On Thu, Feb 14, 2013 at 04:11:33AM +0000, Viktor Dukhovni wrote:

> You'll naturally need to add the requisite subjectAltName extensions.

A more complete example:

    $ cat openssl.cnf
    [ req ]
    distinguished_name = dn
    req_extensions = san
    [ dn ]
    [ san ]
    subjectAltName = DNS:mail.example.com, DNS:smtp.example.com

    $ umask 077
    $ openssl req -new -newkey rsa:1024 -keyout key.pem -nodes \
        -config openssl.cnf -sha1 -subj "/" -out csr.pem
    $ umask 022
    $ openssl req -in csr.pem -noout -text
    Certificate Request:
        Data:
            Version: 0 (0x0)
            Subject:
            Subject Public Key Info:
                Public Key Algorithm: rsaEncryption
                    Public-Key: (1024 bit)
                    Modulus:
                        ...
                    Exponent: 65537 (0x10001)
            Attributes:
            Requested Extensions:
                X509v3 Subject Alternative Name:
                    DNS:mail.example.com, DNS:smtp.example.com
        Signature Algorithm: sha1WithRSAEncryption
            ...

Don't know whether any public CA will sign such a request, but it
should not be a problem with your own CA. With a CA configured to
not require or match any DN fields I get:

    Certificate:
        Data:
            Version: 3 (0x2)
            Serial Number: 17062333067833592498 (0xecc995866b9f4ab2)
        Signature Algorithm: sha1WithRSAEncryption
            Issuer: C=US, ST=New York, L=New York, O=Example Corp, CN=Insecure CA
            Validity
                Not Before: Feb 14 05:34:12 2013 GMT
                Not After : Feb 14 05:34:12 2014 GMT
            Subject:
            Subject Public Key Info:
                Public Key Algorithm: rsaEncryption
                    Public-Key: (1024 bit)
                    Modulus:
                        ...
                    Exponent: 65537 (0x10001)
            X509v3 extensions:
                X509v3 Basic Constraints: critical
                    CA:FALSE
                X509v3 Key Usage:
                    Digital Signature, Key Encipherment
                X509v3 Extended Key Usage:
                    TLS Web Server Authentication, TLS Web Client Authentication
                X509v3 Subject Key Identifier:
                    B4:25:8D:EF:99:F4:EA:29:13:1E:C8:CE:DC:83:78:F1:38:F1:81:F7
                X509v3 Authority Key Identifier:
                    keyid:A3:11:A1:89:97:FE:66:BA:4B:93:4D:EA:91:87:F7:F5:07:AC:7B:E5
                    DirName:/C=US/ST=New York/L=New York/O=Example Corp/CN=Insecure CA
                    serial:EC:C9:95:86:6B:9F:4A:AE

        Signature Algorithm: sha1WithRSAEncryption
            ...

-- 
    Viktor.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
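
The round trip described in the message above, as an added example that is not part of the original post or the poster's CA setup: a throwaway CA issues an empty-subject certificate and the result is checked. Assumptions: `openssl x509 -req` stands in for the poster's CA (whose configuration is not shown), RSA 2048 and SHA-256 replace the post's rsa:1024 and -sha1, the subjectAltName is marked critical because RFC 5280 requires that when the subject is empty, and all file names and the CA name are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the original post. File names, the CA name and the
# host names are constructed for this demo; key size and digest are assumptions.

# Build a throwaway CA, then issue a certificate with an empty subject DN whose
# only identity is the subjectAltName. $1 = existing working directory.
make_san_only_cert() (
    cd "$1" || exit 1
    umask 077                       # key files readable by the owner only
    cat > demo.cnf <<'EOF'
[ req ]
distinguished_name = dn
req_extensions = san
[ dn ]
[ san ]
subjectAltName = critical, DNS:mail.example.com, DNS:smtp.example.com
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[ leaf_ext ]
basicConstraints = critical, CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = critical, DNS:mail.example.com, DNS:smtp.example.com
EOF
    # Self-signed demo CA (it does have a subject DN).
    openssl req -x509 -new -newkey rsa:2048 -nodes -keyout cakey.pem \
        -config demo.cnf -extensions ca_ext -sha256 -days 30 \
        -subj "/CN=Throwaway Demo CA" -out ca.pem 2>/dev/null &&
    # CSR with an empty subject: -subj "/" plus the [ san ] request extension.
    openssl req -new -newkey rsa:2048 -nodes -keyout key.pem \
        -config demo.cnf -sha256 -subj "/" -out csr.pem 2>/dev/null &&
    # "openssl x509 -req" applies no DN policy; extensions come from -extfile,
    # so the CA operator, not the requester, decides which names are certified.
    openssl x509 -req -in csr.pem -CA ca.pem -CAkey cakey.pem -CAcreateserial \
        -extfile demo.cnf -extensions leaf_ext -sha256 -days 30 \
        -out cert.pem 2>/dev/null &&
    openssl verify -CAfile ca.pem cert.pem >/dev/null
)

# Subject line with whitespace stripped: "subject=" means the DN is empty.
cert_subject() { openssl x509 -in "$1" -noout -subject | tr -d ' \n'; }

# The SAN extension header (shows "critical") and the names that follow it.
cert_san() { openssl x509 -in "$1" -noout -text | grep -A1 'Subject Alternative Name'; }

demo_dir=$(mktemp -d) && make_san_only_cert "$demo_dir" &&
    cert_subject "$demo_dir/cert.pem" && echo && cert_san "$demo_dir/cert.pem"
```

Clients that match only on the subject CN will find nothing to match in such a certificate, so test it against each peer implementation before deploying.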