Michael Leone via plug on 5 Feb 2020 09:05:03 -0800



Re: [PLUG] openssl and specifying subjectAltName


On Wed, Feb 5, 2020 at 11:48 AM brent timothy saner <brent.saner@gmail.com> wrote:
> On 2/5/20 11:32, Michael Leone wrote:
> >
> > These are Windows generated CSRs, I don't do the generating.
> >
>
> ...Why are you asking on a LUG?

Because the certs are generated on Linux, using openssl. So I need advice on how to use openssl on Linux, to accomplish what I need accomplished.

Life is multi-platform these days. LOL

> The openssl.cnf syntax has a .include directive[0], but you're still
> going to be manually editing a config if you want a different set of SANs.

I don't want a "different" SAN, I want *a* SAN in my generated CSR. :-), ideally with the DNS name of the requesting client. I need the CSR to include a SAN, as Chrome and Firefox like to see SANs.

> > subjectAltName=<hardcoded FQDN> - fails
> > subjectAltName=DNS:<hardcoded FQDN> - fails
>
> The error output would actually help, but DNS is an array:
>
> # (...)
> [ v3_req ]
> basicConstraints                = CA:FALSE
> keyUsage                        = nonRepudiation, digitalSignature, keyEncipherment
> subjectAltName                  = @alt_names
>
> [alt_names]
> DNS.1 = sub1.domain.tld
> DNS.2 = sub2.domain.tld

So I'm guessing from your example that you can't add the SAN to a certificate extensions file, but instead it must be in the openssl.cnf?
 
___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug
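
The closing question, whether the SAN can be supplied from a separate extensions file rather than openssl.cnf, can be tried with the script below. It is an added example, not part of the thread or either poster's code; it assumes the CSR is signed with `openssl x509 -req` (the thread does not say which signing command is in use), and the CA name, host name and file names are all constructed.

```shell
#!/bin/sh
# Added example: SAN taken from a standalone extensions file at signing time.
# All names (example-ca, host.example.test, file names) are constructed.
set -eu

# Throwaway CA key and self-signed CA certificate.
make_ca() {  # $1 = working dir
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=example-ca" -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
}

# Stand-in for the client CSR that arrives without any SAN.
make_csr() {  # $1 = working dir, $2 = FQDN
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/CN=$2" -keyout "$1/host.key" -out "$1/host.csr" 2>/dev/null
}

# Sign the CSR. "x509 -req" does not copy extensions out of the CSR by
# default, so the issued certificate's SAN comes from the -extfile section.
sign_with_san() {  # $1 = working dir, $2 = FQDN
    cat > "$1/san.ext" <<EOF
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage         = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName   = @alt_names

[ alt_names ]
DNS.1 = $2
EOF
    openssl x509 -req -in "$1/host.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
        -CAcreateserial -days 1 -sha256 \
        -extfile "$1/san.ext" -extensions v3_req -out "$1/host.crt" 2>/dev/null
}

# Print the DNS SAN entries of a certificate, one per line.
cert_sans() {  # $1 = certificate file
    openssl x509 -in "$1" -noout -text | grep -o 'DNS:[^, ]*'
}

# Full run for one host name: CA, CSR, signing, then show the resulting SAN.
demo() {  # $1 = FQDN
    dir=$(mktemp -d)
    make_ca "$dir"; make_csr "$dir" "$1"; sign_with_san "$dir" "$1"
    cert_sans "$dir/host.crt"
    rm -rf "$dir"
}

demo host.example.test
```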