[openssl-users] 802.1AR certificate generation and the config file

Robert Moskowitz rgm at htt-consult.com
Mon Aug 14 04:02:49 UTC 2017

I am getting a SAN in the csr e.g.:

         Requested Extensions:
             X509v3 Subject Alternative Name:
                 IP Address:

this is with the following in the config:

[ req ]
# Options for the `req` tool (`man req`).
default_bits        = 2048
distinguished_name  = req_distinguished_name
string_mask         = utf8only
req_extensions = req_ext


[ req_ext ]
subjectAltName = IP:

But I am not getting SAN in the cert.  Perhaps I need something for SAN 
in the -extensions section?  Right now I only have:

[ 8021ar_idevid ]
# Extensions for IEEE 802.1AR iDevID certificates (`man x509v3_config`).
basicConstraints = CA:FALSE
authorityKeyIdentifier = keyid,issuer:always
keyUsage = critical, digitalSignature, keyEncipherment


On 08/12/2017 10:28 AM, Michael Ströder wrote:
> Robert Moskowitz wrote:
>> On 08/11/2017 02:47 PM, Dr. Stephen Henson wrote:
>>> On Fri, Aug 11, 2017, Robert Moskowitz wrote:
>>>> I would want the 'openssl req' command to prompt for hwType and
>>>> hsSerialNum.  At least for now.
>>> Note that you can't get the 'openssl req' command prompt for this but you can
>>> generate the extension in an appropriate syntax: see my other message for
>>> details.
>>> You could prompt externally and pass the values as environment variables to
>>> openssl req of constuct the whole config file on the fly.
>> Sigh.
>> Making some headway.  Figured out you cannot have an alternative [ req ] section in the
>> config; no way to specify it.  Thus a completely separate config_8021AR to specify a
>> different distinguishedname set of fields.  Got that, now to get started on SAN.  Will
>> read your previous message.
> Maybe you should look at the following CLI options for "openssl req":
>   -subj arg      set or modify request subject
> [..]
>   -extensions .. specify certificate extension section (override value in config file)
>   -reqexts ..    specify request extension section (override value in config file)
> Ciao, Michael.

More information about the openssl-users mailing list