2,306
edits
Changes
Jump to navigation
Jump to search
Line 40:
Line 40: − − − − Can someone help me with the exact syntax? − − Its a three step process, and it involves modifying openssl.cnf file. You might be able to do it with only command line options, but I don't do it that way. − − Find your openssl.cnf file. It is likely located in /usr/lib/ssl/openssl.cnf: − − $ find /usr/lib -name openssl.cnf − /usr/lib/openssl.cnf − /usr/lib/openssh/openssl.cnf − /usr/lib/ssl/openssl.cnf − − On my Debian system, /usr/lib/ssl/openssl.cnf is used by the built-in openssl program. On recent Debian systems it is located at /etc/ssl/openssl.cnf − − You can determine which openssl.cnf is being used by adding a spurious XXX to the file and see if openssl chokes. − − First, modify the req parameters. Add an alternate_names section to openssl.cnf with the names you want to use. There are no existing alternate_names sections, so it does not matter where you add it. − − [ alternate_names ] − − DNS.1 = example.com − DNS.2 = www.example.com − DNS.3 = mail.example.com − DNS.4 = ftp.example.com − − Next, add the following to the existing [ v3_ca ] section. Search for the exact string [ v3_ca ]: − − subjectAltName = @alternate_names − − You might change keyUsage to the following under [ v3_ca ]: − − keyUsage = digitalSignature, keyEncipherment
→SubjectAltName
keyUsage = digitalSignature, keyEncipherment
keyUsage = digitalSignature, keyEncipherment
digitalSignature and keyEncipherment are standard faire for a server certificate. Don't worry about nonRepudiation. Its a useless bit thought up by comp sci guys who wanted to be lawyers. It means nothing in the legal world.
digitalSignature and keyEncipherment are standard faire for a server certificate. Don't worry about nonRepudiation. Its a useless bit thought up by comp sci guys who wanted to be lawyers. It means nothing in the legal world.