[openssl-users] Signing a csr with subjectAltName using x509 command

Mauro Romano Trajber trajber at gmail.com
Wed Jan 13 19:23:36 UTC 2016


Thanks,

I could not make subjectAltName copy at all. I tried several ways without
success; subjectAltName=IP:copy is not a valid option in the way that
subjectAltName=email:copy is.

What works for me (but doesn't seem to be the correct solution) is to pass
the extfile to the x509 command with the subjectAltName data again, although
the CSR file already contains this information.

Here goes what I did:

# creating the CA
$ openssl genrsa -out ca.key 2048
$ openssl req -new -x509 -nodes -days 3650 -key ca.key -out ca.cert \
    -subj '/C=xx/ST=xx/L=xx/CN=catest'

# creating the peer certificate

$ openssl genrsa -out server.key 2048
$ openssl req -new -key server.key -out server.csr \
    -subj '/C=xx/ST=xx/L=xx/CN=server/' -reqexts SAN \
    -config <(cat /etc/ssl/openssl.cnf \
        <(printf "[SAN]\nsubjectAltName=IP:1.1.1.1,DNS:www.example.com"))

At this point we can see that the CSR file contains the v3ext data:

$ openssl req -noout -text -in server.csr
....
        Requested Extensions:
            X509v3 Subject Alternative Name:
                IP Address:1.1.1.1, DNS:www.example.com
...

But for the subjectAltName data to be included in the certificate I must pass
all the info again to the x509 command:

$ openssl x509 -req -in server.csr -CA ca.cert -CAkey ca.key -CAcreateserial \
    -out server.cert -days 3650 \
    -extfile <(cat /etc/ssl/openssl.cnf \
        <(printf "[SAN]\nsubjectAltName=IP:1.1.1.1,DNS:www.example.com")) \
    -extensions SAN

$ openssl x509 -noout -text -in server.cert
....
        Requested Extensions:
            X509v3 Subject Alternative Name:
                IP Address:1.1.1.1, DNS:www.example.com
...

On Wed, Jan 13, 2016 at 4:46 PM, Viktor Dukhovni <openssl-users at dukhovni.org
> wrote:

>
> > On Jan 13, 2016, at 1:22 PM, Mauro Romano Trajber <trajber at gmail.com>
> wrote:
> >
> > In which section?
> >
> > On section [CA_default] I have 'copy_extensions = copy'
>
> In case you find it useful, I am attaching a bash script I use to
> generate certificate chains for various automated tests.
>
> This does not use any customized .cnf files, and bypasses the ca(1)
> utility, just signs directly via "openssl x509 -req" and extension
> settings created on the fly via "-extfile <(printf ...)".
>
>
>
>
> The keys created are always EC P-256 keys, but you can change
> that part of the script if you want RSA instead.
>
> $ ./mkcert genroot "Root CA" rootkey rootcert
> $ ./mkcert genca "Issuer CA" cakey cacert rootkey rootcert
> $ ./mkcert genee "$(uname -n)" eekey eecert cakey cacert
> $ openssl x509 -in eecert.pem -text -noout | egrep 'DNS:|Subject|Issuer'
>         Issuer: CN = Issuer CA
>         Subject: CN = vpro.lan
>         Subject Public Key Info:
>             X509v3 Subject Key Identifier:
>             X509v3 Subject Alternative Name:
>                 DNS:vpro.lan
>
> --
>         Viktor.
>
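The workaround in this thread retypes the SAN on the x509 command line. The following script, added here as an example and not code from the thread, reads the SAN out of the CSR with "openssl req -text", rewrites it into extfile syntax, and signs with "openssl x509 -req" so nothing has to be typed twice. It also refuses DNS entries outside the zone the CA is meant to issue for, since the CSR (and therefore its SAN) is controlled by the requester. The function names and the zone argument are this example's own.

```shell
#!/bin/sh
# Added example, not from the original post: carry the CSR's own subjectAltName
# over to the certificate signed with "openssl x509 -req".

# Turn the SAN line as printed by "openssl req -text", e.g.
#   "IP Address:1.1.1.1, DNS:www.example.com"
# into the extfile syntax "IP:1.1.1.1,DNS:www.example.com".
san_text_to_extfile() {
    printf '%s\n' "$1" | sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' \
        -e 's/IP Address:/IP:/g' -e 's/Registered ID:/RID:/g' -e 's/, */,/g'
}

# Print the SAN line of a CSR (the line following the extension header),
# or nothing if the CSR carries no subjectAltName.
csr_san() {
    openssl req -noout -text -in "$1" |
        sed -n '/X509v3 Subject Alternative Name/{n;p;q;}'
}

# Return 0 only if every DNS entry is the given zone or a name under it;
# other entry types (IP, email, ...) are left for the caller to police.
san_dns_within() {
    zone=$2
    old_ifs=$IFS; IFS=','
    for entry in $1; do
        case $entry in
            DNS:"$zone"|DNS:*."$zone") ;;
            DNS:*) IFS=$old_ifs; return 1 ;;
        esac
    done
    IFS=$old_ifs
    return 0
}

# Sign a CSR, copying its SAN into the certificate.
# Usage: sign_with_csr_san server.csr ca.cert ca.key server.cert example.com
sign_with_csr_san() {
    csr=$1; cacert=$2; cakey=$3; out=$4; zone=$5
    san=$(csr_san "$csr")
    [ -n "$san" ] || { echo "no subjectAltName in $csr" >&2; return 1; }
    ext=$(san_text_to_extfile "$san")
    san_dns_within "$ext" "$zone" || { echo "SAN outside $zone: $ext" >&2; return 1; }
    extfile=$(mktemp) || return 1
    printf '[SAN]\nsubjectAltName=%s\n' "$ext" > "$extfile"
    openssl x509 -req -in "$csr" -CA "$cacert" -CAkey "$cakey" -CAcreateserial \
        -days 3650 -out "$out" -extfile "$extfile" -extensions SAN
    status=$?
    rm -f "$extfile"
    return $status
}
```

OpenSSL 3.0 later added a -copy_extensions option to x509 -req that does this copying natively; on releases without it, the extfile route above is what is available.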