> From: owner-openssl-us...@openssl.org On Behalf Of Mr.Rout > Sent: Saturday, 03 December, 2011 02:56
> My TLS client can validate both CN and SN & i need to test both the > scenario. > > I don't know how to create certificate with "subjectAltName > extension" using openssl commands. > > In the RFC-2818 , there are two ways of Certificate > Validation for Host name > 1) CN (Common Name) > 2) SN( Subject Name) 1. Common Name part of subject name which is the value of Subject. 2. Subject *Alternative* Name which is an extension. > If a subjectAltName extension of type dNSName is present, that MUST > be used as the identity. Otherwise, the (most specific) Common Name > field in the Subject field of the certificate MUST be used. Although > the use of the Common Name is existing practice, it is deprecated and > Certification Authorities are encouraged to use the dNSName instead. > As this says, although a bit tersely. > I created Self-signed certificate using open-ssl commands and my > certificate chain looks like below where CN=10.204.4.69 > openssl genrsa -des3 -out server.key 1024 > openssl req -new -key server.key -out server.csr > openssl x509 -req -days 365 -in server.csr > -signkey server.key -out server.crt > Please tell how to create certificate with "subjectAltName > extension" using openssl commands ? The same way(s) you create a cert with any extension(s). See man req; man x509; man ca; man x509v3_config In x509 -req supply -extfile with the name of a config file, and -extsect with the name of a section in that file unless it is default or pointed to by default.extensions, specifying the extension(s) you want. You want something like subjectAltName=DNS:my.host.example For selfsigned you can save a step (or two) with req -x509 (and -newkey) in which case use -extensions or req.x509_extensions . ______________________________________________________________________ OpenSSL Project http://www.openssl.org User Support Mailing List openssl-users@openssl.org Automated List Manager majord...@openssl.org