Re: Alternate names in certificates
Howard Chu wrote:
What will *not* work, apparently, is having the extension in the configuration file; the CA has to be told to insert it, and this is where the messiness starts.
This is a known limitation (bug) in OpenSSL 0.9.6. I don't recall if it's
been fixed in 0.9.7 or 0.9.8. (That is, extensions in the cert request are
not propagated into the signed certificate.)
It's rather off-topic here, but please note that most CAs won't propagate the
extensions from the CSR into the certificate. Therefore I'd not consider this a
bug in OpenSSL. This limitation is a security feature. I'd like to emphasize
that you *should not* automatically propagate the extensions from the CSR to
the EE certificate without filtering! CAs are even free to completely change
the subject name according to their CP and CPS.
Also, with X.509 certificates you have to know exactly what you are doing!
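The filtering step the reply above insists on, as an added illustration that is not part of this thread or of OpenSSL: a CA-side allow-list that keeps only a subjectAltName whose DNS names fall under the CA's permitted domains, drops everything the CA must set from its own profile (basicConstraints, keyUsage, and similar), and then builds the end-entity extension set itself. Extensions are modelled here as plain tuples rather than parsed DER; the sample CSR contents and the permitted-domain policy are constructed.

```python
from dataclasses import dataclass

# Standard X.509 extension OIDs (RFC 5280)
OID_SAN = "2.5.29.17"
OID_BASIC_CONSTRAINTS = "2.5.29.19"
OID_KEY_USAGE = "2.5.29.15"
OID_EXT_KEY_USAGE = "2.5.29.37"

# Extensions the CA always derives from its own profile, never from the CSR
CA_CONTROLLED = {OID_BASIC_CONSTRAINTS, OID_KEY_USAGE, OID_EXT_KEY_USAGE}


@dataclass(frozen=True)
class Extension:
    oid: str
    critical: bool
    value: object  # SAN: tuple of (kind, name); others: opaque profile value


def san_name_allowed(kind, name, permitted_suffixes):
    """Only DNS names, no wildcards, and only under a permitted domain."""
    if kind != "DNS" or "*" in name:
        return False
    n = name.lower()
    return any(n == s or n.endswith("." + s) for s in permitted_suffixes)


def filter_csr_extensions(requested, permitted_suffixes):
    """Split requested extensions into (accepted, rejected_with_reason)."""
    accepted, rejected = [], []
    for ext in requested:
        if ext.oid == OID_SAN:
            bad = [n for k, n in ext.value
                   if not san_name_allowed(k, n, permitted_suffixes)]
            if bad:
                rejected.append((ext, "SAN names outside policy: %s" % bad))
            else:  # SAN is never marked critical when a subject DN is present
                accepted.append(Extension(OID_SAN, False, tuple(ext.value)))
        elif ext.oid in CA_CONTROLLED:
            rejected.append((ext, "CA-controlled extension, taken from profile"))
        else:
            rejected.append((ext, "extension not in allow-list"))
    return accepted, rejected


def ee_extensions(requested, permitted_suffixes):
    """Final EE extension set: filtered SAN plus CA-profile values."""
    accepted, _ = filter_csr_extensions(requested, permitted_suffixes)
    return accepted + [
        Extension(OID_BASIC_CONSTRAINTS, True, {"ca": False}),
        Extension(OID_KEY_USAGE, True, {"digitalSignature", "keyEncipherment"}),
    ]


# Constructed CSR: a legitimate SAN plus two extensions that must be ignored
SAMPLE_CSR = [
    Extension(OID_SAN, False, (("DNS", "ldap.example.org"), ("DNS", "ldap1.example.org"))),
    Extension(OID_BASIC_CONSTRAINTS, True, {"ca": True}),
    Extension(OID_KEY_USAGE, True, {"keyCertSign"}),
]
```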