[openssl-users] Signing a csr with subjectAltName using x509 command

Viktor Dukhovni openssl-users at dukhovni.org
Wed Jan 13 18:46:17 UTC 2016


> On Jan 13, 2016, at 1:22 PM, Mauro Romano Trajber <trajber at gmail.com> wrote:
> 
> In which section?
> 
> On section [CA_default] I have 'copy_extensions = copy'

In case you find it useful, I am attaching a bash script I use to
generate certificate chains for various automated tests.

This does not use any customized .cnf files, and bypasses the ca(1)
utility, just signs directly via "openssl x509 -req" and extension
settings created on the fly via "-extfile <(printf ...)".

-------------- next part --------------
A non-text attachment was scrubbed...
Name: mkcert
Type: application/octet-stream
Size: 2872 bytes
Desc: not available
URL: <http://mta.openssl.org/pipermail/openssl-users/attachments/20160113/ce03cd51/attachment.obj>
-------------- next part --------------


The keys created are always EC P-256 keys, but you can change
that part of the script if you want RSA instead.

$ ./mkcert genroot "Root CA" rootkey rootcert
$ ./mkcert genca "Issuer CA" cakey cacert rootkey rootcert
$ ./mkcert genee "$(uname -n)" eekey eecert cakey cacert
$ openssl x509 -in eecert.pem -text -noout | egrep 'DNS:|Subject|Issuer'
        Issuer: CN = Issuer CA
        Subject: CN = vpro.lan
        Subject Public Key Info:
            X509v3 Subject Key Identifier: 
            X509v3 Subject Alternative Name: 
                DNS:vpro.lan

-- 
	Viktor.
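
The technique the message describes (signing a CSR directly with "openssl x509 -req" and supplying the extensions on the fly) as an added example; it is not the attached mkcert script and not part of the original post. It assumes OpenSSL 1.1.1 or later (for "req -addext"), the default openssl.cnf and a /dev/stdin device. The extension lines are piped to "-extfile /dev/stdin" so it also runs under plain sh, and the function, file and host names are constructed for the demo.

```shell
#!/bin/sh
# Added example: assumes OpenSSL 1.1.1+ and /dev/stdin; all names are constructed.
set -e

# newreq BASE CN [req options...]: EC P-256 key in BASE.key, CSR in BASE.csr
newreq() {
    base=$1 cn=$2; shift 2
    openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:prime256v1 \
        -out "$base.key" 2>/dev/null
    openssl req -new -key "$base.key" -subj "/CN=$cn" -out "$base.csr" "$@"
}

# sign CSR OUT EXTLINES [x509 options...]: sign with "x509 -req"; the
# extensions come only from EXTLINES, piped in as the -extfile.
# In bash, -extfile <(printf '%s\n' "$ext") does the same thing.
sign() {
    csr=$1 out=$2 ext=$3; shift 3
    printf '%s\n' "$ext" |
        openssl x509 -req -sha256 -days 30 -in "$csr" -out "$out" \
            -extfile /dev/stdin "$@" 2>/dev/null
}

# sans CERT: print the DNS subjectAltName line of CERT, if there is one
sans() {
    openssl x509 -in "$1" -noout -text | grep 'DNS:' || true
}

# demo: build a root and one end-entity cert in a scratch directory and
# print the SANs that ended up in the end-entity cert (runs in a subshell).
demo() (
    cd "$(mktemp -d)"
    newreq root demo-root
    sign root.csr root.pem 'basicConstraints = critical,CA:TRUE' -signkey root.key
    # The CSR asks for a name the signer never approved ...
    newreq ee host.example -addext 'subjectAltName = DNS:unapproved.example'
    # ... but only the extensions the signer supplies go into the certificate.
    sign ee.csr ee.pem 'subjectAltName = DNS:host.example' \
        -CA root.pem -CAkey root.key -set_serial 2
    sans ee.pem
)

demo
```

The SAN requested inside the CSR does not appear in the issued certificate, because "x509 -req" does not carry over CSR extensions by default; the names are whatever the signer writes into the extension file.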
