No, it does not work. It worked because I had the old root CA cert there. Without it it fails.

I tried adding -selfsign and that did something, but did not create a trusted cert...


On 08/17/2017 08:44 PM, Robert Moskowitz wrote:
Kind of...

Does not put SAN in CA cert:

openssl req -config openssl-root.cnf -key private/ca.key.pem \
-new -x509 -days 7300 -sha256 -extensions v3_ca -out certs/ca.cert.pem

Does put SAN in CA cert:

openssl req -config openssl-root.cnf -key private/ca.key.pem \
      -new -sha256 -extensions v3_ca -out csr/ca.csr.pem

openssl ca -config openssl-root.cnf -extensions v3_ca -days 7300 -notext -md sha256 \
      -in csr/ca.csr.pem -out certs/ca.cert.pem

Interesting that the single step does not work, but the 2 step does.

Do I need -extensions v3_ca in both commands? Plus sha256 in both? Could benefit from some refinement. Or getting the 1 step working.

Good enough for now!

Bob


On 08/17/2017 06:38 PM, Jeffrey Walton wrote:
On Thu, Aug 17, 2017 at 6:30 PM, Robert Moskowitz <r...@htt-consult.com> wrote:
I guess I am making progress. I am not getting SAN into the root cert. My
cnf has in it:

[ req ]
# Options for the `req` tool (`man req`).
default_bits        = 2048
prompt              = no
distinguished_name  = req_distinguished_name
string_mask         = utf8only
req_extensions      = req_ext

[ req_ext ]
#subjectAltName = email:$ENV::adminemail
#subjectAltName = email:ad...@htt-consult.com
subjectAltName = IP:192.168.24.1

I tried all three above alternatives for SAN.  No SAN in the root cert
created with:

openssl req -config openssl-root.cnf -key private/ca.key.pem \
-new -x509 -days 7300 -sha256 -extensions v3_ca -out certs/ca.cert.pem

Thanks for any insight.

This type of cnf worked for creating a CSR and with the copy option the SAN
made it into the cert.
It looks a bit unusual for a Root CA.

As far as signing the CSR, you need

     copy_extensions = copy

Jeff


--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
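The behaviour Bob observes has a simple cause: `req_extensions` is only consulted when `openssl req` writes a CSR, while `openssl req -x509` takes its extensions from `x509_extensions` (or whatever `-extensions` names), which is why the SAN in `req_ext` never reached the one-step root cert but did reach the CSR and, via `copy_extensions = copy`, the two-step cert. The script below is an added example, not something posted in the thread: it builds two constructed configs, one with the SAN in `req_ext` only (Bob's layout) and one with the SAN in `v3_ca`, runs Bob's one-step command against each, and reads the SAN back out of the resulting certificate. The `192.168.24.1` address is the one from the thread; the CN, file names and working directory are constructed, and it assumes `openssl` is on the PATH.

```shell
#!/bin/sh
# Added example (not from the thread): where the SAN has to live for a
# one-step self-signed root CA. Assumes openssl in PATH; CN and paths are
# constructed, the IP SAN is the one Bob used.
set -eu
command -v openssl >/dev/null 2>&1 || { echo "openssl not installed" >&2; exit 0; }

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# One key for both experiments (constructed, throwaway).
openssl genrsa -out "$WORK/ca.key.pem" 2048 2>/dev/null

# Write a minimal root-CA config. $1 selects where subjectAltName goes:
#   req_ext -> only in the CSR section (Bob's original cnf; ignored by -x509)
#   v3_ca   -> in the section that '-extensions v3_ca' actually applies
write_cnf() {
  san_req=''
  san_ca=''
  case $1 in
    req_ext) san_req='subjectAltName = IP:192.168.24.1' ;;
    v3_ca)   san_ca='subjectAltName = IP:192.168.24.1' ;;
  esac
  cat >"$WORK/$1.cnf" <<EOF
[ req ]
default_bits        = 2048
prompt              = no
distinguished_name  = req_distinguished_name
string_mask         = utf8only
# used only when req writes a CSR (no -x509)
req_extensions      = req_ext
# used by 'req -x509'; the -extensions flag overrides this name
x509_extensions     = v3_ca

[ req_distinguished_name ]
CN = Constructed Example Root CA

[ req_ext ]
$san_req

[ v3_ca ]
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints       = critical, CA:true
keyUsage               = critical, digitalSignature, cRLSign, keyCertSign
$san_ca
EOF
}

# Run Bob's one-step command against the chosen config and print the SAN
# found in the certificate (empty output if the cert carries none).
san_of() {
  write_cnf "$1"
  openssl req -config "$WORK/$1.cnf" -key "$WORK/ca.key.pem" \
      -new -x509 -days 7300 -sha256 -extensions v3_ca \
      -out "$WORK/$1.cert.pem" 2>/dev/null
  openssl x509 -in "$WORK/$1.cert.pem" -noout -text \
      | grep -A1 'Subject Alternative Name' | tail -n 1 | sed 's/^ *//' || true
}

echo "SAN with subjectAltName in req_ext only: '$(san_of req_ext)'"
echo "SAN with subjectAltName in v3_ca:        '$(san_of v3_ca)'"
```

The first line prints an empty SAN and the second prints `IP Address:192.168.24.1`, so the one-step command works as soon as the `subjectAltName` line is moved into (or duplicated in) the `v3_ca` section; `-extensions v3_ca` and `-sha256` are then only needed on that single `req -x509` command, since there is no separate `openssl ca` step to sign a CSR.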
