[openssl-users] Signing a csr with subjectAltName using x509 command

Gareth Williams gareth at garethwilliams.me.uk
Thu Jan 14 08:07:18 UTC 2016

On Wednesday 13 January 2016 16:22:10 Mauro Romano Trajber 
> In which section?
> On section [CA_default] I have 'copy_extensions = copy'

Is that the issue?  You have copy_extensions in the CA_default 
section, which is no doubt referenced by the default_ca = ... stanza 
earlier in the config file.

My understanding is that this is only read when you use the openssl 
ca command.  As you stated you're using the openssl x509 command 
to sign your request, then this isn't being read.

Any reason you're not signing with the openssl ca command?  I've just 
checked and it works as you expected when using this command.

Kind regards,


> Can I do this using only command line options?
> On Wed, Jan 13, 2016 at 3:42 PM, Salz, Rich <rsalz at akamai.com> 
> > >But when I try to sign it using my own CA using the x509 command this data is removed
> > 
> > You need to make sure that subjectAltName is marked as copy in your config file.
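
The behaviour discussed in this thread, as an added example that is not part of the original messages: the same CSR is signed once with `openssl x509 -req` and once with `openssl ca`, and the issued certificate is checked for the requested subjectAltName. The host name, CA name, file names and the minimal config sections are constructed for the demo.

```shell
# Added demo; every name here (example.test, Demo CA, file names) is constructed.
san_demo() {   # $1 = x509 | ca ; prints "kept" or "dropped"
  d=$(mktemp -d) || return 1
  cat > "$d/req.cnf" <<EOF
[ req ]
distinguished_name = dn
req_extensions = v3_req
prompt = no
[ dn ]
CN = www.example.test
[ v3_req ]
subjectAltName = DNS:www.example.test
EOF
  cat > "$d/ca.cnf" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
database = $d/index.txt
serial = $d/serial
new_certs_dir = $d
default_md = sha256
default_days = 30
policy = policy_any
copy_extensions = copy
[ policy_any ]
commonName = supplied
EOF
  : > "$d/index.txt"; echo 01 > "$d/serial"
  # Throwaway CA key/cert, then a CSR that requests a subjectAltName.
  openssl req -x509 -newkey rsa:2048 -nodes -config "$d/req.cnf" -subj "/CN=Demo CA" \
    -days 30 -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -config "$d/req.cnf" \
    -keyout "$d/srv.key" -out "$d/srv.csr" 2>/dev/null
  # x509: [CA_default] is not consulted, even with the file set as OPENSSL_CONF.
  # ca:   [CA_default] is read, so copy_extensions = copy carries the SAN over.
  case "$1" in
    x509) OPENSSL_CONF="$d/ca.cnf" openssl x509 -req -in "$d/srv.csr" -CA "$d/ca.crt" \
            -CAkey "$d/ca.key" -CAcreateserial -days 30 -out "$d/srv.crt" 2>/dev/null ;;
    ca)   openssl ca -batch -notext -config "$d/ca.cnf" -cert "$d/ca.crt" \
            -keyfile "$d/ca.key" -in "$d/srv.csr" -out "$d/srv.crt" 2>/dev/null ;;
  esac
  # Inspect the issued certificate for the SAN the CSR asked for.
  openssl x509 -in "$d/srv.crt" -noout -text | grep -q 'DNS:www.example.test' \
    && r=kept || r=dropped
  rm -rf "$d"; echo "$r"
}
san_demo x509   # dropped
san_demo ca     # kept
```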
