> 
> [EMAIL PROTECTED] <[EMAIL PROTECTED]>:
> 
> > Hi, I've been using the CR generation tool and I noticed that the
> > generated CRs are not compatible with other software that expects them. Is
> > their format PKCS#10? If yes, is the field 'SubjectAltName' filled when
> > creating the CR? I think the other software requires it.
> 

Well this is supported but only partially. You can use the
extensionRequest attribute documented in PKCS#9 v2.0. See the
req_extensions field in the req manual page. 

The extensions are currently hard coded in the config file and not
prompted for like other fields. You could get round this by using the
prompt=no option and having a separate program or script do the
prompting: this isn't a bad idea anyway because the standard prompting
by 'req' isn't very friendly.

Although extensions can be placed in certificate requests, both the
'x509' and the 'ca' certificate signing options currently ignore them.
This is primarily a security issue because you wouldn't want it to
silently add CA:true in a 'user' certificate, would you? It will
ultimately need some kind of 'policy' for extensions to handle this.

Steve.
-- 
Dr Stephen N. Henson.   http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED] 
Senior crypto engineer, Celo Communications: http://www.celocom.com/
Core developer of the   OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED] PGP key: via homepage.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
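
Added example (not part of the original message and not OpenSSL project code): a small script of the kind the reply suggests, which does the prompting itself and writes a config with prompt=no and a req_extensions section carrying subjectAltName. The section names req_dn and req_ext and the file names req.cnf, key.pem and req.pem are assumptions; input is restricted to an allow-list so a value cannot add config lines or extra extension entries.

```python
import re

# Conservative allow-lists: no newlines, '$', '\', '#', quotes, ':' or commas,
# which the OpenSSL config parser or the extension syntax treat specially.
DN_FIELD = re.compile(r"[A-Za-z]{1,20}")
DN_VALUE = re.compile(r"[A-Za-z0-9 .@_-]{1,64}")
DNS_NAME = re.compile(r"(\*\.)?([A-Za-z0-9-]{1,63}\.)*[A-Za-z0-9-]{1,63}")

def build_req_config(dn, dns_names):
    """Return config text for 'openssl req -new -config FILE ...'.

    dn: list of (field, value) pairs, e.g. [("C", "GB"), ("CN", "host")].
    dns_names: host names to request in subjectAltName.
    """
    if not dn or not dns_names:
        raise ValueError("need at least one DN field and one DNS name")
    for field, value in dn:
        if not DN_FIELD.fullmatch(field) or not DN_VALUE.fullmatch(value):
            raise ValueError(f"unsafe DN entry: {field!r}={value!r}")
    for name in dns_names:
        if len(name) > 253 or not DNS_NAME.fullmatch(name):
            raise ValueError(f"unsafe DNS name: {name!r}")
    lines = [
        "[ req ]",
        "prompt = no",                    # take DN values from this file
        "distinguished_name = req_dn",    # section name is an assumption
        "req_extensions = req_ext",       # emitted as extensionRequest
        "",
        "[ req_dn ]",
        *[f"{field} = {value}" for field, value in dn],
        "",
        "[ req_ext ]",
        "subjectAltName = " + ", ".join(f"DNS:{n}" for n in dns_names),
        "",
    ]
    return "\n".join(lines)

if __name__ == "__main__":
    # The friendlier prompting the message suggests doing outside 'req'.
    cn = input("Host name (CN): ").strip()
    extra = input("Additional DNS names (space separated): ").split()
    org = input("Organization: ").strip()
    with open("req.cnf", "w") as fh:      # constructed file name
        fh.write(build_req_config([("O", org), ("CN", cn)], [cn, *extra]))
    print("Now run: openssl req -new -config req.cnf -key key.pem -out req.pem")
```

The request only asks for the extension; as the message says, whether it reaches the certificate is up to the signer.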
