[openssl-users] How do I configure my Certification Authority to pay attention to Subject Alternate Names

Walter H. Walter.H at mathemainzel.info
Wed Nov 4 04:31:44 UTC 2015


On 03.11.2015 18:45, John Lewis wrote:
> On 11/03/2015 12:04 PM, Walter H. wrote:
>> On 03.11.2015 14:46, John Lewis wrote:
>>> I created a local certification authority  using this tutorial
>>> https://www.debian-administration.org/article/284/Creating_and_Using_a_self_signed__SSL_Certificates_in_debian 
>>>
>>> and made a certification request using this tutorial and I use this
>>> tutorial to learn how to make a request with a Subject Alternate Name.
>>>
>>> I actually did manage to get lucky just now and I hypothesize that
>>> running a command like this 'openssl ca -in ldap01.req -out
>>> certs/new/ldap04.pem -extensions v3_req -config ./openssl.cnf' as
>>> opposed to running a command like this 'openssl ca -in ldap01.req -out
>>> certs/new/ldap04.pem  -config ./openssl.cnf' got my CA to create a cert
>>> with subject alternate names. How do I add '-extensions v3_req' to
>>> my ca configuration and have it not be ignored?
>>>
>>
>> add the following parameter(s):
>>
>> -extensions sslcertext -extfile file
>> this file is similar to the following
>>
>> [ sslcertext ]
>> basicConstraints = CA:false
>> keyUsage = critical, digitalSignature, keyEncipherment
>> subjectKeyIdentifier = hash
>> authorityKeyIdentifier = keyid:always, issuer:always
>> authorityInfoAccess = OCSP;URI:#OCSP-URL#/, caIssuers;URI:#DER-CACERT-URL#
>>
>> issuerAltName = issuer:copy
>> subjectAltName = #SUBJECTALTNAME#
>>
>> extendedKeyUsage = serverAuth, msSGC, nsSGC
>>
>> certificatePolicies = ia5org, @policy_section
>> crlDistributionPoints = URI:#CRL-URL#
>>
>> [ policy_section ]
>> policyIdentifier = #POLICYID#
>> CPS.1 = #CPS-URL#
>>
>
> Do I replace my current [v3_req] section with the contents of 
> [sslcertext]
>
No, you add this part, because v3_req is used for the certificate 
request ...

And I forgot to mention that #...# must be replaced with the right
values.
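As an added example, not code from the thread or from either poster: a POSIX shell script that builds a throwaway CA in a temporary directory and signs one CSR twice, once like the second command quoted above (no extension section) and once with '-extensions sslcertext -extfile', then reads the SAN back out of each certificate. The hostnames, the directory layout and the trimmed-down [ sslcertext ] section are assumptions for the demo. The CSR deliberately carries a SAN of its own (through a v3_req request section) to show that 'openssl ca' ignores it: copy_extensions defaults to none, so the only SAN that reaches the certificate is the one the CA's own extension section sets. If you would rather let requesters supply the SAN by setting copy_extensions = copy in the CA section of openssl.cnf, keep a CA-side section that also pins basicConstraints and keyUsage; with copy, extensions already defined by the configuration take precedence, and the requester controls everything else in the CSR.

```shell
#!/bin/sh
# Added example (not code from the thread): a throwaway CA under a temp
# directory signs one CSR twice, first without and then with the thread's
# "-extensions sslcertext -extfile" arguments, so the effect on the SAN can
# be checked. Names, hostnames and the directory layout are assumptions.
set -eu

# Print the Subject Alternative Name of a PEM certificate, or nothing if absent.
san_of() {
  openssl x509 -in "$1" -noout -text |
    awk '/Subject Alternative Name/ { getline; sub(/^ +/, ""); print; exit }'
}

# Build the CA, the CSR and both certificates under directory $1.
demo() {
  dir=$1
  mkdir -p "$dir/certs" "$dir/private"
  : > "$dir/index.txt"
  echo 01 > "$dir/serial"

  # Minimal CA config (constructed for this demo). copy_extensions = none is
  # the default: a SAN the requester put in the CSR is ignored by "openssl ca".
  cat > "$dir/ca.cnf" <<EOF
[ ca ]
default_ca = local_ca

[ local_ca ]
dir             = $dir
database        = \$dir/index.txt
new_certs_dir   = \$dir/certs
serial          = \$dir/serial
certificate     = \$dir/cacert.pem
private_key     = \$dir/private/cakey.pem
default_md      = sha256
default_days    = 30
policy          = policy_any
unique_subject  = no
copy_extensions = none

[ policy_any ]
commonName = supplied

[ req ]
distinguished_name = req_dn
prompt = no

[ req_dn ]
CN = Example Local CA

[ v3_ca ]
basicConstraints = critical, CA:true
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash

[ v3_req ]
subjectAltName = DNS:ldap01.example.test, DNS:requested-by-csr.example.test
EOF

  # CA-side end-entity extensions, modelled on the thread's [ sslcertext ]
  # with the placeholders filled in; the CA, not the requester, sets the SAN.
  cat > "$dir/ext.cnf" <<EOF
[ sslcertext ]
basicConstraints = CA:false
keyUsage = critical, digitalSignature, keyEncipherment
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always, issuer:always
extendedKeyUsage = serverAuth
subjectAltName = DNS:ldap01.example.test, DNS:ldap.example.test
EOF

  log="$dir/openssl.log"
  # Self-signed CA certificate.
  openssl req -new -x509 -nodes -newkey rsa:2048 -config "$dir/ca.cnf" \
    -extensions v3_ca -keyout "$dir/private/cakey.pem" -out "$dir/cacert.pem" >>"$log" 2>&1
  # Server CSR that asks for a SAN of its own via the v3_req request section.
  openssl req -new -nodes -newkey rsa:2048 -config "$dir/ca.cnf" -reqexts v3_req \
    -subj "/CN=ldap01.example.test" -keyout "$dir/server.key" -out "$dir/server.csr" >>"$log" 2>&1
  # 1) Sign as in the thread's second command: no extension section given.
  openssl ca -batch -config "$dir/ca.cnf" -in "$dir/server.csr" -out "$dir/no-ext.pem" >>"$log" 2>&1
  # 2) Sign with the CA-side extension section from the separate extfile.
  openssl ca -batch -config "$dir/ca.cnf" -extensions sslcertext -extfile "$dir/ext.cnf" \
    -in "$dir/server.csr" -out "$dir/with-ext.pem" >>"$log" 2>&1
}

work=$(mktemp -d)
demo "$work"
echo "no -extensions : SAN = '$(san_of "$work/no-ext.pem")'"
echo "with -extfile  : SAN = '$(san_of "$work/with-ext.pem")'"
```

The first certificate comes out with no SAN at all (and, having no extensions, as a v1 certificate), even though the CSR asked for one; the second carries exactly the SAN from ext.cnf. Errors from the openssl invocations land in openssl.log under the work directory.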