[openssl-users] Cant get the subjectALtName inot the root cert
Robert Moskowitz
rgm at htt-consult.com
Thu Aug 17 23:50:08 UTC 2017
On 08/17/2017 06:38 PM, Jeffrey Walton wrote:
> On Thu, Aug 17, 2017 at 6:30 PM, Robert Moskowitz <rgm at htt-consult.com> wrote:
>> I guess I am making progress. I am not getting SAN into the root cert. my
>> cnf has in it:
>>
>> [ req ]
>> # Options for the `req` tool (`man req`).
>> default_bits = 2048
>> prompt = no
>> distinguished_name = req_distinguished_name
>> string_mask = utf8only
>> req_extensions = req_ext
>>
>> [ req_ext ]
>> #subjectAltName = email:$ENV::adminemail
>> #subjectAltName = email:admin at htt-consult.com
>> subjectAltName = IP:192.168.24.1
>>
>> I tried all three above alternatives for SAN. No SAN in the root cert
>> created with:
>>
>> openssl req -config openssl-root.cnf -key private/ca.key.pem \
>> -new -x509 -days 7300 -sha256 -extensions v3_ca -out certs/ca.cert.pem
>>
>> Thanks for any insight.
>>
>> This type of cnf worked for creating a CSR and with the copy option the SAN
>> made it into the cert.
> It looks a bit unusual for a Root CA.
>
> As far as signing the CSR, you need
>
> copy_extensions = copy
I have that in the [ ca ] section and it did put SAN into the
intermediate CA cert.
But I can't seem to get it into the root CA cert.
Bob
More information about the openssl-users
mailing list