[openssl-users] Solved - Re: Cant get the subjectALtName inot the root cert
Robert Moskowitz
rgm at htt-consult.com
Fri Aug 18 00:44:48 UTC 2017
Kind of...
Does not put SAN in CA cert:
openssl req -config openssl-root.cnf -key private/ca.key.pem \
-new -x509 -days 7300 -sha256 -extensions v3_ca -out
certs/ca.cert.pem
Does put SAN in CA cert:
openssl req -config openssl-root.cnf -key private/ca.key.pem \
-new -sha256 -extensions v3_ca -out csr/ca.csr.pem
openssl ca -config openssl-root.cnf -extensions v3_ca -days 7300 -notext
-md sha256 \
-in csr/ca.csr.pem -out certs/ca.cert.pem
Interesting that the single step does not work, but the 2 step doesn.
Do I need -extensions v3_ca in both commands? Plus sha256 in both?
Could benefit from some refinement. Or getting the 1 step working.
Good enough for now!
Bob
On 08/17/2017 06:38 PM, Jeffrey Walton wrote:
> On Thu, Aug 17, 2017 at 6:30 PM, Robert Moskowitz <rgm at htt-consult.com> wrote:
>> I guess I am making progress. I am not getting SAN into the root cert. my
>> cnf has in it:
>>
>> [ req ]
>> # Options for the `req` tool (`man req`).
>> default_bits = 2048
>> prompt = no
>> distinguished_name = req_distinguished_name
>> string_mask = utf8only
>> req_extensions = req_ext
>>
>> [ req_ext ]
>> #subjectAltName = email:$ENV::adminemail
>> #subjectAltName = email:admin at htt-consult.com
>> subjectAltName = IP:192.168.24.1
>>
>> I tried all three above alternatives for SAN. No SAN in the root cert
>> created with:
>>
>> openssl req -config openssl-root.cnf -key private/ca.key.pem \
>> -new -x509 -days 7300 -sha256 -extensions v3_ca -out certs/ca.cert.pem
>>
>> Thanks for any insight.
>>
>> This type of cnf worked for creating a CSR and with the copy option the SAN
>> made it into the cert.
> It looks a bit unusual for a Root CA.
>
> As far as signing the CSR, you need
>
> copy_extensions = copy
>
> Jeff
More information about the openssl-users
mailing list