brent timothy saner via plug on 5 Feb 2020 08:48:50 -0800



Re: [PLUG] openssl and specifying subjectAltName


On 2/5/20 11:32, Michael Leone wrote:
> 
> These are Windows generated CSRs, I don't do the generating.
> 

...Why are you asking on a LUG? Linux and Windows use totally different
SSL/TLS stacks and utilities by default. Unless you've installed the
Windows OpenSSL binaries, but regardless.

Granted, Python is cross-platform and you can compile to binaries.

Or you can write a PowerShell script in this case. Or... whatever.

> Is it possible to put it in a certificate extensions file, at least,
> rather than screwing around with the openssl.cnf each time? I can't seem
> to figure out how to phrase it

The openssl.cnf syntax has a .include directive[0], but you're still
going to be manually editing a config if you want a different set of SANs.

> 
> subjectAltName=<hardcoded FQDN> - fails
> subjectAltName=DNS:<hardcoded FQDN> - fails

The error output would actually help, but DNS is an array:

# (...)
[ v3_req ]
basicConstraints		= CA:FALSE
keyUsage			= nonRepudiation, digitalSignature, keyEncipherment
subjectAltName			= @alt_names

[alt_names]
DNS.1 = sub1.domain.tld
DNS.2 = sub2.domain.tld



[0] https://github.com/openssl/openssl/blob/master/apps/openssl.cnf#L6-L8

Attachment: signature.asc
Description: OpenPGP digital signature
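
One way to do what the question asks, as an added example that is not part of the original message: write the v3_req/alt_names sections to a per-request extensions file and pass it to `openssl x509 -req` with `-extfile`/`-extensions`, leaving openssl.cnf untouched. The helper names, the hostname filter and the throwaway CA and CSR are assumptions constructed for illustration.

```sh
# Added example; the CA and CSR made in demo() are constructed test data.

# write_san_ext FILE NAME... (hypothetical helper): one DNS.N line per NAME.
write_san_ext() {
    out=$1; shift
    [ "$#" -gt 0 ] || return 1
    for name in "$@"; do
        # Names land in a config file: allow hostname characters only, so a
        # crafted value cannot add lines (and thus extensions) of its own.
        case $name in ''|*[!A-Za-z0-9.*-]*) return 1 ;; esac
    done
    {
        printf '[ v3_req ]\nbasicConstraints = CA:FALSE\n'
        printf 'keyUsage = nonRepudiation, digitalSignature, keyEncipherment\n'
        printf 'subjectAltName = @alt_names\n\n[ alt_names ]\n'
        i=1
        for name in "$@"; do
            printf 'DNS.%d = %s\n' "$i" "$name"; i=$((i + 1))
        done
    } > "$out"
}

# sign_with_sans CSR CA_CERT CA_KEY OUT_CERT NAME... (hypothetical helper)
# By default x509 -req takes extensions from -extfile, not from the CSR.
sign_with_sans() {
    csr=$1 ca=$2 cakey=$3 crt=$4; shift 4
    ext=$(mktemp) || return 1
    write_san_ext "$ext" "$@" &&
    openssl x509 -req -in "$csr" -CA "$ca" -CAkey "$cakey" -CAcreateserial \
        -days 30 -sha256 -extfile "$ext" -extensions v3_req -out "$crt" 2>/dev/null
    rc=$?; rm -f "$ext"; return $rc
}

# cert_sans CERT: print the SAN list actually present in the issued cert.
cert_sans() {
    openssl x509 -in "$1" -noout -text |
        sed -n '/Subject Alternative Name/{n;s/^ *//;s/ *$//;p;}'
}

# demo NAME...: throwaway CA and CSR, sign with the given SANs, show result.
demo() {
    d=$(mktemp -d) || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=Constructed Test CA' \
        -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null &&
    openssl req -new -newkey rsa:2048 -nodes -subj '/CN=sub1.domain.tld' \
        -keyout "$d/srv.key" -out "$d/srv.csr" 2>/dev/null &&
    sign_with_sans "$d/srv.csr" "$d/ca.crt" "$d/ca.key" "$d/srv.crt" "$@" &&
    cert_sans "$d/srv.crt"
    rc=$?; rm -rf "$d"; return $rc
}

demo sub1.domain.tld sub2.domain.tld
```

Checking the issued certificate with `cert_sans` rather than trusting the extensions file catches the case where `-extensions` names a section that does not carry the SANs.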

___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug