| Michel van der List via plug on 5 Feb 2020 11:59:37 -0800 |
[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]
| Re: [PLUG] openssl and specifying subjectAltName |
That works just fine for me. On 2/5/20 1:32 PM, brent timothy saner via plug wrote:
On 2/5/20 12:48, Michael Leone wrote:We *are* the CA. These are internal certs, signed by our internal Linux CA.When I say "the CA", I'm operating under the assumption that you control both the CA and requester(s). But either way, it wouldn't matter; I'm speaking about general X.509 structure here.But long story short, yes, FYI, you could have just started with this. :)I did. "> Is that doable? I haven't seen how ... nope; you haven't seen it because it isn't doable. OpenSSL expects a static environment." "The openssl.cnf syntax has a .include directive[0], but you're still going to be manually editing a config if you want a different set of SANs." If you don't want to manually edit for each request, assuming you still want to add the SANs on the CA side, either you need to use some programmatic method of generating CSRs, or use something that will generate the CSRs for you like Vault. If you include the SANs in the CSR itself instead, each requester just needs its own static configuration of CN/SANs.
___________________________________________________________________________ Philadelphia Linux Users Group -- http://www.phillylinux.org Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce General Discussion -- http://lists.phillylinux.org/mailman/listinfo/plug