Problems adding specific extensions to signed certificates

Michael Leone turgon at mike-leone.com
Fri Feb 7 20:12:44 UTC 2020


On Fri, Feb 7, 2020 at 3:08 PM Michael Wojcik
<Michael.Wojcik at microfocus.com> wrote:
>
> > From: Michael Leone [mailto:turgon at mike-leone.com]
> > Sent: Friday, February 07, 2020 11:55
> >
> > How is that this works for everyone else, and not me? :-)
>
> It doesn't.
>
> I just reviewed this whole note stream, and realized you're using "openssl req" to create the certificate, rather than "openssl ca", according to your first note.
>
> openssl req doesn't respect copy_extensions, because it doesn't use a CA-section in the configuration file.
>
> To accomplish what you want, you'll have to use openssl ca. There are a number of walkthroughs online for setting that up.

Yep, I've been communicating offlist with another member, and he's
finally set me straight. Now I am using "openssl ca", and it is give
me the extensions the CSR is asking for.

I've got it almost all figured out, except how to get a subjectAltName
automatically populated by the CN of the requestor. My requests aren't
asking for a SAN, but Chrome isn't happy without one, so I'd like to
at least auto-populate 1 SAN by having it be the DNS:<CN> of the
requesting CSR.

Is that doable?


More information about the openssl-users mailing list