It is debatable whether putting SAN in the request is really 'proper';
I don't know of any 'real' (public) CA that accepts it that way.
But for openssl:

If you are using 'ca', set copy_extensions in the config file. See the man
page.

If you are using 'x509 -req', that ignores/discards extensions from the CSR.
It can *add* extensions from a config file, but since you usually want SAN
to be different for every subject cert that isn't very convenient.

Do you really mean 'x509 -signkey' to selfsign, or 'req -x509'?
The latter is IME much more common.

From: owner-openssl-us...@openssl.org
[mailto:owner-openssl-us...@openssl.org] On Behalf Of Biondo, Brandon A.
Sent: Monday, January 06, 2014 16:16
To: openssl-users@openssl.org
Subject: OpenSSL CA and signing certs with SANs

Hello,

Forgive me if I breach etiquette. This is my first post to this list in
quite a while.

I am having trouble tracking down information regarding how you reconfigure
an OpenSSL CA to handle SANs in requests. There is a wealth of information
on how to configure OpenSSL to form a proper request, but in my searching I
can only ever find people who use the x509 function to self-sign their
certs. When you use an OpenSSL CA to sign this type of request, the
certificate is made without issue but the SANs are stripped out of the final
product. What am I missing here?

Regards,

Brandon Biondo
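
The behaviour described in the reply, as an added example that is not part of the original thread: a throwaway CA signs the same CSR once with 'ca' (copy_extensions = copy) and once with 'x509 -req', then checks which certificate kept the SAN. It assumes OpenSSL 1.1.1 or later on the PATH (for -addext); the file names, section names and example.test hostnames are constructed, and the CSR deliberately also asks for CA:TRUE to show why the CA config pins basicConstraints itself.

```shell
#!/bin/sh
# Added example: throwaway CA in a temp directory; every name below is constructed.
set -eu
issue_both() (   # subshell body; prints the directory holding both issued certs
    d=$(mktemp -d); cd "$d"
    mkdir newcerts; : > index.txt; echo 01 > serial
    cat > demo.cnf <<'EOF'
[ ca ]
default_ca = CA_default
[ CA_default ]
database = ./index.txt
new_certs_dir = ./newcerts
serial = ./serial
default_md = sha256
default_days = 30
policy = policy_any
x509_extensions = leaf_ext
# 'copy' takes CSR extensions only where leaf_ext has not already set them
copy_extensions = copy
[ policy_any ]
commonName = supplied
[ leaf_ext ]
basicConstraints = critical, CA:FALSE
[ req ]
distinguished_name = dn
prompt = no
req_extensions = csr_ext
[ dn ]
CN = www.example.test
[ csr_ext ]
subjectAltName = DNS:www.example.test, DNS:example.test
basicConstraints = CA:TRUE
EOF
    {   # CA cert, CSR with SAN, then the two signing paths from the thread
    openssl req -x509 -newkey rsa:2048 -nodes -config demo.cnf -subj "/CN=Demo CA" \
        -addext "basicConstraints=critical,CA:TRUE" -keyout ca.key -out ca.crt -days 30
    openssl req -new -newkey rsa:2048 -nodes -config demo.cnf -keyout leaf.key -out leaf.csr
    openssl ca -batch -config demo.cnf -cert ca.crt -keyfile ca.key -in leaf.csr -out via_ca.crt
    openssl x509 -req -in leaf.csr -CA ca.crt -CAkey ca.key -CAcreateserial -days 30 -out via_x509.crt
    } > build.log 2>&1
    echo "$d"
)
cert_text() { openssl x509 -in "$1" -noout -text; }
has_san()   { cert_text "$1" | grep -q 'DNS:example.test'; }
is_ca()     { cert_text "$1" | grep -q 'CA:TRUE'; }

d=$(issue_both)
for c in via_ca via_x509; do has_san "$d/$c.crt" && echo "$c: SAN kept" || echo "$c: SAN dropped"; done
is_ca "$d/via_ca.crt" && echo "via_ca: CA:TRUE copied from CSR" || echo "via_ca: CA:FALSE enforced"
```

If leaf_ext did not set basicConstraints, copy would carry the CA:TRUE from the request into the issued certificate, so the CA-side extension section should pin anything the requester must not control.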
