<div dir="ltr"><div>Thanks,</div><div><br></div><div>I could not make subjectAltName copy at all. I try several ways without success - subjectAltName=IP:copy its not a valid option like subjectAltName=email:copy.</div><div><br></div><div>What works for me (but doesn't seems to be the correct solution) is pass the extfile to x509 command with subjectAltName data again - although the CSR file already contain this information</div><div><br></div><div>Here goes what I did:</div><div><br></div><div># creating the CA</div><div><div>$ openssl genrsa -out ca.key 2048</div><div>$ openssl req -new -x509 -nodes -days 3650 -key ca.key -out ca.cert -subj '/C=xx/ST=xx/L=xx/CN=catest'</div></div><div><br></div><div># creating the peer certificate</div><div><br></div><div><div>$ openssl genrsa -out server.key 2048</div></div><div><div>$ openssl req -new -key server.key -out server.csr -subj '/C=xx/ST=xx/L=xx/CN=server/' -reqexts SAN -config <(cat /etc/ssl/openssl.cnf <(printf "[SAN]\nsubjectAltName=IP:1.1.1.1,DNS:<a href="http://www.example.com">www.example.com</a>"))</div></div><div><br></div><div>At this point we can see that the CSR file contains the v3ext data:</div><div><br></div><div><div>$ openssl req -noout -text -in server.csr</div></div><div><div>....</div><div> Requested Extensions:</div><div> X509v3 Subject Alternative Name:</div><div> IP Address:1.1.1.1, DNS:<a href="http://www.example.com">www.example.com</a></div><div>...</div></div><div><br></div><div>But to subjectAltName data be included in the certificate I must pass all info again to x509 command:</div><div><br></div><div><div>$ openssl x509 -req -in server.csr -CA ca.cert -CAkey ca.key -CAcreateserial -out server.cert -days 3650 -extfile <(cat /etc/ssl/openssl.cnf <(printf "[SAN]\nsubjectAltName=IP:1.1.1.1,DNS:<a href="http://www.example.com">www.example.com</a>")) -extensions SAN</div></div><div><br></div><div><div>$ openssl x509 -noout -text -in server.cert</div></div><div><div>....</div><div> Requested Extensions:</div><div> X509v3 Subject Alternative Name:</div><div> IP Address:1.1.1.1, DNS:<a href="http://www.example.com">www.example.com</a></div><div>...</div></div><div><br></div><div><br></div><div><br></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Wed, Jan 13, 2016 at 4:46 PM, Viktor Dukhovni <span dir="ltr"><<a href="mailto:openssl-users@dukhovni.org" target="_blank">openssl-users@dukhovni.org</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span class=""><br>
> On Jan 13, 2016, at 1:22 PM, Mauro Romano Trajber <<a href="mailto:trajber@gmail.com">trajber@gmail.com</a>> wrote:<br>
><br>
> In which section?<br>
><br>
> On section [CA_default] I have 'copy_extensions = copy'<br>
<br>
</span>In case you find it useful, I am attaching a bash script I use to<br>
generate certificate chains for various automated tests.<br>
<br>
This does not use any customized .cnf files, and bypasses the ca(1)<br>
utility, just signs directly via "openssl x509 -req" and extension<br>
settings created on the fly via "-extfile <(printf ...)".<br>
<br>
<br><br>
<br>
The keys created are always EC P-256 keys, but you can change<br>
that part of the script if you want RSA instead.<br>
<br>
$ ./mkcert genroot "Root CA" rootkey rootcert<br>
$ ./mkcert genca "Issuer CA" cakey cacert rootkey rootcert<br>
$ ./mkcert genee "$(uname -n)" eekey eecert cakey cacert<br>
$ openssl x509 -in eecert.pem -text -noout | egrep 'DNS:|Subject|Issuer'<br>
Issuer: CN = Issuer CA<br>
Subject: CN = vpro.lan<br>
Subject Public Key Info:<br>
X509v3 Subject Key Identifier:<br>
X509v3 Subject Alternative Name:<br>
DNS:vpro.lan<br>
<br>
--<br>
Viktor.<br>
<br>
<br>
<br>
<br>_______________________________________________<br>
openssl-users mailing list<br>
To unsubscribe: <a href="https://mta.openssl.org/mailman/listinfo/openssl-users" rel="noreferrer" target="_blank">https://mta.openssl.org/mailman/listinfo/openssl-users</a><br>
<br></blockquote></div><br></div>