Martin Dellwo on 26 Jun 2019 08:18:27 -0700



Re: [PLUG] Chrome and Certificates (WAS:Fwd: Confused - certificate is valid in IE/Edge but not in Chrome?)


I use this shell command; you don't have to hard-code anything in the standard openssl.conf in this case, it adds a SAN section on the fly.  The whole command will generate a new key and CSR at the same time, as written (you can also use an existing key).  There are likely many ways to do the same thing, including that rather than use the printf you could put the SAN snippet in a separate file, and just cat the two files together.  The crucial part here is the "-config <()" construct.  And of course the -reqexts flag.

Depending on what's in your standard openssl.conf file, this will still prompt you with questions, just not about SAN.

openssl req -newkey rsa:2048 -nodes -out certreq.csr -keyout example.key \
  -reqexts san -config <(cat /etc/pki/tls/openssl.cnf; printf "[san]\nsubjectAltName=DNS:host1.example.com,DNS:somealias.example.com")

Martin Dellwo

On Wed, Jun 26, 2019 at 10:50 AM Michael Leone <turgon@mike-leone.com> wrote:
On Wed, Jun 26, 2019 at 10:28 AM brent timothy saner
<brent.saner@gmail.com> wrote:
>
> Yep. Not even "can"; "is".
> FWIW, I believe you can tell openssl to include any SANs in the CSR
> automatically (but you'd still need to define those in the config used
> to generate the CSR).

Hrumph. :-)

> You put it in the config file. Usually DNS.1 is the CN. (If memory
> serves, you can use a variable for the CN.) For bare domain certs (e.g.
> domain.tld), I'd recommend also adding a www.domain.tld SAN.
>

Well, in this particular case, it's only for a test. The actual CA who
will be issuing certs for this internal domain will be a Windows
subordinate CA, and it has certificate templates you can customize, to
add the SANs.

I just want to see it work, for Google Chrome, from my root CA, before
I make the issuing CA in AD.

I will hardcode it for now, I guess.

Thanks
___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug
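A self-contained variant of the approach in the post above, added here as an example and not taken from the list message: it writes the [san] section into a temporary config (so it runs under plain sh without bash's <() process substitution) and then parses the finished CSR to confirm the requested names were actually included before it is handed to a CA. It assumes openssl is on PATH; the file names and hostnames are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the list post). Generates a key + CSR whose SAN
# list comes from a [san] section appended to a minimal base config, then
# checks the CSR for the names. Assumes openssl on PATH; names constructed.
set -eu

# make_csr KEYFILE CSRFILE CN SAN_LIST
#   SAN_LIST is the subjectAltName value, e.g. "DNS:a.example.com,DNS:b.example.com"
make_csr() {
    key=$1; csr=$2; cn=$3; sans=$4
    cfg=$(mktemp)
    # Minimal non-interactive base config standing in for /etc/pki/tls/openssl.cnf,
    # with the [san] section appended on the fly (same idea as -config <(...)).
    cat > "$cfg" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
CN = $cn
[san]
subjectAltName = $sans
EOF
    openssl req -newkey rsa:2048 -nodes -keyout "$key" -out "$csr" \
        -reqexts san -config "$cfg" 2>/dev/null
    rm -f "$cfg"
}

# csr_sans CSRFILE: print the DNS names in the CSR's SAN extension, one per
# line. Empty output means the CSR carries no SAN extension at all, which is
# exactly the case Chrome rejects once the cert is issued.
csr_sans() {
    openssl req -in "$1" -noout -text \
        | sed -n '/X509v3 Subject Alternative Name/{n;p;}' \
        | tr ',' '\n' | sed 's/^ *DNS://' | grep -v '^$' || true
}

# csr_has_san CSRFILE NAME: succeed only if NAME is among the CSR's DNS SANs
csr_has_san() {
    csr_sans "$1" | grep -qx "$2"
}
```

Run `csr_sans request.csr` on any CSR produced by the original one-liner as well; if it prints nothing, the -reqexts/-config pairing did not take effect.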

