From: owner-openssl-us...@openssl.org On Behalf Of Mr.Rout
Sent: Saturday, 03 December, 2011 02:56
My TLS client can validate both CN and SN; I need to test both
scenarios.
I don't know how to create certificate with subjectAltName
extension using openssl commands.
In RFC 2818, there are two ways of certificate
validation for the host name:
1) CN (Common Name)
2) SN (Subject Name)
1. Common Name part of subject name which is the value of Subject.
2. Subject *Alternative* Name which is an extension.
If a subjectAltName extension of type dNSName is present, that MUST
be used as the identity. Otherwise, the (most specific) Common Name
field in the Subject field of the certificate MUST be used. Although
the use of the Common Name is existing practice, it is deprecated and
Certification Authorities are encouraged to use the dNSName instead.
As this says, although a bit tersely.
I created a self-signed certificate using openssl commands, and my
certificate chain looks like below, where CN=10.204.4.69:
openssl genrsa -des3 -out server.key 1024
openssl req -new -key server.key -out server.csr
openssl x509 -req -days 365 -in server.csr \
    -signkey server.key -out server.crt
Please tell me how to create a certificate with a subjectAltName
extension using openssl commands?
The same way(s) you create a cert with any extension(s).
See man req; man x509; man ca; man x509v3_config
In x509 -req supply -extfile with the name of a config file,
and -extsect with the name of a section in that file
unless it is default or pointed to by default.extensions,
specifying the extension(s) you want. You want something like
subjectAltName=DNS:my.host.example
For self-signed you can save a step (or two) with req -x509 (and
-newkey), in which case use -extensions or req.x509_extensions.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org