Re: Creating requests and certificates with Subject Alternative Names


Re: Creating requests and certificates with Subject Alternative Names

Angus Robertson - Magenta Systems Ltd
> I'm creating X509 certificate requests and certificates in code,
> trying to add X509v3 Subject Alternative Name, with 1.1.0f.  
>
> But if I add a list of four domains, ie:
> The certificate seems to ignore some and repeat others:

To answer my own question, I was using ASN1_STRING_set0 instead of
ASN1_STRING_set and the original ANSI string was a temporary variable,
so got lost as a new string was added since it was not copied.

But there must be an easier way of adding SANs to certificates than
using undocumented GENERAL_NAME APIs.  

Angus

--
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

Re: Creating requests and certificates with Subject Alternative Names

OpenSSL - Dev mailing list
Angus Robertson - Magenta Systems Ltd wrote:

>> I'm creating X509 certificate requests and certificates in code,
>> trying to add X509v3 Subject Alternative Name, with 1.1.0f.
>>
>> But if I add a list of four domains, ie:
>> The certificate seems to ignore some and repeat others:
>
> To answer my own question, I was using ASN1_STRING_set0 instead of
> ASN1_STRING_set and the original ANSI string was a temporary variable,
> so got lost as a new string was added since it was not copied.
>
> But there must be an easier way of adding SANs to certificates than
> using undocumented GENERAL_NAME APIs.

Fyi, here's how we autogenerate certificates in OpenLDAP, with subjectAltNames
populated.

http://www.openldap.org/devel/gitweb.cgi?p=openldap.git;a=blob;f=servers/slapd/overlays/autoca.c;h=5a8ec1b481376df08d4ca7d60bc8fe6d5ad56864;hb=HEAD

The corresponding manpage is here

http://www.openldap.org/devel/gitweb.cgi?p=openldap.git;a=blob;f=doc/man/man5/slapo-autoca.5;h=920c1fe189fc6767b3b8425a985488910b83fadb;hb=HEAD

and our test suite script to put it thru its paces is here

http://www.openldap.org/devel/gitweb.cgi?p=openldap.git;a=blob;f=tests/scripts/test066-autoca;h=05e221b313225f23fe9986003eebcd3ba2be5ce8;hb=HEAD

--
   -- Howard Chu
   CTO, Symas Corp.           http://www.symas.com
   Director, Highland Sun     http://highlandsun.com/hyc/
   Chief Architect, OpenLDAP  http://www.openldap.org/project/