brent timothy saner via plug on 5 Feb 2020 09:42:27 -0800



Re: [PLUG] openssl and specifying subjectAltName


On 2/5/20 12:04, Michael Leone wrote:
> 
> Because the certs are generated on Linux, using openssl. So I need
> advice on how to use openssl on Linux, to accomplish what I need
> accomplished.
> 
> Life is multi-platform these days. LOL

Unless you're having the signing/CA add the SANs (which I'd generally
recommend avoiding), the SANs are typically added to the CSR and
approved/verified by the signer/CA.

> 
> I don't want a "different" SAN, I want *a* SAN in my generated CSR. :-),
> ideally with the DNS name of the requesting client. I need the CSR to
> include a SAN, as Chrome and Firefox like to see SANs.

I'm saying for each CSR created (or each cert created, see above), you'd
need a unique set of SANs per CN. It doesn't matter if it's just one SAN
or 100 SANs. Which is why I said "set of SANs" instead of just "SANs".
It's a singular unit comprised of one or more SANs.

> So I'm guessing from your example that you can't add the SAN to a
> certificate extensions file, but instead it must be in the openssl.cnf?
> 

You may not understand what "extensions" are in X.509 terminology. They
refer explicitly to certain capabilities/roles[0] of a certificate (or
CRL). SANs themselves are extensions in the V3 spec. I'm unclear what
you mean by "extensions file", other than a .include in an openssl.cnf.

But long story short, yes, those SANs need to be present in the
openssl.cnf if you're using openssl in some form or another, either via
an .include or what have you - as I originally stated.

But the SANs should really be present in the CSR itself and approved by
the CA, not added by the CA.



[0] https://tools.ietf.org/html/rfc5280#section-4.2
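As an added illustration of the advice above (this is example code, not from the original thread): an openssl.cnf fragment whose [req] section pulls in a req_extensions block carrying subjectAltName, so the SAN set lands in the CSR itself, followed by the check a signer would run to see exactly which names are being requested before approving them. The hostname and file names are constructed placeholders.

```shell
#!/bin/sh
# Added example: build a CSR whose subjectAltName comes from an openssl.cnf
# fragment, then inspect and verify the CSR the way a CA would before signing.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Minimal request config. [req] points at [v3_req] via req_extensions, so
# "openssl req -new" embeds subjectAltName in the CSR's requested extensions
# (one SAN set per CN; the CA approves it rather than adding it).
make_req_cnf() {
  host="$1"
  cat > "$WORK/req.cnf" <<EOF
[ req ]
distinguished_name = dn
req_extensions     = v3_req
prompt             = no

[ dn ]
CN = $host

[ v3_req ]
subjectAltName = DNS:$host, DNS:www.$host
EOF
}

# Generate a key and CSR for one host from its own config; print the CSR path.
make_csr() {
  host="$1"
  make_req_cnf "$host"
  openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/$host.key" \
    -out "$WORK/$host.csr" -config "$WORK/req.cnf" 2>/dev/null
  printf '%s\n' "$WORK/$host.csr"
}

# List the names in the CSR's subjectAltName, one per line, for review.
csr_sans() {
  openssl req -in "$1" -noout -text \
    | awk '/X509v3 Subject Alternative Name/ { getline; print }' \
    | tr ',' '\n' | sed 's/^ *//'
}

# Confirm the CSR's self-signature is valid (proof of possession of the key).
verify_csr() {
  openssl req -in "$1" -noout -verify >/dev/null 2>&1
}

main() {
  csr="$(make_csr example.test)"
  verify_csr "$csr" && csr_sans "$csr"
}
main
```

Each host gets its own config and CSR, which is the "unique set of SANs per CN" the reply describes.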


___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug