Michel van der List via plug on 5 Feb 2020 11:59:37 -0800



Re: [PLUG] openssl and specifying subjectAltName


I just create a new scratch config file with all the SANs and pass it into 'openssl req -config $scratchfile ...'.

That works just fine for me.

On 2/5/20 1:32 PM, brent timothy saner via plug wrote:
> On 2/5/20 12:48, Michael Leone wrote:
>> We *are* the CA. These are internal certs, signed by our internal Linux CA.
>
> When I say "the CA", I'm operating under the assumption that you control
> both the CA and requester(s). But either way, it wouldn't matter; I'm
> speaking about general X.509 structure here.
>
>>>> But long story short, yes,
>>>
>>> FYI, you could have just started with this. :)
>>
>> I did.
>>
>> "> Is that doable? I haven't seen how ...
>>
>> nope; you haven't seen it because it isn't doable. OpenSSL expects a
>> static environment."
>>
>> "The openssl.cnf syntax has a .include directive[0], but you're still
>> going to be manually editing a config if you want a different set of SANs."
>
> If you don't want to manually edit for each request, assuming you still
> want to add the SANs on the CA side, either you need to use some
> programmatic method of generating CSRs, or use something that will
> generate the CSRs for you like Vault.
>
> If you include the SANs in the CSR itself instead, each requester just
> needs its own static configuration of CN/SANs.
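Michel's scratch-config approach and brent's point about carrying the SANs in the CSR itself, as an added shell example that is not code from either poster: a function writes a throwaway openssl.cnf from a CN and an arbitrary SAN list, another runs 'openssl req -config' against it, and a third reads the SANs back out of the CSR so you can confirm they are there before handing it to the CA. The hostnames, IP address and file names are made up for the example.

```shell
#!/bin/sh
# Added example, not code from the thread. Builds a throwaway openssl.cnf that
# carries a CN plus any list of SANs, feeds it to `openssl req -config`, and
# then reads the SANs back out of the resulting CSR to confirm they were
# included. Hostnames, IP and file names are made up for the example.
set -eu

# make_san_config OUTFILE CN SAN...
# SANs are given in openssl's own syntax (DNS:host, IP:addr, email:addr).
make_san_config() {
    out=$1; cn=$2; shift 2
    sans=$(printf '%s,' "$@")
    sans=${sans%,}                     # drop the trailing comma
    cat >"$out" <<EOF
[ req ]
distinguished_name = req_dn
req_extensions     = req_ext
prompt             = no

[ req_dn ]
CN = $cn

[ req_ext ]
subjectAltName = $sans
EOF
}

# make_csr CONFIG KEYFILE CSRFILE
# Generates a fresh 2048-bit RSA key and a CSR whose extensions come from CONFIG.
make_csr() {
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$2" -out "$3" -config "$1" 2>/dev/null
}

# csr_sans CSRFILE
# Prints the SAN value line from the CSR (empty if the CSR carries no SANs);
# this is the check to run before sending the CSR to the CA.
csr_sans() {
    openssl req -in "$1" -noout -text \
        | grep -A1 'Subject Alternative Name' | tail -n1 | sed 's/^ *//'
}

# Usage: generate a CSR for a made-up internal host with three SANs.
demo() {
    tmp=$(mktemp -d)
    make_san_config "$tmp/scratch.cnf" web01.example.internal \
        DNS:web01.example.internal DNS:www.example.internal IP:10.0.0.5
    make_csr "$tmp/scratch.cnf" "$tmp/web01.key" "$tmp/web01.csr"
    csr_sans "$tmp/web01.csr"
    rm -rf "$tmp"
}

demo
```

Two practical notes. On OpenSSL 1.1.1 and later, 'openssl req -addext "subjectAltName=DNS:..."' adds the extension without any scratch file at all. And if the SANs travel in the CSR, the CA still has to honour them: 'openssl ca' drops CSR extensions unless its config sets 'copy_extensions = copy', and 'openssl x509 -req' only emits extensions given via '-extfile'/'-extensions', so check the issued certificate, not just the CSR.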


___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug