[openssl-users] openssl.cnf asking Subject Alternative Names certificates.

Jorge Novo jnovonj at gmail.com
Fri Oct 13 11:30:20 UTC 2017


On 13 October 2017 at 12:03, lists <lists at rustichelli.net> wrote:

> On 10/10/2017 05:40 PM, Jorge Novo wrote:
>   As most of us know, the Google Chrome Navigator ask about Subject
> Alternative Name instead the Common Name.
> I want to distribute a little *openssl.cnf* file for creation the CSR
> files with my specific values and establish the Subject Alternative Name =
> Common Name. I want yo ask about the CN and assign this value to SAN.
> This is my beta *openssl.cnf* file:
> *Sorry for the comments in Spanish
> I do not how to set a variable (CN Variable) to assign to SAN value.
> In my limited knowledge, you can't copy the CN name into the SAN in the
> configuration.
> Obvious yet clumsy workaround is to have a shell script ask for the FQDN,
> set a shell variable with the CN value and then recall the ENV variable
> from inside openssl.cnf, or you can have the script dynamically write/edit
> opessl.cnf with the user-entered value.

This is correct, it does not exist any configuration to copy the CN to SNA
vice versa, although it is weird because, in fact it exists, a
configuration to
copy the SMA email address from the distinguished name. This can be
done with these settings subjectAltName=email:copy or
subjectAltName=email:move. With move I can not confirm it.


_Subject Alternative Name_

The email option include a special 'copy' value. This will automatically
include any email addresses contained in the certificate subject name in
the extension.

My solution for this was:

# export Cert_Name=www.micasa.local
# openssl req -new -keyout $Cert_Name.key -out $Cert_Name.csr -config
# unset $Cert_Name



-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mta.openssl.org/pipermail/openssl-users/attachments/20171013/124363b9/attachment.html>

More information about the openssl-users mailing list