16

I'm generating a self-signed SSL cert:

$ openssl req -x509 -newkey rsa:2048 -subj 'CN=example.com'

I'd like to specify a subjectAltName also at creation time, but I cannot find info in the openssl manpage on how to do this.

Andrew Schulman
  • 8,811
  • 21
  • 32
  • 47
Travis J Webb
  • 278
  • 1
  • 2
  • 7

4 Answers

9

Try to write the subjectAltName to a temporary file (I'll name it hostextfile) like

basicConstraints=CA:FALSE
extendedKeyUsage=serverAuth
subjectAltName=email:my@other.address,RID:1.2.3.4

and link to it in openssl command via "-extfile" option, for example:

openssl ca -days 730 -in hostreq.pem -out hostcert.pem -extfile hostextfile
Viktor
  • 301
  • 2
  • 4
  • 1
  • I believe that is correct. X509v3 Subject Alternative Name: DNS:kb.example.com, DNS:helpdesk.example.com – quadruplebucky Nov 18 '14 at 12:28
  • I used [this](https://www.openssl.org/docs/apps/x509v3_config.html#Subject_Alternative_Name_) description. – Viktor Nov 18 '14 at 12:38
  • What is `-extfile`? It's not known to my openssl (v1.1) and it's not listed on the [manpage](https://www.openssl.org/docs/manmaster/man1/openssl.html)... – Marc Sep 22 '21 at 18:41
  • @Marc openssl v1.1.1 man surely [knows](https://www.openssl.org/docs/man1.1.1/man1/ca.html) what _option_ (and not a _command_) extfile is. It defines extfile as "additional configuration file to read certificate extensions from (using the default section unless the -extensions option is also used)". – Viktor Sep 23 '21 at 09:24
3

The openssl command doesn’t provide a way to include extensions like the subjectAltName without writing a config file first. I have written a simple utility that does it all automatically. It's available on github: https://github.com/rtts/certify

Example use:

./certify example.com www.example.com mail.example.com

This will create a file named example.com.crt that contains a certificate with the Subject Alternative Names of example.com, www.example.com, and mail.example.com.

Jaap Joris Vens
  • 601
  • 3
  • 8
  • 20
2

Create self-signed certificate with SubjectAltName

cd /etc/ssl

cat > my.conf <<- "EOF"
[req]
default_bits = 2048
prompt = no
default_md = sha256
req_extensions = req_ext
distinguished_name = dn

[ dn ]
C=UA
ST=Dnepropetrovskaya
L=Kamyanske
O=DMK
OU=OASUP
emailAddress=webmaster@localhost
CN = www.dmkd.dp.ua

[ req_ext ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names

[ alt_names ]
DNS.0 = www.dmkd.dp.ua
DNS.1 = dmkd.dp.ua

EOF

# Create key
openssl genrsa -des3 -out server.key.secure 2048
# Disable secret phrase for key
openssl rsa -in server.key.secure -out server.insecure.key
# Create request certificate file with params from file my.conf
openssl req -new -key server.insecure.key -out server.csr -config my.conf
# Create certificate with params from file my.conf
openssl x509 -req -days 365 -in server.csr -signkey server.insecure.key -out server.crt -extensions req_ext -extfile my.conf
# Check request file and certificate for SubjectAltName presence
openssl req -text -noout -in server.csr
openssl x509 -in server.crt -text -noout
venoel
  • 193
  • 1
  • 7
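The same config-file approach as an added shell example that is not part of venoel's answer: it writes the [alt_names] section from a list of hostnames, produces the key and the self-signed certificate in a single `openssl req -x509` run (which also answers the original question directly), and then checks the result with OpenSSL's own verifier. The hostnames and file paths are constructed for the demo, and `openssl` must be on PATH.

```shell
#!/bin/sh
# Added example, not code from the original answers: self-signed certificate
# with a subjectAltName driven by a generated config file, followed by the
# checks a TLS client performs. All hostnames and file paths are constructed.
set -e
command -v openssl >/dev/null 2>&1 || { echo "openssl is required" >&2; exit 1; }

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# write_san_config CFG CN [EXTRA_DNS...]
# Emits a minimal req config: [req] points at the DN and at the extension
# section used for -x509, and every name (CN first) becomes a DNS entry
# under [alt_names].
write_san_config() {
    cfg=$1; cn=$2; shift 2
    {
        printf '[req]\nprompt = no\ndistinguished_name = dn\nx509_extensions = v3_ext\n\n'
        printf '[dn]\nCN = %s\n\n' "$cn"
        printf '[v3_ext]\nbasicConstraints = CA:FALSE\n'
        printf 'keyUsage = digitalSignature, keyEncipherment\n'
        printf 'extendedKeyUsage = serverAuth\n'
        printf 'subjectAltName = @alt_names\n\n[alt_names]\n'
        i=1
        for name in "$cn" "$@"; do
            printf 'DNS.%d = %s\n' "$i" "$name"
            i=$((i + 1))
        done
    } > "$cfg"
}

# make_selfsigned CN [EXTRA_DNS...]  -> prints the path of the new certificate
# One openssl req -x509 run creates key and certificate; because the config
# names x509_extensions, the SAN lands in the certificate directly.
make_selfsigned() {
    write_san_config "$WORK/san.cnf" "$@"
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -keyout "$WORK/key.pem" -out "$WORK/cert.pem" \
        -config "$WORK/san.cnf" >/dev/null 2>&1
    printf '%s\n' "$WORK/cert.pem"
}

# san_of CERT -> prints the SAN line, e.g. "DNS:example.com, DNS:www.example.com"
san_of() {
    openssl x509 -in "$1" -noout -text |
        awk '/Subject Alternative Name/ { getline; sub(/^ */, ""); print; exit }'
}

# valid_for_host CERT HOST -> exit 0 if OpenSSL's verifier accepts CERT for HOST.
# The self-signed cert is its own trust anchor, so it is also the -CAfile.
# Once a SAN is present, the CN is not consulted for name matching.
valid_for_host() {
    openssl verify -CAfile "$1" -verify_hostname "$2" "$1" >/dev/null 2>&1
}

CERT=$(make_selfsigned example.com www.example.com)
echo "SAN: $(san_of "$CERT")"
for h in example.com www.example.com mail.example.com; do
    if valid_for_host "$CERT" "$h"; then echo "$h: accepted"; else echo "$h: rejected"; fi
done
```

The last loop is the check worth keeping in a deployment script: a name that is not in the SAN list is rejected even though the certificate is otherwise trusted, which is exactly what a browser will do with it.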
0

I used info here, but thinned it out to just the info needed to satisfy the browser.

x509 v3 extensions option file:

echo "subjectAltName = @alt_names

[alt_names]
DNS.1 = www.example.com" > v3.ext

External Keyfile:

openssl genrsa -out www.example.com.key 2048

CA Signing Request: (Assumes you have the CA key and cert)

openssl req -new -key www.example.com.key -subj "/CN=www.example.com" -out www.example.com.csr

Sign the request to create the cert, and include the x509 Extension data:

openssl x509 -req -in www.example.com.csr -CA ca.example.com.crt -CAkey ca.example.com.key -CAcreateserial -out www.example.com.crt -days 500 -sha256 -extfile v3.ext
barrypicker
  • 101
  • 2
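The `-extfile` signing step used in this answer and in the first one, as an added example that is part of neither: a throwaway CA signs the same CSR twice, once without and once with `v3.ext`, to show that `openssl x509 -req` does not copy the SAN requested in the CSR's own req_extensions, so the SAN has to be supplied again at signing time. The CA name, hostnames and paths are constructed for the demo, and `openssl` must be on PATH.

```shell
#!/bin/sh
# Added example, not code from the original answers: a throwaway CA signs a CSR
# with and without the v3.ext file, to show that `openssl x509 -req` does not
# carry the CSR's own extensions into the certificate unless told to. The CA
# name, hostnames and paths are constructed for this demo.
set -e
command -v openssl >/dev/null 2>&1 || { echo "openssl is required" >&2; exit 1; }

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# A private CA: key plus self-signed CA certificate. The extensions are given
# explicitly so the demo does not depend on the system openssl.cnf.
cat > ca.cnf <<'EOF'
[req]
prompt = no
distinguished_name = dn
x509_extensions = ca_ext
[dn]
CN = Demo Root CA
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
    -config ca.cnf -keyout ca.key -out ca.crt >/dev/null 2>&1

# The extension file, laid out like the v3.ext in the answer above.
cat > v3.ext <<'EOF'
subjectAltName = @alt_names

[alt_names]
DNS.1 = www.example.com
DNS.2 = example.com
EOF

# Server key and CSR. The CSR also asks for the SAN in its own extensions
# (req_extensions), to show below that x509 -req ignores that request.
cat > csr.cnf <<'EOF'
[req]
prompt = no
distinguished_name = dn
req_extensions = req_ext
[dn]
CN = www.example.com
[req_ext]
subjectAltName = DNS:www.example.com, DNS:example.com
EOF
openssl genrsa -out www.key 2048 >/dev/null 2>&1
openssl req -new -key www.key -config csr.cnf -out www.csr >/dev/null 2>&1

# sign_csr OUT [EXTRA openssl x509 OPTIONS...]
sign_csr() {
    out=$1; shift
    openssl x509 -req -in www.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
        -days 90 -sha256 -out "$out" "$@" >/dev/null 2>&1
}

# san_of CERT -> the SAN value line, or an empty string when the cert has none
san_of() {
    openssl x509 -in "$1" -noout -text |
        awk '/Subject Alternative Name/ { getline; sub(/^ */, ""); print; exit }'
}

# chain_ok CERT HOST -> exit 0 when the CA certificate validates CERT for HOST
chain_ok() {
    openssl verify -CAfile ca.crt -verify_hostname "$2" "$1" >/dev/null 2>&1
}

sign_csr no-ext.crt                    # SAN requested in the CSR is dropped
sign_csr with-ext.crt -extfile v3.ext  # SAN taken from the extension file

echo "without -extfile: SAN='$(san_of no-ext.crt)'"
echo "with    -extfile: SAN='$(san_of with-ext.crt)'"
```

One caveat when reading the output: `chain_ok no-ext.crt www.example.com` still succeeds, because OpenSSL's verifier falls back to the CN when a certificate carries no SAN at all. Chrome has not done that since version 58, which is why a SAN-less certificate that passes `openssl verify` (or looks fine in `openssl s_client`) is still rejected by the browser; the `san_of` check is the one that predicts browser behaviour.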