I am sure at least some would sign it, because the RFC 5280 PKIX standard was written by the CAs themselves and they are the ones deprecating CN in favor of SAN.

--
Sent from my mobile device.

Viktor Dukhovni <openssl-us...@dukhovni.org> wrote:
>On Thu, Feb 14, 2013 at 04:11:33AM +0000, Viktor Dukhovni wrote:
>
>> You'll naturally need to add the requisite subjectAltName extensions.
>
>A more complete example:
>
>    $ cat openssl.cnf
>    [ req ]
>    distinguished_name = dn
>    req_extensions = san
>    [ dn ]
>    [ san ]
>    subjectAltName = DNS:mail.example.com, DNS:smtp.example.com
>
>    $ umask 077
>    $ openssl req -new -newkey rsa:1024 -keyout key.pem -nodes \
>        -config openssl.cnf -sha1 -subj "/" -out csr.pem
>    $ umask 022
>
>    $ openssl req -in csr.pem -noout -text
>    Certificate Request:
>        Data:
>            Version: 0 (0x0)
>            Subject:
>            Subject Public Key Info:
>                Public Key Algorithm: rsaEncryption
>                    Public-Key: (1024 bit)
>                    Modulus:
>                        ...
>                    Exponent: 65537 (0x10001)
>            Attributes:
>            Requested Extensions:
>                X509v3 Subject Alternative Name:
>                    DNS:mail.example.com, DNS:smtp.example.com
>        Signature Algorithm: sha1WithRSAEncryption
>            ...
>
>Don't know whether any public CA will sign such a request, but it should
>not be a problem with your own CA. With a CA configured to not require
>or match any DN fields I get:
>
>Certificate:
>    Data:
>        Version: 3 (0x2)
>        Serial Number: 17062333067833592498 (0xecc995866b9f4ab2)
>    Signature Algorithm: sha1WithRSAEncryption
>        Issuer: C=US, ST=New York, L=New York, O=Example Corp, CN=Insecure CA
>        Validity
>            Not Before: Feb 14 05:34:12 2013 GMT
>            Not After : Feb 14 05:34:12 2014 GMT
>        Subject:
>        Subject Public Key Info:
>            Public Key Algorithm: rsaEncryption
>                Public-Key: (1024 bit)
>                Modulus:
>                    ...
>                Exponent: 65537 (0x10001)
>        X509v3 extensions:
>            X509v3 Basic Constraints: critical
>                CA:FALSE
>            X509v3 Key Usage:
>                Digital Signature, Key Encipherment
>            X509v3 Extended Key Usage:
>                TLS Web Server Authentication, TLS Web Client Authentication
>            X509v3 Subject Key Identifier:
>                B4:25:8D:EF:99:F4:EA:29:13:1E:C8:CE:DC:83:78:F1:38:F1:81:F7
>            X509v3 Authority Key Identifier:
>                keyid:A3:11:A1:89:97:FE:66:BA:4B:93:4D:EA:91:87:F7:F5:07:AC:7B:E5
>                DirName:/C=US/ST=New York/L=New York/O=Example Corp/CN=Insecure CA
>                serial:EC:C9:95:86:6B:9F:4A:AE
>
>    Signature Algorithm: sha1WithRSAEncryption
>        ...
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
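
Added example (not part of the thread, and not OpenSSL project code): RFC 5280 section 4.2.1.6 requires a certificate with an empty subject to carry a subjectAltName extension marked critical, and the certificate dump quoted above lists no subjectAltName among its extensions. The sketch below lints `openssl x509 -noout -text` output for that rule; the function name and the three sample dumps are constructed for illustration and assume the text layout shown in the thread.

```python
# Added example: lint `openssl x509 -noout -text` output for the
# empty-subject rule of RFC 5280 section 4.2.1.6.

NO_SAN_MSG = "empty subject and no subjectAltName"
NOT_CRITICAL_MSG = "empty subject but subjectAltName is not marked critical"

def lint_cert_text(text):
    """Return (subject, san_names, findings) for one certificate text dump."""
    lines = text.splitlines()
    subject, san_names, san_present, san_critical = "", [], False, False
    for i, line in enumerate(lines):
        field = line.strip()
        if field.startswith("Subject:"):
            subject = field[len("Subject:"):].strip()
        elif field.startswith("X509v3 Subject Alternative Name:"):
            san_present = True
            # openssl appends "critical" to the extension name line.
            san_critical = field.endswith("critical")
            if i + 1 < len(lines):  # the names follow on the next line
                san_names = [n.strip() for n in lines[i + 1].split(",") if n.strip()]
    findings = []
    if not subject and not san_present:
        findings.append(NO_SAN_MSG)
    elif not subject and not san_critical:
        findings.append(NOT_CRITICAL_MSG)
    return subject, san_names, findings

# Constructed sample dumps, abbreviated from the layout quoted in the thread.
HEAD = """Certificate:
    Data:
        Version: 3 (0x2)
        Issuer: C=US, ST=New York, L=New York, O=Example Corp, CN=Insecure CA
        Subject:
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:FALSE
"""
SAN = ("            X509v3 Subject Alternative Name:{}\n"
       "                DNS:mail.example.com, DNS:smtp.example.com\n")
NO_SAN = HEAD                                # same shape as the quoted certificate
PLAIN_SAN = HEAD + SAN.format("")            # SAN copied, critical flag missing
CRITICAL_SAN = HEAD + SAN.format(" critical")

if __name__ == "__main__":
    for name, dump in [("no SAN", NO_SAN), ("plain SAN", PLAIN_SAN),
                       ("critical SAN", CRITICAL_SAN)]:
        print(name, "->", lint_cert_text(dump)[2] or "ok")
```

In an OpenSSL config file the critical flag is written as `subjectAltName = critical, DNS:...`, and `openssl ca` copies request extensions into the issued certificate only when its `copy_extensions` option is set.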