client certs with no subjectName only SAN
Robert Moskowitz
rgm at htt-consult.com
Thu Aug 15 20:06:48 UTC 2019
There are a number of things I am not clear on, and so far my searching
and reading is coming up short.

If there is no subjectName, only subjectAltName, is the subjectName
still present in the cert, only empty, or is it totally gone?

I have found that if I put
-subj /
in the openssl req, I end up with an empty subjectName. Or is there
some way to totally remove this from the cert?

For the subjectAltName, is it supposed to be flagged critical? I have
seen references of:
subjectAltName=critical,email:certtest at example.com
Is this correct and the way to set SAN as critical?

thanks

The cert I have made so far is:
$ openssl x509 -noout -text -in $dir/certs/device1.cert.pem
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            c9:8f:b2:7b:e1:95:74:cf
        Signature Algorithm: ED25519
        Issuer: CN = 2001:24:28:14::/64
        Validity
            Not Before: Aug 15 19:51:17 2019 GMT
            Not After : Aug 24 19:51:17 2020 GMT
        Subject:
        Subject Public Key Info:
            Public Key Algorithm: ED25519
                ED25519 Public-Key:
                pub:
                    7a:a6:f2:7d:14:8f:fd:a9:55:d9:6f:d6:04:a1:e6:
                    6d:9e:34:1f:d3:2b:59:80:cc:2f:4c:83:4f:81:a0:
                    10:36
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Cert Type:
                SSL Client, S/MIME
            Netscape Comment:
                OpenSSL Generated Client Certificate
            X509v3 Subject Key Identifier:
                97:B0:DC:A2:74:93:CF:76:5E:82:6C:08:9C:46:73:83:D3:86:8E:9A
            X509v3 Authority Key Identifier:
                keyid:B1:45:18:9B:33:82:6C:74:29:69:2A:15:93:3B:1C:31:D2:37:D6:CA
            X509v3 Key Usage: critical
                Digital Signature, Non Repudiation, Key Encipherment
            X509v3 Extended Key Usage:
                TLS Web Client Authentication, E-mail Protection
            X509v3 Subject Alternative Name:
                IP Address:2001:24:28:14:B8AF:2789:CBB9:F7AC
    Signature Algorithm: ED25519
         32:2e:7d:4d:ad:4d:87:4c:57:1a:df:ef:e3:ec:2b:b5:a7:fe:
         2f:48:73:32:72:1a:b6:4a:cd:e4:88:75:98:4d:b0:9a:79:48:
         2b:2c:12:68:0f:c0:86:bd:d9:4e:4b:85:fb:f3:91:68:f4:ec:
         18:99:dd:7e:d5:f8:b6:f0:08:0e