Subject Alternate name not in certificate

I created a CSR that includes the subject alternative names:

openssl req -out mycsr.pem -new -key mykey.pem -days 365 

When I check this, it looks as expected with a new field:

 X509v3 Subject Alternative Name: DNS: my.alt.dns 

However, when I use this to sign a certificate, this field is omitted for some reason.

I generate it with the following command:

 openssl ca -out mycert.pem -infiles mycsr.pem 

Could it be that my CA certificate must include the same Alt name to enable it?

+7
ssl openssl ssl-certificate
2 answers

You can use:

 copy_extensions = copy 

under the CA_default section in openssl.cnf.

But only when you are sure that you can trust the extensions in the CSR, as indicated in this thread: http://openssl.6102.n7.nabble.com/subjectAltName-removed-from-CSR-when-signing-td26928.html

See also: How to create a self-signed certificate using SubjectAltName using OpenSSL?

+9

For anyone who does not want to edit the system-wide openssl.conf, there is a built-in openssl CLI option for adding the SAN to the .crt from the .csr. All you need to use are openssl's -extfile and -extensions command-line options.

Here is an example:

 openssl x509 -req -days 3650 -in alice.csr -signkey aliceprivate.key -out alice.crt -extfile alice-csr.conf -extensions v3_req 

This requires the alice-csr.conf file, which looks like this (fill in your relevant data) and which was also used to create the .csr with the command openssl req -new -key aliceprivate.key -out alice.csr -config alice-csr.conf :

 [req]
 distinguished_name = req_distinguished_name
 req_extensions = v3_req
 prompt = no

 [req_distinguished_name]
 C = DE
 ST = Thuringia
 L = Erfurt
 O = Alice Corp
 OU = Team Foo
 CN = server-alice

 [v3_req]
 keyUsage = keyEncipherment, dataEncipherment
 extendedKeyUsage = serverAuth
 subjectAltName = @alt_names

 [alt_names]
 DNS.1 = server-alice
 DNS.2 = localhost

Keep in mind that the -extensions v3_req parameter corresponds to the [v3_req] section in alice-csr.conf, where you define your subject alternative names, as well as the domains to which you want to send your certificate.

As I always appreciate fully understandable examples where you can reproduce every step, I created a sample project with Spring Boot microservices: https://github.com/jonashackt/spring-boot-rest-clientcertificates-docker-compose

0
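Added example (not code from either answer) that reproduces the thread end to end with a throwaway key in a temp directory: the same CSR is signed once without -extfile, which silently drops the SAN as in the question, and once with -extfile/-extensions as in the answer above, then each certificate is checked for its SAN. The config is a trimmed, constructed version of alice-csr.conf; the function and file names are assumptions. Requires OpenSSL 1.1.1 or newer for the -ext option.

```shell
#!/bin/sh
# Added example: show that a CSR's subjectAltName is lost unless the signer
# is told to add extensions (-extfile/-extensions), and verify the result.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
CONF="$WORK/alice-csr.conf"

# Constructed config, equivalent to the answer's alice-csr.conf (DN shortened).
cat > "$CONF" <<'EOF'
[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req
prompt = no
[req_distinguished_name]
CN = server-alice
[v3_req]
keyUsage = keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1 = server-alice
DNS.2 = localhost
EOF

openssl genrsa -out "$WORK/key.pem" 2048 2>/dev/null
openssl req -new -key "$WORK/key.pem" -out "$WORK/alice.csr" -config "$CONF"

# Print the DNS entries of a certificate's SAN extension; empty if none present.
cert_san() {
    openssl x509 -in "$1" -noout -ext subjectAltName 2>/dev/null \
        | sed -n 's/^ *DNS:/DNS:/p'
}

# Sign WITHOUT an extension file: the CSR's [v3_req] block is ignored.
sign_plain() {
    openssl x509 -req -days 365 -in "$WORK/alice.csr" -signkey "$WORK/key.pem" \
        -out "$WORK/plain.crt" 2>/dev/null
    cert_san "$WORK/plain.crt"
}

# Sign WITH -extfile/-extensions: the SAN from [v3_req] lands in the cert.
sign_with_san() {
    openssl x509 -req -days 365 -in "$WORK/alice.csr" -signkey "$WORK/key.pem" \
        -out "$WORK/san.crt" -extfile "$CONF" -extensions v3_req 2>/dev/null
    cert_san "$WORK/san.crt"
}
```

Run it and call sign_plain and sign_with_san: the first prints nothing, the second prints DNS:server-alice, DNS:localhost.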
