[openssl-users] How do I configure my Certification Authority to pay attention to Subject Alternate Names

John Lewis oflameo2 at gmail.com
Tue Nov 3 17:45:41 UTC 2015


On 11/03/2015 12:04 PM, Walter H. wrote:
> On 03.11.2015 14:46, John Lewis wrote:
>> I created a local certification authority  using this tutorial
>> https://www.debian-administration.org/article/284/Creating_and_Using_a_self_signed__SSL_Certificates_in_debian
>>
>> and made a certification request using this tutorial and I use this
>> tutorial to learn how to make a request with a Subject Alternate Name.
>>
>> I actually did manage to get lucky just now and I hypothesize that
>> running a command like this 'openssl ca -in ldap01.req -out
>> certs/new/ldap04.pem -extensions v3_req -config ./openssl.cnf' as
>> opposed to running a command like this 'openssl ca -in ldap01.req -out
>> certs/new/ldap04.pem  -config ./openssl.cnf' got my CA to create a cert
>> with subject alternate names. How do I add '-extensions v3_req' to my ca
>> configuration and have it not be ignored?
>>
>
> add the following parameter(s):
>
> -extensions sslcertext -extfile file
> this file is similar to the following
>
> [ sslcertext ]
> basicConstraints = CA:false
> keyUsage = critical, digitalSignature, keyEncipherment
> subjectKeyIdentifier = hash
> authorityKeyIdentifier = keyid:always, issuer:always
> authorityInfoAccess = OCSP;URI:#OCSP-URL#/, caIssuers;URI:#DER-CACERT-URL#
>
> issuerAltName = issuer:copy
> subjectAltName = #SUBJECTALTNAME#
>
> extendedKeyUsage = serverAuth, msSGC, nsSGC
>
> certificatePolicies = ia5org, @policy_section
> crlDistributionPoints = URI:#CRL-URL#
>
> [ policy_section ]
> policyIdentifier = #POLICYID#
> CPS.1 = #CPS-URL#
>

Do I replace my current [v3_req] section with the contents of [sslcertext]?
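
Added example, not part of the original thread or written by its participants: in `openssl ca`, the `x509_extensions` key in the CA section names the extension section applied when no `-extensions` option is given, and `copy_extensions` decides whether a subjectAltName in the request reaches the certificate. The script builds a throwaway CA in a temporary directory and signs the same request under both settings; all names, hostnames and section names are constructed.

```shell
# Added example: throwaway CA in a temp dir; every name below is constructed.
# $1 = optional extra line for [ CA_default ]; prints the count of matching SAN lines.
sign_and_count_san() {
  d=$(mktemp -d) || return 1
  (
    cd "$d" || exit 1
    mkdir newcerts && : > index.txt && echo 01 > serial
    cat > ca.cnf <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
database = index.txt
new_certs_dir = newcerts
serial = serial
default_md = sha256
default_days = 30
unique_subject = no
policy = policy_any
# Section applied to every cert when no -extensions option is given:
x509_extensions = server_ext
$1
[ policy_any ]
commonName = supplied
[ server_ext ]
basicConstraints = CA:false
keyUsage = critical, digitalSignature, keyEncipherment
[ ca_ext ]
basicConstraints = critical, CA:true
[ req ]
distinguished_name = dn
prompt = no
req_extensions = req_san
[ dn ]
CN = ldap01.example.test
[ req_san ]
subjectAltName = DNS:ldap01.example.test, DNS:ldap.example.test
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.pem \
      -subj "/CN=Example Test CA" -days 30 -config ca.cnf -extensions ca_ext 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -keyout srv.key -out srv.req \
      -config ca.cnf 2>/dev/null
    openssl ca -batch -config ca.cnf -cert ca.pem -keyfile ca.key \
      -in srv.req -out srv.pem 2>/dev/null
    openssl x509 -in srv.pem -noout -text | grep -c 'DNS:ldap01.example.test' || true
  )
  rm -rf "$d"
}
echo "default (copy_extensions unset): $(sign_and_count_san '')"
echo "with copy_extensions = copy:     $(sign_and_count_san 'copy_extensions = copy')"
```

With `copy_extensions = copy`, extensions in the request that the CA section does not already set are copied into the certificate, so requests should be inspected before signing. Setting `basicConstraints = CA:false` in the CA's own section keeps a request from supplying that extension itself.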