On 03.11.2015 18:45, John Lewis wrote:
> On 11/03/2015 12:04 PM, Walter H. wrote:
>> On 03.11.2015 14:46, John Lewis wrote:
>>> I created a local certification authority using this tutorial
>>> https://www.debian-administration.org/article/284/Creating_and_Using_a_self_signed__SSL_Certificates_in_debian
>>>
>>> and made a certification request using this tutorial and I use this
>>> tutorial to learn how to make a request with a Subject Alternate Name.
>>>
>>> I actually did manage to get lucky just now and I hypothesize that
>>> running a command like this 'openssl ca -in ldap01.req -out
>>> certs/new/ldap04.pem -extensions v3_req -config ./openssl.cnf' as
>>> opposed to running a command like this 'openssl ca -in ldap01.req -out
>>> certs/new/ldap04.pem -config ./openssl.cnf' got my CA to create a cert
>>> with subject alternate names. How do I add '-extensions v3_req' to my ca
>>> configuration and have it not be ignored?
>>>
>>
>> add the following parameter(s):
>>
>> -extensions sslcertext -extfile file
>> this file is similar to the following
>>
>> [ sslcertext ]
>> basicConstraints = CA:false
>> keyUsage = critical, digitalSignature, keyEncipherment
>> subjectKeyIdentifier = hash
>> authorityKeyIdentifier = keyid:always, issuer:always
>> authorityInfoAccess = OCSP;URI:#OCSP-URL#/, caIssuers;URI:#DER-CACERT-URL#
>>
>> issuerAltName = issuer:copy
>> subjectAltName = #SUBJECTALTNAME#
>>
>> extendedKeyUsage = serverAuth, msSGC, nsSGC
>>
>> certificatePolicies = ia5org, @policy_section
>> crlDistributionPoints = URI:#CRL-URL#
>>
>> [ policy_section ]
>> policyIdentifier = #POLICYID#
>> CPS.1 = #CPS-URL#
>>
>
> Do I replace my current [v3_req] section with the contents of
> [sslcertext]
>

No, you add this part, because v3_req is used for the certificate request ...

and I have forgotten to mention that #...# must be replaced with the right values;
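
Added example, not part of the original messages: a shell script that signs one request twice with a throwaway CA, once without and once with `-extensions sslcertext -extfile`, and prints the subjectAltName each certificate ends up with. The CA name, host name, file names and the `san_of`/`san_demo` helpers are constructed for illustration; the extension section is a reduced form of the one in the reply.

```shell
# Added example: throwaway CA in a temp dir; every name below is constructed.
san_of() {  # print a certificate's subjectAltName value, or "none"
    s=$(openssl x509 -in "$1" -noout -text | sed -n '/Subject Alternative Name/{n;s/^ *//;p;}')
    echo "${s:-none}"
}
san_demo() (
    d=$(mktemp -d) && cd "$d" || exit 1
    mkdir newcerts && : > index.txt && echo 01 > serial
    cat > ca.cnf <<'EOF'
[ ca ]
default_ca = demo_ca
[ demo_ca ]     # no x509_extensions and no copy_extensions set here
database = index.txt
new_certs_dir = newcerts
serial = serial
default_md = sha256
policy = policy_any
unique_subject = no
[ policy_any ]
commonName = supplied
[ req ]
distinguished_name = dn
[ dn ]
[ v3_ca ]
basicConstraints = critical, CA:true
subjectKeyIdentifier = hash
[ v3_req ]      # used with -reqexts: ends up in the request only
subjectAltName = DNS:ldap01.example.test
EOF
    cat > ext.cnf <<'EOF'
[ sslcertext ]
basicConstraints = CA:false
keyUsage = critical, digitalSignature, keyEncipherment
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
subjectAltName = DNS:ldap01.example.test
EOF
    ca="openssl ca -batch -notext -days 30 -config ca.cnf -cert ca.pem -keyfile ca.key -in ldap01.req"
    { openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.pem \
          -subj "/CN=Demo CA" -days 30 -config ca.cnf -extensions v3_ca &&
      openssl req -new -newkey rsa:2048 -nodes -keyout ldap01.key -out ldap01.req \
          -subj "/CN=ldap01.example.test" -config ca.cnf -reqexts v3_req &&
      $ca -out plain.pem &&   # no -extensions: the request's SAN is not copied
      $ca -out san.pem -extensions sslcertext -extfile ext.cnf
    } >/dev/null 2>&1 || exit 1
    echo "plain:   $(san_of plain.pem)"; echo "extfile: $(san_of san.pem)"
    cd / && rm -rf "$d"
)
san_demo
```

The first certificate has no SAN because `openssl ca` does not copy request extensions unless `copy_extensions` is set; the second takes its extensions from the `sslcertext` section of the `-extfile`.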