Michael Leone via plug on 5 Feb 2020 08:10:26 -0800



[PLUG] openssl and specifying subjectAltName


I know that these days, certificates need a subject alternative name (SAN). But how best to specify that, using openssl, where I don't have to hardcode that into an extensions file?

For example, in my CSR (generated on a Windows Active Directory domain controller), there is no entry that says "subject alt name". I imagine I want my SAN to be the DNS name of the requesting client.

But how do I put that into a certificate extensions file, so that I don't have to manually add a line "subjectAltName=DNS:<FQDN>" for each different certificate I want to sign? I want that SAN to be auto-generated. All of the examples I see (such as http://wiki.cacert.org/FAQ/subjectAltName) seem to hardcode specific names, which means I have to edit the file each time. I don't want to do that, I just want to sign the CSR, and have openssl figure out how to add a SAN (based on the DNS of the client) itself.

Is that doable? I haven't seen how ...

Anyone?

TIA




--

Mike. Leone, <mailto:turgon@mike-leone.com>

PGP Fingerprint: 0AA8 DC47 CB63 AE3F C739 6BF9 9AB4 1EF6 5AA5 BCDF
Photo Gallery: <http://www.flickr.com/photos/mikeleonephotos>

This space reserved for future witticisms ...
___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug
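
One way to do what the post asks, as an added example (not part of the original message): read the commonName out of the CSR at signing time and feed it to openssl as a generated extensions file, so nothing is hardcoded. It assumes the CSR's CN is the client's FQDN and that signing is done with "openssl x509 -req"; the file names ca.crt and ca.key and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: build subjectAltName from the CSR's own CN when signing.
# Assumptions: CA files are ca.crt / ca.key (override with CA_CERT / CA_KEY).
LC_ALL=C; export LC_ALL
CA_CERT=${CA_CERT:-ca.crt}
CA_KEY=${CA_KEY:-ca.key}

# Read "openssl req -subject -nameopt multiline" text on stdin, print first CN.
cn_from_subject() {
    sed -n 's/^[[:space:]]*commonName[[:space:]]*=[[:space:]]*//p' | head -n 1
}

# Accept only dotted host names made of letters, digits and hyphens.
# The CN is requester-controlled: a "," or newline in it would otherwise add
# extra SAN entries or extension lines to the file written below.
is_dns_name() {
    case $1 in
        ''|*[!A-Za-z0-9.-]*|.*|*.|*..*|-*|*-|*.-*|*-.*) return 1 ;;
        *.*) [ "${#1}" -le 253 ] ;;
        *) return 1 ;;
    esac
}

# sign_with_san <csr> <out.crt>
sign_with_san() {
    csr=$1; out=$2
    cn=$(openssl req -in "$csr" -noout -subject -nameopt multiline | cn_from_subject)
    if ! is_dns_name "$cn"; then
        echo "refusing to sign: CN '$cn' is not a plain DNS name" >&2
        return 1
    fi
    ext=$(mktemp) || return 1
    printf 'subjectAltName=DNS:%s\n' "$cn" > "$ext"
    openssl x509 -req -in "$csr" -CA "$CA_CERT" -CAkey "$CA_KEY" \
        -CAcreateserial -days 365 -sha256 -extfile "$ext" -out "$out"
    rc=$?
    rm -f "$ext"
    return $rc
}

# Stand-alone use: ./sign.sh client.csr client.crt
if [ "$#" -eq 2 ]; then
    sign_with_san "$1" "$2"
fi
```

The name check only keeps the generated extensions file well-formed; whether the requester is entitled to that host name still has to be decided by whoever approves the CSR.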