Kind of...
Does not put SAN in CA cert:
openssl req -config openssl-root.cnf -key private/ca.key.pem \
-new -x509 -days 7300 -sha256 -extensions v3_ca -out
certs/ca.cert.pem
Does put SAN in CA cert:
openssl req -config openssl-root.cnf -key private/ca.key.pem \
-new -sha256 -extensions v3_ca -out csr/ca.csr.pem
openssl ca -config openssl-root.cnf -extensions v3_ca -days 7300 -notext
-md sha256 \
-in csr/ca.csr.pem -out certs/ca.cert.pem
Interesting that the single step does not work, but the 2 step doesn.
Do I need -extensions v3_ca in both commands? Plus sha256 in both?
Could benefit from some refinement. Or getting the 1 step working.
Good enough for now!
Bob
On 08/17/2017 06:38 PM, Jeffrey Walton wrote:
On Thu, Aug 17, 2017 at 6:30 PM, Robert Moskowitz <rgm@xxxxxxxxxxxxxxx> wrote:
I guess I am making progress. I am not getting SAN into the root cert. my
cnf has in it:
[ req ]
# Options for the `req` tool (`man req`).
default_bits = 2048
prompt = no
distinguished_name = req_distinguished_name
string_mask = utf8only
req_extensions = req_ext
[ req_ext ]
#subjectAltName = email:$ENV::adminemail
#subjectAltName = email:admin@xxxxxxxxxxxxxxx
subjectAltName = IP:192.168.24.1
I tried all three above alternatives for SAN. No SAN in the root cert
created with:
openssl req -config openssl-root.cnf -key private/ca.key.pem \
-new -x509 -days 7300 -sha256 -extensions v3_ca -out certs/ca.cert.pem
Thanks for any insight.
This type of cnf worked for creating a CSR and with the copy option the SAN
made it into the cert.
It looks a bit unusual for a Root CA.
As far as signing the CSR, you need
copy_extensions = copy
Jeff
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users