Investigate how to enable "copy extensions" for CSR with Subject Alternative Names #526

Closed
ppatierno opened this issue Jun 28, 2018 · 2 comments

Comments

@ppatierno
Member

When creating a CSR for getting a signed certificate, the subject alternative names are not transferred automatically from the CSR to the final certificate. The "copy_extensions" option is involved but it seems it's a risk to enable it (and it needs a configuration file for it). That's true for the "openssl req" command we are using for the CSR creation.
It seems that the "openssl ca" command provides an option on the command line, "copy_extensions", but it's a different tool and it needs investigation as well.

@scholzj
Member

scholzj commented Jun 28, 2018

So ...

  • If we are missing the alt subjects, what does it mean for Strimzi? Does it mean that the TLS stuff doesn't have trust and doesn't work properly?
  • What do you mean with 'The "copy_extensions" option is involved but it seems it's a risk to enable it'?
  • What do you mean with 'openssl ca is a different tool'?

@ppatierno
Member Author

ppatierno commented Jul 25, 2018

It seems that a workaround could be this one ... https://mta.openssl.org/pipermail/openssl-users/2016-January/002764.html
It means providing the SAN information even when executing the signature process starting from the CSR.
I'm going to try it.
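
An added example, not part of the original thread or of Strimzi's code: one way to supply the SANs at signing time instead of copying them from the CSR, assuming `openssl x509 -req` with `-extfile` is the signing step. The CA name, host names and the `san_demo` function are constructed for illustration; the function signs the same kind of CSR with or without the signer-side extension file and reports how many SAN lines the issued certificate carries.

```shell
#!/bin/sh
# Constructed sample SAN list; in practice the signer decides these values.
SAN="subjectAltName=DNS:broker.example.internal,DNS:broker"

# san_demo <plain|with-extfile>
# Prints the number of SAN lines found in the issued certificate (0 or 1).
san_demo() {
  mode="$1"
  d=$(mktemp -d) || return 1

  # Throwaway self-signed CA, valid for one day, for the demonstration only.
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=example-ca" \
    -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null || return 1

  # CSR that requests the SANs through a minimal config file.
  cat > "$d/req.cnf" <<EOF
[req]
distinguished_name = dn
req_extensions = v3_req
prompt = no
[dn]
CN = broker
[v3_req]
$SAN
EOF
  openssl req -new -newkey rsa:2048 -nodes -config "$d/req.cnf" \
    -keyout "$d/broker.key" -out "$d/broker.csr" 2>/dev/null || return 1

  # Signer-side extension file: the SANs come from the CA operator,
  # not from whatever the requester put into the CSR.
  printf '%s\n' "$SAN" > "$d/san.ext"
  if [ "$mode" = with-extfile ]; then
    set -- -extfile "$d/san.ext"
  else
    set --
  fi

  # Sign the CSR; without -extfile the requested SANs are not carried over.
  openssl x509 -req -in "$d/broker.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
    -CAcreateserial -days 1 -out "$d/broker.crt" "$@" 2>/dev/null || return 1

  # Count SAN lines in the issued certificate (grep exits 1 on zero matches).
  openssl x509 -in "$d/broker.crt" -noout -text \
    | grep -c 'DNS:broker.example.internal' || true
  rm -rf "$d"
}
```

Because the extension file lives on the signing side, the issued names stay under the signer's control even if a CSR asks for something else.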
