On 1/7/2014 12:17 AM, Biondo, Brandon A. wrote:
I am using ‘ca’ not ‘x509’. It too ignores/discards extensions. Turning
on copy_extensions solved the issue though, thanks. I have some
follow-up questions:

1. If including SANs in CSRs is non-standard, what is the accepted way of
passing all the metadata you want to an authority to construct your
certificate?


Many commercial CAs take all the certificate information "out-of-band"
on a web form; the only thing those CAs use from the CSR is that it is
signed with the requested public/private key pair and has the right
subject.

2. Why does the config file say to be careful using copy_extensions? Why
wouldn’t you want all your extensions to be part of your certificate?
Isn’t the whole point of a CSR to package up all the data you want in
your certificate?


Because copy_extensions copies all the extensions in the CSR, so if you
use it, you will need to carefully check every extension in every CSR
you receive from "users". Note that security-wise, you should not
blindly trust a CSR from a less secure computer than the CA computer,
even if you happen to be the person who generated that CSR (when you
take off your "user" hat and put on your "CA administrator" hat, you
need to check if the "user's" computer generated a different CSR than
what you agreed to sign).

When I generate certificates with SANs (which I usually do), I typically
use one of two approaches:

A) For the common case: The CA's openssl.cnf adds the usual SANs as extensions, taking the actual name parts from environment variables which my scripts set from my input before signing each cert.

B) For the handful of more complex cases, I construct a custom section
in openssl.cnf which adds those specific SANs, as well as any other
unusual extensions.


From: owner-openssl-us...@openssl.org
[mailto:owner-openssl-us...@openssl.org] On Behalf Of Dave Thompson
Sent: Monday, January 06, 2014 5:38 PM
To: openssl-users@openssl.org
Subject: RE: OpenSSL CA and signing certs with SANs

It is debatable whether putting SAN in the request is really ‘proper’;
I don’t know of any ‘real’ (public) CA that accepts it that way.

But for openssl:

If you are using ‘ca’, set copy_extensions in the config file. See the
man page.

If you are using ‘x509 -req’, that ignores/discards extensions from the CSR.
It can **add** extensions from a config file, but since you usually want
SAN to be different for every subject cert that isn’t very convenient.

Do you really mean ‘x509 -signkey’ to self-sign, or ‘req -x509’?
The latter is IME much more common.

From: owner-openssl-us...@openssl.org
[mailto:owner-openssl-us...@openssl.org] On Behalf Of Biondo, Brandon A.
Sent: Monday, January 06, 2014 16:16
To: openssl-users@openssl.org
Subject: OpenSSL CA and signing certs with SANs

Hello,

Forgive me if I breach etiquette. This is my first post to this list in
quite a while.

I am having trouble tracking down information regarding how you
reconfigure an OpenSSL CA to handle SANs in requests. There is a wealth
of information on how to configure OpenSSL to form a proper request, but
in my searching I can only ever find people who use the x509 function to
self-sign their certs. When you use an OpenSSL CA to sign this type of
request, the certificate is made without issue but the SANs are stripped
out of the final product. What am I missing here?

Regards,

Brandon Biondo



Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  http://www.wisemo.com
Transformervej 29, 2730 Herlev, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
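The two behaviours discussed in the thread, as an added example that is not part of the thread and not Jakob's or Dave's scripts: the script below builds a throwaway CA in a temporary directory and signs the same CSR twice with `openssl ca`. The first run is Jakob's approach A (copy_extensions = none, the default, with the CA's own config section supplying the subjectAltName from an environment variable the issuing script sets); the second run uses copy_extensions = copy, so the extra name the requester put in the CSR lands in the certificate. The CA section names, file names, the LEAF_SAN/DEMO_DIR variable names and the example.test host names are all constructed for this example.

```shell
#!/bin/sh
# Added example, not code from the thread. Builds a throwaway CA in a temp directory
# and issues one CSR twice: with CSR extensions ignored and the SAN supplied by the
# CA config (approach A), and with copy_extensions = copy. All names are constructed.
set -eu
command -v openssl >/dev/null 2>&1 || { echo "openssl CLI not found" >&2; exit 0; }

DEMO_DIR="$(mktemp -d)"
export DEMO_DIR

setup_ca() {
  mkdir -p "$DEMO_DIR/newcerts"
  : > "$DEMO_DIR/index.txt"
  echo 1000 > "$DEMO_DIR/serial"

  # Requester-side config: the CSR asks for two SANs, one of them not agreed with the CA.
  cat > "$DEMO_DIR/req.cnf" <<'EOF'
[ req ]
distinguished_name = req_dn
req_extensions     = req_ext
[ req_dn ]
[ req_ext ]
subjectAltName = DNS:www.example.test, DNS:admin.example.test
[ ca_ext ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF

  # CA-side config with two CA sections, selected with 'openssl ca -name'.
  cat > "$DEMO_DIR/ca.cnf" <<'EOF'
[ ca ]
default_ca = ca_strict

# Approach A: copy_extensions = none drops every CSR extension; the SAN comes from
# the LEAF_SAN environment variable that the issuing script sets per certificate.
[ ca_strict ]
dir             = ${ENV::DEMO_DIR}
database        = $dir/index.txt
new_certs_dir   = $dir/newcerts
serial          = $dir/serial
certificate     = $dir/ca.crt
private_key     = $dir/ca.key
default_md      = sha256
default_days    = 30
policy          = policy_cn
unique_subject  = no
copy_extensions = none
x509_extensions = leaf_ca_supplied

# copy_extensions = copy: every CSR extension the CA config does not set itself is copied.
[ ca_copy ]
dir             = ${ENV::DEMO_DIR}
database        = $dir/index.txt
new_certs_dir   = $dir/newcerts
serial          = $dir/serial
certificate     = $dir/ca.crt
private_key     = $dir/ca.key
default_md      = sha256
default_days    = 30
policy          = policy_cn
unique_subject  = no
copy_extensions = copy
x509_extensions = leaf_no_san

[ policy_cn ]
commonName = supplied

[ leaf_ca_supplied ]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName   = ${ENV::LEAF_SAN}

[ leaf_no_san ]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
EOF

  # Self-signed CA certificate via 'req -x509' (the form Dave calls the more common one).
  openssl req -x509 -config "$DEMO_DIR/req.cnf" -extensions ca_ext -newkey rsa:2048 -nodes \
    -keyout "$DEMO_DIR/ca.key" -out "$DEMO_DIR/ca.crt" -subj "/CN=Demo Test CA" -days 30 2>/dev/null
  # The requester's CSR, carrying both SANs.
  openssl req -new -config "$DEMO_DIR/req.cnf" -newkey rsa:2048 -nodes \
    -keyout "$DEMO_DIR/leaf.key" -out "$DEMO_DIR/leaf.csr" -subj "/CN=www.example.test" 2>/dev/null
}

# issue <CA section> <output file>: sign leaf.csr with the chosen CA section.
issue() {
  LEAF_SAN="DNS:www.example.test"   # the only name the CA agreed to certify
  export LEAF_SAN
  openssl ca -batch -notext -config "$DEMO_DIR/ca.cnf" -name "$1" \
    -in "$DEMO_DIR/leaf.csr" -out "$2" 2>/dev/null
}

# san_of <cert>: print the subjectAltName value line from the certificate's text dump.
san_of() {
  openssl x509 -in "$1" -noout -text \
    | sed -n '/Subject Alternative Name/{n;s/^[[:space:]]*//;p;}'
}

setup_ca
issue ca_strict "$DEMO_DIR/strict.crt"
issue ca_copy   "$DEMO_DIR/copy.crt"
echo "copy_extensions = none, SAN from CA config: $(san_of "$DEMO_DIR/strict.crt")"
echo "copy_extensions = copy, SAN from the CSR:   $(san_of "$DEMO_DIR/copy.crt")"
```

Run it as a plain sh script; it needs only the openssl command line tool and leaves its files in the temporary directory it prints nothing about, so remove that directory afterwards. The strict run prints only DNS:www.example.test, the copy run prints both names from the CSR. Note that in copy mode an extension the CA config sets itself (here basicConstraints, keyUsage and extendedKeyUsage) still wins over the CSR's copy of it, so a CA config that pins those while copying the rest is the middle ground between the two sections.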
