[openssl-users] Personal CA: are cert serial numbers critical?

Robert Moskowitz rgm at htt-consult.com
Wed Aug 16 17:54:55 UTC 2017

On 08/16/2017 01:12 PM, Viktor Dukhovni wrote:
>> On Aug 16, 2017, at 12:52 PM, Robert Moskowitz <rgm at htt-consult.com> wrote:
>> Which is also a problem in openssl.  You have to put the SAN into the cnf file.  There are a number of hacks to do this from the command line.
> Yep.  For an approach that uses "bash" in-line files see:
>     https://github.com/openssl/openssl/blob/master/test/certs/mkcert.sh#L95
I prefer something like this:

openssl req -new -sha256 -key domain.key -subj "/C=US/ST=CA/O=Acme, 
  -reqexts SAN -config <(cat /etc/ssl/openssl.cnf <(printf 
  -out domain.csr


More information about the openssl-users mailing list