overriding v3 extensions

Hello,

I'd like to set individual v3 extensions (in particular subjectAltName)
when signing certificate requests (CSR) and use CA defaults for the
other extensions.
Is it possible to achieve this without passing the complete list of
extensions for the certificate via -config or -extfile ?

Example:
I have a certificate request with subj=/CN=foo/emailAddress=foo at bar.com/
and subjectAltName=email:foo at bar.com,DNS:bar.com
and a default section for extensions v3_ext in openssl.cnf
(authorityInfoAccess etc).
I can change the subject of the CSR using "openssl req -subj newsubj".
However, changing the extensions isn't that easy:

I have tried to change the subjectAltName of the CSR to no avail with
"openssl req -config extcfg -reqexts ext" with extcfg:
[ext]
subjAltname=newaltname

If this was working, I would have added copy_extensions=copy in
openssl.cnf and removed subjectAltName from the v3_ext section,
so that subjectAltName would be copied from the modified CSR and merged
with the defaults.

It seems I need to copy the whole v3_ext section from openssl.cnf, replace
subjectAltName with the desired value and run "openssl ca -extfile
extcfg -extensions v3_ext"

Is there any other solution that does not require extracting v3_ext from
openssl.cnf?

Thank you!
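
The workaround described in the message above (copy the v3_ext section, replace subjectAltName, pass the result to "openssl ca -extfile"), scripted as an added example that is not part of the original post. The function names, the sample configuration and the SAN value are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post).
# make_extfile CONFIG SECTION SAN
# Prints SECTION of CONFIG with its subjectAltName line replaced by SAN.
# Limitation: values that point at other sections (@name) are copied as-is;
# the sections they refer to are not.
make_extfile() {
    awk -v sect="$2" -v san="$3" '
        /^[ \t]*\[/ {                        # section header
            name = $0
            sub(/^[ \t]*\[[ \t]*/, "", name)
            sub(/[ \t]*\].*$/, "", name)
            insec = (name == sect)
            if (insec) { print "[" sect "]"; found = 1 }
            next
        }
        !insec { next }                      # outside the wanted section
        /^[ \t]*subjectAltName[ \t]*=/ { next }   # drop the CA default
        /^[ \t]*(#|$)/ { next }              # drop comments and blank lines
        { print }
        END {
            if (!found) exit 1               # section missing: fail, print nothing
            print "subjectAltName = " san
        }
    ' "$1"
}

# Constructed sample standing in for the CA's openssl.cnf.
demo() {
    cnf=$(mktemp) || return 1
    cat > "$cnf" <<'EOF'
[ ca ]
default_ca = CA_default

[ v3_ext ]
basicConstraints = CA:FALSE
authorityInfoAccess = caIssuers;URI:http://ca.example/ca.crt
subjectAltName = email:copy

[ other ]
keyUsage = digitalSignature
EOF
    make_extfile "$cnf" v3_ext "email:foo@bar.example,DNS:bar.example"
    rc=$?
    rm -f "$cnf"
    return $rc
}
demo
# Real use: make_extfile /path/to/openssl.cnf v3_ext "$SAN" > extcfg
#           openssl ca -extfile extcfg -extensions v3_ext -in req.csr -out cert.pem
```

The generated file carries the CA's other defaults unchanged, so only the subjectAltName differs from what the CA would have issued by default.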

