[openssl-users] Signing a csr with subjectAltName using x509 command
Viktor Dukhovni
openssl-users at dukhovni.org
Wed Jan 13 18:46:17 UTC 2016
> On Jan 13, 2016, at 1:22 PM, Mauro Romano Trajber <trajber at gmail.com> wrote:
>
> In which section?
>
> On section [CA_default] I have 'copy_extensions = copy'
In case you find it useful, I am attaching a bash script I use to
generate certificate chains for various automated tests.
This does not use any customized .cnf files, and bypasses the ca(1)
utility, just signs directly via "openssl x509 -req" and extension
settings created on the fly via "-extfile <(printf ...)".
-------------- next part --------------
A non-text attachment was scrubbed...
Name: mkcert
Type: application/octet-stream
Size: 2872 bytes
Desc: not available
URL: <http://mta.openssl.org/pipermail/openssl-users/attachments/20160113/ce03cd51/attachment.obj>
-------------- next part --------------
The keys created are always EC P-256 keys, but you can change
that part of the script if you want RSA instead.
$ ./mkcert genroot "Root CA" rootkey rootcert
$ ./mkcert genca "Issuer CA" cakey cacert rootkey rootcert
$ ./mkcert genee "$(uname -n)" eekey eecert cakey cacert
$ openssl x509 -in eecert.pem -text -noout | egrep 'DNS:|Subject|Issuer'
Issuer: CN = Issuer CA
Subject: CN = vpro.lan
Subject Public Key Info:
X509v3 Subject Key Identifier:
X509v3 Subject Alternative Name:
DNS:vpro.lan
--
Viktor.
More information about the openssl-users
mailing list