Is it possible to create a PKCS#10 certificate request / X.509 certificate with the identifying information only in the subject alternate name attribute/extension? According to X.509 4.1.2.6 Subject, the subject can be empty for a certificate whose subject is not a CA as long as the subjectAltName is critical.
But when I use this config file with an empty distinguished_name section:
    # request.config
    [ req ]
    distinguished_name = req_distinguished_name
    req_extensions = v3_req
    prompt = no

    [ req_distinguished_name ]

    [ v3_req ]
    keyUsage = nonRepudiation, digitalSignature, keyEncipherment
    subjectAltName=critical,email:certtest@example.com
and commands
    openssl genrsa 1024 > key.pem
    openssl req -new -key key.pem -out req.pem -config request.config
OpenSSL complains:
    error, no objects specified in config file
    problems making Certificate Request
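
One way to get such a request from the same config, as an added example that is not part of the original post: passing `-subj "/"` gives `openssl req` an empty name directly, so it does not build one from the empty section. It assumes an `openssl` binary on PATH whose `-subj` accepts `/`; the function name, working directory and 2048-bit key size are choices made here.

```shell
#!/bin/sh
# Added example: CSR with an empty subject and a critical subjectAltName.
# make_empty_subject_csr is a hypothetical helper; file names follow the post.
make_empty_subject_csr() {
    dir=$1
    cat > "$dir/request.config" <<'EOF'
[ req ]
distinguished_name = req_distinguished_name
req_extensions = v3_req
prompt = no

[ req_distinguished_name ]

[ v3_req ]
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = critical,email:certtest@example.com
EOF
    openssl genrsa -out "$dir/key.pem" 2048 2>/dev/null || return 1
    # -subj "/" supplies an empty RDN sequence, so req does not try to
    # build the name from the empty [ req_distinguished_name ] section.
    openssl req -new -key "$dir/key.pem" -subj "/" \
        -config "$dir/request.config" -out "$dir/req.pem" || return 1
    # The subject must print as empty ("subject=" with nothing after it).
    subj=$(openssl req -in "$dir/req.pem" -noout -subject | sed 's/^subject= *//')
    [ -z "$subj" ] || return 1
    # Emit the decoded request so the caller can inspect the extensions.
    openssl req -in "$dir/req.pem" -noout -text
}

workdir=$(mktemp -d)
# Show the SAN extension line and the value that follows it.
make_empty_subject_csr "$workdir" | grep -A1 'Subject Alternative Name'
```

The request only carries the extension as a requested attribute; whether the issued certificate keeps the empty subject and the critical flag depends on the CA that signs it.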