Révision 3cb773da
Ajouté par yarick123 il y a plus de 9 ans
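--- a/etc/ssl/openssl.cnf
+++ b/etc/ssl/openssl.cnf
@@ -9,6 +9,10 @@
 HOME = .
 RANDFILE = $ENV::HOME/.rnd
 
+# default SAN value if $ENV::SAN is not defined
+#
+SAN =
+
 # Extra OBJECT IDENTIFIER info:
 #oid_file = $ENV::HOME/.oid
 oid_section = new_oids
@@ -212,6 +216,15 @@
 #nsCaPolicyUrl
 #nsSslServerName
 
+[ usr_cert_san ]
+
+# copy of [ usr_cert ] plus nonempty Subject Alternative Names
+basicConstraints=CA:FALSE
+nsComment = "OpenSSL Generated User Certificate"
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer:always
+subjectAltName=$ENV::SAN
+
 [ server ]
 
 # Make a cert with nsCertType=server
@@ -223,6 +236,18 @@
 extendedKeyUsage=serverAuth
 keyUsage = digitalSignature, keyEncipherment
 
+[ server_san ]
+
+# copy of [ server ] plus nonempty Subject Alternative Names
+basicConstraints=CA:FALSE
+nsCertType = server
+nsComment = "OpenSSL Generated Server Certificate"
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer:always
+extendedKeyUsage=serverAuth
+keyUsage = digitalSignature, keyEncipherment
+subjectAltName=$ENV::SAN
+
 [ v3_req ]
 
 # Extensions to add to a certificate request
@@ -267,6 +292,14 @@
 # You can even override a supported extension:
 # basicConstraints= critical, DER:30:03:01:01:FF
 
+[ v3_ca_san ]
+
+# copy of [ v3_ca ] plus nonempty Subject Alternative Names
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid:always,issuer:always
+basicConstraints = CA:true
+subjectAltName=$ENV::SAN
+
 [ crl_ext ]
 
 # CRL extensions.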
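Review bot: `subjectAltName=$ENV::SAN` in `[ usr_cert_san ]`, `[ server_san ]` and `[ v3_ca_san ]` copies whatever the caller exports as SAN straight into a signed extension, and nothing in the file records what that value is allowed to contain. The code that sets SAN is not visible on this page, so it should be confirmed that it builds the string only from validated entries (for example `DNS:host.example` or `IP:192.0.2.10`, constructed samples) and rejects commas, newlines and unexpected type prefixes in user-supplied names, because every name that gets through becomes an identity the CA vouches for. I would add a comment above the default, e.g. `# SAN is set by the caller to a validated list such as DNS:host.example,IP:192.0.2.10`, and state in each `_san` section that it must only be selected when SAN is non-empty. Separately, `[ v3_ca_san ]` keeps `basicConstraints = CA:true` non-critical, whereas RFC 5280 expects `basicConstraints = critical,CA:true` on CA certificates; that is best changed together with `[ v3_ca ]` so the copied sections do not drift apart.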
cherry pick from 'hotfix/3347-Certificate_Authority_SAN_names_not_working':
bugfix #3347: Certificate Authority SAN names not working in 2.1
subjectAltName can be set only via configuration file - created three extra sections in openssl.cnf to use in case of existing subjectAltName.
Unfortunately it is not possible to assign empty value to subjectAltName in openssl.cnf