This ensures the SANs are copied into the certificate.
Find this line under the CA_default section: # Extension copying option: use with caution.Īnd change it to: # Extension copying option: use with caution. In the end, the IETF ( RFC 5280), browsers and CAs run fast and loose, so it probably does not matter what key usage you provide. It's a useless bit thought up by computer science guys/gals who wanted to be lawyers. Search for the exact string : subjectAltName = might change keyUsage to the following under : keyUsage = digitalSignature, keyEnciphermentĭigitalSignature and keyEncipherment are standard fare for a server certificate. Next, add the following to the existing section. There are no existing alternate_names sections, so it does not matter where you add it. Add an alternate_names section to openssl.cnf with the names you want to use. You can determine which openssl.cnf is being used by adding a spurious XXX to the file and see if openssl chokes.įirst, modify the req parameters.
On recent Debian systems it is located at /etc/ssl/openssl.cnf On my Debian system, /usr/lib/ssl/openssl.cnf is used by the built-in openssl program. It is likely located in /usr/lib/ssl/openssl.cnf: $ find /usr/lib -name openssl.cnf You might be able to do it with only command line options, but I don't do it that way.įind your openssl.cnf file. It's a three-step process, and it involves modifying the openssl.cnf file. Can someone help me with the exact syntax?
0 kommentar(er)
