I know that these days, certificates need a subject alternative name (SAN). But how best to specify that, using openssl, where I don't have to hardcode that into an extensions file?
For example, in my CSR (generated on a Windows Active Directory domain controller, there is no entry that says "subject alt name". I imagine I want my SAN to be the DNS name of the requesting client.
But how do I put that into a certificate extensions file, so that I don't have to manually add a line "subjectAltName=DNS:<FQDN>" for each different certificate I want to sign? I want that SAN to be auto-generated. All of the examples I see (such as
http://wiki.cacert.org/FAQ/subjectAltName) seem to hardcode specific names, which means I have to edit the file each time. I don't want to do that, I just want to sign the CSR, and have openssl figure out how to add a SAN (based on the DNS of the client) itself.
Is that doable? I haven't seen how ...
Anyone?
TIA