Problems adding specific extensions to signed certificates

[Michael Wojcik]

> From: Michael Leone [mailto:turgon at mike-leone.com]
> Sent: Friday, February 07, 2020 13:13
>
> I've got it almost all figured out, except how to get a subjectAltName
> automatically populated by the CN of the requestor. My requests aren't
> asking for a SAN, but Chrome isn't happy without one, so I'd like to
> at least auto-populate 1 SAN by having it be the DNS:<CN> of the
> requesting CSR.


Not automatically, unfortunately. openssl ca recognizes a special "email:copy" token in the extension list in the configuration file, but that's only for email addresses in the Subject DN.

I generally script this sort of thing.

If you have the CN handy before you create the CSR, just add it there:

   CN=<whatever>
   openssl req ... -addext "subjectAltName=DNS:$CN"

If not, you can do it at the issuing stage by extracting the CN from the CSR and then putting it into a SAN appended to the list of extensions for ca. Unfortunately ca doesn't have the -addext option (alas), but you can do it with a temporary file, perhaps using a bash inline file as Viktor suggested in an earlier message in this thread.

Currently for historical reasons the scripts I have for doing this are all for Windows, but it's actually easier to do it on Linux or UNIX (or on Windows using Cygwin or WSL or whatever). Something like this:

   CnLine=$(openssl req -in $CsrFile -noout -subject -nameopt sep_multiline,sname | grep " CN=")
   openssl ca ... -extfile <(cat extensions-file; echo subjectAltName=DNS:${CnLine# *CN=})

Though that may be a bit too clever to be easily maintainable, depending on who's going to maintain it. It might be more sensible to have the script build a temporary file with multiple, more easily understood and debugged steps. (You may want to watch for potential TOCTOU vulnerabilities if you use that approach, though it sounds like this isn't a concern for your particular use case.)

--
Michael Wojcik
Distinguished Engineer, Micro Focus