[openssl-users] Signing a csr with subjectAltName using x509 command
Mauro Romano Trajber
trajber at gmail.com
Wed Jan 13 19:23:36 UTC 2016
Thanks,
I could not make subjectAltName copy at all. I tried several ways without
success - subjectAltName=IP:copy is not a valid option the way
subjectAltName=email:copy is.
What works for me (but doesn't seem to be the correct solution) is passing
the extfile to the x509 command with the subjectAltName data again - although the
CSR file already contains this information.
Here is what I did:
# creating the CA
$ openssl genrsa -out ca.key 2048
$ openssl req -new -x509 -nodes -days 3650 -key ca.key -out ca.cert -subj '/C=xx/ST=xx/L=xx/CN=catest'
# creating the peer certificate
$ openssl genrsa -out server.key 2048
$ openssl req -new -key server.key -out server.csr -subj '/C=xx/ST=xx/L=xx/CN=server/' -reqexts SAN -config <(cat /etc/ssl/openssl.cnf <(printf "[SAN]\nsubjectAltName=IP:1.1.1.1,DNS:www.example.com"))
At this point we can see that the CSR file contains the v3ext data:
$ openssl req -noout -text -in server.csr
....
Requested Extensions:
X509v3 Subject Alternative Name:
IP Address:1.1.1.1, DNS:www.example.com
...
But for the subjectAltName data to be included in the certificate I must pass all
the info again to the x509 command:
$ openssl x509 -req -in server.csr -CA ca.cert -CAkey ca.key -CAcreateserial -out server.cert -days 3650 -extfile <(cat /etc/ssl/openssl.cnf <(printf "[SAN]\nsubjectAltName=IP:1.1.1.1,DNS:www.example.com")) -extensions SAN
$ openssl x509 -noout -text -in server.cert
....
Requested Extensions:
X509v3 Subject Alternative Name:
IP Address:1.1.1.1, DNS:www.example.com
...
On Wed, Jan 13, 2016 at 4:46 PM, Viktor Dukhovni <openssl-users at dukhovni.org> wrote:
>
> > On Jan 13, 2016, at 1:22 PM, Mauro Romano Trajber <trajber at gmail.com>
> wrote:
> >
> > In which section?
> >
> > On section [CA_default] I have 'copy_extensions = copy'
>
> In case you find it useful, I am attaching a bash script I use to
> generate certificate chains for various automated tests.
>
> This does not use any customized .cnf files, and bypasses the ca(1)
> utility, just signs directly via "openssl x509 -req" and extension
> settings created on the fly via "-extfile <(printf ...)".
>
> The keys created are always EC P-256 keys, but you can change
> that part of the script if you want RSA instead.
>
> $ ./mkcert genroot "Root CA" rootkey rootcert
> $ ./mkcert genca "Issuer CA" cakey cacert rootkey rootcert
> $ ./mkcert genee "$(uname -n)" eekey eecert cakey cacert
> $ openssl x509 -in eecert.pem -text -noout | egrep 'DNS:|Subject|Issuer'
> Issuer: CN = Issuer CA
> Subject: CN = vpro.lan
> Subject Public Key Info:
> X509v3 Subject Key Identifier:
> X509v3 Subject Alternative Name:
> DNS:vpro.lan
>
> --
> Viktor.
>
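As an added, self-contained walkthrough of the procedure discussed in this thread (my script, not Mauro's commands and not Viktor's mkcert script): it builds a small CA, creates a CSR that carries a SAN as a requested extension, then signs that CSR twice with "openssl x509 -req", once without and once with the extension file, and checks which certificate actually ends up with the SAN. It assumes a POSIX sh with the openssl CLI (1.1.1 or later) on PATH; the `san.cnf` file, its section names, the `san_of` helper and the CA subject are my own choices, and the SAN values are the constructed ones used in the thread. The CA section also sets basicConstraints/keyUsage explicitly, which the one-line CA in the thread does not.

```shell
#!/bin/sh
# Added example (not from the thread). Shows that "openssl x509 -req" drops the
# SAN requested in the CSR unless the extension section is supplied again via
# -extfile/-extensions, and verifies the issued certificate before trusting it.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Self-contained config (assumed names): [req]/[dn] satisfy `openssl req` on
# 1.1.1, [ca_ext] marks the self-signed cert as a CA, and [SAN] is shared by
# `req -reqexts` (CSR) and `x509 -req -extfile` (certificate).
# 1.1.1.1 / www.example.com are constructed sample values.
cat > san.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
x509_extensions = ca_ext
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[SAN]
subjectAltName = IP:1.1.1.1, DNS:www.example.com
EOF

# CA key and self-signed CA certificate (P-256 keeps key generation fast)
openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -out ca.key
openssl req -new -x509 -days 3650 -key ca.key -out ca.cert \
    -subj '/C=xx/ST=xx/L=xx/CN=catest' -config san.cnf

# Leaf key and CSR; the CSR itself carries the SAN as a requested extension
openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -out server.key
openssl req -new -key server.key -out server.csr \
    -subj '/C=xx/ST=xx/L=xx/CN=server' -reqexts SAN -config san.cnf

# san_of FILE CMD: print the SAN value line of a CSR (CMD=req) or certificate
# (CMD=x509); prints nothing when the object has no SAN at all.
san_of() {
    openssl "$2" -noout -text -in "$1" \
        | grep -A1 'Subject Alternative Name' | tail -n 1 | sed 's/^ *//'
}

# Signing without restating the extensions: the CSR's SAN is NOT copied
openssl x509 -req -in server.csr -CA ca.cert -CAkey ca.key -CAcreateserial \
    -days 3650 -out nosan.cert 2>/dev/null

# Signing with the extension section passed again: the SAN lands in the cert
openssl x509 -req -in server.csr -CA ca.cert -CAkey ca.key -CAcreateserial \
    -days 3650 -out server.cert -extfile san.cnf -extensions SAN 2>/dev/null

# Deployment-time checks: the SAN must match what was requested, and the
# certificate must chain to the CA. Clients ignore CN, so a missing SAN
# means a certificate that will not validate for the intended host.
csr_san=$(san_of server.csr req)
cert_san=$(san_of server.cert x509)
nosan_san=$(san_of nosan.cert x509)
printf 'CSR SAN:             %s\n' "$csr_san"
printf 'cert SAN (-extfile): %s\n' "$cert_san"
printf 'cert SAN (no extfile): "%s"\n' "$nosan_san"
[ "$csr_san" = "$cert_san" ] || { echo 'SAN was not carried into the certificate' >&2; exit 1; }
openssl verify -CAfile ca.cert server.cert >/dev/null
```

Running it prints the same SAN for the CSR and the certificate signed with -extfile, and an empty SAN for the one signed without it. On OpenSSL 3.x "openssl x509 -req" also accepts "-copy_extensions copy" to take the extensions from the CSR instead of restating them; whichever route is used, the check on the issued certificate is what catches a silently dropped SAN.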
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mta.openssl.org/pipermail/openssl-users/attachments/20160113/5838a154/attachment.html>