On May 23, 2013, at 10:28 AM, Jakob Bohm wrote:

> On 5/23/2013 6:21 PM, Craig White wrote:
>> hmmm… I guess it may not be there but it's there in the cert that I signed
>> with my CA self which is using the same csr
>>
>> Is there something wrong with the way I am generating them?
>>
>> openssl req -new -nodes \
>> -out $CERTPATH/http.csr \
>> -keyout $CERTPATH/http.key \
>> -days 3650 \
>> -config $CONFIG
>
> Depends what is in your config!
>
> In the config I use for such I have (other lines omitted for clarity):
>
> [req]
>
> # Other stuff
>
> req_extensions = v3_req
>
> [ v3_req ]
>
> # Other stuff
>
> subjectAltName = @alt_names
>
> [alt_names]
> # Remember to repeat the CN as one of the ALT Names,
> # Someone published an RFC that said to ignore the CN if there are
> # any ALT names and some idiots implemented this misprint
> # literally.
> # The lines that start with DNS are for "DNS names", that is web
> # servers etc., there are other words to use for other name
> # types, and those type indicators become part of the request
> # (and the certificate if it copies the alt names)
> DNS.0 = www.example.com
> DNS.1 = example.com
> DNS.2 = web.example.com
>
>
>>
>> openssl ca \
>> -config $CONFIG \
>> -policy policy_anything \
>> -out $CERTPATH/http.pem \
>> -infiles $CERTPATH/http.csr
>
> Does the config file used by your CA say to copy the Alt names
> extension from the requests?
----
I think you have hit the nail on the head. The subjectAltName(s) aren't getting included in requests but are being included in certificates which are drawn from the same config file. I was assuming that it would work but it isn't.

I moved the subjectAltName definition to various sections including v3_req and changed it to this…

subjectAltName = email:copy, DNS:copy, @alt_names

but still no go - subjectAltName is not making it into the csr.

Finally tried

$ openssl req -new -nodes \
-out $CERTPATH/http.csr \
-keyout $CERTPATH/http.key \
-days 3650 \
-config $CONFIG \
-extensions v3_req

but still not in the csr.

Obviously I am missing something important in my reading of the documentation.

Thanks

Craig
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
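
A way to check whether a given config actually puts subjectAltName into the request, added here as an example and not part of the original thread: it builds two throwaway CSRs from the section names in the quoted config, one with `req_extensions = v3_req` in `[req]` and one without, and prints the SANs found in each. The function names, the `[dn]` section and the temporary directory are assumptions made for the example.

```shell
#!/bin/sh
# Added example: all names and values are constructed sample data.
set -e

# write_config FILE WIRED -- WIRED=yes puts "req_extensions = v3_req" in [req]
write_config() {
    wired=""
    if [ "$2" = yes ]; then wired="req_extensions = v3_req"; fi
    cat > "$1" <<EOF
[req]
distinguished_name = dn
prompt = no
$wired

[dn]
CN = www.example.com

[v3_req]
subjectAltName = @alt_names

[alt_names]
DNS.0 = www.example.com
DNS.1 = example.com
DNS.2 = web.example.com
EOF
}

# csr_san CSR -- print the SAN value line of a request, or nothing if absent
csr_san() {
    openssl req -in "$1" -noout -text |
        awk '/Subject Alternative Name/ { getline; sub(/^[ \t]+/, ""); print }'
}

# san_for WIRED -- generate a throwaway key and CSR, print the SANs in the CSR
san_for() {
    dir=$(mktemp -d)
    write_config "$dir/req.cnf" "$1"
    openssl req -new -nodes -newkey rsa:2048 -config "$dir/req.cnf" \
        -keyout "$dir/http.key" -out "$dir/http.csr" 2>/dev/null
    csr_san "$dir/http.csr"
    rm -rf "$dir"
}

echo "without req_extensions: '$(san_for no)'"
echo "with req_extensions:    '$(san_for yes)'"
```

Running `csr_san` against an existing request shows what the CA will see before `openssl ca` is involved at all.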