[openssl-users] Personal CA: are cert serial numbers critical?
Jakob Bohm
jb-openssl at wisemo.com
Wed Aug 16 18:29:42 UTC 2017
On 16/08/2017 19:54, Robert Moskowitz wrote:
>
>
> On 08/16/2017 01:12 PM, Viktor Dukhovni wrote:
>>> On Aug 16, 2017, at 12:52 PM, Robert Moskowitz <rgm at htt-consult.com>
>>> wrote:
>>>
>>> Which is also a problem in openssl. You have to put the SAN into
>>> the cnf file. There are a number of hacks to do this from the
>>> command line.
>> Yep. For an approach that uses "bash" in-line files see:
>>
>> https://github.com/openssl/openssl/blob/master/test/certs/mkcert.sh#L95
>>
> I prefer something like this:
>
> openssl req -new -sha256 -key domain.key -subj "/C=US/ST=CA/O=Acme,
> Inc./CN=example.com"\
> -reqexts SAN -config <(cat /etc/ssl/openssl.cnf <(printf
> "[SAN]\nsubjectAltName=DNS:example.com,DNS:www.example.com"))\
> -out domain.csr
Another option is to use a config file that includes environment variables
in the relevant fields.
So it becomes something like
export FOREMAIL=moe at example.com
export FORUSER="Moe Madman"
export CERTFN=moe
openssl req -config /etc/cacfg/ca2017-mail.conf -newkey rsa:3072 -keyout
${CERTFN}.key -out ${CERTFN}.csr
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
More information about the openssl-users
mailing list