9 |
9 |
HOME = .
|
10 |
10 |
RANDFILE = $ENV::HOME/.rnd
|
11 |
11 |
|
|
12 |
# default SAN value if $ENV::SAN is not defined
|
|
13 |
#
|
|
14 |
SAN =
|
|
15 |
|
12 |
16 |
# Extra OBJECT IDENTIFIER info:
|
13 |
17 |
#oid_file = $ENV::HOME/.oid
|
14 |
18 |
oid_section = new_oids
|
... | ... | |
212 |
216 |
#nsCaPolicyUrl
|
213 |
217 |
#nsSslServerName
|
214 |
218 |
|
|
219 |
[ usr_cert_san ]
|
|
220 |
|
|
221 |
# copy of [ usr_cert ] plus nonempty Subject Alternative Names
|
|
222 |
basicConstraints=CA:FALSE
|
|
223 |
nsComment = "OpenSSL Generated User Certificate"
|
|
224 |
subjectKeyIdentifier=hash
|
|
225 |
authorityKeyIdentifier=keyid,issuer:always
|
|
226 |
subjectAltName=$ENV::SAN
|
|
227 |
|
215 |
228 |
[ server ]
|
216 |
229 |
|
217 |
230 |
# Make a cert with nsCertType=server
|
... | ... | |
223 |
236 |
extendedKeyUsage=serverAuth
|
224 |
237 |
keyUsage = digitalSignature, keyEncipherment
|
225 |
238 |
|
|
239 |
[ server_san ]
|
|
240 |
|
|
241 |
# copy of [ server ] plus nonempty Subject Alternative Names
|
|
242 |
basicConstraints=CA:FALSE
|
|
243 |
nsCertType = server
|
|
244 |
nsComment = "OpenSSL Generated Server Certificate"
|
|
245 |
subjectKeyIdentifier=hash
|
|
246 |
authorityKeyIdentifier=keyid,issuer:always
|
|
247 |
extendedKeyUsage=serverAuth
|
|
248 |
keyUsage = digitalSignature, keyEncipherment
|
|
249 |
subjectAltName=$ENV::SAN
|
|
250 |
|
226 |
251 |
[ v3_req ]
|
227 |
252 |
|
228 |
253 |
# Extensions to add to a certificate request
|
... | ... | |
267 |
292 |
# You can even override a supported extension:
|
268 |
293 |
# basicConstraints= critical, DER:30:03:01:01:FF
|
269 |
294 |
|
|
295 |
[ v3_ca_san ]
|
|
296 |
|
|
297 |
# copy of [ v3_ca ] plus nonempty Subject Alternative Names
|
|
298 |
subjectKeyIdentifier=hash
|
|
299 |
authorityKeyIdentifier=keyid:always,issuer:always
|
|
300 |
basicConstraints = CA:true
|
|
301 |
subjectAltName=$ENV::SAN
|
|
302 |
|
270 |
303 |
[ crl_ext ]
|
271 |
304 |
|
272 |
305 |
# CRL extensions.
|
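Review bot: `subjectAltName=$ENV::SAN` in `[ usr_cert_san ]`, `[ server_san ]` and `[ v3_ca_san ]` hands the SAN environment variable straight to OpenSSL's extension parser, so whatever the caller exports becomes certificate names, including extra comma-separated entries or name types nobody intended. The code that sets SAN is not visible on this page; if the value comes from user-supplied input, it should be checked there against an allow-list of name types and syntax before export. A comment above each line, such as `# SAN is set by the caller to a validated list, e.g. DNS:host.example,IP:192.0.2.1`, would record that contract. Separately, `[ v3_ca_san ]` keeps `basicConstraints = CA:true` non-critical, presumably as in the `[ v3_ca ]` section it copies; RFC 5280 expects CA certificates to mark it critical, i.e. `basicConstraints = critical,CA:true`.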
cherry pick from 'hotfix/3347-Certificate_Authority_SAN_names_not_working':
bugfix #3347: Certificate Authority SAN names not working in 2.1
subjectAltName can be set only via the configuration file, so three extra sections were created in openssl.cnf for use when a subjectAltName is present.
Unfortunately it is not possible to assign an empty value to subjectAltName in openssl.cnf.