> From: Michael Leone [mailto:tur...@mike-leone.com]
> Sent: Friday, February 07, 2020 13:13
>
> I've got it almost all figured out, except how to get a subjectAltName
> automatically populated by the CN of the requestor. My requests aren't
> asking for a SAN, but Chrome isn't happy without one, so I'd like to
> at least auto-populate 1 SAN by having it be the DNS:<CN> of the
> requesting CSR.


Not automatically, unfortunately. openssl ca recognizes a special "email:copy" 
token in the extension list in the configuration file, but that's only for 
email addresses in the Subject DN.

I generally script this sort of thing.

If you have the CN handy before you create the CSR, just add it there:

   CN=<whatever>
   openssl req ... -addext "subjectAltName=DNS:$CN"

If not, you can do it at the issuing stage by extracting the CN from the CSR 
and then putting it into a SAN appended to the list of extensions for ca. 
Unfortunately ca doesn't have the -addext option (alas), but you can do it with 
a temporary file, perhaps using a bash inline file as Viktor suggested in an 
earlier message in this thread.

Currently for historical reasons the scripts I have for doing this are all for 
Windows, but it's actually easier to do it on Linux or UNIX (or on Windows 
using Cygwin or WSL or whatever). Something like this:

   CnLine=$(openssl req -in "$CsrFile" -noout -subject -nameopt sep_multiline,sname | grep " CN=")
   openssl ca ... -extfile <(cat extensions-file; echo "subjectAltName=DNS:${CnLine# *CN=}")

Though that may be a bit too clever to be easily maintainable, depending on 
who's going to maintain it. It might be more sensible to have the script build 
a temporary file with multiple, more easily understood and debugged steps. (You 
may want to watch for potential TOCTOU vulnerabilities if you use that 
approach, though it sounds like this isn't a concern for your particular use 
case.)

--
Michael Wojcik
Distinguished Engineer, Micro Focus
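A scripted form of the temporary-file approach, added here as an example and not part of the message above. It assumes the base extension file has no section header (so openssl ca reads its default section) and that the caller supplies the remaining openssl ca options; because the CN comes from the requester and the extension file is parsed as config, it validates the CN before writing it.

```shell
#!/bin/sh
# Added example, not from the original message. Copies the CSR's CN into a
# subjectAltName at issuance time via a temporary extension file.
# Assumes: the base extension file has no [section] header (openssl ca then
# reads the default section), and the caller passes the other openssl ca
# options (-config, -keyfile, ...) as arguments to issue_with_san.

# Extract the CN from "openssl req -subject -nameopt sep_multiline,sname"
# output on stdin; that form prints each RDN on its own indented line.
cn_from_subject() {
    sed -n 's/^ *CN=//p' | head -n 1
}

# The CN is requester-controlled and gets written into a file openssl parses
# as config, so only accept plain hostnames (wildcards deliberately excluded).
is_dns_name() {
    case "$1" in
        ''|*[!A-Za-z0-9.-]*|-*|.*|*.) return 1 ;;
    esac
    return 0
}

# Write base extensions plus the SAN line to a fresh mktemp file and print
# its path. mktemp creates the file atomically with mode 0600, which avoids
# the predictable-name / pre-created-file TOCTOU problem of a fixed path.
write_extfile() {
    base="$1"; cn="$2"
    tmp=$(mktemp) || return 1
    { cat "$base"; printf 'subjectAltName=DNS:%s\n' "$cn"; } > "$tmp"
    printf '%s\n' "$tmp"
}

# Full flow: issue_with_san CSR BASE_EXT [openssl ca options...]
issue_with_san() {
    csr="$1"; base="$2"; shift 2
    cn=$(openssl req -in "$csr" -noout -subject \
             -nameopt sep_multiline,sname | cn_from_subject)
    is_dns_name "$cn" || { echo "refusing CN '$cn'" >&2; return 1; }
    ext=$(write_extfile "$base" "$cn") || return 1
    trap 'rm -f "$ext"' EXIT
    openssl ca "$@" -in "$csr" -extfile "$ext"
}
```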