I'd like to be able to create a CSR that includes subjectAltName
fields from the command-line, without necessarily having to edit the
config file. This doesn't seem to be possible, using the default
openssl.cnf file provided. I'd like to submit a small patch to fix
this, without breaking any of the existing expected functioning of the
default configuration file.

(I'd note that RedHat and Ubuntu at least seem to use the openssl
openssl.cnf file as their system default; RedHat make some changes to
the CA section only)

We can provide the ability to pass in the subjectAltName simply, by
editing the openssl.cnf file in two places :-

First, in the global section, specify a variable ${subjectAltName}
that has a helpful default value. This addition will not affect any
existing usage of the config file.

(This default value can be something technically valid but unlikely to
cause offence, such as the string "email:[email protected]",
or something that will trigger an error message for the end-user that
might succeed in telling them how to use the feature, like the string
"ERROR - please provide the $subjectAltName environment variable". In
the patch, I've provided both but commented out the error-generating one)

Second, in the v3_req section, set the subjectAltName value from the
environment's variable of the same name ${ENV::subjectAltName}. This
addition will not affect any existing usage of the config file,
because the v3_req section is unused by default.

Now, we can pass in a subjectAltName request from the command-line, by
providing the environment variable $subjectAltName and specifying the
'-reqexts v3_req' option :-

$ subjectAltName="DNS:example.com" openssl req -reqexts v3_req [...]

Attached is a patch that updates the config file to meet this
condition. As it is small, I'll repeat it in the body of this mail :-

> $ diff -Naur openssl-1.0.1c/apps/openssl.cnf ./proposed.openssl.cnf
>  --- openssl-1.0.1c/apps/openssl.cnf  2011-12-06 13:00:51.000000000
> +1300 +++ ./proposed.openssl.cnf      2012-08-06 15:16:05.995591634
> +1200 @@ -7,6 +7,8 @@ # defined. HOME                 = . RANDFILE            
> =
> $ENV::HOME/.rnd +#subjectAltName              = "ERROR - please provide the
> $subjectAltName environment variable" +subjectAltName         =
> email:[email protected]
> 
> # Extra OBJECT IDENTIFIER info: #oid_file             = $ENV::HOME/.oid @@
> -220,6 +222,7 @@
> 
> basicConstraints = CA:FALSE keyUsage = nonRepudiation,
> digitalSignature, keyEncipherment +subjectAltName =
> $ENV::subjectAltName
> 
> [ v3_ca ]
> 

-- 
Jim Cheetham, Information Security, University of Otago, Dunedin, N.Z.
[email protected]       +64 3 470 4670   m +64 21 227 0015
OpenPGP: B50F BE3B D49B 3A8A 9CC3 8966 9374 82CD C982 0605

--- openssl-1.0.1c/apps/openssl.cnf	2011-12-06 13:00:51.000000000 +1300
+++ ./proposed.openssl.cnf	2012-08-06 15:16:05.995591634 +1200
@@ -7,6 +7,8 @@
 # defined.
 HOME			= .
 RANDFILE		= $ENV::HOME/.rnd
+#subjectAltName		= "ERROR - please provide the $subjectAltName environment variable"
+subjectAltName		= email:[email protected]
 
 # Extra OBJECT IDENTIFIER info:
 #oid_file		= $ENV::HOME/.oid
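Review bot: the active default `subjectAltName = email:...` means a CSR generated with `-reqexts v3_req` but without the environment variable set silently carries that mailbox as its SAN, with nothing at request time to flag the omission; the commented-out `"ERROR - please provide ..."` line is the safer fallback, since `-reqexts v3_req` then fails with the hint visible in the error output, so consider shipping that one uncommented and the e-mail one commented. A one-line comment above the pair showing the intended invocation (`subjectAltName="DNS:host" openssl req -reqexts v3_req ...`) would also document the feature in the place users will look for it.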
@@ -220,6 +222,7 @@
 
 basicConstraints = CA:FALSE
 keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+subjectAltName = $ENV::subjectAltName
 
 [ v3_ca ]
 
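Review bot: `$ENV::subjectAltName` is expanded when the config file is parsed, not when `-reqexts v3_req` is selected, so this line depends on the default added in the first hunk: with that default removed, every command that loads this openssl.cnf fails with "variable has no value", whether or not it uses v3_req. A comment here noting that dependency and the expected syntax (`DNS:host`, `IP:addr`, `email:addr`, comma separated) would keep the two halves of the change from drifting apart later.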

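The mechanism the mail describes, exercised end to end as an added example (not from the mail or from OpenSSL's own tree): a constructed minimal config with the same two lines, run once with the environment variable set and once without, assuming an `openssl` binary on PATH.

```shell
#!/bin/sh
# Added example, not part of the original mail or of OpenSSL's files:
# a minimal req config wired like the proposed patch, so the
# environment/default fallback can be checked end to end.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed config. The unnamed (default) section supplies the fallback:
# OpenSSL resolves $ENV::name against the environment first, then against
# this default section (the same way the stock file resolves $ENV::HOME).
cat > "$WORK/san.cnf" <<'EOF'
subjectAltName = email:placeholder@example.invalid

[ req ]
distinguished_name = req_dn
prompt = no

[ req_dn ]
CN = example.invalid

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = $ENV::subjectAltName
EOF
openssl genrsa -out "$WORK/key.pem" 2048 2>/dev/null

# csr_san SAN_VALUE: create a CSR with -reqexts v3_req and print the SAN
# it ended up with. An empty argument runs with the variable unset.
csr_san() {
    (
        if [ -n "$1" ]; then
            subjectAltName=$1
            export subjectAltName
        else
            unset subjectAltName
        fi
        openssl req -new -key "$WORK/key.pem" -config "$WORK/san.cnf" \
            -reqexts v3_req -out "$WORK/req.pem"
    )
    # The extension's values are printed on the line after its name.
    openssl req -in "$WORK/req.pem" -noout -text \
        | awk '/Subject Alternative Name/ { getline; sub(/^ */, ""); print }'
}

csr_san "DNS:www.example.com, DNS:example.com"   # taken from the environment
csr_san ""                                       # falls back to the default
```

The second call shows why the mail's global default matters: without it, the unset variable would make the config fail to load at all.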