24.09.2016 14:34, Alfredo Amaya wrote:
openssl x509 -in new.cert.csr -out new.cert.cert -req -signkey new.cert.key -days 365
You need to explicitly tell it to use extensions by using "-extensions v3_req". I do not know if it is possible to set defaults in openssl.cnf here.
(I also tried the solution suggested above and the -extensions v3_req param. It doesn't work)
It does. I usually test things before explicitly recommending them.
How do you check it? I execute:
# openssl x509 -in new.cert.csr -out new.cert.cert -req -signkey new.cert.key -days 365 -extensions v3_req
and then these commands for checking:
# openssl x509 -in new.cert.cert -text -noout
or
# openssl x509 -in new.cert.cert -subject -noout
and I don't see the extensions. Do you? How do you see them?
bor@bor-Latitude-E5450:/tmp$ openssl x509 -text -noout -in san_domain_com.crt
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 17715959473418646696 (0xf5dbbb472455b4a8)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=AU, ST=Some-State, O=Internet Widgits Pty Ltd
        Validity
            Not Before: Sep 24 07:01:29 2016 GMT
            Not After : Sep 22 07:01:29 2026 GMT
        Subject: C=AU, ST=Some-State, O=Internet Widgits Pty Ltd
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    ...
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Key Usage:
                Digital Signature, Non Repudiation, Key Encipherment
            X509v3 Subject Alternative Name:
                DNS:kb.example.com, DNS:helpdesk.example.org, DNS:systems.example.net, IP Address:192.168.1.1, IP Address:192.168.69.14
    Signature Algorithm: sha256WithRSAEncryption
         ...
bor@bor-Latitude-E5450:/tmp$
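
Added example, not part of the thread or of anyone's message: `openssl x509` reads the section named by `-extensions` from the file given with `-extfile`, so this script signs the same CSR once with only `-extensions v3_req` and once with `-extfile` as well, then checks each certificate for a Subject Alternative Name. File names follow the thread; `ext.cnf`, its contents and the SAN values are constructed for the example.

```shell
# Added example: compares "x509 -req" with and without -extfile.
# ext.cnf and the names in it are constructed sample data.
set -e

# Build a key, a CSR and a config whose [v3_req] section holds the extensions.
make_inputs() {
    dir=$1
    cat > "$dir/ext.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = kb.example.com
[v3_req]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment
subjectAltName = DNS:kb.example.com, DNS:helpdesk.example.org, IP:192.168.1.1
EOF
    openssl genrsa -out "$dir/new.cert.key" 2048 2>/dev/null
    openssl req -new -key "$dir/new.cert.key" -config "$dir/ext.cnf" \
        -out "$dir/new.cert.csr"
}

# Self-sign the CSR; extra arguments are passed through to "openssl x509".
sign_csr() {
    dir=$1; out=$2; shift 2
    openssl x509 -req -in "$dir/new.cert.csr" -signkey "$dir/new.cert.key" \
        -days 365 -out "$dir/$out" "$@"
}

# Succeeds only if the certificate carries a Subject Alternative Name.
has_san() {
    openssl x509 -in "$1" -noout -text |
        grep -q 'X509v3 Subject Alternative Name'
}

# Sign twice and report which certificate actually contains the extension.
demo() {
    dir=$(mktemp -d)
    make_inputs "$dir"
    sign_csr "$dir" plain.cert -extensions v3_req
    sign_csr "$dir" san.cert -extfile "$dir/ext.cnf" -extensions v3_req
    for c in plain.cert san.cert; do
        if has_san "$dir/$c"; then echo "$c: SAN present"; else echo "$c: no SAN"; fi
    done
    rm -rf "$dir"
}

demo
```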