On 11/03/2015 12:04 PM, Walter H. wrote:
> On 03.11.2015 14:46, John Lewis wrote:
>> I created a local certification authority using this tutorial
>> https://www.debian-administration.org/article/284/Creating_and_Using_a_self_signed__SSL_Certificates_in_debian
>>
>> and made a certification request using this tutorial and I use this
>> tutorial to learn how to make a request with a Subject Alternate Name.
>>
>> I actually did manage to get lucky just now and I hypothesize that
>> running a command like this 'openssl ca -in ldap01.req -out
>> certs/new/ldap04.pem -extensions v3_req -config ./openssl.cnf' as
>> opposed to running a command like this 'openssl ca -in ldap01.req -out
>> certs/new/ldap04.pem -config ./openssl.cnf' got my CA to create a cert
>> with subject alternate names. How do I add '-extensions v3_req' to my ca
>> configuration and have it not be ignored?
>>
>
> add the following parameter(s):
>
> -extensions sslcertext -extfile file
>
> this file is similar to the following
>
> [ sslcertext ]
> basicConstraints = CA:false
> keyUsage = critical, digitalSignature, keyEncipherment
> subjectKeyIdentifier = hash
> authorityKeyIdentifier = keyid:always, issuer:always
> authorityInfoAccess = OCSP;URI:#OCSP-URL#/, caIssuers;URI:#DER-CACERT-URL#
>
> issuerAltName = issuer:copy
> subjectAltName = #SUBJECTALTNAME#
>
> extendedKeyUsage = serverAuth, msSGC, nsSGC
>
> certificatePolicies = ia5org, @policy_section
> crlDistributionPoints = URI:#CRL-URL#
>
> [ policy_section ]
> policyIdentifier = #POLICYID#
> CPS.1 = #CPS-URL#
>

Do I replace my current [v3_req] section with the contents of [sslcertext]?
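
Added example, not part of the thread and not either poster's configuration: a throwaway CA whose `[ CA_default ]` section names its extension section with `x509_extensions`, so `openssl ca` applies it with no `-extensions` on the command line. The host names, file names and section names (`server_ext`, `ca_ext`) are constructed for the demo; `copy_extensions = none` keeps the CA from honouring extensions a requester places in the CSR.

```sh
#!/bin/sh
# Constructed demo: throwaway CA in a temp dir. All names are assumptions.
sign_with_default_ext() {
    d=$(mktemp -d) || return 1
    (
        cd "$d" || exit 1
        mkdir newcerts; : > index.txt; echo 01 > serial
        cat > ca.cnf <<'EOF'
[ ca ]
default_ca = CA_default
[ CA_default ]
database        = index.txt
new_certs_dir   = newcerts
serial          = serial
certificate     = ca.pem
private_key     = ca.key
default_md      = sha256
default_days    = 30
policy          = policy_any
x509_extensions = server_ext  # used when no -extensions is given
copy_extensions = none        # never take extensions from the request
[ policy_any ]
commonName = supplied
[ server_ext ]
basicConstraints = CA:false
keyUsage         = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName   = DNS:ldap01.example.test, DNS:ldap.example.test
[ ca_ext ]
basicConstraints = critical, CA:true
keyUsage         = critical, keyCertSign, cRLSign
[ req ]
distinguished_name = dn
[ dn ]
EOF
        openssl req -x509 -newkey rsa:2048 -nodes -config ca.cnf -extensions ca_ext \
            -subj "/CN=Demo CA" -days 30 -keyout ca.key -out ca.pem 2>/dev/null || exit 1
        openssl req -new -newkey rsa:2048 -nodes -config ca.cnf \
            -subj "/CN=ldap01.example.test" -keyout ldap01.key -out ldap01.req 2>/dev/null || exit 1
        # No -extensions on the command line: server_ext comes from x509_extensions.
        openssl ca -batch -config ca.cnf -in ldap01.req -out ldap01.pem 2>/dev/null || exit 1
        openssl x509 -in ldap01.pem -noout -text
    )
    rc=$?
    rm -rf "$d"
    return $rc
}
sign_with_default_ext | grep -A1 -E 'Basic Constraints|Subject Alternative Name'
```

Passing `-extensions` (with or without `-extfile`) on the command line still overrides the section named by `x509_extensions` for that one signing operation.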