Re: [PLUG] openssl and specifying subjectAltName

brent timothy saner via plug on 5 Feb 2020 09:42:27 -0800

[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

Re: [PLUG] openssl and specifying subjectAltName

From: brent timothy saner via plug <plug@lists.phillylinux.org>
To: Michael Leone <turgon@mike-leone.com>
Subject: Re: [PLUG] openssl and specifying subjectAltName
Date: Wed, 5 Feb 2020 12:42:10 -0500
Autocrypt: addr=brent.saner@gmail.com; prefer-encrypt=mutual; keydata= mQINBFKm0mgBEADSI5oeyqRYZ8YWxPbux4CeqaMNh4etuyJmglDRCQB9t1XlvhMDLZWQNqm+ ORBN3YGISUu+X55p10lK/O1w/85zXkAV7Qe6fkvUzSx0tbPWLu4rn4zH9JgTExElhFRv143H W/EKehejEetkNz6JSwGUXNiF5qh1GbKLOmShbmCSKXLcmw05Qj4ELmhkH9OWXpeM0EHmWIEK VSeoIim/g1MYYxKOb1wY3DEubY9zn3lfz9xfLq/xlFMepDyNAEer/qZDSHQqnymdqXlt6L9e mfd4snHLiDfUgG9JOPeMDWeT6XWJDtKKCcZ3JDSMEGgZsFYpwJxJEwPxnfhHJmH8ENxi/8Cu 0fLFvzgAP+VK/Z1egBI7l241fDDREg3e+NWFhUM5bjwBmqk1z8nkRdru+QSMtPl6Erkd+Tbp 7lGGpQwCbI6esdBPkx/nV8+fIPEcsR2G5jG7O9U4J6q3B1nRFrR863SJHudIWV/l59ZvA8kI knDYNOixPLmnoRrO7LNIWe9jpnkZdg34Aa5AjAjGEKwY5EAzqkKuPEMVGqg/36YUcnqYS98W iVgCpaGg6KJqCMVXBfugxd79rtkyT4Oeju/z/Yp2xxXm3Pqcocb1CxbiEYDLJNT7/hyIJ072 4asMz2DTDMIMciP93hPraEtINknPlerNX2XqK03D+gyBGqAL7QARAQABtCtCcmVudCBUaW1v dGh5IFNhbmVyIDxicmVudC5zYW5lckBnbWFpbC5jb20+iQI8BBMBAgAmAhsDBwsJCAcDAgEG FQgCCQoLBBYCAwECHgECF4AFAlLzvnsCGQEACgkQjABML5NIH2vQHxAArz6yjoQqUPoOFBRF P6hXHcMegvh4vZ0xOcoU+7KyUyD2f5jYivQFSVYcRDr7hyHTs3iRr0HKN8dUUSyLkNCc+rd2 FwqftUF2JLqlqpJ4HDXw+5L2rw0+0voy7JpRNtoGlfkh32SHIbTmNwVIFm1yVg+xNk0RAvl8 /NnPzgi0IKgOJNcxicLpy0f0o/uWHKcm6uS8SBZL3col1Wuhwqt/VY7Nz0cCF7IrRNGyMMPF PMRq3A5144U81WQR94iGlpvWku/qnFAvC9NNTllCwFYpiuI2BkndlPO3YqOwcGbVTOO765la Qz9EQn9b9ipnPjOSp9HLhu53RoJyUWogBtijCzEgODYJuflPWoXG4ubB11wP2CRPZzj3KqFE cShAyNwE2bAtHwtqsksII3J46EEQDrHam/0D6F+jNMZK31E/ET9WcdzZhFRGaBd748dRcaoH BaHpviH+GtRZiWtrR0238Df05MtZPTlZi2t4icBIGVN4j0mcMbgVY/5CudLQGa7BSjnKR/uy hJI7ANOHCsIud6rIB9s5qly60bXjOZ4hG1iFIhUFC+zgrOYGZLbJgCaKd5sdBCWOsQwInD/X eWO+6p4bW0YIp0YXZA5+0Uo8EP4t+NzvfGhe19gy8hrJYZGSW1PJDvqvs+b5XO2j5Be6ec2Y 09Ta99U94SxWp3nXpKS5Ag0EUqbSaAEQAMIB/UpTre+NGzkvTmO6wnfQuzJKEEWnX2p/+eQF ZgDhObvwhvZr7C3I9wP3JnAP3LoJqrnmp78qE2v7snlSG1i66hqcj8Cw2EkBRLFsseva2uI5 B63RLrV0tTXN86nmHhw8qJ2GBu84Ddw7KtYoCRbq902eWsgWxRJVwAK+ip24tVVJxaR23nkO FwU+suYRDhiM9GLVj2waomgJK60dhxLOLZSRwJ0S1A2pu16GEx8USEoz7WNDJgx8PJPSzyH5 U7h9hXhpTEvS8nOV5G7YhksKBR6ECjmleCSehBaotVTAhXTfoh9fyCusMBwizLBoS8GmPUnv nUlvJzyAzu1KxnFzpwEk9ZBgLqWxzC/i4PZKrpqG7n5JqgEl0gg+7fn5Sdwq14Trg+djDGa5 c8n5hXEyszWTka53AhVCn8yq01zYNZoMDG6adYku/g3n5mBxKYuSoMkzuPRgihpsrhN/0RGY nJRDw5cpAjywWhTfFWGaAz6mDNhCV9daoqAoFjmIt9PAFeTrHj0XZXW7C53t4Qor9Nc5goh5 jlw7vv58CpdF0dPF6jLhDL2AYtplqwdPQr8+hj8WyFW8Rbj/OOj/z/JdDa6xCqfvh0udGLVa FDwQXZ1D4sqjwABhqdCppYb9TSq0TzR2LyZDnn/JZied2Q2LypPbsoGa3qd//w5W6NczABEB AAGJAh8EGAECAAkFAlKm0mgCGwwACgkQjABML5NIH2tCDBAAiMHQIKXCnm3XOcBuArJ8l0Yp W7q9KWF1YtmK+Jg+JqF8vTR7qvJ1djpVJVzCbL73bSrw24bLjHhcATuBsQxYPu2sSulcPB8n ri3ki/rWiWpNtjykKi6z56o+vDmbVH8UyA++zHQIaOx7tyKnh4w1F2i46132yMHLHFAdQkAl AJRMIQ6E0AKK9t61r+NJ0KT8g1h9PMcJkPWkGmQjT9eahLlO1H3kua0xCZ264CFUkpYo7t0I Y9BuRafzrqRqrYBJzEeDSd2dNz8u+jTF8RlHyaiePcTE9R1A41mK2vDCgWAbmXW8eruVz+Av zdXSNr6erccamRmeTIyJ5WpGeoA/ZeTDVSLzU2/i/PK2yI/8DTwWnt0iLC+8qvbz+E27/8i5 x5w3PosUjXzHQugBZO0xrBqti9rWV6u73zAE07EKaGfTm4Py3HRfysmFijcT0xpEeuilXM72 TixP75enqXN45ouwrapBcjAM3oxn+eVAagtzMUjXjHJBP5g5PHCRTuzakNzvFu1YNV9Oec8S O+hoQAuW6Wy5NfCN3Bg+KHPu/U6Lw9TcbFtCGOswMx9U2Thuj7FeULli5tj/kLahOOMO0N++ msHrJNNWa2ekU9GJ1NDCOGH0zYF4F5dxrdNxuOGzz6a0+5o1DBaWUEN0wAMceluJNnqv0qni AGmGDY9HHUM=
Cc: PLUG <plug@lists.phillylinux.org>
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=to:cc:references:from:autocrypt:subject:message-id:date:user-agent :mime-version:in-reply-to; bh=Eo/IqTF5/ZijkXQPA62XCsMOLIiByFo+dScl/bUHJNU=; b=iF93J+DMNic7Ye64cDizc6eN4IJExUDWM1LezRPwuFZVe8vOs4OWRCvDDqUG7NcIXj L25OA5uzAclY1BKIkOoYB+eqj2wo+XObXUNxRRr+ejdbL6+V5FLzPgL7rEC9iYN6EwTQ whqiC7VC8KCB2EWIUteYqOmEb+HqPmdeKAk4AMS4AABqflb1kjYPKnltaTBi7PJLYzOf 9sxzKPRPzD+eF98VWn23m4LlHg7RfiudolayhSZPQyT5juT3hZ5hgKMg908XKyA2vFew 7ptowd2WkByN3BXAt2EfXjKmMC5r9nmjUvZKNUK5ngRo4T8jaXGdSCcO9/tdNI5XCgkf PkSg==
Reply-to: brent timothy saner <brent.saner@gmail.com>
Sender: "plug" <plug-bounces@lists.phillylinux.org>
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Thunderbird/68.4.2

On 2/5/20 12:04, Michael Leone wrote:
> 
> Because the certs are generated on Linux, using openssl. So I need
> advice on how to use openssl on Linux, to accomplish what I need
> accomplished.
> 
> Life is multi-platform these days. LOL

Unless you're having the signing/CA add the SANs (which I'd generally
recommend avoiding), the SANs are typically added to the CSR and
approved/verified by the signer/CA.

> 
> I don't want a "different" SAN, I want *a* SAN in my generated CSR. :-),
> ideally with the DNS name of the requesting client. I need the CSR to
> include a SAN, as Chrome and Firefox like to see SANs.

I'm saying for each CSR created (or each cert created, see above), you'd
need a unique set of SANs per CN. It doesn't matter if it's just one SAN
or 100 SANs. Which is why I said "set of SANs" instead of just "SANs".
It's a singular unit comprised of one or more SANs.

> So I'm guessing from your example that you can't add the SAN to a
> certificate extensions file, but instead it must be in the openssl.cnf?
>  

You may not understand what "extensions" are in X.509 terminology. They
refer explicitly to certain capabilities/roles[0] of a certificate (or
CRL). SANs themselves are extensions in the V3 spec. I'm unclear what
you mean by "extensions file", other than a .include in a openssl.cnf.

But long story short, yes, those SANs need to be present in the
openssl.cnf if you're using openssl in some form or another, either via
an .include or what have you - as I originally stated.

But the SANs should really be present in the CSR itself and approved by
the CA, not added by the CA.

[0] https://tools.ietf.org/html/rfc5280#section-4.2

Attachment: signature.asc
Description: OpenPGP digital signature

___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug

References:
- [PLUG] openssl and specifying subjectAltName
  - From: Michael Leone via plug <plug@lists.phillylinux.org>
- Re: [PLUG] openssl and specifying subjectAltName
  - From: brent timothy saner via plug <plug@lists.phillylinux.org>
- Re: [PLUG] openssl and specifying subjectAltName
  - From: Michael Leone via plug <plug@lists.phillylinux.org>
- Re: [PLUG] openssl and specifying subjectAltName
  - From: brent timothy saner via plug <plug@lists.phillylinux.org>
- Re: [PLUG] openssl and specifying subjectAltName
  - From: Michael Leone via plug <plug@lists.phillylinux.org>

Prev by Date: Re: [PLUG] PLUG West
Next by Date: Re: [PLUG] openssl and specifying subjectAltName
Previous by thread: Re: [PLUG] openssl and specifying subjectAltName
Next by thread: Re: [PLUG] openssl and specifying subjectAltName
Index(es):
- Date
- Thread