Subject: Should have get xxAltName()
When issuing a certificate, the CA's subject_DN is copied to the new certificate's issuer_DN, and the CA's subjectAltName is also copied to the new certificate's issuerAltName. Similarly for CRLs.
Crypt::OpenSSL::CA has no mechanism to extract the CA's subjectAltName. It should. Currently, the CA's certificate has to be run through multiple parsers to get the needed bits. E.g. to get the public key in Crypt::OpenSSL::CA::PublicKey, one has to parse with C::O::CA::parse. To get the extensions, one has to find a working parser & parse it again. This is inefficient, as well as challenging - the parsers aren't well maintained.
So a general mechanism to extract an extension by name that returns it as an argument list for set_extension would be ideal.
I suggest @extn = get_extension( $extname || $oid ), where
@extn contains ($extname, $value, %options, %more_open_ssl_config) as required. (For extensions not built-in to OpenSSL, it may be necessary to have a define_extension that tells how to handle. I consider this secondary.)
Many other useful extensions are often copied from the issuing CA's certificate. Being able to extract them in a format suitable for set_extension() would simplify the process greatly. Especially since the set_extension argument list is unique to C::O::CA::X509...
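
The copy described in the report (the CA's subjectAltName becoming the issued certificate's issuerAltName) can be observed with the openssl command line, whose extension syntax accepts issuer:copy for issuerAltName. This is an added example, not part of the original report and not Crypt::OpenSSL::CA code; the host names, e-mail address and file names are constructed, and it assumes OpenSSL 1.1.1 or later.

```shell
#!/bin/sh
# Added example: constructed names and throwaway keys, openssl CLI only.

# issue_with_ian DIR
# Builds a CA that carries a subjectAltName, issues a leaf certificate whose
# issuerAltName is copied from that CA, and prints the leaf's issuerAltName.
issue_with_ian() {
    dir=$1

    # Self-signed CA; its subjectAltName is the value the leaf should inherit.
    openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" -days 1 \
        -subj "/CN=Example Test CA" \
        -addext "subjectAltName=DNS:ca.example.test,email:ca@example.test" \
        2>/dev/null || return 1

    # Leaf key and certificate request.
    openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -keyout "$dir/leaf.key" -out "$dir/leaf.csr" \
        -subj "/CN=leaf.example.test" 2>/dev/null || return 1

    # issuer:copy makes OpenSSL read the subjectAltName of the issuer
    # certificate (-CA) and write it as the leaf's issuerAltName.
    printf '%s\n' \
        'issuerAltName = issuer:copy' \
        'subjectAltName = DNS:leaf.example.test' > "$dir/ext.cnf"

    openssl x509 -req -in "$dir/leaf.csr" \
        -CA "$dir/ca.pem" -CAkey "$dir/ca.key" -CAcreateserial \
        -days 1 -extfile "$dir/ext.cnf" -out "$dir/leaf.pem" \
        2>/dev/null || return 1

    # Show only the issuerAltName extension of the issued certificate.
    openssl x509 -in "$dir/leaf.pem" -noout -ext issuerAltName
}

# Stand-alone run in a scratch directory.
scratch=$(mktemp -d)
issue_with_ian "$scratch"
rm -rf "$scratch"
```

When the issuer's certificate is only available as parsed PEM inside another library, this copy has to be done by hand, which is the gap the report describes.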