Re: Where to cleanup the settings for certificate generation ?


#53742

PatrickB
Member

Hello.

I tried again but could not find it.

In /etc/ssl/openssl.cnf the directives for SAN are all commented:

    # This stuff is for subjectAltName and issuerAltname.
    # Import the email address.
    # subjectAltName=email:copy
    # An alternative to produce certificates that aren't
    # deprecated according to PKIX.
    # subjectAltName=email:move

There is no section alt_names…

But the host certificates generated have a SAN with IPs, some of them removed ages ago, and no longer existing in the DNS area:

    X509v3 extensions:
        X509v3 Extended Key Usage:
            TLS Web Server Authentication, TLS Web Client Authentication
        X509v3 Subject Alternative Name:
            DNS:zzzzz.domain.tld, IP Address:192.168.yyy.2, IP Address:192.168.xxx.1, IP Address:192.168.xxx.2, IP Address:192.168.xxx.4, IP...

Did somebody find where and how it does that? Of course it works, but this is messy.

Thanks, Best regards.
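An added example, not part of the original post and not the product's own code: a way to list which IP entries in a certificate's SAN are no longer configured on the host, by comparing the text of `openssl x509 -in <cert> -noout -text` with the text of `ip -o addr show`. The function names and both sample inputs are constructed for illustration; it does not locate where the appliance stores the address list.

```python
import ipaddress
import re

# Constructed sample inputs (documentation addresses, not the poster's system).
SAMPLE_CERT_TEXT = """\
        X509v3 extensions:
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Subject Alternative Name:
                DNS:host.example.test, IP Address:192.0.2.1, IP Address:192.0.2.7, IP Address:2001:DB8:0:0:0:0:0:5
"""
SAMPLE_IP_ADDR = """\
1: lo    inet 127.0.0.1/8 scope host lo
2: eth0    inet 192.0.2.1/24 brd 192.0.2.255 scope global eth0
2: eth0    inet6 2001:db8::5/64 scope global
"""


def san_ips(cert_text):
    """IP entries of the Subject Alternative Name in `openssl x509 -text` output."""
    lines = cert_text.splitlines()
    for i, line in enumerate(lines):
        # The SAN values are printed on the line after the extension name.
        if "X509v3 Subject Alternative Name" in line and i + 1 < len(lines):
            found = re.findall(r"IP Address:([0-9A-Fa-f:.]+)", lines[i + 1])
            return [ipaddress.ip_address(v) for v in found]
    return []


def assigned_ips(ip_addr_text):
    """Addresses currently configured, parsed from `ip -o addr show` output."""
    found = re.findall(r"\binet6?\s+([0-9A-Fa-f:.]+)/\d+", ip_addr_text)
    return {ipaddress.ip_address(v) for v in found}


def stale_san_ips(cert_text, ip_addr_text):
    """SAN IPs that are not assigned to any local interface any more."""
    current = assigned_ips(ip_addr_text)
    # ipaddress objects compare by value, so OpenSSL's expanded upper-case
    # IPv6 form matches the compressed lower-case form printed by `ip`.
    return [str(ip) for ip in san_ips(cert_text) if ip not in current]


if __name__ == "__main__":
    for ip in stale_san_ips(SAMPLE_CERT_TEXT, SAMPLE_IP_ADDR):
        print("stale SAN entry:", ip)
```

A certificate stays valid for every address listed in its SAN, so entries reported here are addresses the host can still authenticate as even though it no longer holds them.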