On Thu, May 23, 2013 at 06:12:39PM +0200, Erwann Abalea wrote:

> On 23/05/2013 17:41, Craig White wrote:
> >I want to be able to view CSR's with subjectAltName's but I
> >can't figure out any way to make it happen. I have pored over the
> >man pages and googled it to death already.
> >
> >openssl req -noout -text -in SOME_FILE.csr
> >
> >gives me the contents of the CSR but not the subjectAltNames
> >embedded in the CSR.
>
> Are you sure there's a SAN extension in the displayed CSR?
> Dump the entire content with asn1parse.

It almost certainly does not:

    $ openssl req -in req+key.pem -text
    Certificate Request:
        Data:
            Version: 0 (0x0)
            Subject:
            Subject Public Key Info:
                Public Key Algorithm: id-ecPublicKey
                    Public-Key: (256 bit)
                    pub:
                        04:eb:de:7c:00:c2:58:59:59:1b:29:8a:6a:0b:d1:
                        72:5b:aa:14:2b:2f:7e:47:a3:77:73:de:9e:55:f0:
                        00:98:d5:1b:a2:3f:74:cf:4f:9a:6a:5a:1c:95:f2:
                        55:e8:01:72:cb:ca:37:66:2a:cf:64:0d:3e:ac:1c:
                        65:47:fe:22:ca
                    ASN1 OID: prime256v1
            Attributes:
            Requested Extensions:
                X509v3 Extended Key Usage:
                    TLS Web Server Authentication, TLS Web Client Authentication
                X509v3 Subject Alternative Name:
                    DNS:example.com
        Signature Algorithm: ecdsa-with-SHA1
            30:45:02:20:04:ff:c2:5b:cf:0a:a0:4f:2e:a8:12:e3:8d:68:
            eb:b9:1e:ce:b0:a5:a6:e0:69:50:c8:84:f6:51:a6:8d:c9:90:
            02:21:00:8e:bd:37:19:9c:ff:7a:69:2d:5a:bf:50:d5:4b:f9:
            63:6b:a6:44:c7:40:55:f5:c1:52:0b:b4:4b:90:4f:a7:2b
    -----BEGIN CERTIFICATE REQUEST-----
    MIIBAjCBqgIBADAAMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE6958AMJYWVkb
    KYpqC9FyW6oUKy9+R6N3c96eVfAAmNUboj90z0+aaloclfJV6AFyy8o3ZirPZA0+
    rBxlR/4iyqBIMEYGCSqGSIb3DQEJDjE5MDcwHQYDVR0lBBYwFAYIKwYBBQUHAwEG
    CCsGAQUFBwMCMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAkGByqGSM49BAEDSAAw
    RQIgBP/CW88KoE8uqBLjjWjruR7OsKWm4GlQyIT2UaaNyZACIQCOvTcZnP96aS1a
    v1DVS/lja6ZEx0BV9cFSC7RLkE+nKw==
    -----END CERTIFICATE REQUEST-----

Generated via:

    #! /bin/bash

    # The private key and the CSR are both written to stdout and end up
    # in the same file, so make that file owner-only.
    umask 077
    tmp=$(mktemp .req+key.XXXXXX)
    dst=req+key.pem

    # The config is built inline: an empty DN section plus an [exts]
    # section that requests the EKU and subjectAltName extensions.
    openssl req -new -sha1 -subj "/" >> "$tmp" \
        -newkey param:<(openssl ecparam -name prime256v1) \
        -nodes -keyout /dev/stdout \
        -config <(printf "[req]\n%s\n[dn]\n[exts]\n%s\n" \
            "$(printf "%s\n%s\n" \
                "distinguished_name=dn" \
                "req_extensions=exts")" \
            "$(printf "%s\n%s\n" \
                "extendedKeyUsage=serverAuth,clientAuth" \
                "subjectAltName=DNS:example.com" \
                )") &&
      mv "$tmp" "$dst"

-- 
	Viktor.
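
To check for a SAN at the ASN.1 level, as the asn1parse suggestion in the thread implies, the following added example (not code from the thread or from OpenSSL) walks the DER of a PKCS#10 request and returns the dNSName entries in its extensionRequest attribute. `CSR_PEM` is the request posted above; the helper names `tlvs` and `csr_dns_sans` are hypothetical.

```python
import base64

# CSR copied from the message above (its SAN is DNS:example.com).
CSR_PEM = """-----BEGIN CERTIFICATE REQUEST-----
MIIBAjCBqgIBADAAMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE6958AMJYWVkb
KYpqC9FyW6oUKy9+R6N3c96eVfAAmNUboj90z0+aaloclfJV6AFyy8o3ZirPZA0+
rBxlR/4iyqBIMEYGCSqGSIb3DQEJDjE5MDcwHQYDVR0lBBYwFAYIKwYBBQUHAwEG
CCsGAQUFBwMCMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAkGByqGSM49BAEDSAAw
RQIgBP/CW88KoE8uqBLjjWjruR7OsKWm4GlQyIT2UaaNyZACIQCOvTcZnP96aS1a
v1DVS/lja6ZEx0BV9cFSC7RLkE+nKw==
-----END CERTIFICATE REQUEST-----"""

OID_EXT_REQUEST = bytes.fromhex("2a864886f70d01090e")  # 1.2.840.113549.1.9.14
OID_SAN = bytes.fromhex("551d11")                      # 2.5.29.17 subjectAltName

def tlvs(buf):
    """Yield (tag, value) for each DER element in buf (single-byte tags only)."""
    i = 0
    while i < len(buf):
        tag, n = buf[i], buf[i + 1]
        i += 2
        if n & 0x80:                      # long-form length: next k bytes hold it
            k = n & 0x7F
            n, i = int.from_bytes(buf[i:i + k], "big"), i + k
        if i + n > len(buf):
            raise ValueError("truncated DER")
        yield tag, buf[i:i + n]
        i += n

def csr_dns_sans(pem):
    """Return the dNSName SANs requested in a PKCS#10 CSR ([] if none)."""
    b64 = "".join(l for l in pem.splitlines() if not l.startswith("-----"))
    (_, csr), = tlvs(base64.b64decode(b64))       # CertificationRequest
    (_, info), *_ = tlvs(csr)                     # CertificationRequestInfo
    names = []
    for attrs in (v for t, v in tlvs(info) if t == 0xA0):   # [0] attributes
        for _, attr in tlvs(attrs):
            (_, oid), (_, values) = tlvs(attr)
            if oid != OID_EXT_REQUEST:
                continue
            for _, exts in tlvs(values):          # SET OF Extensions
                for _, ext in tlvs(exts):         # Extension: OID, [critical], value
                    fields = list(tlvs(ext))
                    if fields[0][1] == OID_SAN:
                        (_, gns), = tlvs(fields[-1][1])   # OCTET STRING -> GeneralNames
                        names += [v.decode("ascii") for t, v in tlvs(gns) if t == 0x82]
    return names

if __name__ == "__main__":
    print(csr_dns_sans(CSR_PEM))
```

An empty list means the request carries no SAN extension at all, which is the case where `openssl req -text` has nothing to show.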