On Thu, Feb 14, 2013 at 04:11:33AM +0000, Viktor Dukhovni wrote:

> You'll naturally need to add the requisite subjectAltName extensions.

A more complete example:

    $ cat openssl.cnf
    [ req ]
    distinguished_name = dn
    req_extensions = san
    [ dn ]
    [ san ]
    subjectAltName          = DNS:mail.example.com, DNS:smtp.example.com
   
    $ umask 077
    $ openssl req -new -newkey rsa:1024 -keyout key.pem -nodes \
        -config openssl.cnf -sha1 -subj "/" -out csr.pem
    $ umask 022

    $ openssl req -in csr.pem -noout -text
    Certificate Request:
        Data:
            Version: 0 (0x0)
            Subject:
            Subject Public Key Info:
                Public Key Algorithm: rsaEncryption
                    Public-Key: (1024 bit)
                    Modulus:
                        ...
                    Exponent: 65537 (0x10001)
            Attributes:
            Requested Extensions:
                X509v3 Subject Alternative Name:
                    DNS:mail.example.com, DNS:smtp.example.com
        Signature Algorithm: sha1WithRSAEncryption
             ...

Don't know whether any public CA will sign such a request, but it should
not be a problem with your own CA. With a CA configured to not require
or match any DN fields I get: 

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 17062333067833592498 (0xecc995866b9f4ab2)
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=US, ST=New York, L=New York, O=Example Corp, CN=Insecure CA
        Validity
            Not Before: Feb 14 05:34:12 2013 GMT
            Not After : Feb 14 05:34:12 2014 GMT
        Subject:
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (1024 bit)
                Modulus:
                    ...
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Key Usage:
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Subject Key Identifier:
                B4:25:8D:EF:99:F4:EA:29:13:1E:C8:CE:DC:83:78:F1:38:F1:81:F7
            X509v3 Authority Key Identifier:
                keyid:A3:11:A1:89:97:FE:66:BA:4B:93:4D:EA:91:87:F7:F5:07:AC:7B:E5
                DirName:/C=US/ST=New York/L=New York/O=Example Corp/CN=Insecure CA
                serial:EC:C9:95:86:6B:9F:4A:AE

    Signature Algorithm: sha1WithRSAEncryption
         ...

-- 
        Viktor.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
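Editor's added example (my script, not part of Viktor's post or of OpenSSL's own tooling): the full round trip the message describes, run end to end. It builds a throw-away private CA, creates a CSR with an empty subject and a subjectAltName request extension using the same config shape as the post, signs it, and then checks the issued certificate the way a client would. It assumes the openssl CLI (1.1.1 or 3.x) is on PATH; all file names, the "Example Test CA" name and the work directory are hypothetical. It uses rsa:2048 and SHA-256 where the 2013 post used rsa:1024 and SHA-1. Two points it makes that the post only implies: the CA must put the SAN into the issued certificate itself, since "openssl x509 -req" does not copy CSR extensions unless told to (the second, deliberately bare signing shows the SAN silently disappearing), and RFC 5280 requires subjectAltName to be marked critical when the subject DN is empty, so the extension file does that.

```shell
#!/bin/sh
# Added example (not from the original post): a private CA issuing a
# certificate whose subject DN is empty and whose identity lives only in
# subjectAltName, plus the checks a practitioner would run afterwards.
# Assumes the openssl CLI (1.1.1 or 3.x) is on PATH; paths and names are
# hypothetical. Uses rsa:2048 / sha256 instead of the post's rsa:1024 / sha1.
set -e
umask 077   # private keys are written below; keep them 0600

# Write the three config files into directory "$1".
write_configs() {
    cat > "$1/ca.cnf" <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions = ca_ext
[ dn ]
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    # Same shape as the config in the post: empty [ dn ], SAN in req_extensions.
    cat > "$1/req.cnf" <<'EOF'
[ req ]
distinguished_name = dn
req_extensions = san
[ dn ]
[ san ]
subjectAltName = DNS:mail.example.com, DNS:smtp.example.com
EOF
    # Extensions the CA puts into the issued certificate. They are given
    # explicitly because "openssl x509 -req" does not carry CSR extensions
    # over on its own ("openssl ca" needs copy_extensions = copy for that).
    # SAN is critical: RFC 5280 requires this when the subject DN is empty.
    cat > "$1/leaf_ext.cnf" <<'EOF'
[ leaf ]
basicConstraints = critical, CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid, issuer
subjectAltName = critical, DNS:mail.example.com, DNS:smtp.example.com
EOF
}

# Build CA, CSR and two leaf certs in "$1": leaf.pem (signed with the
# extension file) and leaf-noext.pem (signed bare, to show the trap).
make_san_cert() {
    d="$1"
    mkdir -p "$d"
    write_configs "$d"
    # 1. Self-signed CA.
    openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 365 \
        -config "$d/ca.cnf" -subj "/O=Example Corp/CN=Example Test CA" \
        -keyout "$d/ca-key.pem" -out "$d/ca.pem" >/dev/null 2>&1
    # 2. CSR with an empty subject ("/") and a SAN request extension.
    openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$d/req.cnf" \
        -subj "/" -keyout "$d/leaf-key.pem" -out "$d/leaf.csr" >/dev/null 2>&1
    # 3a. Sign it, attaching the extensions from leaf_ext.cnf.
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/ca.pem" -CAkey "$d/ca-key.pem" \
        -CAcreateserial -days 365 -sha256 \
        -extfile "$d/leaf_ext.cnf" -extensions leaf -out "$d/leaf.pem" >/dev/null 2>&1
    # 3b. Sign it again with no extension file: the requested SAN is lost.
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/ca.pem" -CAkey "$d/ca-key.pem" \
        -CAcreateserial -days 365 -sha256 \
        -out "$d/leaf-noext.pem" >/dev/null 2>&1
}

# Subject DN of a certificate, "" when the subject is empty.
cert_subject() {
    openssl x509 -in "$1" -noout -subject | sed 's/^subject= *//'
}

# SAN entries of a certificate as printed by -text, "" when there are none.
cert_sans() {
    openssl x509 -in "$1" -noout -text |
        awk '/Subject Alternative Name/ { getline; sub(/^ */, ""); print }'
}

# Chain + hostname check for leaf.pem in "$1", as a TLS client would do it.
verify_host() {
    openssl verify -CAfile "$1/ca.pem" -verify_hostname "$2" "$1/leaf.pem" >/dev/null 2>&1
}

# Usage: make_san_cert /tmp/san-demo && cert_sans /tmp/san-demo/leaf.pem
```

After make_san_cert, cert_subject on leaf.pem is empty, cert_sans on leaf.pem lists both DNS names, cert_sans on leaf-noext.pem is empty even though the CSR asked for them, and verify_host succeeds for mail.example.com and smtp.example.com but fails for any other name. If the CA side is "openssl ca" rather than "openssl x509 -req", the equivalent of the -extfile step is copy_extensions = copy in the CA config (with the usual caution that it copies whatever the requester put in the CSR, so the CA should still review or override basicConstraints and keyUsage).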
