I tested with below, all looks good. After running I am converting to .der files and generating a keystore with ImportKey.java - could this be removing what is needed?
----- Original Message -----
From: owner-openssl-us...@openssl.org <owner-openssl-us...@openssl.org>
To: openssl-users@openssl.org <openssl-users@openssl.org>
Sent: Wed Aug 31 23:39:21 2011
Subject: Re: Becoming a CA for group of internal servers?

Before using the cert, test it with the command:

  openssl x509 -in yourcert.cer -noout -text

If the parameters were in the right place, you should see all the extra names as "SubjectAlternativeName" attributes in the cert.

On 8/31/2011 11:52 PM, Hopkins, Nathan wrote:
> Many thanks, however afraid no joy yet. After editing and adding
> @alt_names for a custopenssl.cnf and running openssl req -new -key
> server.key -out server.csr -config custopenssl.cnf when trying to access
> through a browser (firefox) I get the error code:
> ssl_error_bad_cert_domain.
>
> We are using Tomcat and the server.xml has the following attributes
> populated with correct values;
>
> keystorePass="<my password>"
> keystoreFile="<my file location>"
> keyAlias="tomcat"
>
> I have also observed when viewing the certificates I am unable to see
> any references to the alt_names added, I have double checked the CA
> certificate created with below steps has been successfully added to
> Authorities and for the CN it works as expected.
>
> Anything I'm missing?
>
> -----Original Message-----
> From: owner-openssl-us...@openssl.org
> [mailto:owner-openssl-us...@openssl.org] On Behalf Of Jakob Bohm
> Sent: 31 August 2011 17:23
> To: openssl-users@openssl.org
> Subject: Re: Becoming a CA for group of internal servers?
>
> On 8/31/2011 5:57 PM, Hopkins, Nathan wrote:
>> Thanks this is very helpful!
>>
>> Now I have the challenge of using multiple hostnames - any advice on
>> how I could do this would be much appreciated?
>>
>> I'd like to have one cert that allows me to use below for example;
>>
>> https://sitename
>> https://site.dom.co.uk
>>
> Set the CN= (common name) part of the subject name to the most used
> name, e.g. "site.dom.co.uk"
>
> In openssl.conf in the same section that contains your
> "basicConstraints" add this line
>
> subjectAltName = @alt_names
>
> And add this section:
>
> [alt_names]
> DNS.1=site.com.co.uk
> DNS.2=sitename
> DNS.3=sitename.yourinternaldomain.example
> IP.1=10.11.12.13
> ; etc.
>
>> -----Original Message-----
>> From: owner-openssl-us...@openssl.org
>> [mailto:owner-openssl-us...@openssl.org] On Behalf Of Dave Thompson
>> Sent: 19 August 2011 02:40
>> To: openssl-users@openssl.org
>> Subject: RE: Becoming a CA for group of internal servers?
>>
>>> From: owner-openssl-us...@openssl.org On Behalf Of Hopkins,
>>> Nathan
>>> Sent: Thursday, 18 August, 2011 06:45
>>> Please can you advise if this is the correct process for becoming a
>>> CA for internally for group of servers?
>> With slight fixes it is ONE correct way. There are others.
>>
>>> openssl genrsa -des3 -out ca.key 2048
>>> openssl req -new -x509 -key ca.key -out ca.crt
>> This will give your CA cert a lifetime of only 30 days,
>> and when it expires the cert(s) you signed under it
>> will be rejected by any good relier. You want to make
>> the CA cert lifetime AT LEAST as long as any child cert,
>> but only as long as you expect to keep its key secure.
>> Add -days number as applicable on the 'req -new -x509'.
>>
>>> openssl genrsa -des3 -out server.key 2048
>>> openssl req -new -key server.key -out server.csr
>>
>>> openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key
>>> -CAcreateserial server.crt -days 365
>> -CAcreateserial is only needed on the first, but due to some,
>> er, interesting defaults it does no harm on the others.
>> Need -out before server.crt (or whatever.crt).
>>
>>> How do you omit a pass phrase in step 2) ?
>> If you don't want a passphrase on the server key, omit -des3
>> from the genrsa step for the server key. Then make sure no one
>> but the desired server (and you) ever has access to the file.
>>
>>> The -days 365 doesn't seem to work - do I need to change
>>> openssl.cnf?
>>
>> -days should work for 'x509 -req' (and 'req -x509'). You do change
>> the config file (openssl.cnf or perhaps other) IF you use 'ca'.
>>
>> What makes you think it didn't work? Are you looking at the period
>> of the server cert (not the CA cert, see above about that)?
>>
>>> Where does the public key live ?
>> There is one public key for each private key, aka keypair.
>>
>> It is effectively incorporated in the private key which you generated
>> by genrsa and put in *.key; for the CA you used 'req -new -x509' which
>> then puts the public key plus other info (directly) in the
>> certificate.
>> Otherwise 'req' puts the public key plus other info in the request
>> *.csr;
>> 'x509 -req' function copies the public key and (most) other info from
>> the request into the certificate.
>>
>> You can see the contents of a csr with:
>> openssl req -in file -text -noout
>> and of a cert with:
>> openssl x509 -in file -text -noout
>>
>> You can extract the public key from an RSA private key with
>> openssl rsa -in file -pubout [ -out file2 ]
>> or (any type) from a certificate with
>> openssl x509 -in file -pubkey -noout [ -out file2 ]
>> but there's very little you can do with a public key by itself.
>> Usually you want the cert containing it. That's why certs exist.
>>
>> ______________________________________________________________________
>> OpenSSL Project http://www.openssl.org
>> User Support Mailing List openssl-users@openssl.org
>> Automated List Manager majord...@openssl.org
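The procedure the thread walks through (internal CA with an explicit lifetime, server key and CSR with a subjectAltName section, signing with `x509 -req`, then confirming with `openssl x509 -noout -text` that the names actually landed in the certificate) written out end to end as an added shell example. This is not code from the thread or from the OpenSSL project; the hostnames, the IP, the CA name "Internal Test CA", the lifetimes and the temporary working directory are all assumed. One detail the example makes explicit: `openssl x509 -req` does not copy extensions from the CSR into the certificate unless told to, so the same section is handed to it again with `-extfile`/`-extensions`; a CSR that shows the SANs under `openssl req -text` can otherwise still produce a certificate with none, which is exactly the symptom Jakob's check is meant to catch before the cert goes anywhere near a keystore.

```shell
#!/bin/sh
# Added example (not from the thread or the OpenSSL project): build a throwaway
# internal CA, issue one server certificate carrying SAN entries, and check the
# result the way the thread recommends. All names/values below are assumed.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

CA_DAYS=3650      # CA lifetime: at least as long as any child cert
SERVER_DAYS=365   # child cert lifetime

make_internal_ca() {
  # Unencrypted key for the demo; a real CA key should be encrypted and kept offline.
  openssl genrsa -out "$WORK/ca.key" 2048 2>/dev/null
  # Without -days the self-signed CA cert would only be valid for 30 days.
  openssl req -new -x509 -key "$WORK/ca.key" -out "$WORK/ca.crt" \
    -days "$CA_DAYS" -subj "/CN=Internal Test CA" 2>/dev/null
}

issue_server_cert() {
  # Assumed config. v3_req is used twice: as req_extensions so the CSR carries
  # the SANs, and again at signing time, because x509 -req drops CSR extensions
  # unless -extfile/-extensions (or, on OpenSSL 3, -copy_extensions) is given.
  cat > "$WORK/server.cnf" <<'EOF'
[req]
distinguished_name = dn
req_extensions = v3_req
prompt = no

[dn]
CN = site.dom.co.uk

[v3_req]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names

[alt_names]
DNS.1 = site.dom.co.uk
DNS.2 = sitename
IP.1 = 10.11.12.13
EOF
  # No -des3: the server key is left unencrypted, so protect the file instead.
  openssl genrsa -out "$WORK/server.key" 2048 2>/dev/null
  openssl req -new -key "$WORK/server.key" -out "$WORK/server.csr" \
    -config "$WORK/server.cnf" 2>/dev/null
  # Note -out before the certificate filename, as Dave pointed out.
  openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -out "$WORK/server.crt" -days "$SERVER_DAYS" \
    -extfile "$WORK/server.cnf" -extensions v3_req 2>/dev/null
}

# Exit 0 if the issued cert lists the given SAN token, e.g. 'DNS:sitename'
# or 'IP Address:10.11.12.13', in its Subject Alternative Name extension.
cert_has_san() {
  openssl x509 -in "$WORK/server.crt" -noout -text \
    | grep -A1 'Subject Alternative Name' | grep -q "$1"
}

# Exit 0 if the server cert chains to the CA we just created.
cert_verifies() {
  openssl verify -CAfile "$WORK/ca.crt" "$WORK/server.crt" >/dev/null 2>&1
}

# Exit 0 if the CA cert will still be valid when the server cert expires
# (Dave's point: a CA that expires first takes its children with it).
ca_outlives_server() {
  openssl x509 -in "$WORK/ca.crt" -noout -checkend $((SERVER_DAYS * 86400)) >/dev/null
}

make_internal_ca
issue_server_cert

# Show the SAN line a browser will match the hostname against.
openssl x509 -in "$WORK/server.crt" -noout -text | grep -A1 'Subject Alternative Name'
cert_verifies && echo "server.crt chains to ca.crt"
```

Run the script and inspect the printed SAN line; if it is absent, the names were never signed into the certificate and no amount of keystore conversion will add them, so fix the signing step before converting to DER or importing into Tomcat.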