[openssl-users] Solved - Re: Can't get the subjectAltName into the root cert

Robert Moskowitz rgm at htt-consult.com
Fri Aug 18 01:23:52 UTC 2017


No, it does not work.  It worked because I had the old root CA cert there.  
Without it, it fails.

I tried adding -selfsign and that did something, but did not create a 
trusted cert...


On 08/17/2017 08:44 PM, Robert Moskowitz wrote:
> Kind of...
>
> Does not put SAN in CA cert:
>
> openssl req -config openssl-root.cnf -key private/ca.key.pem \
>       -new -x509 -days 7300 -sha256 -extensions v3_ca -out certs/ca.cert.pem
>
> Does put SAN in CA cert:
>
> openssl req -config openssl-root.cnf -key private/ca.key.pem \
>       -new -sha256 -extensions v3_ca -out csr/ca.csr.pem
>
> openssl ca -config openssl-root.cnf -extensions v3_ca -days 7300 -notext -md sha256 \
>       -in csr/ca.csr.pem -out certs/ca.cert.pem
>
> Interesting that the single step does not work, but the 2 step does.
>
> Do I need -extensions v3_ca in both commands?  Plus sha256 in both? 
> Could benefit from some refinement.  Or getting the 1 step working.
>
> Good enough for now!
>
> Bob
>
>
> On 08/17/2017 06:38 PM, Jeffrey Walton wrote:
>> On Thu, Aug 17, 2017 at 6:30 PM, Robert Moskowitz 
>> <rgm at htt-consult.com> wrote:
>>> I guess I am making progress.  I am not getting SAN into the root cert.
>>> My cnf has in it:
>>>
>>> [ req ]
>>> # Options for the `req` tool (`man req`).
>>> default_bits        = 2048
>>> prompt              = no
>>> distinguished_name  = req_distinguished_name
>>> string_mask         = utf8only
>>> req_extensions      = req_ext
>>>
>>> [ req_ext ]
>>> #subjectAltName = email:$ENV::adminemail
>>> #subjectAltName = email:admin at htt-consult.com
>>> subjectAltName = IP:192.168.24.1
>>>
>>> I tried all three above alternatives for SAN.  No SAN in the root cert
>>> created with:
>>>
>>> openssl req -config openssl-root.cnf -key private/ca.key.pem \
>>>        -new -x509 -days 7300 -sha256 -extensions v3_ca -out certs/ca.cert.pem
>>>
>>> Thanks for any insight.
>>>
>>> This type of cnf worked for creating a CSR and with the copy option the SAN
>>> made it into the cert.
>> It looks a bit unusual for a Root CA.
>>
>> As far as signing the CSR, you need
>>
>>      copy_extensions = copy
>>
>> Jeff
>
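The behaviour seen in this thread (SAN present after the two-step `req` + `ca` flow with `copy_extensions = copy`, absent after the one-step `req -x509`) follows from which config section each mode reads: `req_extensions` is only consulted when a CSR is written, while `-x509` output takes its extensions from `x509_extensions`, or from whatever section `-extensions` names. The script below is an added example, not code from the thread or from OpenSSL; it assumes the `openssl` CLI is on PATH, and every file name and value in it is constructed for the demonstration.

```shell
# Added example, not from the thread. Builds the same self-signed root two ways:
# with the SAN only in [req_ext] (the thread's layout) and with the SAN in
# [v3_ca], the section `openssl req -x509 -extensions v3_ca` actually reads.
# Assumes the openssl CLI is on PATH; all names and values are constructed.
set -e
command -v openssl >/dev/null 2>&1 || { echo "openssl not found"; exit 0; }
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT
SAN_LINE="subjectAltName = IP:192.168.24.1"

write_cnf() {  # $1 = file, $2 = extra line for [req_ext], $3 = extra line for [v3_ca]
    cat > "$1" <<EOF
[ req ]
default_bits        = 2048
prompt              = no
distinguished_name  = req_distinguished_name
string_mask         = utf8only
req_extensions      = req_ext
x509_extensions     = v3_ca

[ req_distinguished_name ]
CN = Constructed Example Root CA

[ req_ext ]
$2

[ v3_ca ]
basicConstraints     = critical, CA:true
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
$3
EOF
}

# One-step self-signed root, as in the thread's command; prints the IP SAN
# found in the resulting certificate, or nothing if the SAN is absent.
self_signed_san() {  # $1 = config file
    openssl req -config "$1" -key "$WORK/ca.key.pem" -new -x509 -days 7300 \
        -sha256 -extensions v3_ca -out "$WORK/ca.cert.pem" 2>/dev/null
    openssl x509 -in "$WORK/ca.cert.pem" -noout -text |
        grep -A1 'Subject Alternative Name' | grep -o 'IP Address:[0-9.]*' || true
}

openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$WORK/ca.key.pem" 2>/dev/null
write_cnf "$WORK/req_ext_only.cnf" "$SAN_LINE" ""          # the thread's layout
write_cnf "$WORK/v3_ca.cnf"        ""         "$SAN_LINE"  # SAN where -x509 looks
echo "SAN only in [req_ext]: '$(self_signed_san "$WORK/req_ext_only.cnf")'"
echo "SAN in [v3_ca]:        '$(self_signed_san "$WORK/v3_ca.cnf")'"
```

The first line prints an empty SAN, the second prints `IP Address:192.168.24.1`; the two-step flow in the thread only works because `openssl ca` copies the CSR's `req_ext` extensions on top of `v3_ca`.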