<html xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=utf-8"><meta name=Generator content="Microsoft Word 15 (filtered medium)"><style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:#954F72;
text-decoration:underline;}
.MsoChpDefault
{mso-style-type:export-only;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style></head><body lang=EN-US link=blue vlink="#954F72"><div class=WordSection1><p class=MsoNormal>If you are asking me, by all means yes. Thanks for asking, I respect the value of honesty in world that has so very few people left.</p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Sent from <a href="https://go.microsoft.com/fwlink/?LinkId=550986">Mail</a> for Windows 10</p><p class=MsoNormal><o:p> </o:p></p><div style='mso-element:para-border-div;border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in'><p class=MsoNormal style='border:none;padding:0in'><b>From: </b><a href="mailto:openssl-users@dukhovni.org">Viktor Dukhovni</a><br><b>Sent: </b>Wednesday, April 26, 2017 1:55 PM<br><b>To: </b><a href="mailto:openssl-users@openssl.org">openssl-users@openssl.org</a><br><b>Subject: </b>Re: [openssl-users] RFC2818 and subjectAltName</p></div><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>> On Apr 26, 2017, at 11:55 AM, Murray, Ronald-1 (ANF) <murrayr@dor.state.ma.us> wrote:</p><p class=MsoNormal>> </p><p class=MsoNormal>> Our certificates, of course, only contained the Common Name (CN), with no subjectAltName (SAN). I solved the problem by creating new certificates and hacking openssl.cnf to request a SAN in the CSR.</p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>An appropriate openssl.cnf is the supported way to populate DNS altnames</p><p class=MsoNormal>into certificates created with the req(1), x509(1) and ca(1) utilities.</p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>> Is there any chance of this being included in openssl?</p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>It is already included, via the openssl.cnf interface. You can</p><p class=MsoNormal>also create openssl.cnf sections on the fly, without creating</p><p class=MsoNormal>any persistent files, with "bash" or similar shells. See, for</p><p class=MsoNormal>example:</p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal> https://github.com/openssl/openssl/blob/master/test/certs/mkcert.sh</p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>-- </p><p class=MsoNormal> Viktor.</p><p class=MsoNormal>-- </p><p class=MsoNormal>openssl-users mailing list</p><p class=MsoNormal>To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users</p><p class=MsoNormal><o:p> </o:p></p></div></body></html>