/apps/x509v3_config.html#NOTES for details.

> 2) Where can I find the example for otherName in ASN1 format?
> Unfortunately, the example shown in the link above does not contain the ASN1
> format:
>
> subjectAltName=otherName:1.2.3.4;UTF8:some other identifier
>
> In addition, the provided link
> http://www.openssl.org/docs/crypto/ASN1_generate_nconf.html# does not
> contain ASN1 example that can be used for the creation of otherName
> Alternative identifier.
> Can you provide the example of the external file that will allow the
> creation of otherName Alternative identifier in ASN1 format?
>

All of the examples in:

http://www.openssl.org/docs/crypto/ASN1_generate_nconf.html#

can be used in the otherName format. You just append the initial line after
the semicolon. For example:

subjectAltName=otherName:1.2.3.4;IA5STRING:Hello World

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
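
An ext.txt following the reply above, given here as an added example that is not part of the original thread or of the OpenSSL documentation. The section name alt_names and the DNS and IPv4 values are constructed for illustration; the other values are the ones quoted in the messages.

```ini
# ext.txt (constructed example), passed with -extfile as in the command
# quoted in the question.
#
# Before: repeated subjectAltName lines. Only the last one ends up in the
# certificate, as reported in the question.
#   subjectAltName=IP:13::17
#   subjectAltName=dirName:dir_sect
#
# After, short form: one extension holding a comma separated list of names.
#   subjectAltName=DNS:www.example.com,IP:13::17,dirName:dir_sect,otherName:1.2.3.4;IA5STRING:Hello World
#
# After, @section form (the one active below): the same idea, one name per
# line. The numeric suffix keeps the keys distinct within the section.
subjectAltName = @alt_names

[alt_names]
DNS.1       = www.example.com
DNS.2       = example.com
IP.1        = 13::17
IP.2        = 192.168.7.1
dirName.1   = dir_sect
# otherName takes an OID, a semicolon, then an ASN1_generate_nconf string.
otherName.1 = 1.2.3.4;IA5STRING:Hello World

[dir_sect]
C  = UK
O  = My Organization
OU = My Unit
CN = My Name

# Check the result after signing:
#   openssl x509 -in certcert.pem -noout -text
# The single "X509v3 Subject Alternative Name" block should list every
# entry from [alt_names], not just the last one.
```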