Linux, FreeBSD, Juniper, Cisco / Network security articles and troubleshooting guides
https://forum.ivorde.com/

OpenSSL certificate authority (CA) - how to copy x509 extensions from CSR to signed PEM
https://forum.ivorde.com/openssl-certificate-authority-ca-how-to-copy-x509-extensions-from-csr-to-signed-pem-t19421.html
Page 1 of 1

Author:  mandrei99 [ Thu Jan 08, 2015 11:59 am ]
Post subject:  OpenSSL certificate authority (CA) - how to copy x509 extensions from CSR to signed PEM

How to copy x509 extensions from CSR to signed PEM with OpenSSL

Edit openssl.cnf, go to the authority section, my case "[ CA_default ]" and uncomment the following line:
Code:
# Extension copying option: use with caution.
copy_extensions = copy


This is often required for x509 extension Subject Alternative Name. SubjectAltName is a x509 extension that permits various literal values to be included in the signed certificate. It is used for ipsec VPNs, more precisely for IKE Phase 1 authentication.

Ipsec Ike phase1 authentication is performed against EMAIL, DNS, IP or DIRNAME subject alternative names. In many cases, this is set by the certificate authority that signs the certificate, overwriting what is sent in the signing request, but in some cases, it is desired to copy these extensions from the signing request as they were added by the initiator of the request.

Page 1 of 1 All times are UTC - 5 hours [ DST ]
Powered by phpBB © 2000, 2002, 2005, 2007 phpBB Group
http://www.phpbb.com/