Re: [openssl-users] Display CSR w/ subjectAltName
Got it now… the script I was using was directing it to a different openssl.cnf than the one I was editing. I obviously moved a copy of the entire directory to play with a copy and not the real CA.

Thanks all

Craig

On May 23, 2013, at 10:28 AM, Jakob Bohm wrote:

> On 5/23/2013 6:21 PM, Craig White wrote:
>> hmmm… I guess it may not be there but it's there in the cert that I signed
>> with my CA self which is using the same csr
>>
>> Is there something wrong with the way I am generating them?
>>
>> openssl req -new -nodes \
>>     -out $CERTPATH/http.csr \
>>     -keyout $CERTPATH/http.key \
>>     -days 3650 \
>>     -config $CONFIG
>
> Depends what is in your config!
>
> In the config I use for such I have (other lines omitted for clarity):
>
> [req]
>
> # Other stuff
>
> req_extensions = v3_req
>
> [ v3_req ]
>
> # Other stuff
>
> subjectAltName = @alt_names
>
> [alt_names]
> # Remember to repeat the CN as one of the ALT Names,
> # Someone published an RFC that said to ignore the CN if there are
> # any ALT names and some idiots implemented this misprint
> # literally.
> # The lines that start with DNS are for "DNS names", that is web
> # servers etc., there are other words to use for other name
> # types, and those type indicators become part of the request
> # (and the certificate if it copies the alt names)
> DNS.0 = www.example.com
> DNS.1 = example.com
> DNS.2 = web.example.com
>
>> openssl ca \
>>     -config $CONFIG \
>>     -policy policy_anything \
>>     -out $CERTPATH/http.pem \
>>     -infiles $CERTPATH/http.csr
>
> Does the config file used by your CA say to copy the Alt names
> extension from the requests?
>
> Enjoy
>
> Jakob
> --
> Jakob Bohm, CIO, Partner, WiseMo A/S.  http://www.wisemo.com
> Transformervej 29, 2730 Herlev, Denmark.  Direct +45 31 13 16 10
> This public discussion message is non-binding and may contain errors.
> WiseMo - Remote Service Management for PCs, Phones and Embedded

--
Craig White ~ craig.wh...@ttiltd.com
1.800.869.6908 ~~ www.ttiassessments.com
Using Assessments to Create Agile Organizations Webinar
https://www4.gotomeeting.com/register/480934271
March 21, 2013, 12pm EDT
Transform your company into a thriving, agile organization that is able to respond immediately to changing customer demands.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
RE: [openssl-users] Display CSR w/ subjectAltName
> From: owner-openssl-us...@openssl.org On Behalf Of Craig White
> Sent: Thursday, 23 May, 2013 15:31
>
> On May 23, 2013, at 10:28 AM, Jakob Bohm wrote:
>
> I think you have hit the nail on the head. The
> subjectAltName(s) aren't getting included in requests but are
> being included in certificates which are drawn from the same
> config file. I was assuming that it would work but it isn't.

The same file, but 'req' and 'ca' (mostly?) use different sections.

> I moved the subjectAltName definition to various sections
> included v3_req and changed it to this.
>
> subjectAltName = email:copy, DNS:copy, @alt_names
>
> but still no go - subjectAltName is not making it into the csr.
>
> Finally tried
>
> $ openssl req -new -nodes \
>     -out $CERTPATH/http.csr \
>     -keyout $CERTPATH/http.key \
>     -days 3650 \
>     -config $CONFIG \
>     -extensions v3_req
>
> but still not in the csr.
>
> Obviously I am missing something important in my reading of
> the documentation.

req -new -reqexts should put into a CSR.
req -new -x509 -extensions should put into a selfsigned cert.
Re: [openssl-users] Display CSR w/ subjectAltName
On May 23, 2013, at 10:28 AM, Jakob Bohm wrote:

> On 5/23/2013 6:21 PM, Craig White wrote:
>> hmmm… I guess it may not be there but it's there in the cert that I signed
>> with my CA self which is using the same csr
>>
>> Is there something wrong with the way I am generating them?
>>
>> openssl req -new -nodes \
>>     -out $CERTPATH/http.csr \
>>     -keyout $CERTPATH/http.key \
>>     -days 3650 \
>>     -config $CONFIG
>
> Depends what is in your config!
>
> In the config I use for such I have (other lines omitted for clarity):
>
> [req]
>
> # Other stuff
>
> req_extensions = v3_req
>
> [ v3_req ]
>
> # Other stuff
>
> subjectAltName = @alt_names
>
> [alt_names]
> # Remember to repeat the CN as one of the ALT Names,
> # Someone published an RFC that said to ignore the CN if there are
> # any ALT names and some idiots implemented this misprint
> # literally.
> # The lines that start with DNS are for "DNS names", that is web
> # servers etc., there are other words to use for other name
> # types, and those type indicators become part of the request
> # (and the certificate if it copies the alt names)
> DNS.0 = www.example.com
> DNS.1 = example.com
> DNS.2 = web.example.com
>
>> openssl ca \
>>     -config $CONFIG \
>>     -policy policy_anything \
>>     -out $CERTPATH/http.pem \
>>     -infiles $CERTPATH/http.csr
>
> Does the config file used by your CA say to copy the Alt names
> extension from the requests?

I think you have hit the nail on the head. The subjectAltName(s) aren't getting included in requests but are being included in certificates which are drawn from the same config file. I was assuming that it would work but it isn't.

I moved the subjectAltName definition to various sections included v3_req and changed it to this…

    subjectAltName = email:copy, DNS:copy, @alt_names

but still no go - subjectAltName is not making it into the csr.

Finally tried

    $ openssl req -new -nodes \
        -out $CERTPATH/http.csr \
        -keyout $CERTPATH/http.key \
        -days 3650 \
        -config $CONFIG \
        -extensions v3_req

but still not in the csr.

Obviously I am missing something important in my reading of the documentation.

Thanks

Craig
Re: [openssl-users] Display CSR w/ subjectAltName
On 5/23/2013 6:21 PM, Craig White wrote:
> hmmm… I guess it may not be there but it's there in the cert that I signed
> with my CA self which is using the same csr
>
> Is there something wrong with the way I am generating them?
>
> openssl req -new -nodes \
>     -out $CERTPATH/http.csr \
>     -keyout $CERTPATH/http.key \
>     -days 3650 \
>     -config $CONFIG

Depends what is in your config!

In the config I use for such I have (other lines omitted for clarity):

[req]

# Other stuff

req_extensions = v3_req

[ v3_req ]

# Other stuff

subjectAltName = @alt_names

[alt_names]
# Remember to repeat the CN as one of the ALT Names,
# Someone published an RFC that said to ignore the CN if there are
# any ALT names and some idiots implemented this misprint
# literally.
# The lines that start with DNS are for "DNS names", that is web
# servers etc., there are other words to use for other name
# types, and those type indicators become part of the request
# (and the certificate if it copies the alt names)
DNS.0 = www.example.com
DNS.1 = example.com
DNS.2 = web.example.com

> openssl ca \
>     -config $CONFIG \
>     -policy policy_anything \
>     -out $CERTPATH/http.pem \
>     -infiles $CERTPATH/http.csr

Does the config file used by your CA say to copy the Alt names
extension from the requests?

Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  http://www.wisemo.com
Transformervej 29, 2730 Herlev, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
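Jakob's two questions (which config section "req" actually reads, and whether the CA copies request extensions) can be tried end to end in a scratch directory. The script below is an added example, not code from this thread or from the OpenSSL project: it writes its own openssl.cnf whose [req] section has no req_extensions line, builds one CSR without -reqexts and one with -reqexts v3_req (the command-line equivalent of putting req_extensions = v3_req in [req], as also mentioned elsewhere in the thread), then signs the second with a throwaway CA whose section says copy_extensions = copy. The section names, file names, key sizes and example.com DNS names are assumptions made for the demo; it only needs the openssl binary on PATH.

```shell
#!/bin/sh
# Added example (not from the thread or the OpenSSL project): a scratch CA that
# reproduces the symptom and the fix. "openssl req" only embeds the section named
# by req_extensions in [req] or by -reqexts on the command line, and "openssl ca"
# only carries request extensions into the certificate when its section says
# copy_extensions = copy. Paths, section names and DNS names are made up here.
set -e

# Write a self-contained openssl.cnf into scratch directory $1; print its path.
# [req] deliberately has no req_extensions line, so a plain "req -new" yields a
# CSR without the SAN; "req_extensions = v3_req" there is the config-file
# equivalent of passing -reqexts v3_req.
write_openssl_cnf() {
    dir=$1
    cat > "$dir/openssl.cnf" <<EOF
[ req ]
distinguished_name = req_dn
prompt             = no

[ req_dn ]
CN = www.example.com

[ v3_req ]
subjectAltName = @alt_names

[ alt_names ]
DNS.0 = www.example.com
DNS.1 = example.com

[ ca ]
default_ca = demo_ca

[ demo_ca ]
new_certs_dir   = $dir/newcerts
database        = $dir/index.txt
serial          = $dir/serial
certificate     = $dir/ca.pem
private_key     = $dir/ca.key
default_md      = sha256
default_days    = 365
policy          = policy_anything
x509_extensions = leaf_exts
copy_extensions = copy

[ policy_anything ]
commonName = supplied

[ leaf_exts ]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature, keyEncipherment
EOF
    echo "$dir/openssl.cnf"
}

# Key + CSR; extra arguments (e.g. -reqexts v3_req) go straight to "openssl req".
make_csr() {
    cfg=$1; key=$2; csr=$3; shift 3
    openssl req -new -nodes -newkey rsa:2048 -config "$cfg" \
        -keyout "$key" -out "$csr" "$@" 2>/dev/null
}

# Succeeds when the CSR's "Requested Extensions" carry a subjectAltName.
csr_has_san() {
    openssl req -noout -text -in "$1" | grep -q 'Subject Alternative Name'
}

# DNS names from an issued certificate's SAN, space separated.
cert_dns_names() {
    openssl x509 -noout -text -in "$1" | grep -o 'DNS:[^, ]*' | tr '\n' ' ' | sed 's/ $//'
}

# End to end; prints the issued certificate's DNS names, fails on the thread's symptom.
run_demo() {
    dir=$(mktemp -d)
    cfg=$(write_openssl_cnf "$dir")
    mkdir -p "$dir/newcerts"
    : > "$dir/index.txt"
    echo 01 > "$dir/serial"

    # Throwaway CA certificate and key.
    openssl req -x509 -new -nodes -newkey rsa:2048 -sha256 -days 365 -config "$cfg" \
        -subj "/CN=Demo Root CA" -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null

    # Without req_extensions or -reqexts the SAN never leaves the config file.
    make_csr "$cfg" "$dir/plain.key" "$dir/plain.csr"
    if csr_has_san "$dir/plain.csr"; then
        echo "unexpected: SAN present without -reqexts" >&2; return 1
    fi

    # With -reqexts v3_req the SAN is embedded in the request ...
    make_csr "$cfg" "$dir/http.key" "$dir/http.csr" -reqexts v3_req
    csr_has_san "$dir/http.csr" || { echo "SAN missing from CSR" >&2; return 1; }

    # ... and copy_extensions = copy carries it into the certificate.
    openssl ca -batch -notext -config "$cfg" -in "$dir/http.csr" -out "$dir/http.pem" 2>/dev/null
    names=$(cert_dns_names "$dir/http.pem")
    rm -rf "$dir"
    echo "$names"
}

# Run with: RUN_DEMO=1 sh san_roundtrip.sh
if [ "${RUN_DEMO:-0}" = 1 ]; then run_demo; fi
```

Removing copy_extensions = copy from [ demo_ca ] leaves the CSR unchanged but drops the SAN from the issued certificate, which is the mirror image of the symptom in this thread; comparing the two CSRs with "openssl req -noout -text" is the quickest way to tell which of the two programs is dropping the extension.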
Re: [openssl-users] Display CSR w/ subjectAltName
hmmm… I guess it may not be there but it's there in the cert that I signed with my CA self which is using the same csr

Is there something wrong with the way I am generating them?

    openssl req -new -nodes \
        -out $CERTPATH/http.csr \
        -keyout $CERTPATH/http.key \
        -days 3650 \
        -config $CONFIG

    openssl ca \
        -config $CONFIG \
        -policy policy_anything \
        -out $CERTPATH/http.pem \
        -infiles $CERTPATH/http.csr

Craig

On May 23, 2013, at 9:12 AM, Erwann Abalea wrote:

> Are you sure there's a SAN extension in the displayed CSR?
> Dump the entire content with asn1parse.
>
> On 23/05/2013 17:41, Craig White wrote:
>> I want to be able to view CSR's with subjectAltName's but I can't figure out
>> any way to make it happen. I have pored over the man pages and googled it
>> to death already.
>>
>> Ubuntu OpenSSL 0.9.8k-7ubuntu8.14 if that matters
>>
>> openssl req -noout -text -in SOME_FILE.csr
>>
>> gives me the contents of the CSR but not the subjectAltNames embedded in the
>> CSR.
>>
>> Added -nameopt multiline which is cool but still no ultimate joy
>>
>> Can someone throw me a bone here?

--
Craig White ~ craig.wh...@ttiltd.com
1.800.869.6908 ~~ www.ttiassessments.com
Re: Display CSR w/ subjectAltName
On 23.05.2013, at 17:41, Craig White wrote:

> openssl req -noout -text -in SOME_FILE.csr
>
> gives me the contents of the CSR but not the subjectAltNames embedded in the
> CSR.

The SAN extension should appear in the Requested Extensions: section of the output.

--
Stefan H. Holek
ste...@epy.co.at
http://pki-tutorial.readthedocs.org | http://pgpdump.net
Re: [openssl-users] Display CSR w/ subjectAltName
On Thu, May 23, 2013 at 06:12:39PM +0200, Erwann Abalea wrote:

> On 23/05/2013 17:41, Craig White wrote:
>> I want to be able to view CSR's with subjectAltName's but I
>> can't figure out any way to make it happen. I have pored over the
>> man pages and googled it to death already.
>>
>> openssl req -noout -text -in SOME_FILE.csr
>>
>> gives me the contents of the CSR but not the subjectAltNames
>> embedded in the CSR.
>
> Are you sure there's a SAN extension in the displayed CSR?
> Dump the entire content with asn1parse.

It almost certainly does not:

    $ openssl req -in req+key.pem -text
    Certificate Request:
        Data:
            Version: 0 (0x0)
            Subject:
            Subject Public Key Info:
                Public Key Algorithm: id-ecPublicKey
                    Public-Key: (256 bit)
                    pub:
                        04:eb:de:7c:00:c2:58:59:59:1b:29:8a:6a:0b:d1:
                        72:5b:aa:14:2b:2f:7e:47:a3:77:73:de:9e:55:f0:
                        00:98:d5:1b:a2:3f:74:cf:4f:9a:6a:5a:1c:95:f2:
                        55:e8:01:72:cb:ca:37:66:2a:cf:64:0d:3e:ac:1c:
                        65:47:fe:22:ca
                    ASN1 OID: prime256v1
            Attributes:
            Requested Extensions:
                X509v3 Extended Key Usage:
                    TLS Web Server Authentication, TLS Web Client Authentication
                X509v3 Subject Alternative Name:
                    DNS:example.com
        Signature Algorithm: ecdsa-with-SHA1
            30:45:02:20:04:ff:c2:5b:cf:0a:a0:4f:2e:a8:12:e3:8d:68:
            eb:b9:1e:ce:b0:a5:a6:e0:69:50:c8:84:f6:51:a6:8d:c9:90:
            02:21:00:8e:bd:37:19:9c:ff:7a:69:2d:5a:bf:50:d5:4b:f9:
            63:6b:a6:44:c7:40:55:f5:c1:52:0b:b4:4b:90:4f:a7:2b
    -----BEGIN CERTIFICATE REQUEST-----
    MIIBAjCBqgIBADAAMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE6958AMJYWVkb
    KYpqC9FyW6oUKy9+R6N3c96eVfAAmNUboj90z0+aaloclfJV6AFyy8o3ZirPZA0+
    rBxlR/4iyqBIMEYGCSqGSIb3DQEJDjE5MDcwHQYDVR0lBBYwFAYIKwYBBQUHAwEG
    CCsGAQUFBwMCMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAkGByqGSM49BAEDSAAw
    RQIgBP/CW88KoE8uqBLjjWjruR7OsKWm4GlQyIT2UaaNyZACIQCOvTcZnP96aS1a
    v1DVS/lja6ZEx0BV9cFSC7RLkE+nKw==
    -----END CERTIFICATE REQUEST-----

Generated via:

    #! /bin/bash
    umask 077
    tmp=$(mktemp .req+key.XX)
    dst=req+key.pem
    openssl req -new -sha1 -subj "/" >> $tmp \
        -newkey param:<(openssl ecparam -name prime256v1) \
        -nodes -keyout /dev/stdout \
        -config <(printf "[req]\n%s\n[dn]\n[exts]\n%s\n" \
            "$(printf "%s\n%s\n" \
                "distinguished_name=dn" \
                "req_extensions=exts")" \
            "$(printf "%s\n%s\n" \
                "extendedKeyUsage=serverAuth,clientAuth" \
                "subjectAltName=DNS:example.com" \
            )") &&
    mv $tmp "$dst"

--
	Viktor.
Re: [openssl-users] Display CSR w/ subjectAltName
Are you sure there's a SAN extension in the displayed CSR?
Dump the entire content with asn1parse.

--
Erwann ABALEA

On 23/05/2013 17:41, Craig White wrote:
> I want to be able to view CSR's with subjectAltName's but I can't figure out
> any way to make it happen. I have pored over the man pages and googled it
> to death already.
>
> Ubuntu OpenSSL 0.9.8k-7ubuntu8.14 if that matters
>
> openssl req -noout -text -in SOME_FILE.csr
>
> gives me the contents of the CSR but not the subjectAltNames embedded in the
> CSR.
>
> Added -nameopt multiline which is cool but still no ultimate joy
>
> Can someone throw me a bone here?
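The asn1parse dump Erwann suggests, and the "Requested Extensions:" section Stefan points to further up the thread, can be scripted as a check. The script below is an added example, not code from this thread or from the OpenSSL project; it embeds the CSR Viktor posted earlier in the thread (SAN = DNS:example.com), assumes only that openssl is on PATH, and the function names are made up for the demo. The point it makes explicit is that a SAN in a request is not part of the Subject at all: it sits inside the extensionRequest attribute, which is why "-nameopt" has no effect on it and why "req -text" prints it in its own section.

```shell
#!/bin/sh
# Added example (not from the thread or the OpenSSL project): confirm that a CSR
# carries a subjectAltName and see where it sits in the encoding. A SAN in a
# request is not part of the Subject; it lives inside the extensionRequest
# attribute (OID 1.2.840.113549.1.9.14), which "req -text" prints under
# "Requested Extensions:" and "asn1parse -i" shows as a nested SET of extensions.
set -e

# The CSR Viktor posted in this thread (SAN = DNS:example.com).
SAMPLE_CSR_PEM='-----BEGIN CERTIFICATE REQUEST-----
MIIBAjCBqgIBADAAMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE6958AMJYWVkb
KYpqC9FyW6oUKy9+R6N3c96eVfAAmNUboj90z0+aaloclfJV6AFyy8o3ZirPZA0+
rBxlR/4iyqBIMEYGCSqGSIb3DQEJDjE5MDcwHQYDVR0lBBYwFAYIKwYBBQUHAwEG
CCsGAQUFBwMCMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAkGByqGSM49BAEDSAAw
RQIgBP/CW88KoE8uqBLjjWjruR7OsKWm4GlQyIT2UaaNyZACIQCOvTcZnP96aS1a
v1DVS/lja6ZEx0BV9cFSC7RLkE+nKw==
-----END CERTIFICATE REQUEST-----'

# Write the sample CSR to a temp file and print its path (caller removes it).
write_sample_csr() {
    f=$(mktemp)
    printf '%s\n' "$SAMPLE_CSR_PEM" > "$f"
    echo "$f"
}

# Only the "Requested Extensions:" part of the human-readable dump.
csr_requested_extensions() {
    openssl req -noout -text -in "$1" | sed -n '/Requested Extensions:/,/Signature Algorithm:/p'
}

# DNS names in the CSR's SAN, space separated; empty when the request has none.
csr_san_dns() {
    csr_requested_extensions "$1" | grep -o 'DNS:[^, ]*' | tr '\n' ' ' | sed 's/ $//'
}

# Raw ASN.1 view: the attribute wrapper, the SAN OID and the OCTET STRING that
# holds the DER-encoded GeneralNames (its hex dump ends in 6578616D706C652E636F6D,
# i.e. "example.com"). The offsets on the left can be fed to "asn1parse -strparse".
csr_asn1_san_path() {
    openssl asn1parse -i -in "$1" \
        | grep -E 'Extension Request|Subject Alternative Name|OCTET STRING'
}

main() {
    f=$(write_sample_csr)
    echo "== req -text, Requested Extensions only =="
    csr_requested_extensions "$f"
    echo "== asn1parse, path to the SAN =="
    csr_asn1_san_path "$f"
    echo "SAN DNS names: $(csr_san_dns "$f")"
    rm -f "$f"
}

# Run with: RUN_DEMO=1 sh csr_san_check.sh
if [ "${RUN_DEMO:-0}" = 1 ]; then main; fi
```

Point csr_san_dns at a CSR produced without req_extensions / -reqexts and it prints nothing, which is exactly the situation earlier in this thread: the request never contained the extension, so no display option could have shown it.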
Display CSR w/ subjectAltName
I want to be able to view CSR's with subjectAltName's but I can't figure out any way to make it happen. I have pored over the man pages and googled it to death already.

Ubuntu OpenSSL 0.9.8k-7ubuntu8.14 if that matters

    openssl req -noout -text -in SOME_FILE.csr

gives me the contents of the CSR but not the subjectAltNames embedded in the CSR.

Added -nameopt multiline which is cool but still no ultimate joy

Can someone throw me a bone here?

--
Craig White ~ craig.wh...@ttiltd.com
1.800.869.6908 ~~ www.ttiassessments.com