How to create a SAN certificate

David von Oheimb dev at ddvo.net
Sat May 21 19:43:10 UTC 2022


Since OpenSSL 3.0,
one can use the -copy_extensions option of openssl req to copy over any
SANs contained in the CSR to the cert being created,
or use -addext to directly specify extensions without the need to use a
config file,
or simply use the -x509 and -subj options to build a cert from scratch
(without using a CSR) and add extensions on-the-fly, e.g.,
 openssl req -x509 -subj "/CN=test" -key ../prepare2/ca.key -addext "subjectAltName = IP:1.2.3.4, DNS:test.com" -out ee.crt
or use the -new option of openssl x509 to build a cert from scratch
(without using a CSR) and add extensions on-the-fly, e.g.,
 openssl x509 -new -subj "/CN=test" -key ee.key -extfile <(printf "subjectAltName = IP:1.2.3.4, DNS:test.com") -out ee.crt

Otherwise, as mentioned in the first answer quoted below, the classical
way involves a config file - for details see the manual file.

Yet even with older OpenSSL versions (such as 1.1.1f) you can do without
using a config file, e.g.,
 openssl x509 -req -signkey ee.key -in ee.req -extfile <(printf "subjectAltName = IP:1.2.3.4, DNS:test.com") -out ee.crt
or
 openssl req -x509 -new -key ee.key -subj "/CN=test" -addext "subjectAltName = IP:1.2.3.4, DNS:test.com" -out ee.crt

HTH,
 David

On Sat, 2022-05-21 at 06:45 -0400, Michael Richardson wrote:
> 
> Henning Svane <hsv at energy.dk> wrote:
>     > I am using OpenSSL 1.1.1f. Is there a way to make a SAN certificate
>     > based on the CSR I have created in Exchange.  I need a self-signed
>     > certificate for testing.
> 
> I'm not exactly sure what you think a SAN certificate is.
> I guess one with a SubjectAltName extension.  Mostly, all certificates have
> that these days, but whether or not the Subject is entirely filled out is a
> different question.
> 
> To form a self-signed certificate from a CSR, use openssl req.
> You may need a configuration file, serial number, expiry and algorithm.
> You'll need access to the private key.
> 
> See: 
> https://datatracker.ietf.org/doc/html/draft-moskowitz-ecdsa-pki#section-4.2
> 
> Some of us maintain a document on generated test CAs for ECDSA and EDDSA
> key types at: 
> https://github.com/henkbirkholz/draft-moskowitz-ecdsa-pki
> while it is in the form of an IETF ID, it is not intended for publication.
> 
> --
> ]               Never tell me the odds!                 | ipv6 mesh networks [
> ]   Michael Richardson, Sandelman Software Works        | network architect  [
> ]     mcr at sandelman.ca  http://www.sandelman.ca/        |   ruby on rails    [
> 
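As an added example (not the commands posted in this thread), the script below issues a self-signed certificate with a subjectAltName by each of the three command shapes David describes (-x509 with -addext, a CSR plus -copy_extensions on OpenSSL 3.0, and x509 -req with -extfile on older releases) and then reads the SAN back out of the resulting certificate, which is the check to run whenever a "SAN certificate" turns out not to have one. It assumes only the openssl CLI is installed; the key, the subject /CN=test and the SAN values IP:1.2.3.4, DNS:test.com are constructed sample values.

```bash
#!/usr/bin/env bash
# Added example, not part of the mailing-list thread: build a self-signed
# certificate that carries subjectAltName WITHOUT an openssl.cnf, by each of
# the three command shapes discussed above, then verify the extension really
# ended up in the certificate. Only the openssl CLI is required.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed sample values (the same ones used in the thread).
SAN="subjectAltName = IP:1.2.3.4, DNS:test.com"
SUBJ="/CN=test"

# One RSA key reused by every variant; genpkey works on 1.1.1 and 3.x alike.
newkey() {  # $1 = key file to write
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$1" 2>/dev/null
}

# 1) OpenSSL >= 1.1.1: -x509 plus -addext builds the cert from scratch, no CSR.
make_cert_addext() {  # $1 = key, $2 = cert out
  openssl req -x509 -new -key "$1" -subj "$SUBJ" -addext "$SAN" -days 1 -out "$2"
}

# 2) OpenSSL >= 3.0: the SAN sits in the CSR and -copy_extensions copy carries
#    it into the self-signed cert. Without that option req silently drops the
#    CSR's extensions, which is the usual reason a "SAN cert" has no SAN.
make_cert_copy_ext() {  # $1 = key, $2 = csr out, $3 = cert out
  openssl req -new -key "$1" -subj "$SUBJ" -addext "$SAN" -out "$2"
  openssl req -x509 -in "$2" -key "$1" -copy_extensions copy -days 1 -out "$3"
}

# 3) Older releases such as 1.1.1f: sign an existing CSR with openssl x509 -req
#    and take the extension from an extfile. A temp file stands in for the
#    thread's <(printf ...) so this also runs under plain sh.
make_cert_extfile() {  # $1 = key, $2 = csr out, $3 = cert out
  openssl req -new -key "$1" -subj "$SUBJ" -out "$2"
  printf '%s\n' "$SAN" > "$WORK/ext.cnf"
  openssl x509 -req -signkey "$1" -in "$2" -extfile "$WORK/ext.cnf" -days 1 -out "$3"
}

# Verification: print the SAN line the certificate actually contains. -text
# works on 1.1.1 and 3.x alike; on 3.x "-ext subjectAltName" does the same.
san_of() {  # $1 = cert file
  openssl x509 -in "$1" -noout -text |
    awk '/Subject Alternative Name/ { getline; sub(/^ +/, ""); print; exit }'
}

# Demo: run every variant this openssl release supports and show the SANs.
demo() {
  newkey "$WORK/ee.key"
  make_cert_addext "$WORK/ee.key" "$WORK/ee1.crt"
  echo "addext:          $(san_of "$WORK/ee1.crt")"
  make_cert_extfile "$WORK/ee.key" "$WORK/ee3.csr" "$WORK/ee3.crt"
  echo "extfile:         $(san_of "$WORK/ee3.crt")"
  if openssl version | grep -q '^OpenSSL 3'; then
    make_cert_copy_ext "$WORK/ee.key" "$WORK/ee2.csr" "$WORK/ee2.crt"
    echo "copy_extensions: $(san_of "$WORK/ee2.crt")"
  fi
}
demo
```

Each line printed by the demo should read "IP Address:1.2.3.4, DNS:test.com"; if a line is empty, that variant produced a certificate without the extension, which on OpenSSL 3.0 most often means -copy_extensions was left out of the req -x509 step.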