[openssl-dev] Creating requests and certificates with Subject Alternative Names
Howard Chu
hyc at highlandsun.com
Fri Sep 22 15:51:55 UTC 2017
Angus Robertson - Magenta Systems Ltd wrote:
>> I'm creating X509 certificate requests and certificates in code,
>> trying to add X509v3 Subject Alternative Name, with 1.1.0f.
>>
>> But if I add a list of four domains, i.e.:
>> The certificate seems to ignore some and repeat others:
>
> To answer my own question, I was using ASN1_STRING_set0 instead of
> ASN1_STRING_set and the original ANSI string was a temporary variable,
> so got lost as a new string was added since it was not copied.
>
> But there must be an easier way of adding SANs to certificates than
> using undocumented GENERAL_NAME APIs.
Fyi, here's how we autogenerate certificates in OpenLDAP, with subjectAltNames
populated.
http://www.openldap.org/devel/gitweb.cgi?p=openldap.git;a=blob;f=servers/slapd/overlays/autoca.c;h=5a8ec1b481376df08d4ca7d60bc8fe6d5ad56864;hb=HEAD
The corresponding manpage is here
http://www.openldap.org/devel/gitweb.cgi?p=openldap.git;a=blob;f=doc/man/man5/slapo-autoca.5;h=920c1fe189fc6767b3b8425a985488910b83fadb;hb=HEAD
and our test suite script to put it through its paces is here
http://www.openldap.org/devel/gitweb.cgi?p=openldap.git;a=blob;f=tests/scripts/test066-autoca;h=05e221b313225f23fe9986003eebcd3ba2be5ce8;hb=HEAD
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/