openssl is grim

I've just spent a whole day trying to generate a certificate with openssl that firefox / chromium will accept. The issue is something like: the convention changed from sticking a domain name in the CN (common name) field, to using subjectAltName. Browsers stopped accepting the old one. But the openssl tooling was not updated with a usable tool, instead requiring arcane, undocumented, opaque, grim, and nasty options / config files. It's no wonder everyone just uses the cloud. The poor folk trying to get a working certificate compare notes on places like stackexchange (see for example "Provide subjectAltName to openssl directly on the command line" [0], which contained the final solution for me. Please note: the "final solution" is not a phenocide of anyone involved in OpenSSL "development").

[0] <https://security.stackexchange.com/questions/74345/provide-subjectaltname-to-openssl-directly-on-the-command-line>

The one that worked was t...

"What you are about to enter is what is called a Distinguished Name or a DN"

What you are about to read is what is called a blog post. What the quality of OpenSSL in general is, is what the quality of the above English is.