FINAL simpler solution - Re: Solved - Re: Can't get the subjectAltName into the root cert

I just had to ask Dr. Google the right question:

openssl subjectaltname in a selfsigned certificate

After all, a root cert is a self-signed cert.

And I learned to put SAN in the [ v3_ca ] section rather than the [ req ] section; then all it takes is what I already had:

openssl req -config openssl-root.cnf -key private/ca.key.pem \
-new -x509 -days 7300 -sha256 -extensions v3_ca -out certs/ca.cert.pem
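As an added example (not Bob's config, which the thread never shows in full), here is a minimal openssl-root.cnf with subjectAltName in [ v3_ca ], wrapped in a script that generates a P-256 key, runs the one-step command above, and then checks that the SAN and the CA flag actually landed in the certificate. The directory layout, the DN values and the postmaster@example.com address are assumptions for the demo.

```shell
#!/bin/sh
# Added example, not code from the thread: one-step self-signed root with the
# SAN carried by the [ v3_ca ] section (the section named by -extensions).
# DN values, paths and the e-mail address are constructed for this demo.
set -eu

# Build a root CA under $1 (scratch directory, created here) and print the
# path of the resulting certificate.
make_root_ca() {
    workdir="$1"
    mkdir -p "$workdir/private" "$workdir/certs"
    cat > "$workdir/openssl-root.cnf" <<'EOF'
[ req ]
prompt              = no
distinguished_name  = req_distinguished_name
string_mask         = utf8only
# req_extensions only feeds a CSR. With -x509 the section given to
# -extensions is used instead, so the SAN has to live in [ v3_ca ].

[ req_distinguished_name ]
C  = US
ST = MI
O  = Example Root CA
CN = Root CA

[ v3_ca ]
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints       = critical, CA:true
keyUsage               = critical, cRLSign, keyCertSign
subjectAltName         = email:postmaster@example.com
EOF
    openssl ecparam -name prime256v1 -genkey -noout -out "$workdir/private/ca.key.pem"
    # The one-step command from the thread, run from inside the work dir.
    ( cd "$workdir" && openssl req -config openssl-root.cnf -key private/ca.key.pem \
          -new -x509 -days 7300 -sha256 -extensions v3_ca -out certs/ca.cert.pem )
    printf '%s\n' "$workdir/certs/ca.cert.pem"
}

# Print the SAN value line of certificate $1, or nothing if it has none.
cert_san() {
    openssl x509 -in "$1" -noout -text \
        | awk '/Subject Alternative Name/ { getline; sub(/^ +/, ""); print; exit }'
}

# Succeed only if $1 is marked CA:TRUE and verifies against itself.
root_ca_ok() {
    openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE' \
        && openssl verify -CAfile "$1" "$1" >/dev/null 2>&1
}

# Usage: "sh this.sh run" builds the CA in a temp dir and shows the SAN.
if [ "${1:-}" = "run" ]; then
    cert=$(make_root_ca "$(mktemp -d)")
    cert_san "$cert"
    root_ca_ok "$cert" && echo "CA:TRUE and self-verification OK: $cert"
fi
```

The check at the end is the one worth keeping around: a root that is missing CA:TRUE or the keyCertSign usage will be produced without complaint by `openssl req -x509`, and only shows up as a failure later when something is verified against it.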


On 08/17/2017 09:52 PM, Robert Moskowitz wrote:
It IS working with -selfsign.  So this step is done.

openssl ca -config openssl-root.cnf -extensions v3_ca -days 7300 -notext -md sha256 \
      -selfsign -in csr/ca.csr.pem -out certs/ca.cert.pem

openssl x509 -in certs/ca.cert.pem -text -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            87:b5:1d:03:12:a9:f3:fa
    Signature Algorithm: ecdsa-with-SHA256
        Issuer: C=US, ST=MI, O=HTT Consulting, CN=Root CA
        Validity
            Not Before: Aug 18 01:50:19 2017 GMT
            Not After : Aug 13 01:50:19 2037 GMT
        Subject: C=US, ST=MI, O=HTT Consulting, CN=Root CA
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (256 bit)
                pub:
                    04:03:ee:4a:51:17:df:50:2b:bc:69:63:b5:03:90:
                    b5:ed:cf:d5:67:16:94:46:9c:ca:5b:1c:87:d0:81:
                    18:04:bf:5a:c0:00:4e:90:4b:fb:2e:17:1c:aa:42:
                    1e:9e:bd:be:ba:d7:f8:6c:55:24:b2:91:da:61:9c:
                    66:b4:03:a5:93
                ASN1 OID: prime256v1
                NIST CURVE: P-256
        X509v3 extensions:
            X509v3 Subject Key Identifier:
D5:09:1A:48:F2:D8:F8:30:46:26:38:78:C8:C2:C5:CD:01:A7:1D:57
            X509v3 Authority Key Identifier:
keyid:D5:09:1A:48:F2:D8:F8:30:46:26:38:78:C8:C2:C5:CD:01:A7:1D:57

            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Key Usage: critical
                Certificate Sign, CRL Sign
            X509v3 Subject Alternative Name:
                email:postmaster@xxxxxxxxxxxxxxx
    Signature Algorithm: ecdsa-with-SHA256
         30:46:02:21:00:ed:b6:ea:93:b5:df:b2:30:fe:17:fc:a6:fa:
         0e:c1:08:82:9a:84:59:a9:a6:5c:50:23:66:72:c0:da:7a:18:
         5b:02:21:00:8b:f1:52:ea:dd:44:88:a6:ee:43:cd:29:52:e4:
         27:57:ee:52:a2:47:86:6f:9e:11:9d:7d:72:a5:08:82:8f:14



On 08/17/2017 09:23 PM, Robert Moskowitz wrote:
NO, does not work. It worked because I had the old root CA cert there. Without it, it fails.

I tried adding -selfsign and that did something, but did not create a trusted cert...


On 08/17/2017 08:44 PM, Robert Moskowitz wrote:
Kind of...

Does not put SAN in CA cert:

openssl req -config openssl-root.cnf -key private/ca.key.pem \
-new -x509 -days 7300 -sha256 -extensions v3_ca -out certs/ca.cert.pem

Does put SAN in CA cert:

openssl req -config openssl-root.cnf -key private/ca.key.pem \
      -new -sha256 -extensions v3_ca -out csr/ca.csr.pem

openssl ca -config openssl-root.cnf -extensions v3_ca -days 7300 -notext -md sha256 \
      -in csr/ca.csr.pem -out certs/ca.cert.pem

Interesting that the single step does not work, but the 2 step does.

Do I need -extensions v3_ca in both commands? Plus sha256 in both? Could benefit from some refinement. Or getting the 1 step working.

Good enough for now!

Bob


On 08/17/2017 06:38 PM, Jeffrey Walton wrote:
On Thu, Aug 17, 2017 at 6:30 PM, Robert Moskowitz <rgm@xxxxxxxxxxxxxxx> wrote:
I guess I am making progress. I am not getting SAN into the root cert. My cnf has in it:

[ req ]
# Options for the `req` tool (`man req`).
default_bits        = 2048
prompt              = no
distinguished_name  = req_distinguished_name
string_mask         = utf8only
req_extensions      = req_ext

[ req_ext ]
#subjectAltName = email:$ENV::adminemail
#subjectAltName = email:admin@xxxxxxxxxxxxxxx
subjectAltName = IP:192.168.24.1

I tried all three above alternatives for SAN. No SAN in the root cert created with:

openssl req -config openssl-root.cnf -key private/ca.key.pem \
-new -x509 -days 7300 -sha256 -extensions v3_ca -out certs/ca.cert.pem

Thanks for any insight.

This type of cnf worked for creating a CSR and with the copy option the SAN made it into the cert.
It looks a bit unusual for a Root CA.

As far as signing the CSR, you need

     copy_extensions = copy

Jeff
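As an added example (not from the thread, and not Jeff's or Bob's config), the following script runs the two-step flow from Bob's earlier message, `openssl req` for the CSR and `openssl ca -selfsign` to issue the root, with the SAN present only in the CSR's [ req_ext ] section. It does so twice, once with `copy_extensions = copy` and once with `copy_extensions = none`, so the two resulting certificates show directly that the copy setting is what carries the CSR's SAN into the root. The CA database layout, the DN values and the postmaster@example.com address are assumptions for the demo.

```shell
#!/bin/sh
# Added example, not code from the thread: CSR plus "openssl ca -selfsign",
# with the SAN only in the CSR, to show what copy_extensions does.
# CA database layout, DN values and the e-mail address are constructed.
set -eu

# two_step_root_ca DIR MODE
#   DIR  : scratch directory (created here)
#   MODE : value for copy_extensions, "copy" or "none"
# Prints the path of the resulting self-signed CA certificate.
two_step_root_ca() {
    dir="$1"; copy_mode="$2"
    mkdir -p "$dir/private" "$dir/certs" "$dir/csr" "$dir/newcerts"
    touch "$dir/index.txt"          # empty CA database
    echo 1000 > "$dir/serial"       # next serial number (hex)
    # Unquoted heredoc: $dir and $copy_mode are expanded by the shell; the
    # escaped \$dir references are left for openssl's own config parser.
    cat > "$dir/openssl-root.cnf" <<EOF
[ ca ]
default_ca = CA_default

[ CA_default ]
dir             = $dir
new_certs_dir   = \$dir/newcerts
database        = \$dir/index.txt
serial          = \$dir/serial
private_key     = \$dir/private/ca.key.pem
certificate     = \$dir/certs/ca.cert.pem
default_md      = sha256
policy          = policy_any
# The setting under test: "copy" takes extensions that the CSR carries and
# that the -extensions section does not already set (here the SAN).
copy_extensions = $copy_mode

[ policy_any ]
countryName         = optional
stateOrProvinceName = optional
organizationName    = optional
commonName          = supplied

[ req ]
prompt             = no
distinguished_name = req_distinguished_name
req_extensions     = req_ext

[ req_distinguished_name ]
C  = US
ST = MI
O  = Example Root CA
CN = Root CA

[ req_ext ]
subjectAltName = email:postmaster@example.com

[ v3_ca ]
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints       = critical, CA:true
keyUsage               = critical, cRLSign, keyCertSign
EOF
    openssl ecparam -name prime256v1 -genkey -noout -out "$dir/private/ca.key.pem"
    # Step 1: the CSR; its SAN comes from req_extensions = req_ext.
    openssl req -config "$dir/openssl-root.cnf" -key "$dir/private/ca.key.pem" \
        -new -sha256 -out "$dir/csr/ca.csr.pem"
    # Step 2: self-sign with the CA tool, as in the thread (-batch skips prompts).
    openssl ca -config "$dir/openssl-root.cnf" -batch -selfsign -extensions v3_ca \
        -days 7300 -notext -md sha256 \
        -in "$dir/csr/ca.csr.pem" -out "$dir/certs/ca.cert.pem" 1>&2
    printf '%s\n' "$dir/certs/ca.cert.pem"
}

# Print the SAN value line of certificate $1, or nothing if it has none.
cert_san() {
    openssl x509 -in "$1" -noout -text \
        | awk '/Subject Alternative Name/ { getline; sub(/^ +/, ""); print; exit }'
}

# Usage: "sh this.sh run" issues both variants and prints their SANs.
if [ "${1:-}" = "run" ]; then
    echo "copy_extensions = copy: $(cert_san "$(two_step_root_ca "$(mktemp -d)" copy)")"
    echo "copy_extensions = none: '$(cert_san "$(two_step_root_ca "$(mktemp -d)" none)")'"
fi
```

With `copy`, extensions that the -extensions section already defines keep their configured values and only the remaining CSR extensions are added, so basicConstraints and keyUsage for a CA should always be pinned in that section rather than taken from a request. Anything else a request carries is copied as-is, which is fine for a self-signed root built from your own CSR, but is a reason to inspect CSRs before signing when the same CA configuration is later used for requests from other parties.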




--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users


