@zilchms @rtib This condition seems to prevent ``altnames`` from being used. The condition used to be ``!empty($altnames + $extkeyusage)`` so either would trigger ``req_ext`` to be set and therefore the openssl command to be given the necessary option for the certificate to have the extension (this is done in ``lib/puppet/provider/x509_cert/openssl.rb`` line ``103``). This became a ``and`` condition which now requires both lists to be non-empty. I wasnt able to get certs with SANs to generate until I changed this locally to a ``or`` condition. I'll look into making a contribution shortly but I am commenting here just to have you take a look if you agree and maybe do the change if it's easy on your end.
_Originally posted by @fmichea in https://github.com/voxpupuli/puppet-openssl/pull/179#discussion_r1629943314_