[openssl-users] Solved - Re: Can't get the subjectAltName into the root cert

Robert Moskowitz rgm at htt-consult.com
Fri Aug 18 00:44:48 UTC 2017


Kind of...

Does not put SAN in CA cert:

openssl req -config openssl-root.cnf -key private/ca.key.pem \
       -new -x509 -days 7300 -sha256 -extensions v3_ca \
       -out certs/ca.cert.pem

Does put SAN in CA cert:

openssl req -config openssl-root.cnf -key private/ca.key.pem \
       -new -sha256 -extensions v3_ca -out csr/ca.csr.pem

openssl ca -config openssl-root.cnf -extensions v3_ca -days 7300 -notext \
       -md sha256 \
       -in csr/ca.csr.pem -out certs/ca.cert.pem

Interesting that the single step does not work, but the 2 step does.

Do I need -extensions v3_ca in both commands?  Plus sha256 in both? 
Could benefit from some refinement.  Or getting the 1 step working.

Good enough for now!

Bob


On 08/17/2017 06:38 PM, Jeffrey Walton wrote:
> On Thu, Aug 17, 2017 at 6:30 PM, Robert Moskowitz <rgm at htt-consult.com> wrote:
>> I guess I am making progress.  I am not getting SAN into the root cert.  My
>> cnf has in it:
>>
>> [ req ]
>> # Options for the `req` tool (`man req`).
>> default_bits        = 2048
>> prompt              = no
>> distinguished_name  = req_distinguished_name
>> string_mask         = utf8only
>> req_extensions      = req_ext
>>
>> [ req_ext ]
>> #subjectAltName = email:$ENV::adminemail
>> #subjectAltName = email:admin at htt-consult.com
>> subjectAltName = IP:192.168.24.1
>>
>> I tried all three above alternatives for SAN.  No SAN in the root cert
>> created with:
>>
>> openssl req -config openssl-root.cnf -key private/ca.key.pem \
>>        -new -x509 -days 7300 -sha256 -extensions v3_ca -out certs/ca.cert.pem
>>
>> Thanks for any insight.
>>
>> This type of cnf worked for creating a CSR and with the copy option the SAN
>> made it into the cert.
> It looks a bit unusual for a Root CA.
>
> As far as signing the CSR, you need
>
>      copy_extensions = copy
>
> Jeff
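An added example, not part of the thread above, that reproduces the behaviour Bob saw and shows why it happens. `req_extensions` names the section `openssl req` uses only when it writes a CSR; when `req -x509` writes a self-signed certificate it takes its extensions from `x509_extensions` in `[ req ]`, or from the section named by `-extensions`, which here is `v3_ca`. Bob's `v3_ca` section has no `subjectAltName`, so the one-step root has none; the two-step route works because the SAN goes into the CSR via `req_ext` and `openssl ca` copies it across when `copy_extensions = copy` is set, as Jeff said. The script below builds a self-signed root twice from a constructed config, once with the SAN only in `req_ext` (the thread's layout) and once with the SAN also in `v3_ca`, and reports whether the result carries a SAN. The CA name "Example Root CA", the temporary file names, and the use of a P-256 key instead of the thread's RSA key are assumptions made for the example; the IP is the one from the thread.

```bash
#!/usr/bin/env bash
# Added example (not from the thread): why `openssl req -x509` drops a SAN that
# lives only in the req_extensions section, and the one-line config fix.
set -e

# Write an OpenSSL config. $1 = output path, $2 = "broken" or "fixed".
# "broken" mirrors the thread's layout: SAN only in [ req_ext ].
# "fixed" also puts the SAN in [ v3_ca ], the section `req -x509` actually uses.
write_cnf() {
  out=$1
  variant=$2
  cat >"$out" <<'EOF'
[ req ]
prompt             = no
distinguished_name = dn
# req_extensions is consulted only when `req` emits a CSR
req_extensions     = req_ext
# x509_extensions is what `req -x509` uses (the -extensions flag overrides it)
x509_extensions    = v3_ca

[ dn ]
CN = Example Root CA

[ req_ext ]
subjectAltName = IP:192.168.24.1

[ v3_ca ]
basicConstraints     = critical, CA:true
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
  if [ "$variant" = fixed ]; then
    # The fix: the SAN must be in the section the self-signed cert is built from.
    echo 'subjectAltName = IP:192.168.24.1' >>"$out"
  fi
}

# Build a self-signed root in the single `req -x509` step from the thread and
# print "yes" if the certificate carries a subjectAltName, "no" otherwise.
san_in_one_step_root() {
  variant=$1
  dir=$(mktemp -d)
  write_cnf "$dir/root.cnf" "$variant"
  # P-256 key instead of the thread's RSA key, purely to keep the example fast.
  openssl ecparam -name prime256v1 -genkey -noout -out "$dir/ca.key.pem"
  openssl req -config "$dir/root.cnf" -key "$dir/ca.key.pem" \
      -new -x509 -days 7300 -sha256 -extensions v3_ca \
      -out "$dir/ca.cert.pem" 2>/dev/null
  if openssl x509 -in "$dir/ca.cert.pem" -noout -text \
       | grep -q 'Subject Alternative Name'; then
    echo yes
  else
    echo no
  fi
  rm -rf "$dir"
}

# Stand-alone run: the thread's layout yields "no", the fixed layout "yes".
echo "SAN only in req_ext (thread's layout): $(san_in_one_step_root broken)"
echo "SAN also in v3_ca (fixed):             $(san_in_one_step_root fixed)"
```

Two practical notes. Newer OpenSSL (1.1.1 and later) also accepts `-addext "subjectAltName=IP:192.168.24.1"` on the `req -x509` command line, which avoids touching the config at all. And `copy_extensions = copy` in the `openssl ca` config is a blanket setting: every extension a requester places in a CSR is copied into the issued certificate, so on a CA that signs third-party CSRs it should be paired with a review of the CSR's extensions before signing.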


