subject:"RE\: \[openssl\-users\] Display CSR w\/ subjectAltName"

Re: [openssl-users] Display CSR w/ subjectAltName

2013-05-23 Thread Craig White

got it now… the script I was using was directing it to a different openssl.cnf 
than the one I was editing. I obviously moved a copy of the entire directory to 
play with a copy and not the real CA.

Thanks all

Craig

On May 23, 2013, at 10:28 AM, Jakob Bohm wrote:

> On 5/23/2013 6:21 PM, Craig White wrote:
>> hmmm… I guess it may not be there but it's there in the cert that I signed 
>> with my CA self which is using the same csr
>> 
>> Is there something wrong with the way I am generating them?
>> 
>> openssl req -new -nodes \
>> -out $CERTPATH/http.csr \
>> -keyout $CERTPATH/http.key \
>> -days 3650 \
>> -config $CONFIG
> 
> Depends what is in your config!
> 
> In the config I use for such I have (other lines omitted for clarity):
> 
> [req]
> 
> # Other stuff
> 
> req_extensions = v3_req
> 
> [ v3_req ]
> 
> # Other stuff
> 
> subjectAltName = @alt_names
> 
> [alt_names]
> # Remember to repeat the CN as one of the ALT Names,
> # Someone published an RFC that said to ignore the CN if there are
> #any ALT names and some idiots implemented this misprint
> #literally.
> # The lines that start with DNS are for "DNS names", that is web
> #servers etc., there are other words to use for other name
> #types, and those type indicators become part of the request
> #(and the certificate if it copies the alt names)
> DNS.0 = www.example.com
> DNS.1 = example.com
> DNS.2 = web.example.com
> 
> 
>> 
>> openssl ca \
>> -config $CONFIG \
>> -policy policy_anything \
>> -out $CERTPATH/http.pem \
>> -infiles $CERTPATH/http.csr
> 
> Does the config file used by your CA say to copy the Alt names
> extension from the requests?
> 
> 
> 
> 
> Enjoy
> 
> Jakob
> -- 
> Jakob Bohm, CIO, Partner, WiseMo A/S.  http://www.wisemo.com
> Transformervej 29, 2730 Herlev, Denmark.  Direct +45 31 13 16 10
> This public discussion message is non-binding and may contain errors.
> WiseMo - Remote Service Management for PCs, Phones and Embedded
> __
> OpenSSL Project http://www.openssl.org
> User Support Mailing Listopenssl-users@openssl.org
> Automated List Manager   majord...@openssl.org

-- 
Craig White ~ craig.wh...@ttiltd.com
1.800.869.6908 ~~ www.ttiassessments.com 

Using Assessments to Create Agile Organizations Webinar
https://www4.gotomeeting.com/register/480934271

March 21, 2013, 12pm EDT 
Transform your company into a thriving, agile organization that is 
able to respond immediately to changing customer demands.


__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org

RE: [openssl-users] Display CSR w/ subjectAltName

2013-05-23 Thread Dave Thompson

> From: owner-openssl-us...@openssl.org On Behalf Of Craig White
> Sent: Thursday, 23 May, 2013 15:31

> On May 23, 2013, at 10:28 AM, Jakob Bohm wrote:

> I think you have hit the nail on the head. The 
> subjectAltName(s) aren't getting included in requests but are 
> being included in certificates which are drawn from the same 
> config file. I was assuming that it would work but it isn't.
> 
The same file, but 'req' and 'ca' (mostly?) use different sections.

> I moved the subjectAltName definition to various sections 
> included v3_req and changed it to this.
> subjectAltName = email:copy, DNS:copy, @alt_names
> 
> but still no go - subjectAltName is not making it into the csr.
> 
> Finally tried 
> 
> $ openssl req -new -nodes \
> -out $CERTPATH/http.csr \
> -keyout $CERTPATH/http.key \
> -days 3650 \
> -config $CONFIG \
> -extensions v3_req
> 
> but still not in the csr.
> 
> Obviously I am missing something important in my reading of 
> the documentation.
> 
req -new -reqexts 
should put into a CSR.
req -new -x509 -extensions 
should put into a selfsigned cert.


__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org

Re: [openssl-users] Display CSR w/ subjectAltName

2013-05-23 Thread Craig White


On May 23, 2013, at 10:28 AM, Jakob Bohm wrote:

> On 5/23/2013 6:21 PM, Craig White wrote:
>> hmmm… I guess it may not be there but it's there in the cert that I signed 
>> with my CA self which is using the same csr
>> 
>> Is there something wrong with the way I am generating them?
>> 
>> openssl req -new -nodes \
>> -out $CERTPATH/http.csr \
>> -keyout $CERTPATH/http.key \
>> -days 3650 \
>> -config $CONFIG
> 
> Depends what is in your config!
> 
> In the config I use for such I have (other lines omitted for clarity):
> 
> [req]
> 
> # Other stuff
> 
> req_extensions = v3_req
> 
> [ v3_req ]
> 
> # Other stuff
> 
> subjectAltName = @alt_names
> 
> [alt_names]
> # Remember to repeat the CN as one of the ALT Names,
> # Someone published an RFC that said to ignore the CN if there are
> #any ALT names and some idiots implemented this misprint
> #literally.
> # The lines that start with DNS are for "DNS names", that is web
> #servers etc., there are other words to use for other name
> #types, and those type indicators become part of the request
> #(and the certificate if it copies the alt names)
> DNS.0 = www.example.com
> DNS.1 = example.com
> DNS.2 = web.example.com
> 
> 
>> 
>> openssl ca \
>> -config $CONFIG \
>> -policy policy_anything \
>> -out $CERTPATH/http.pem \
>> -infiles $CERTPATH/http.csr
> 
> Does the config file used by your CA say to copy the Alt names
> extension from the requests?


I think you have hit the nail on the head. The subjectAltName(s) aren't getting 
included in requests but are being included in certificates which are drawn 
from the same config file. I was assuming that it would work but it isn't.

I moved the subjectAltName definition to various sections included v3_req and 
changed it to this…
subjectAltName = email:copy, DNS:copy, @alt_names

but still no go - subjectAltName is not making it into the csr.

Finally tried 

$ openssl req -new -nodes \
-out $CERTPATH/http.csr \
-keyout $CERTPATH/http.key \
-days 3650 \
-config $CONFIG \
-extensions v3_req

but still not in the csr.

Obviously I am missing something important in my reading of the documentation.

Thanks

Craig__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org

Re: [openssl-users] Display CSR w/ subjectAltName

2013-05-23 Thread Jakob Bohm


On 5/23/2013 6:21 PM, Craig White wrote:

hmmm… I guess it may not be there but it's there in the cert that I signed with 
my CA self which is using the same csr

Is there something wrong with the way I am generating them?

openssl req -new -nodes \
 -out $CERTPATH/http.csr \
 -keyout $CERTPATH/http.key \
 -days 3650 \
 -config $CONFIG


Depends what is in your config!

In the config I use for such I have (other lines omitted for clarity):

[req]

# Other stuff

req_extensions = v3_req

[ v3_req ]

# Other stuff

subjectAltName = @alt_names

[alt_names]
# Remember to repeat the CN as one of the ALT Names,
# Someone published an RFC that said to ignore the CN if there are
#any ALT names and some idiots implemented this misprint
#literally.
# The lines that start with DNS are for "DNS names", that is web
#servers etc., there are other words to use for other name
#types, and those type indicators become part of the request
#(and the certificate if it copies the alt names)
DNS.0 = www.example.com
DNS.1 = example.com
DNS.2 = web.example.com




openssl ca \
 -config $CONFIG \
 -policy policy_anything \
 -out $CERTPATH/http.pem \
 -infiles $CERTPATH/http.csr


Does the config file used by your CA say to copy the Alt names
extension from the requests?




Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  http://www.wisemo.com
Transformervej 29, 2730 Herlev, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org

Re: [openssl-users] Display CSR w/ subjectAltName

2013-05-23 Thread Craig White

hmmm… I guess it may not be there but it's there in the cert that I signed with 
my CA self which is using the same csr

Is there something wrong with the way I am generating them?

openssl req -new -nodes \
-out $CERTPATH/http.csr \
-keyout $CERTPATH/http.key \
-days 3650 \
-config $CONFIG

openssl ca \
-config $CONFIG \
-policy policy_anything \
-out $CERTPATH/http.pem \
-infiles $CERTPATH/http.csr

Craig

On May 23, 2013, at 9:12 AM, Erwann Abalea wrote:

> Are you sure there's a SAN extension in the displayed CSR?
> Dump the entire content with asn1parse.
> 
> -- 
> Erwann ABALEA
> 
> Le 23/05/2013 17:41, Craig White a écrit :
>> I want to be able to view CSR's with subjectAltName's but I can't figure out 
>> any way to make it happen. I have poured over the man pages and googled it 
>> to death already.
>> 
>> Ubuntu OpenSSL 0.9.8k-7ubuntu8.14 if that matters
>> 
>> openssl req -noout -text -in SOME_FILE.csr
>> 
>> gives me the contents of the CSR but not the subjectAltNames embedded in the 
>> CSR.
>> 
>> Added -nameopt multiline which is cool but still no ultimate joy
>> 
>> Can someone throw me a bone here?
>> 
> 

-- 
Craig White ~ craig.wh...@ttiltd.com
1.800.869.6908 ~~ www.ttiassessments.com 

Using Assessments to Create Agile Organizations Webinar
https://www4.gotomeeting.com/register/480934271

March 21, 2013, 12pm EDT 
Transform your company into a thriving, agile organization that is 
able to respond immediately to changing customer demands.


__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org

Re: [openssl-users] Display CSR w/ subjectAltName

2013-05-23 Thread Viktor Dukhovni

On Thu, May 23, 2013 at 06:12:39PM +0200, Erwann Abalea wrote:

> Le 23/05/2013 17:41, Craig White a ?crit :
> >I want to be able to view CSR's with subjectAltName's but I
> >can't figure out any way to make it happen. I have poured over the
> >man pages and googled it to death already.
> >
> >openssl req -noout -text -in SOME_FILE.csr
> >
> >gives me the contents of the CSR but not the subjectAltNames
> >embedded in the CSR.
>
> Are you sure there's a SAN extension in the displayed CSR?
> Dump the entire content with asn1parse.

It almost certainly does not:

$ openssl req -in req+key.pem -text
Certificate Request:
Data:
Version: 0 (0x0)
Subject:
Subject Public Key Info:
Public Key Algorithm: id-ecPublicKey
Public-Key: (256 bit)
pub:
04:eb:de:7c:00:c2:58:59:59:1b:29:8a:6a:0b:d1:
72:5b:aa:14:2b:2f:7e:47:a3:77:73:de:9e:55:f0:
00:98:d5:1b:a2:3f:74:cf:4f:9a:6a:5a:1c:95:f2:
55:e8:01:72:cb:ca:37:66:2a:cf:64:0d:3e:ac:1c:
65:47:fe:22:ca
ASN1 OID: prime256v1
Attributes:
Requested Extensions:
X509v3 Extended Key Usage:
TLS Web Server Authentication, TLS Web Client Authentication
X509v3 Subject Alternative Name:
DNS:example.com
Signature Algorithm: ecdsa-with-SHA1
 30:45:02:20:04:ff:c2:5b:cf:0a:a0:4f:2e:a8:12:e3:8d:68:
 eb:b9:1e:ce:b0:a5:a6:e0:69:50:c8:84:f6:51:a6:8d:c9:90:
 02:21:00:8e:bd:37:19:9c:ff:7a:69:2d:5a:bf:50:d5:4b:f9:
 63:6b:a6:44:c7:40:55:f5:c1:52:0b:b4:4b:90:4f:a7:2b
-BEGIN CERTIFICATE REQUEST-
MIIBAjCBqgIBADAAMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE6958AMJYWVkb
KYpqC9FyW6oUKy9+R6N3c96eVfAAmNUboj90z0+aaloclfJV6AFyy8o3ZirPZA0+
rBxlR/4iyqBIMEYGCSqGSIb3DQEJDjE5MDcwHQYDVR0lBBYwFAYIKwYBBQUHAwEG
CCsGAQUFBwMCMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAkGByqGSM49BAEDSAAw
RQIgBP/CW88KoE8uqBLjjWjruR7OsKWm4GlQyIT2UaaNyZACIQCOvTcZnP96aS1a
v1DVS/lja6ZEx0BV9cFSC7RLkE+nKw==
-END CERTIFICATE REQUEST-

Generated via:

#! /bin/bash
umask 077
tmp=$(mktemp .req+key.XX)
dst=req+key.pem
openssl req -new -sha1 -subj "/" >> $tmp \
-newkey param:<(openssl ecparam -name prime256v1) \
-nodes -keyout /dev/stdout \
-config <(printf "[req]\n%s\n[dn]\n[exts]\n%s\n" \
"$(printf "%s\n%s\n" \
"distinguished_name=dn" \
"req_extensions=exts")" \
"$(printf "%s\n%s\n" \
"extendedKeyUsage=serverAuth,clientAuth" \
"subjectAltName=DNS:example.com" \
)") &&
mv $tmp "$dst"

-- 
Viktor.
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org

Re: [openssl-users] Display CSR w/ subjectAltName

2013-05-23 Thread Erwann Abalea


Are you sure there's a SAN extension in the displayed CSR?
Dump the entire content with asn1parse.

--
Erwann ABALEA

Le 23/05/2013 17:41, Craig White a écrit :

I want to be able to view CSR's with subjectAltName's but I can't figure out 
any way to make it happen. I have poured over the man pages and googled it to 
death already.

Ubuntu OpenSSL 0.9.8k-7ubuntu8.14 if that matters

openssl req -noout -text -in SOME_FILE.csr

gives me the contents of the CSR but not the subjectAltNames embedded in the 
CSR.

Added -nameopt multiline which is cool but still no ultimate joy

Can someone throw me a bone here?



__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org

Re: [openssl-users] Display CSR w/ subjectAltName

RE: [openssl-users] Display CSR w/ subjectAltName

Re: [openssl-users] Display CSR w/ subjectAltName

Re: [openssl-users] Display CSR w/ subjectAltName

Re: [openssl-users] Display CSR w/ subjectAltName

Re: [openssl-users] Display CSR w/ subjectAltName

Re: [openssl-users] Display CSR w/ subjectAltName

7 matches

Site Navigation

Mail list logo

Footer information