<html>
  <head>
    <meta content="text/html; charset=windows-1252"
      http-equiv="Content-Type">
  </head>
  <body text="#000000" bgcolor="#FFFFFF">
    <div class="moz-cite-prefix">On 11/03/2015 12:04 PM, Walter H.
      wrote:<br>
    </div>
    <blockquote cite="mid:5638E91B.8000300@mathemainzel.info"
      type="cite">On 03.11.2015 14:46, John Lewis wrote:
      <br>
      <blockquote type="cite">I created a local certification authority 
        using this tutorial
        <br>
<a class="moz-txt-link-freetext" href="https://www.debian-administration.org/article/284/Creating_and_Using_a_self_signed__SSL_Certificates_in_debian">https://www.debian-administration.org/article/284/Creating_and_Using_a_self_signed__SSL_Certificates_in_debian</a>
        <br>
        and made a certification request using this tutorial and I use
        this
        <br>
        tutorial to learn how to make a request with a Subject Alternate
        Name.
        <br>
        <br>
        I actually did manage to get lucky just now and I hypothesize
        that
        <br>
        running a command like this 'openssl ca -in ldap01.req -out
        <br>
        certs/new/ldap04.pem -extensions v3_req -config ./openssl.cnf'
        as
        <br>
        opposed to running a command like this 'openssl ca -in
        ldap01.req -out
        <br>
        certs/new/ldap04.pem  -config ./openssl.cnf' got my CA to create
        a cert
        <br>
        with subject alternate names. How do I add '-extensions v3_req'
        to my ca
        <br>
        configuration and have it not be ignored?
        <br>
        <br>
      </blockquote>
      <br>
      add the following parameter(s):
      <br>
      <br>
      -extensions sslcertext -extfile file
      <br>
      this file is similar to the following
      <br>
      <br>
      [ sslcertext ]
      <br>
      basicConstraints = CA:false
      <br>
      keyUsage = critical, digitalSignature, keyEncipherment
      <br>
      subjectKeyIdentifier = hash
      <br>
      authorityKeyIdentifier = keyid:always, issuer:always
      <br>
      authorityInfoAccess = OCSP;URI:#OCSP-URL#/,
      caIssuers;URI:#DER-CACERT-URL#
      <br>
      <br>
      issuerAltName = issuer:copy
      <br>
      subjectAltName = #SUBJECTALTNAME#
      <br>
      <br>
      extendedKeyUsage = serverAuth, msSGC, nsSGC
      <br>
      <br>
      certificatePolicies = ia5org, @policy_section
      <br>
      crlDistributionPoints = URI:#CRL-URL#
      <br>
      <br>
      [ policy_section ]
      <br>
      policyIdentifier = #POLICYID#
      <br>
      CPS.1 = #CPS-URL#
      <br>
      <br>
      <pre wrap="">_______________________________________________
openssl-users mailing list
To unsubscribe: <a class="moz-txt-link-freetext" href="https://mta.openssl.org/mailman/listinfo/openssl-users">https://mta.openssl.org/mailman/listinfo/openssl-users</a>
</pre>
    </blockquote>
    <br>
    Do I replace my current [v3_req] section with the contents of
    [sslcertext]?
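    <br>
    <br>
    The -extensions/-extfile approach from the quoted reply, as an added
    example that is not part of either poster's message: a shell script that
    builds a throwaway CA, signs a CSR carrying no extensions of its own, and
    prints the issued certificate so the subjectAltName taken from the
    extension file is visible. Assumptions: ca.cnf, the host names and the
    issue_with_extfile function are constructed for illustration; only the
    URL-free lines of [ sslcertext ] are used and extendedKeyUsage is reduced
    to serverAuth.
    <br>
    <pre wrap="">
```shell
#!/bin/sh
# Added example: throwaway CA in a temp dir. All names and values below are
# constructed; ca.cnf is a minimal stand-in, not the poster's openssl.cnf.
issue_with_extfile() {
    san="$1"                        # e.g. DNS:ldap04.example.test
    work=$(mktemp -d) || return 1
    (
        cd "$work" || exit 1
        mkdir newcerts || exit 1
        : > index.txt               # empty CA database
        echo 01 > serial            # first serial number
        printf '%s\n' \
            '[ ca ]' 'default_ca = CA_default' \
            '[ CA_default ]' 'database = index.txt' 'serial = serial' \
            'new_certs_dir = newcerts' 'default_md = sha256' \
            'default_days = 30' 'policy = policy_any' \
            '[ policy_any ]' 'commonName = supplied' \
            '[ req ]' 'distinguished_name = dn' \
            '[ dn ]' 'commonName = Common Name' \
            '[ v3_ca ]' 'basicConstraints = critical, CA:true' \
            'subjectKeyIdentifier = hash' > ca.cnf
        # Extension file: the URL-free subset of the [ sslcertext ] section.
        printf '%s\n' \
            '[ sslcertext ]' \
            'basicConstraints = CA:false' \
            'keyUsage = critical, digitalSignature, keyEncipherment' \
            'subjectKeyIdentifier = hash' \
            'authorityKeyIdentifier = keyid:always, issuer:always' \
            "subjectAltName = $san" \
            'extendedKeyUsage = serverAuth' > ext.cnf
        # Self-signed test CA, then a CSR that carries no extensions itself.
        openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.pem \
            -subj '/CN=Constructed Test CA' -days 30 \
            -config ca.cnf -extensions v3_ca 2>/dev/null || exit 1
        openssl req -new -newkey rsa:2048 -nodes -keyout ldap.key \
            -out ldap.req -subj '/CN=ldap04.example.test' \
            -config ca.cnf 2>/dev/null || exit 1
        # The extensions come from ext.cnf, selected by -extensions/-extfile.
        openssl ca -batch -config ca.cnf -cert ca.pem -keyfile ca.key \
            -in ldap.req -out ldap04.pem \
            -extensions sslcertext -extfile ext.cnf 2>/dev/null || exit 1
        openssl x509 -in ldap04.pem -noout -text
    )
    status=$?
    rm -rf "$work"
    return "$status"
}

issue_with_extfile 'DNS:ldap04.example.test,DNS:ldap.example.test' | grep 'DNS:'
```
</pre>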
  </body>
</html>