Re: openssl.cnf asking Subject Alternative Names certificates.

Hi,

On 13 October 2017 at 12:03, lists <lists@xxxxxxxxxxxxxxx> wrote:
> On 10/10/2017 05:40 PM, Jorge Novo wrote:
>> As most of us know, the Google Chrome Navigator asks about Subject Alternative Name instead of the Common Name.
>>
>> I want to distribute a little openssl.cnf file for creating the CSR files with my specific values and establish the Subject Alternative Name = Common Name. I want to ask about the CN and assign this value to SAN.
>>
>> This is my beta openssl.cnf file:
>>
>> *Sorry for the comments in Spanish
>>
>> I do not know how to set a variable (CN variable) to assign to the SAN value.
>
> In my limited knowledge, you can't copy the CN name into the SAN in the configuration.
> An obvious yet clumsy workaround is to have a shell script ask for the FQDN, set a shell variable with the CN value and then recall the ENV variable from inside openssl.cnf, or you can have the script dynamically write/edit openssl.cnf with the user-entered value.

This is correct: there is no configuration to copy the CN to the SAN or
vice versa, although it is weird because there is, in fact, a configuration to
copy the SAN email address from the distinguished name. This can be
done with the settings subjectAltName=email:copy or
subjectAltName=email:move. I cannot confirm it with move.


_Subject Alternative Name_

[...]
The email option include a special 'copy' value. This will automatically include any email addresses contained in the certificate subject name in the extension.
[...]


My solution for this was:

# export Cert_Name=www.micasa.local
# openssl req -new -keyout "$Cert_Name.key" -out "$Cert_Name.csr" -config opensslMiCasa.cnf
# unset Cert_Name



-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
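
The workaround discussed in this thread (put the host name in Cert_Name and let the config read it through ENV), written out as an added example; it is not code from the posts. The config contents, the file names and the helper function names are assumptions, since opensslMiCasa.cnf itself is not shown in the thread.

```shell
#!/bin/sh
# Added example: a CSR whose SAN comes from the same variable as the CN.
# Helper names and file layout are assumptions made for this sketch.

# Write a minimal req config. The quoted 'EOF' stops the shell from expanding
# ${ENV::Cert_Name}; openssl expands it from the environment when it runs.
write_san_config() {
    cat > "$1" <<'EOF'
[ req ]
prompt             = no
default_bits       = 2048
default_md         = sha256
distinguished_name = dn
req_extensions     = v3_req

[ dn ]
CN = ${ENV::Cert_Name}

[ v3_req ]
subjectAltName = DNS:${ENV::Cert_Name}
EOF
}

# Accept only host name characters: the value is pasted into a comma-separated
# extension line, so a ',' or ':' would add SAN entries nobody asked for.
valid_fqdn() {
    case "$1" in
        ''|*[!A-Za-z0-9.-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# make_csr NAME CONFIG OUTDIR: writes OUTDIR/NAME.key and OUTDIR/NAME.csr.
# Cert_Name is set for this one command only, so nothing needs unsetting.
# -nodes leaves the key unencrypted (non-interactive run), hence the umask.
make_csr() {
    valid_fqdn "$1" || { echo "invalid host name: $1" >&2; return 1; }
    ( umask 077
      Cert_Name="$1" openssl req -new -nodes -config "$2" \
          -keyout "$3/$1.key" -out "$3/$1.csr" )
}

# Succeeds only if the CSR carries NAME both as CN and as a DNS SAN.
csr_san_matches_cn() {
    openssl req -in "$1" -noout -subject -nameopt RFC2253 | tr -d ' ' |
        grep -qF "CN=$2" &&
    openssl req -in "$1" -noout -text | grep -qF "DNS:$2"
}
```

Checking the finished CSR with csr_san_matches_cn before sending it to a CA catches a config that silently dropped the extension, for example when req_extensions points at the wrong section.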
