Subject Alternative Name not present in certificate

Question

I have generated a CSR that includes the field subject alt names:

openssl req -out mycsr.pem -new -key mykey.pem -days 365

When I inspect this it looks as expected with a new field present:

X509v3 Subject Alternative Name:
    DNS: my.alt.dns

However when I use this to sign a certificate that field is omitted for some reason.

I generate it with the following command:

openssl ca -out mycert.pem -infiles mycsr.pem

Can it be that my CA cert have to include the same Alt name for it to be included?

Answer 1

For everybody, who doesn´t like to edit the system-wide openssl.conf, there´s a native openssl CLI option for adding the SANs to the .crt from a .csr. All you have to use is openssl´s -extfile and -extensions CLI parameters.

Here´s an example:

openssl x509 -req -days 3650 -in alice.csr -signkey aliceprivate.key -out alice.crt -extfile alice-csr.conf -extensions v3_req 

This requires a alice-csr.conf file, which looks like this (fill in your appropriate data) and which was used to generate the .csr with the command openssl req -new -key aliceprivate.key -out alice.csr -config alice-csr.conf:

[req] distinguished_name = req_distinguished_name req_extensions = v3_req prompt = no  [req_distinguished_name] C = DE ST = Thuringia L = Erfurt O = Alice Corp OU = Team Foo CN = server-alice  [v3_req] keyUsage = keyEncipherment, dataEncipherment extendedKeyUsage = serverAuth subjectAltName = @alt_names [alt_names] DNS.1 = server-alice DNS.2 = localhost 

Keep in mind, that the -extensions v3_req option corresponds to the [v3_req] section in the file alice-csr.conf, where you define you Subject Alternative Names aka the domains, which you want to issue your certificate to.

As I always appreciate fully comprehensible examples, where one could reproduce every step, I created an example project featuring Spring Boot microservices: https://github.com/jonashackt/spring-boot-rest-clientcertificates-docker-compose

Answer 2

You can use:

copy_extensions = copy  

under your CA_default section in your openssl.cnf.

but only when you're sure that you can trust the extensions in the CSR as pointed out in this thread: http://openssl.6102.n7.nabble.com/subjectAltName-removed-from-CSR-when-signing-td26928.html

See also: How can I generate a self-signed certificate with SubjectAltName using OpenSSL?

Answer 3

Signing a CSR with alt names is described here well: https://www.feistyduck.com/library/openssl-cookbook/online/ch-openssl.html#creating-certificates-valid-for-multiple-hostnames

In short words, you create a something.ext file containing just the alt names:

subjectAltName = DNS:*.my.alt.dns, DNS:my.alt.dns

and then refer to this file in openssl x509 -req ... command: -extfile something.ext. Note that it happens when signing the CSR, not when preparing it.