On 08/17/2017 06:38 PM, Jeffrey Walton wrote:
> On Thu, Aug 17, 2017 at 6:30 PM, Robert Moskowitz <rgm@xxxxxxxxxxxxxxx> wrote:
> > I guess I am making progress. I am not getting SAN into the root cert. My
> > cnf has in it:
> >
> > [ req ]
> > # Options for the `req` tool (`man req`).
> > default_bits = 2048
> > prompt = no
> > distinguished_name = req_distinguished_name
> > string_mask = utf8only
> > req_extensions = req_ext
> >
> > [ req_ext ]
> > #subjectAltName = email:$ENV::adminemail
> > #subjectAltName = email:admin@xxxxxxxxxxxxxxx
> > subjectAltName = IP:192.168.24.1
> >
> > I tried all three above alternatives for SAN. No SAN in the root cert
> > created with:
> >
> > openssl req -config openssl-root.cnf -key private/ca.key.pem \
> > -new -x509 -days 7300 -sha256 -extensions v3_ca -out certs/ca.cert.pem
> >
> > Thanks for any insight.
> >
> > This type of cnf worked for creating a CSR and with the copy option the SAN
> > made it into the cert.
>
> It looks a bit unusual for a Root CA.
>
> As far as signing the CSR, you need
> copy_extensions = copy

I have that in the [ ca ] section and it did put SAN into the
intermediate CA cert.
But I can't seem to get it into the root CA cert.
Bob
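
Added example, not part of the original thread: with `-x509`, `openssl req` takes the certificate's extensions from the section named by `-extensions` (or by `x509_extensions`), not from `req_extensions`, so a SAN set only in `[ req_ext ]` never reaches the self-signed root. The script reproduces both cases with a constructed config and a throwaway key; the DN and the contents of `[ v3_ca ]` are assumptions, since the thread does not show them.

```shell
#!/bin/sh
# Added example: constructed config and throwaway key, not the poster's files.
# Prints "present" or "absent" for the SAN in a root cert made with
# `req -new -x509 -extensions v3_ca`.
root_cert_san() {
    san_in_v3_ca=$1                      # "yes" = also set SAN in [ v3_ca ]
    dir=$(mktemp -d) || return 1
    cat > "$dir/openssl-root.cnf" <<'EOF'
[ req ]
default_bits = 2048
prompt = no
distinguished_name = req_distinguished_name
string_mask = utf8only
req_extensions = req_ext
[ req_distinguished_name ]
CN = Example Root CA
[ req_ext ]
subjectAltName = IP:192.168.24.1
[ v3_ca ]
basicConstraints = critical, CA:true
keyUsage = critical, keyCertSign, cRLSign
EOF
    if [ "$san_in_v3_ca" = yes ]; then
        # Appended line lands in [ v3_ca ], the last section of the file.
        echo 'subjectAltName = IP:192.168.24.1' >> "$dir/openssl-root.cnf"
    fi
    openssl genrsa -out "$dir/ca.key.pem" 2048 2>/dev/null
    openssl req -config "$dir/openssl-root.cnf" -key "$dir/ca.key.pem" \
        -new -x509 -days 7300 -sha256 -extensions v3_ca \
        -out "$dir/ca.cert.pem" 2>/dev/null
    # Dump the certificate and look for the SAN value in its text form.
    openssl x509 -in "$dir/ca.cert.pem" -noout -text > "$dir/cert.txt"
    if grep -q 'IP Address:192.168.24.1' "$dir/cert.txt"; then
        result=present
    else
        result=absent
    fi
    rm -rf "$dir"
    echo "$result"
}

echo "SAN only in [ req_ext ]:        $(root_cert_san no)"
echo "SAN in [ req_ext ] + [ v3_ca ]: $(root_cert_san yes)"
```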