[openssl-users] Signing a csr with subjectAltName using x509 command
Gareth Williams
gareth at garethwilliams.me.uk
Thu Jan 14 13:08:02 UTC 2016
On Thursday 14 January 2016 10:59:01 Mauro Romano Trajber wrote:
> Could you send me the ca command line? Is there any way to run it without
> creating a .cnf - using only <(print notation?
To be honest, I don't know whether you could run it purely from the command
line without a config file as there are many configuration options needed to
operate openssl as a CA. Saying that, default values may work for many of
those.
Instead, I use a simple bash script (which I don't have to hand I'm afraid -
at work) which uses a heredoc to echo a configuration to a temp file which is
then used with the openssl ca command, before being deleted afterwards.
If you're interested, I can dig it out later.
>
> On Thu, Jan 14, 2016 at 6:07 AM, Gareth Williams <gareth at garethwilliams.me.uk> wrote:
> > On Wednesday 13 January 2016 16:22:10 Mauro Romano Trajber wrote:
> > > In which section?
> > >
> > > On section [CA_default] I have 'copy_extensions = copy'
> >
> > Is that the issue? You have copy_extensions in the CA_default
> > section, which is no doubt referenced by the default_ca = ... stanza
> > earlier in the config file.
> >
> > My understanding is that this is only read when you use the openssl
> > ca command. As you stated you're using the openssl x509 command
> > to sign your request, then this isn't being read.
> >
> > Any reason you're not signing with the openssl ca command? I've just
> > checked and it works as you expected when using this command.
> >
> > Kind regards,
> >
> > Gareth
> >
> > > Can I do this using only command line options?
> > >
> > > On Wed, Jan 13, 2016 at 3:42 PM, Salz, Rich <rsalz at akamai.com> wrote:
> > > > > But when I try to sign it using my own CA using the x509 command this
> > > > > data is removed
> > > >
> > > > You need to make sure that subjectAltName is marked as copy in your config
> > > > file.
> > > > _______________________________________________
> > > > openssl-users mailing list
> > > > To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
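The approach described in this thread, as an added example that is not the script Gareth mentions and not part of the original messages: a heredoc writes a temporary config containing `copy_extensions = copy`, `openssl ca` signs with it, and the same CSR is also signed with `openssl x509 -req` so the two certificates can be compared. The host name, CA name, policy section and function names are constructed for the demo.

```bash
# Added example (not the thread's script); names and values are constructed.
# sign_ca CSR CA_CERT CA_KEY OUT: write a temporary CA config from a heredoc,
# sign with `openssl ca`, then delete the config and the CA database.
sign_ca() {
  local d rc=0; d=$(mktemp -d) || return 1
  : > "$d/index.txt"; echo 01 > "$d/serial"
  cat > "$d/ca.cnf" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
database = $d/index.txt
serial = $d/serial
new_certs_dir = $d
default_md = sha256
default_days = 30
policy = policy_any
copy_extensions = copy
[ policy_any ]
commonName = supplied
EOF
  openssl ca -batch -notext -config "$d/ca.cnf" -cert "$2" -keyfile "$3" \
    -in "$1" -out "$4" >/dev/null 2>&1 || rc=$?
  rm -rf "$d"; return $rc
}
# has_san CERT NAME: succeeds if the certificate carries DNS:NAME.
has_san() { openssl x509 -in "$1" -noout -text | grep -q "DNS:$2"; }

# make_demo DIR: build a throwaway CA and a CSR that requests a SAN, then sign
# the CSR twice: with `openssl ca` (ca.pem) and `openssl x509 -req` (x509.pem).
make_demo() {
  local w=$1
  cat > "$w/req.cnf" <<EOF
[ req ]
distinguished_name = dn
req_extensions = ext
prompt = no
[ dn ]
CN = www.example.test
[ ext ]
subjectAltName = DNS:www.example.test
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -config "$w/req.cnf" \
    -subj "/CN=Demo CA" -days 30 -keyout "$w/ca.key" -out "$w/ca.crt" 2>/dev/null || return 1
  openssl req -new -newkey rsa:2048 -nodes -config "$w/req.cnf" \
    -keyout "$w/srv.key" -out "$w/srv.csr" 2>/dev/null || return 1
  sign_ca "$w/srv.csr" "$w/ca.crt" "$w/ca.key" "$w/ca.pem" || return 1
  openssl x509 -req -in "$w/srv.csr" -CA "$w/ca.crt" -CAkey "$w/ca.key" \
    -CAcreateserial -days 30 -out "$w/x509.pem" 2>/dev/null
}
```

After `make_demo "$(mktemp -d)"`, `has_san` succeeds for `ca.pem` and fails for `x509.pem`. Note that `copy_extensions = copy` copies every extension the CSR requests, including ones such as basicConstraints, so requests should be reviewed before signing.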