Re: Problems adding specific extensions to signed certificates

On Fri, Feb 7, 2020 at 3:08 PM Michael Wojcik
<Michael.Wojcik@xxxxxxxxxxxxxx> wrote:
>
> > From: Michael Leone [mailto:turgon@xxxxxxxxxxxxxx]
> > Sent: Friday, February 07, 2020 11:55
> >
> > How is it that this works for everyone else, and not me? :-)
>
> It doesn't.
>
> I just reviewed this whole note stream, and realized you're using "openssl req" to create the certificate, rather than "openssl ca", according to your first note.
>
> openssl req doesn't respect copy_extensions, because it doesn't use a CA-section in the configuration file.
>
> To accomplish what you want, you'll have to use openssl ca. There are a number of walkthroughs online for setting that up.

Yep, I've been communicating offlist with another member, and he's
finally set me straight. Now I am using "openssl ca", and it is giving
me the extensions the CSR is asking for.

I've got it almost all figured out, except how to get a subjectAltName
automatically populated by the CN of the requestor. My requests aren't
asking for a SAN, but Chrome isn't happy without one, so I'd like to
at least auto-populate 1 SAN by having it be the DNS:<CN> of the
requesting CSR.

Is that doable?
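
The following is an added example, not part of the original message or of OpenSSL itself: one way to sign with "openssl ca" (which reads copy_extensions from its CA section) while adding a single SAN derived from the CSR's CN through -extfile. The function names, the demo CA layout and the policy are assumptions made for illustration; the CN is validated as a DNS hostname first because it is requester-controlled text that ends up in an extension file.

```shell
#!/bin/sh
# Added example: sign a CSR with "openssl ca" and add one SAN, DNS:<CN>.
# Function names, paths and the demo CA are constructed for illustration.

# Print the CSR's commonName, or fail unless it is a plain DNS hostname.
# Anything else (spaces, commas, wildcards, escapes) is refused so that
# requester-supplied text cannot alter the extension file.
csr_cn() {
    re='^[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?(\.[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?)*$'
    cn=$(openssl req -in "$1" -noout -subject -nameopt multiline |
         sed -n 's/^ *commonName *= //p' | head -n 1)
    printf '%s\n' "$cn" | LC_ALL=C grep -Eq "$re" || return 1
    printf '%s\n' "$cn"
}

# Sign CSR $2 into certificate $3 using CA config $1, adding SAN DNS:<CN>.
# -extfile without -extensions reads the file's default (unnamed) section.
sign_with_cn_san() {
    cn=$(csr_cn "$2") || { echo "CN is not a DNS name; refusing" >&2; return 1; }
    ext=$(mktemp) || return 1
    printf 'subjectAltName = DNS:%s\n' "$cn" > "$ext"
    openssl ca -batch -config "$1" -extfile "$ext" -in "$2" -out "$3" -notext
    rc=$?; rm -f "$ext"; return $rc
}

# Build a throwaway CA in directory $1 (demo only: unencrypted key).
make_demo_ca() {
    mkdir -p "$1/newcerts" && : > "$1/index.txt" && echo 01 > "$1/serial"
    cat > "$1/ca.cnf" <<EOF
[ ca ]
default_ca = demo_ca
[ demo_ca ]
database        = $1/index.txt
new_certs_dir   = $1/newcerts
serial          = $1/serial
certificate     = $1/ca.crt
private_key     = $1/ca.key
default_md      = sha256
default_days    = 30
policy          = policy_any
copy_extensions = copy
[ policy_any ]
commonName = supplied
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=Demo CA" -days 30 \
        -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
}
# Usage: d=$(mktemp -d); make_demo_ca "$d"
#        sign_with_cn_san "$d/ca.cnf" request.csr issued.crt
```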


