I have generated a CSR that includes the field subject alt names:
openssl req -out mycsr.pem -new -key mykey.pem -days 365
When I inspect this it looks as expected with a new field present:
X509v3 Subject Alternative Name:
DNS: my.alt.dns
However when I use this to sign a certificate that field is omitted for some reason.
I generate it with the following command:
openssl ca -out mycert.pem -infiles mycsr.pem
Can it be that my CA cert has to include the same Alt name for it to be included?
For everybody who doesn't like to edit the system-wide openssl.conf, there's a native openssl CLI option for adding the SANs to the .crt from a .csr. All you have to use is openssl's -extfile and -extensions CLI parameters.
Here's an example:
openssl x509 -req -days 3650 -in alice.csr -signkey aliceprivate.key -out alice.crt -extfile alice-csr.conf -extensions v3_req
This requires an alice-csr.conf file, which looks like this (fill in your appropriate data) and which was used to generate the .csr with the command openssl req -new -key aliceprivate.key -out alice.csr -config alice-csr.conf:
[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req
prompt = no

[req_distinguished_name]
C = DE
ST = Thuringia
L = Erfurt
O = Alice Corp
OU = Team Foo
CN = server-alice

[v3_req]
keyUsage = keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names

[alt_names]
DNS.1 = server-alice
DNS.2 = localhost
Keep in mind that the -extensions v3_req option corresponds to the [v3_req] section in the file alice-csr.conf, where you define your Subject Alternative Names, aka the domains for which you want to issue your certificate.
As I always appreciate fully comprehensible examples, where one could reproduce every step, I created an example project featuring Spring Boot microservices: https://github.com/jonashackt/spring-boot-rest-clientcertificates-docker-compose
You can use:
copy_extensions = copy
under your CA_default section in your openssl.cnf, but only when you're sure that you can trust the extensions in the CSR, as pointed out in this thread: http://openssl.6102.n7.nabble.com/subjectAltName-removed-from-CSR-when-signing-td26928.html
See also: How can I generate a self-signed certificate with SubjectAltName using OpenSSL?
Signing a CSR with alt names is described well here: https://www.feistyduck.com/library/openssl-cookbook/online/ch-openssl.html#creating-certificates-valid-for-multiple-hostnames
In short, you create a something.ext file containing just the alt names:
subjectAltName = DNS:*.my.alt.dns, DNS:my.alt.dns
and then refer to this file in the openssl x509 -req ... command: -extfile something.ext. Note that it happens when signing the CSR, not when preparing it.
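The answers above describe two ways out of the questioner's problem: re-supplying the SAN at signing time with -extfile/-extensions (first and third answers), or telling openssl ca to copy the request extensions with copy_extensions = copy (second answer). The following script is an added example, not code from the question or from any of the answers: it builds a throwaway CA in a temp directory and signs one SAN-bearing CSR all three ways, so you can see the SAN dropped by a default openssl ca and kept by the other two routes. Every file name, hostname (my.alt.dns, localhost), section name and the CA directory layout is an assumption made for this example; it only needs an openssl binary (1.1.1 or 3.x) on PATH.

```shell
#!/bin/sh
# Added example (not from the question or any answer above). Reproduces:
#   1. "openssl ca" with copy_extensions = none (the default)  -> SAN dropped
#   2. "openssl ca" with copy_extensions = copy                -> SAN kept
#   3. "openssl x509 -req -extfile ... -extensions v3_req"     -> SAN kept
# File names, hostnames, section names and CA layout are assumptions.
set -eu
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Request config. The SAN is a *request* extension (req_extensions), which is
# exactly what "openssl ca" silently discards unless told to copy it.
cat >"$WORK/csr.cnf" <<'EOF'
[req]
distinguished_name = dn
req_extensions     = v3_req
prompt             = no
[dn]
CN = my.alt.dns
[v3_req]
keyUsage         = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName   = @alt_names
[alt_names]
DNS.1 = my.alt.dns
DNS.2 = localhost
EOF

# Config used once to mint the self-signed test CA.
cat >"$WORK/ca-req.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions    = v3_ca
prompt             = no
[dn]
CN = Example Test CA
[v3_ca]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF

# "openssl ca" config; $1 = output path, $2 = copy_extensions value (none|copy).
# issued_cert pins basicConstraints = CA:FALSE: in "copy" mode an extension the
# CA section already sets is not overridden by the CSR, so a requester cannot
# smuggle in CA:TRUE ("copyall" would let it through).
ca_config() {
  cat >"$1" <<EOF
[ca]
default_ca = CA_default
[CA_default]
dir             = $WORK/ca
database        = \$dir/index.txt
new_certs_dir   = \$dir/newcerts
serial          = \$dir/serial
certificate     = \$dir/ca.crt
private_key     = \$dir/ca.key
default_md      = sha256
default_days    = 365
policy          = policy_any
unique_subject  = no
x509_extensions = issued_cert
copy_extensions = $2
[policy_any]
commonName = supplied
[issued_cert]
basicConstraints       = CA:FALSE
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid
EOF
}

setup_ca() {
  mkdir -p "$WORK/ca/newcerts"
  : >"$WORK/ca/index.txt"
  echo 1000 >"$WORK/ca/serial"
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -config "$WORK/ca-req.cnf" -keyout "$WORK/ca/ca.key" -out "$WORK/ca/ca.crt" 2>/dev/null
  ca_config "$WORK/ca-none.cnf" none
  ca_config "$WORK/ca-copy.cnf" copy
}

# Key + CSR carrying the SAN request extension.
make_csr() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$WORK/csr.cnf" \
    -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
}

# Print a certificate's SAN entries; prints nothing if the extension is absent.
san_of() {
  openssl x509 -in "$1" -noout -text | sed -n 's/^ *DNS:/DNS:/p'
}

# Sign with "openssl ca" using CA config variant $1 (none|copy); print the SANs.
san_via_ca() {
  openssl ca -batch -notext -config "$WORK/ca-$1.cnf" \
    -in "$WORK/server.csr" -out "$WORK/ca-$1.crt" >/dev/null 2>&1
  san_of "$WORK/ca-$1.crt"
}

# Sign with "openssl x509 -req", re-reading the extensions from the request
# config (the -extfile/-extensions route); print the SANs.
san_via_x509() {
  openssl x509 -req -in "$WORK/server.csr" -days 365 -sha256 \
    -CA "$WORK/ca/ca.crt" -CAkey "$WORK/ca/ca.key" -CAcreateserial \
    -extfile "$WORK/csr.cnf" -extensions v3_req -out "$WORK/x509.crt" 2>/dev/null
  san_of "$WORK/x509.crt"
}

setup_ca
make_csr
echo "openssl ca, copy_extensions = none : [$(san_via_ca none)]"
echo "openssl ca, copy_extensions = copy : [$(san_via_ca copy)]"
echo "openssl x509 -req -extfile/-extensions: [$(san_via_x509)]"
```

The first line prints an empty bracket pair, which is the questioner's symptom; the other two print DNS:my.alt.dns, DNS:localhost. The check to keep in your own pipeline is the san_of step: always inspect the issued certificate, not the CSR, since the extension set is decided at signing time. If you go the copy_extensions route, keep a fixed basicConstraints (and ideally keyUsage/extendedKeyUsage) in the CA's own x509_extensions section so that plain "copy" mode cannot be used by a requester to override them.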