On May 23, 2013, at 10:28 AM, Jakob Bohm wrote:

> On 5/23/2013 6:21 PM, Craig White wrote:
>> hmmm… I guess it may not be there but it's there in the cert that I signed 
>> with my CA self which is using the same csr
>> 
>> Is there something wrong with the way I am generating them?
>> 
>> openssl req -new -nodes \
>>     -out $CERTPATH/http.csr \
>>     -keyout $CERTPATH/http.key \
>>     -days 3650 \
>>     -config $CONFIG
> 
> Depends what is in your config!
> 
> In the config I use for such I have (other lines omitted for clarity):
> 
> [req]
> 
> # Other stuff
> 
> req_extensions = v3_req
> 
> [ v3_req ]
> 
> # Other stuff
> 
> subjectAltName = @alt_names
> 
> [alt_names]
> # Remember to repeat the CN as one of the ALT Names,
> # Someone published an RFC that said to ignore the CN if there are
> #    any ALT names and some idiots implemented this misprint
> #    literally.
> # The lines that start with DNS are for "DNS names", that is web
> #    servers etc., there are other words to use for other name
> #    types, and those type indicators become part of the request
> #    (and the certificate if it copies the alt names)
> DNS.0 = www.example.com
> DNS.1 = example.com
> DNS.2 = web.example.com
> 
> 
>> 
>> openssl ca \
>>     -config $CONFIG \
>>     -policy policy_anything \
>>     -out $CERTPATH/http.pem \
>>     -infiles $CERTPATH/http.csr
> 
> Does the config file used by your CA say to copy the Alt names
> extension from the requests?

----
I think you have hit the nail on the head. The subjectAltName(s) aren't getting 
included in requests but are being included in certificates which are drawn 
from the same config file. I was assuming that it would work but it isn't.

I moved the subjectAltName definition to various sections, including v3_req, and 
changed it to this…
subjectAltName = email:copy, DNS:copy, @alt_names

but still no go - subjectAltName is not making it into the csr.

Finally tried 

$ openssl req -new -nodes \
    -out $CERTPATH/http.csr \
    -keyout $CERTPATH/http.key \
    -days 3650 \
    -config $CONFIG \
    -extensions v3_req

but still not in the csr.

Obviously I am missing something important in my reading of the documentation.

Thanks

Craig
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
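An end-to-end version of what Jakob's reply points at, added here as an example and not code from this thread or from the OpenSSL project: the CSR only carries subjectAltName when the `[req]` section names a `req_extensions` section (or `openssl req` is given `-reqexts`; the `-extensions` flag used above selects extensions for `-x509` self-signed output, not for requests), and `openssl ca` only carries it into the certificate when its CA section sets `copy_extensions = copy`. The script builds a throwaway CA in a scratch directory and checks both artifacts with `openssl req -text` / `openssl x509 -text`. The directory layout, the "Demo CA" name, the example.com names and the policy/extension section names are all constructed for the demo.

```shell
# Added example (not from the thread). Shows req_extensions on the request
# side and copy_extensions = copy on the CA side, then verifies the SAN
# reached both the CSR and the signed certificate. All names are constructed.
set -eu

write_configs() {
    dir="$1"
    mkdir -p "$dir/newcerts"
    : > "$dir/index.txt"
    echo 01 > "$dir/serial"
    # Request config: req_extensions is read by 'req -new' (CSR),
    # x509_extensions only by 'req -x509' (self-signed certificate).
    cat > "$dir/req.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt             = no
req_extensions     = v3_req
x509_extensions    = v3_ca
[dn]
CN = www.example.com
[v3_req]
subjectAltName = @alt_names
[alt_names]
DNS.0 = www.example.com
DNS.1 = example.com
DNS.2 = web.example.com
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage         = critical, keyCertSign, cRLSign
EOF
    # CA config: with 'copy' (not 'copyall') only extensions absent from
    # leaf_ext are taken from the CSR, so a requester cannot smuggle in
    # its own basicConstraints or keyUsage values.
    cat > "$dir/ca.cnf" <<EOF
[ca]
default_ca = demo_ca
[demo_ca]
database        = $dir/index.txt
serial          = $dir/serial
new_certs_dir   = $dir/newcerts
certificate     = $dir/ca.pem
private_key     = $dir/ca.key
default_md      = sha256
default_days    = 1
policy          = policy_anything
x509_extensions = leaf_ext
copy_extensions = copy
[policy_anything]
commonName = supplied
[leaf_ext]
basicConstraints = critical, CA:FALSE
keyUsage         = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
EOF
}

# Self-signed CA certificate: -extensions selects the section for -x509 output.
make_ca() {
    openssl req -x509 -new -nodes -newkey rsa:2048 -days 1 -subj "/CN=Demo CA" \
        -config "$1/req.cnf" -extensions v3_ca \
        -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null
}

# CSR: -reqexts selects the request-extension section (redundant here because
# req_extensions is already set in [req], but it is the flag that applies).
make_csr() {
    openssl req -new -nodes -newkey rsa:2048 -config "$1/req.cnf" -reqexts v3_req \
        -keyout "$1/http.key" -out "$1/http.csr" 2>/dev/null
}

# Sign with 'openssl ca'; copy_extensions = copy in ca.cnf does the carrying.
sign_csr() {
    openssl ca -batch -notext -config "$1/ca.cnf" \
        -in "$1/http.csr" -out "$1/http.pem" 2>/dev/null
}

# Checks: SAN present in CSR and certificate, and the leaf is not a CA.
csr_has_san()  { openssl req  -in "$1" -noout -text | grep -q 'DNS:web.example.com'; }
cert_has_san() { openssl x509 -in "$1" -noout -text | grep -q 'DNS:web.example.com'; }
cert_is_leaf() { openssl x509 -in "$1" -noout -text | grep -q 'CA:FALSE'; }

# Whole flow in a scratch directory; returns 0 only if every check passes.
run_demo() {
    dir="$1"
    write_configs "$dir" && make_ca "$dir" && make_csr "$dir" && sign_csr "$dir" \
        && csr_has_san "$dir/http.csr" \
        && cert_has_san "$dir/http.pem" \
        && cert_is_leaf "$dir/http.pem"
}
```

Run it as `run_demo "$(mktemp -d)"`; to see the failure mode from the thread, delete the `req_extensions` line from `req.cnf` and `csr_has_san` stops matching, and with `copy_extensions` removed from `ca.cnf` the CSR keeps its SAN but `cert_has_san` fails.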
