Interesting. While I was playing around with this, I actually noticed that if I use the -subj option on the CSR, I am not able to do this. I was able to get it working by adding the common name on the actual cert generation from that CSR. The config file was modified so that my priority_match, which had some match fields, was changed to priority_any, which only had a common name required, and Firefox was happy.
Just thought I'd post this workaround in case anyone else stumbles across it.

On Fri, Oct 12, 2012 at 4:42 PM, Dave Thompson <dthomp...@prinpay.com> wrote:

> >From: owner-openssl-us...@openssl.org On Behalf Of Derek Cole
> >Sent: Friday, 12 October, 2012 11:22
>
> >So I think you were right. I used a command to view the CSR
> >that I generated with the following:
> >openssl req -new -nodes -subj "/CN=www.myserver.com" -out /tmp/file.csr
> >-keyout /tmp/privkey.csr -config /my/openssl.cnf
>
> >when I do this though, I noticed that my subject line, which I view with
> >openssl req -noout -text -in /tmp/file.csr -config /my/openssl.cnf
>
> Aside: you don't need a config file to view an existing request,
> although since 1.0.0 it gives a spurious warning.
>
> >It seems like the file is getting created with the common name
> >in the config file instead of the one I pass it. Does it not
> >override the config file?
>
> req -new has two ways of getting the subject DistinguishedName,
> prompted from the terminal and unprompted from the config file.
> Apparently -subj substitutes only for prompted; to make it
> effective, specify or default prompt=yes in the config file.
> (And if that config file will or might be used in actual
> prompting mode, make sure you have DNpart = promptstring
> not DNpart = actualvalue as you should for prompt=no.)
>
> In 0.9.8 if you specify all parameters needed for req -new
> on the commandline you don't need a config file for that.
> Since 1.0.0 -new demands a config file even if not needed.
>
> >On Thu, Oct 11, 2012 at 7:55 PM, Dave Thompson <dthomp...@prinpay.com>
> wrote:
> <snip: name(s) in cert must match host desired by client like Firefox>
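
The subject handling discussed in the quoted reply, as an added example that is not part of the original thread: a config left in prompting mode (no `prompt = no`, DN parts given as prompt strings) is combined with `-subj`, and the CSR subject is checked before the request goes to signing. The host name, section name `req_dn`, and temporary paths are constructed for illustration, and an `openssl` binary on PATH is assumed.

```shell
#!/bin/sh
# Added example: constructed config, host name and paths (not from the thread).
# Assumes an `openssl` binary on PATH.

# Print the subject line of a CSR generated with -subj and a prompting config.
csr_subject() {
    cn="$1"
    dir=$(mktemp -d) || return 1

    # No "prompt = no" here, so prompting mode is the default and each
    # DN part is a prompt string rather than an actual value.
    cat > "$dir/openssl.cnf" <<'EOF'
[ req ]
default_bits       = 2048
distinguished_name = req_dn

[ req_dn ]
commonName         = Common Name (server host name)
commonName_max     = 64
EOF

    openssl req -new -nodes -subj "/CN=$cn" \
        -config "$dir/openssl.cnf" \
        -keyout "$dir/privkey.pem" -out "$dir/file.csr" 2>/dev/null || {
        rm -rf "$dir"; return 1; }

    # Inspect the request before it is signed.
    openssl req -noout -subject -in "$dir/file.csr"
    rm -rf "$dir"
}

# Succeeds only if the CSR subject carries the expected common name.
# The pattern tolerates the "/CN=", "CN=" and "CN = " output styles.
csr_has_cn() {
    csr_subject "$1" | grep -q "CN *= *$1"
}

csr_has_cn "www.example.test" && echo "CSR subject matches requested CN"
```

Running the same check against a CSR produced with the real config shows whether the requested common name or a config-file value ended up in the subject.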