When signing a certificate request, subjectAltName cannot be copied to certificate when using templates

[meyergru]

After I create a CSR and create subjectAltNames like DNS:xyz, IP:1.2.3.4, I can choose to "copy extensions from the request" when I try to sign it.

However, If I also want to apply a template, like for "key usage" or other parameters, I can only choose between applying extensions or subject or both (all). So, if I want to use anything useful from the template, the specific request parameters are overwritten.

I cannot have the best of both worlds - or at least I cannot make it work:

• define a type of certificate via a template plus
• overwrite specific parameters (especially subjectAltName) in the CSR

The only way to have both is to repeat every specific setting like subjectAltName during signing, which is problematic especially when certificates are short-lived and shall be re-issued later on.

[dtklein]

This sounds very useful. Ideally, I’d like extensions in a template to each have a setting for how overwritey you want the template to be:

• Only use the value for this extension from template, overwriting what’s in the CSR
• Use value for this extension from CSR if present, use value from template if extension is empty or not present
• Use value for this extension from CSR if present, or empty if this extension is empty in the CSR, use value from template if extension is not present
• Use what’s in the CSR for the value of this extension, if present in the CSR; skip this extension if the CSR does not contain it