How to add subjectNameAlt extension to X509_REQ?

I am creating a CSR that will be processed by my server. It must set subjectNameAlt so that the server can handle it. I searched around and found how to do this with regular X509 certificates, but not with X509_REQ. How can I do this with C and OpenSSL (i.e., I need the equivalent of X509_get_ext_d2i, but for X509_REQ)?

+7
1 answer

Program

Check out the demos/x509/mkreq.c that comes with OpenSSL. It creates a request and adds an email address as an alternate name. Stripped down, it does the following:

    /* Collect the requested extensions on a stack, then attach them to the request. */
    exts = sk_X509_EXTENSION_new_null();
    add_ext(exts, NID_subject_alt_name, "email:steve@openssl.org");
    X509_REQ_add_extensions(x, exts);
    sk_X509_EXTENSION_pop_free(exts, X509_EXTENSION_free);

add_ext is implemented as follows:

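    #include <openssl/x509v3.h>

    /* Build one extension from its config-style value string and push it onto the stack. */
    int add_ext(STACK_OF(X509_EXTENSION) *sk, int nid, char *value)
    {
        X509_EXTENSION *ex;

        ex = X509V3_EXT_conf_nid(NULL, NULL, nid, value);
        if (!ex)
            return 0;
        sk_X509_EXTENSION_push(sk, ex);
        return 1;
    }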

From the command line

I leave this section for others, although the OP requested the API.

https://wiki.cacert.org/FAQ/subjectAltName advises you to copy the openssl.cnf file to the temporary openssl-san.cnf and then change it as follows:

    [req]
    req_extensions = v3_req

    [ v3_req ]
    basicConstraints = CA:FALSE
    keyUsage = nonRepudiation, digitalSignature, keyEncipherment
    subjectAltName = @alt_names

    [alt_names]
    DNS.1 = host1.yourdomain.tld
    DNS.2 = host2.yourdomain.tld
+10
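
A runnable version of the command-line route above, added here and not part of the original answer: it writes a stand-alone config, creates the request, and reads the SAN entries back out of the CSR to confirm they were actually embedded. The function names, the [dn] section, the RSA key size and the file names are assumptions; the v3_req and alt_names sections are the ones quoted above.

```shell
#!/bin/sh
# Added example; assumes the openssl CLI is on PATH. Function names, the [dn]
# section, key size and file names are assumptions, not from the answer.

# write_san_cnf FILE: minimal stand-alone config carrying the answer's sections.
write_san_cnf() {
    cat > "$1" <<'EOF'
[req]
prompt = no
distinguished_name = dn
req_extensions = v3_req

[dn]
CN = host1.yourdomain.tld

[v3_req]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names

[alt_names]
DNS.1 = host1.yourdomain.tld
DNS.2 = host2.yourdomain.tld
EOF
}

# make_san_csr DIR: writes DIR/openssl-san.cnf, DIR/key.pem and DIR/req.pem.
make_san_csr() {
    write_san_cnf "$1/openssl-san.cnf" &&
    openssl req -new -newkey rsa:2048 -nodes \
        -config "$1/openssl-san.cnf" \
        -keyout "$1/key.pem" -out "$1/req.pem" 2>/dev/null
}

# csr_san_names FILE: print the SAN entries the CSR requests, one per line.
# Prints nothing when the extension is absent from the request.
csr_san_names() {
    openssl req -in "$1" -noout -text 2>/dev/null |
        awk '/X509v3 Subject Alternative Name/ { getline; print; exit }' |
        tr ',' '\n' | sed 's/^ *//'
}

# Demo run in a throwaway directory.
demo_dir=$(mktemp -d) &&
make_san_csr "$demo_dir" &&
csr_san_names "$demo_dir/req.pem"
rm -rf "$demo_dir"
```

An empty result from csr_san_names means the request carries no subjectAltName, which usually points at a missing req_extensions line in the [req] section.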