[openssl-users] RFC2818 and subjectAltName

Viktor Dukhovni openssl-users at dukhovni.org
Wed Apr 26 16:55:29 UTC 2017


> On Apr 26, 2017, at 11:55 AM, Murray, Ronald-1 (ANF) <murrayr at dor.state.ma.us> wrote:
> 
> Our certificates, of course, only contained the Common Name (CN), with no subjectAltName (SAN). I solved the problem by creating new certificates and hacking openssl.cnf to request a SAN in the CSR.

An appropriate openssl.cnf is the supported way to populate DNS altnames
into certificates created with the req(1), x509(1) and ca(1) utilities.

> Is there any chance of this being included in openssl?

It is already included, via the openssl.cnf interface.  You can
also create openssl.cnf sections on the fly, without creating
any persistent files, with "bash" or similar shells.  See, for
example:

   https://github.com/openssl/openssl/blob/master/test/certs/mkcert.sh

-- 
	Viktor.


More information about the openssl-users mailing list