[openssl-users] Solved - Re: Cant get the subjectALtName inot the root cert
Robert Moskowitz
rgm at htt-consult.com
Fri Aug 18 01:52:27 UTC 2017
It IS working with -selfsign. So this step is done.
openssl ca -config openssl-root.cnf -extensions v3_ca -days 7300 -notext
-md sha256 \
-selfsign -in csr/ca.csr.pem -out certs/ca.cert.pem
openssl x509 -in certs/ca.cert.pem -text -noout
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
87:b5:1d:03:12:a9:f3:fa
Signature Algorithm: ecdsa-with-SHA256
Issuer: C=US, ST=MI, O=HTT Consulting, CN=Root CA
Validity
Not Before: Aug 18 01:50:19 2017 GMT
Not After : Aug 13 01:50:19 2037 GMT
Subject: C=US, ST=MI, O=HTT Consulting, CN=Root CA
Subject Public Key Info:
Public Key Algorithm: id-ecPublicKey
Public-Key: (256 bit)
pub:
04:03:ee:4a:51:17:df:50:2b:bc:69:63:b5:03:90:
b5:ed:cf:d5:67:16:94:46:9c:ca:5b:1c:87:d0:81:
18:04:bf:5a:c0:00:4e:90:4b:fb:2e:17:1c:aa:42:
1e:9e:bd:be:ba:d7:f8:6c:55:24:b2:91:da:61:9c:
66:b4:03:a5:93
ASN1 OID: prime256v1
NIST CURVE: P-256
X509v3 extensions:
X509v3 Subject Key Identifier:
D5:09:1A:48:F2:D8:F8:30:46:26:38:78:C8:C2:C5:CD:01:A7:1D:57
X509v3 Authority Key Identifier:
keyid:D5:09:1A:48:F2:D8:F8:30:46:26:38:78:C8:C2:C5:CD:01:A7:1D:57
X509v3 Basic Constraints: critical
CA:TRUE
X509v3 Key Usage: critical
Certificate Sign, CRL Sign
X509v3 Subject Alternative Name:
email:postmaster at htt-consult.com
Signature Algorithm: ecdsa-with-SHA256
30:46:02:21:00:ed:b6:ea:93:b5:df:b2:30:fe:17:fc:a6:fa:
0e:c1:08:82:9a:84:59:a9:a6:5c:50:23:66:72:c0:da:7a:18:
5b:02:21:00:8b:f1:52:ea:dd:44:88:a6:ee:43:cd:29:52:e4:
27:57:ee:52:a2:47:86:6f:9e:11:9d:7d:72:a5:08:82:8f:14
On 08/17/2017 09:23 PM, Robert Moskowitz wrote:
> NO does not work. It worked because I had the old root CA cert
> there. Without it it fails.
>
> I tried adding -selfsign and that did something, but did not create a
> trusted cert...
>
>
> On 08/17/2017 08:44 PM, Robert Moskowitz wrote:
>> Kind of...
>>
>> Does not put SAN in CA cert:
>>
>> openssl req -config openssl-root.cnf -key private/ca.key.pem \
>> -new -x509 -days 7300 -sha256 -extensions v3_ca -out
>> certs/ca.cert.pem
>>
>> Does put SAN in CA cert:
>>
>> openssl req -config openssl-root.cnf -key private/ca.key.pem \
>> -new -sha256 -extensions v3_ca -out csr/ca.csr.pem
>>
>> openssl ca -config openssl-root.cnf -extensions v3_ca -days 7300
>> -notext -md sha256 \
>> -in csr/ca.csr.pem -out certs/ca.cert.pem
>>
>> Interesting that the single step does not work, but the 2 step doesn.
>>
>> Do I need -extensions v3_ca in both commands? Plus sha256 in both?
>> Could benefit from some refinement. Or getting the 1 step working.
>>
>> Good enough for now!
>>
>> Bob
>>
>>
>> On 08/17/2017 06:38 PM, Jeffrey Walton wrote:
>>> On Thu, Aug 17, 2017 at 6:30 PM, Robert Moskowitz
>>> <rgm at htt-consult.com> wrote:
>>>> I guess I am making progress. I am not getting SAN into the root
>>>> cert. my
>>>> cnf has in it:
>>>>
>>>> [ req ]
>>>> # Options for the `req` tool (`man req`).
>>>> default_bits = 2048
>>>> prompt = no
>>>> distinguished_name = req_distinguished_name
>>>> string_mask = utf8only
>>>> req_extensions = req_ext
>>>>
>>>> [ req_ext ]
>>>> #subjectAltName = email:$ENV::adminemail
>>>> #subjectAltName = email:admin at htt-consult.com
>>>> subjectAltName = IP:192.168.24.1
>>>>
>>>> I tried all three above alternatives for SAN. No SAN in the root cert
>>>> created with:
>>>>
>>>> openssl req -config openssl-root.cnf -key private/ca.key.pem \
>>>> -new -x509 -days 7300 -sha256 -extensions v3_ca -out
>>>> certs/ca.cert.pem
>>>>
>>>> Thanks for any insight.
>>>>
>>>> This type of cnf worked for creating a CSR and with the copy option
>>>> the SAN
>>>> made it into the cert.
>>> It looks a bit unusual for a Root CA.
>>>
>>> As far as signing the CSR, you need
>>>
>>> copy_extensions = copy
>>>
>>> Jeff
>>
>
More information about the openssl-users
mailing list