Description
# Generate req for client
$ pktool gencsr label=client outcsr=client.csr subject="CN=client" altname="KRB= xxxxx@xxxxx.COM" keyusage=digitalSignature,keyEncipherment,keyAgreement eku=KPClientAuth
# Sign req for client
$ pktool signcsr signkey=ca csr=client.csr serial=0x03 outcert=client.cert issuer="CN=ca"
## Extract the certs/keys into files
$ pktool export objtype=cert outformat=pem label=ca outfile=ca.cert
$ pktool export objtype=key outformat=pem label=client outfile=client.key
The pkinit plugin (which uses openssl to read the certs) complains it can't find any SANs. If I look at client.cert using openssl I see the following:
...
X509v3 Subject Alternative Name:
0...0...+.....0..ACME.COM.client
...
If I generate the client cert using openssl as follows:
$ openssl req -new -newkey rsa:1024 -keyout client.key -out client.req
$ CLIENT=client REALM=ACME.COM openssl x509 -CAkey ca.key -CA ca.cert -CAserial ca.srl -CAcreateserial -req -in client.req -out client.cert -extfile extensions_pkinit.txt -extensions client_cert
and dump the certificate I see this:
...
X509v3 Subject Alternative Name:
othername:<unsupported>
...
I've attached extensions_pkinit.txt.
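As an added check (example code, not from the bug report, pktool or OpenSSL): OpenSSL falls back to dumping the raw extension value when it cannot parse a SAN, so a small decoder that walks the GeneralNames, accepts only entries tagged as otherName [0] carrying id-pkinit-san, and decodes the KRB5PrincipalName laid out in RFC 4556 is a quick way to tell a mis-encoded SAN from one OpenSSL merely does not recognise. The sample SAN bytes are constructed inside the block, and the mis-tagged variant is only an illustration of what the check rejects, not a claim about what pktool emits.

```python
# Added example (not from the bug report): checks that a SAN extension value carries a properly tagged
# PKINIT otherName (id-pkinit-san, 1.3.6.1.5.2.2) and decodes its KRB5PrincipalName (RFC 4556). Stdlib only.
ID_PKINIT_SAN = bytes.fromhex("2b0601050202")      # OID 1.3.6.1.5.2.2

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER TLV starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                              # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def tlv(tag, payload):                             # minimal DER encoder; short-form lengths suffice here
    return bytes([tag, len(payload)]) + payload

def decode_krb5_principal(der):
    """KRB5PrincipalName ::= SEQUENCE { realm [0] KerberosString, principalName [1] PrincipalName }"""
    _, seq, _ = read_tlv(der, 0)
    _, realm_box, pos = read_tlv(seq, 0)           # [0] EXPLICIT realm
    realm = read_tlv(realm_box, 0)[1].decode()
    _, pn_seq, _ = read_tlv(read_tlv(seq, pos)[1], 0)     # [1] PrincipalName: SEQUENCE { name-type [0], name-string [1] }
    _, _, pos = read_tlv(pn_seq, 0)                # skip name-type
    _, ns_seq, _ = read_tlv(read_tlv(pn_seq, pos)[1], 0)  # name-string: SEQUENCE OF KerberosString
    parts, pos = [], 0
    while pos < len(ns_seq):
        _, s, pos = read_tlv(ns_seq, pos)
        parts.append(s.decode())
    return "/".join(parts) + "@" + realm

def pkinit_principals(san_der):
    """Walk GeneralNames; return principals from correctly tagged otherName entries only."""
    tag, names, _ = read_tlv(san_der, 0)
    if tag != 0x30: raise ValueError("SAN value must be a SEQUENCE OF GeneralName")
    found, pos = [], 0
    while pos < len(names):
        tag, body, pos = read_tlv(names, pos)
        if tag != 0xA0:                            # otherName is IMPLICIT [0], constructed
            continue
        oid_tag, oid, p = read_tlv(body, 0)
        if oid_tag == 0x06 and oid == ID_PKINIT_SAN:
            found.append(decode_krb5_principal(read_tlv(body, p)[1]))   # [0] EXPLICIT value
    return found

def sample_san(realm, names, correct_tag=True):
    """Constructed SAN; correct_tag=False keeps a universal SEQUENCE tag on the otherName instead of [0] (illustration only)."""
    gs = lambda s: tlv(0x1B, s.encode())           # KerberosString is GeneralString
    pn = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x01")) + tlv(0xA1, tlv(0x30, b"".join(map(gs, names)))))
    krb5 = tlv(0x30, tlv(0xA0, gs(realm)) + tlv(0xA1, pn))
    other = tlv(0x06, ID_PKINIT_SAN) + tlv(0xA0, krb5)
    return tlv(0x30, tlv(0xA0 if correct_tag else 0x30, other))
```

To run it against a real certificate, pass the raw value of the subjectAltName extension (the bytes after the extension's OCTET STRING wrapper) to pkinit_principals.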