I just had to ask Dr. Google the right question:
openssl subjectaltname in a selfsigned certificate
Afterall, a root cert is a selfsigned cert.
And I learned to put SAN in the [ v3_ca ] section, rather than the [ req
] section then all it takes is what I already had:
openssl req -config openssl-root.cnf -key private/ca.key.pem \
-new -x509 -days 7300 -sha256 -extensions v3_ca -out
certs/ca.cert.pem
On 08/17/2017 09:52 PM, Robert Moskowitz wrote:
It IS working with -selfsign. So this step is done.
openssl ca -config openssl-root.cnf -extensions v3_ca -days 7300
-notext -md sha256 \
-selfsign -in csr/ca.csr.pem -out certs/ca.cert.pem
openssl x509 -in certs/ca.cert.pem -text -noout
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
87:b5:1d:03:12:a9:f3:fa
Signature Algorithm: ecdsa-with-SHA256
Issuer: C=US, ST=MI, O=HTT Consulting, CN=Root CA
Validity
Not Before: Aug 18 01:50:19 2017 GMT
Not After : Aug 13 01:50:19 2037 GMT
Subject: C=US, ST=MI, O=HTT Consulting, CN=Root CA
Subject Public Key Info:
Public Key Algorithm: id-ecPublicKey
Public-Key: (256 bit)
pub:
04:03:ee:4a:51:17:df:50:2b:bc:69:63:b5:03:90:
b5:ed:cf:d5:67:16:94:46:9c:ca:5b:1c:87:d0:81:
18:04:bf:5a:c0:00:4e:90:4b:fb:2e:17:1c:aa:42:
1e:9e:bd:be:ba:d7:f8:6c:55:24:b2:91:da:61:9c:
66:b4:03:a5:93
ASN1 OID: prime256v1
NIST CURVE: P-256
X509v3 extensions:
X509v3 Subject Key Identifier:
D5:09:1A:48:F2:D8:F8:30:46:26:38:78:C8:C2:C5:CD:01:A7:1D:57
X509v3 Authority Key Identifier:
keyid:D5:09:1A:48:F2:D8:F8:30:46:26:38:78:C8:C2:C5:CD:01:A7:1D:57
X509v3 Basic Constraints: critical
CA:TRUE
X509v3 Key Usage: critical
Certificate Sign, CRL Sign
X509v3 Subject Alternative Name:
email:postmaster@xxxxxxxxxxxxxxx
Signature Algorithm: ecdsa-with-SHA256
30:46:02:21:00:ed:b6:ea:93:b5:df:b2:30:fe:17:fc:a6:fa:
0e:c1:08:82:9a:84:59:a9:a6:5c:50:23:66:72:c0:da:7a:18:
5b:02:21:00:8b:f1:52:ea:dd:44:88:a6:ee:43:cd:29:52:e4:
27:57:ee:52:a2:47:86:6f:9e:11:9d:7d:72:a5:08:82:8f:14
On 08/17/2017 09:23 PM, Robert Moskowitz wrote:
NO does not work. It worked because I had the old root CA cert
there. Without it it fails.
I tried adding -selfsign and that did something, but did not create a
trusted cert...
On 08/17/2017 08:44 PM, Robert Moskowitz wrote:
Kind of...
Does not put SAN in CA cert:
openssl req -config openssl-root.cnf -key private/ca.key.pem \
-new -x509 -days 7300 -sha256 -extensions v3_ca -out
certs/ca.cert.pem
Does put SAN in CA cert:
openssl req -config openssl-root.cnf -key private/ca.key.pem \
-new -sha256 -extensions v3_ca -out csr/ca.csr.pem
openssl ca -config openssl-root.cnf -extensions v3_ca -days 7300
-notext -md sha256 \
-in csr/ca.csr.pem -out certs/ca.cert.pem
Interesting that the single step does not work, but the 2 step doesn.
Do I need -extensions v3_ca in both commands? Plus sha256 in both?
Could benefit from some refinement. Or getting the 1 step working.
Good enough for now!
Bob
On 08/17/2017 06:38 PM, Jeffrey Walton wrote:
On Thu, Aug 17, 2017 at 6:30 PM, Robert Moskowitz
<rgm@xxxxxxxxxxxxxxx> wrote:
I guess I am making progress. I am not getting SAN into the root
cert. my
cnf has in it:
[ req ]
# Options for the `req` tool (`man req`).
default_bits = 2048
prompt = no
distinguished_name = req_distinguished_name
string_mask = utf8only
req_extensions = req_ext
[ req_ext ]
#subjectAltName = email:$ENV::adminemail
#subjectAltName = email:admin@xxxxxxxxxxxxxxx
subjectAltName = IP:192.168.24.1
I tried all three above alternatives for SAN. No SAN in the root
cert
created with:
openssl req -config openssl-root.cnf -key private/ca.key.pem \
-new -x509 -days 7300 -sha256 -extensions v3_ca -out
certs/ca.cert.pem
Thanks for any insight.
This type of cnf worked for creating a CSR and with the copy
option the SAN
made it into the cert.
It looks a bit unusual for a Root CA.
As far as signing the CSR, you need
copy_extensions = copy
Jeff
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
