Dean Willis wrote:
> OpenSSL can generate SAN. None of my certs have it.
>
> Oddly enough, the SAN settings appear to go into the master config
> file and affect every CSR generated. So you have to reconfigure the
> software for each CSR generated. Yuck.

Could you not use the -extfile parameter to the "openssl x509 -req"
command? In other words:

  $ openssl x509 -req -in <...>.pem -extfile foo.cfg -extensions v3 ...

and in foo.cfg

  [ v3 ]
  subjectKeyIdentifier = hash
  basicConstraints = CA:false
  subjectAltName = DNS:foo.example.com, URI:sip:foo.com

This works for me, of course, at least for the limited use that
I put openssl x509 command to. I cannot speak for the CAs that
do this for a living on how they put SANs in the CSR they get.

- vijay
--
Vijay K. Gurbani, Bell Laboratories, Alcatel-Lucent
2701 Lucent Lane, Rm. 9F-546, Lisle, Illinois 60532 (USA)
Email: vkg {alcatel-lucent.com,bell-labs.com,acm.org}
WWW: http://www.alcatel-lucent.com/bell-labs
_______________________________________________
Sip mailing list https://www.ietf.org/mailman/listinfo/sip
This list is for NEW development of the core SIP Protocol
Use sip-implementors cs.columbia.edu for questions on current sip
Use sipping ietf.org for new developments on the application of sip
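
Added example, not part of the original message: the -extfile approach described above, scripted so that each certificate gets its own SAN list from a one-off extension file while the master openssl.cnf is left alone. The throwaway CA, the file names, the function names and bar.example.com are constructed for illustration.

```shell
#!/bin/sh
# Per-certificate SANs via "openssl x509 -req -extfile", as suggested in the
# message. Everything here (demo CA, paths, subjects) is constructed sample data.

# make_demo_ca <dir>: create a short-lived self-signed CA to sign with.
make_demo_ca() {
    openssl req -x509 -new -newkey rsa:2048 -nodes -subj "/CN=Demo CA" \
        -days 30 -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null
}

# issue_with_san <dir> <name> <san-list>
# Generates a key and CSR, writes an extension file holding only this
# certificate's SANs, then signs the CSR with that file.
issue_with_san() {
    dir=$1; name=$2; san=$3
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$name" \
        -keyout "$dir/$name.key" -out "$dir/$name.csr" 2>/dev/null || return 1
    cat > "$dir/$name.ext" <<EOF
[ v3 ]
subjectKeyIdentifier = hash
basicConstraints = CA:false
subjectAltName = $san
EOF
    openssl x509 -req -in "$dir/$name.csr" -CA "$dir/ca.pem" \
        -CAkey "$dir/ca.key" -CAcreateserial -days 30 -sha256 \
        -extfile "$dir/$name.ext" -extensions v3 \
        -out "$dir/$name.pem" 2>/dev/null
}

# san_of <cert.pem>: print the SAN line of an issued certificate, so the
# result can be checked instead of assumed.
san_of() {
    openssl x509 -in "$1" -noout -text |
        awk '/Subject Alternative Name/ { getline; gsub(/^[ \t]+|[ \t]+$/, ""); print }'
}

# Demo: two certificates, two different SAN lists, no config edits in between.
d=$(mktemp -d)
make_demo_ca "$d"
issue_with_san "$d" foo "DNS:foo.example.com, URI:sip:foo.com"
issue_with_san "$d" bar "DNS:bar.example.com"
san_of "$d/foo.pem"
san_of "$d/bar.pem"
rm -rf "$d"
```
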