[openssl-users] FINAL simpler solution - Re: Solved - Re: Can't get the subjectAltName into the root cert
Robert Moskowitz
rgm at htt-consult.com
Fri Aug 18 02:54:29 UTC 2017
I just had to ask Dr. Google the right question:
openssl subjectaltname in a selfsigned certificate
After all, a root cert is a selfsigned cert.
And I learned to put SAN in the [ v3_ca ] section, rather than the [ req ] section; then all it takes is what I already had:
openssl req -config openssl-root.cnf -key private/ca.key.pem \
-new -x509 -days 7300 -sha256 -extensions v3_ca -out certs/ca.cert.pem
On 08/17/2017 09:52 PM, Robert Moskowitz wrote:
> It IS working with -selfsign. So this step is done.
>
> openssl ca -config openssl-root.cnf -extensions v3_ca -days 7300 \
> -notext -md sha256 \
> -selfsign -in csr/ca.csr.pem -out certs/ca.cert.pem
>
> openssl x509 -in certs/ca.cert.pem -text -noout
> Certificate:
>     Data:
>         Version: 3 (0x2)
>         Serial Number:
>             87:b5:1d:03:12:a9:f3:fa
>         Signature Algorithm: ecdsa-with-SHA256
>         Issuer: C=US, ST=MI, O=HTT Consulting, CN=Root CA
>         Validity
>             Not Before: Aug 18 01:50:19 2017 GMT
>             Not After : Aug 13 01:50:19 2037 GMT
>         Subject: C=US, ST=MI, O=HTT Consulting, CN=Root CA
>         Subject Public Key Info:
>             Public Key Algorithm: id-ecPublicKey
>                 Public-Key: (256 bit)
>                 pub:
>                     04:03:ee:4a:51:17:df:50:2b:bc:69:63:b5:03:90:
>                     b5:ed:cf:d5:67:16:94:46:9c:ca:5b:1c:87:d0:81:
>                     18:04:bf:5a:c0:00:4e:90:4b:fb:2e:17:1c:aa:42:
>                     1e:9e:bd:be:ba:d7:f8:6c:55:24:b2:91:da:61:9c:
>                     66:b4:03:a5:93
>                 ASN1 OID: prime256v1
>                 NIST CURVE: P-256
>         X509v3 extensions:
>             X509v3 Subject Key Identifier:
>                 D5:09:1A:48:F2:D8:F8:30:46:26:38:78:C8:C2:C5:CD:01:A7:1D:57
>             X509v3 Authority Key Identifier:
>                 keyid:D5:09:1A:48:F2:D8:F8:30:46:26:38:78:C8:C2:C5:CD:01:A7:1D:57
>
>             X509v3 Basic Constraints: critical
>                 CA:TRUE
>             X509v3 Key Usage: critical
>                 Certificate Sign, CRL Sign
>             X509v3 Subject Alternative Name:
>                 email:postmaster at htt-consult.com
>     Signature Algorithm: ecdsa-with-SHA256
>          30:46:02:21:00:ed:b6:ea:93:b5:df:b2:30:fe:17:fc:a6:fa:
>          0e:c1:08:82:9a:84:59:a9:a6:5c:50:23:66:72:c0:da:7a:18:
>          5b:02:21:00:8b:f1:52:ea:dd:44:88:a6:ee:43:cd:29:52:e4:
>          27:57:ee:52:a2:47:86:6f:9e:11:9d:7d:72:a5:08:82:8f:14
>
>
>
> On 08/17/2017 09:23 PM, Robert Moskowitz wrote:
>> NO, does not work. It worked because I had the old root CA cert
>> there. Without it, it fails.
>>
>> I tried adding -selfsign and that did something, but did not create a
>> trusted cert...
>>
>>
>> On 08/17/2017 08:44 PM, Robert Moskowitz wrote:
>>> Kind of...
>>>
>>> Does not put SAN in CA cert:
>>>
>>> openssl req -config openssl-root.cnf -key private/ca.key.pem \
>>> -new -x509 -days 7300 -sha256 -extensions v3_ca -out certs/ca.cert.pem
>>>
>>> Does put SAN in CA cert:
>>>
>>> openssl req -config openssl-root.cnf -key private/ca.key.pem \
>>> -new -sha256 -extensions v3_ca -out csr/ca.csr.pem
>>>
>>> openssl ca -config openssl-root.cnf -extensions v3_ca -days 7300 \
>>> -notext -md sha256 \
>>> -in csr/ca.csr.pem -out certs/ca.cert.pem
>>>
>>> Interesting that the single step does not work, but the 2 step does.
>>>
>>> Do I need -extensions v3_ca in both commands? Plus sha256 in both?
>>> Could benefit from some refinement. Or getting the 1 step working.
>>>
>>> Good enough for now!
>>>
>>> Bob
>>>
>>>
>>> On 08/17/2017 06:38 PM, Jeffrey Walton wrote:
>>>> On Thu, Aug 17, 2017 at 6:30 PM, Robert Moskowitz
>>>> <rgm at htt-consult.com> wrote:
>>>>> I guess I am making progress. I am not getting SAN into the root
>>>>> cert. My cnf has in it:
>>>>>
>>>>> [ req ]
>>>>> # Options for the `req` tool (`man req`).
>>>>> default_bits = 2048
>>>>> prompt = no
>>>>> distinguished_name = req_distinguished_name
>>>>> string_mask = utf8only
>>>>> req_extensions = req_ext
>>>>>
>>>>> [ req_ext ]
>>>>> #subjectAltName = email:$ENV::adminemail
>>>>> #subjectAltName = email:admin at htt-consult.com
>>>>> subjectAltName = IP:192.168.24.1
>>>>>
>>>>> I tried all three above alternatives for SAN. No SAN in the root
>>>>> cert created with:
>>>>>
>>>>> openssl req -config openssl-root.cnf -key private/ca.key.pem \
>>>>> -new -x509 -days 7300 -sha256 -extensions v3_ca -out certs/ca.cert.pem
>>>>>
>>>>> Thanks for any insight.
>>>>>
>>>>> This type of cnf worked for creating a CSR, and with the copy
>>>>> option the SAN made it into the cert.
>>>> It looks a bit unusual for a Root CA.
>>>>
>>>> As far as signing the CSR, you need
>>>>
>>>> copy_extensions = copy
>>>>
>>>> Jeff
>>>
>>
>
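As an added example (not code from the thread or from OpenSSL itself), here is a complete openssl-root.cnf with subjectAltName placed in [ v3_ca ], the one-step "openssl req -x509 -extensions v3_ca" command the thread settled on, and a check that the SAN and the CA:TRUE constraint actually ended up in the self-signed root. The scratch directory, the DN values and the e-mail address are assumptions.

```shell
# Added example, not code from the thread: a minimal openssl-root.cnf with
# subjectAltName in [ v3_ca ], the one-step "openssl req -x509" command, and a
# check that the SAN really landed in the self-signed root.
# Assumptions: scratch dir $WORK, the DN values and the e-mail address.
set -eu

WORK="${WORK:-$(mktemp -d)}"
write_root_cnf() {
  cat > "$WORK/openssl-root.cnf" <<'EOF'
[ req ]
prompt             = no
distinguished_name = req_distinguished_name
string_mask        = utf8only
# req_extensions is only consulted when a CSR is written; with -x509 the
# section named by -extensions (here v3_ca) is what goes into the cert.

[ req_distinguished_name ]
C  = US
ST = MI
O  = Example Org
CN = Root CA

[ v3_ca ]
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints       = critical, CA:true
keyUsage               = critical, keyCertSign, cRLSign
subjectAltName         = email:postmaster@example.org
EOF
}

make_root_ca() {
  write_root_cnf
  # constructed P-256 key, like the ecdsa-with-SHA256 root in the thread
  openssl ecparam -name prime256v1 -genkey -noout -out "$WORK/ca.key.pem"
  openssl req -config "$WORK/openssl-root.cnf" -key "$WORK/ca.key.pem" \
    -new -x509 -days 7300 -sha256 -extensions v3_ca -out "$WORK/ca.cert.pem"
}

# Prints the SAN value from the root cert (empty if the extension is absent).
root_san() {
  openssl x509 -in "$WORK/ca.cert.pem" -noout -text \
    | grep -A1 'X509v3 Subject Alternative Name' | tail -n 1 | sed 's/^ *//'
}

# Succeeds only if the root carries a CA:TRUE basic constraint.
root_is_ca() {
  openssl x509 -in "$WORK/ca.cert.pem" -noout -text | grep -q 'CA:TRUE'
}
```

Run make_root_ca and then root_san; an empty result means the SAN was left in a section that -x509 never reads.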