
I have a pair of Root CA keys. How to issue a new SSL certificate with SAN (Subject Alternative Name) extension? I tried this

openssl genrsa -out ssl.key 2048
openssl req -new -config ssl.conf -key ssl.key -out ssl.csr
openssl x509 -req -sha256 -days 3650 -CAcreateserial -CAkey root.key -CA root.crt -in ssl.csr -out ssl.crt

ssl.conf:

[req]
prompt = no
distinguished_name = req_distinguished_name
x509_extensions = v3_ca

[req_distinguished_name]
CN = 127.0.0.1

[v3_ca]
subjectAltName = @alt_names

[alt_names]
IP.1 = 127.0.0.1
IP.2 = ::1
DNS.1 = localhost

but the generated certificate didn't contain SAN.

However, self-signed certificate produced by the command below contains SAN:

openssl req -new -x509 -sha256 -days 3650 -config ssl.conf -key ssl.key -out ssl.crt
dizel3d

  • Another approach is to use `-extfile` and if sectioned `-extensions` **on `x509 -req`** to add SAN or other extensions to the cert **without** (instead of) putting them in the CSR. Though this may be less convenient if you want to reuse the CSR. – dave_thompson_085 Apr 23 '17 at 06:53
  • @dave_thompson_085 thank you. That's what I need. Don't be shy to create an answer. I'll accept it. – dizel3d Apr 23 '17 at 08:04
  • Can you adjust the title, it is not related to CA keys: How to generate SSL certificate having SAN entries? – eckes Apr 23 '17 at 15:38
  • 1
    @eckes, adjusted. – dizel3d Apr 23 '17 at 18:24
  • In the end, I found an example of how it's done [here](https://mta.openssl.org/pipermail/openssl-users/2016-January/002764.html). – Lloyd Jun 16 '17 at 12:05

1 Answer

  1. My CSR didn't contain SAN. Extensions should be specified in req_extensions instead of x509_extensions.
  2. There is a bug in the x509 command:

    Extensions in certificates are not transferred to certificate requests and vice versa.

So I solved my problem with the ca command:

  1. Created an empty ca/newcerts folder and an empty ca/index.txt file.
  2. Edited ssl.conf:

    [ca]
    default_ca = CA_default
    
    [CA_default]
    dir = ./ca
    database = $dir/index.txt
    new_certs_dir = $dir/newcerts
    serial = $dir/serial
    private_key = ./root.key
    certificate = ./root.crt
    default_days = 3650
    default_md = sha256
    policy = policy_anything
    copy_extensions = copyall
    
    [policy_anything]
    countryName = optional
    stateOrProvinceName = optional
    localityName = optional
    organizationName = optional
    organizationalUnitName = optional
    commonName = supplied
    emailAddress = optional
    
    [req]
    prompt = no
    distinguished_name = req_distinguished_name
    req_extensions = v3_ca
    
    [req_distinguished_name]
    CN = 127.0.0.1
    
    [v3_ca]
    subjectAltName = @alt_names
    
    [alt_names]
    IP.1 = 127.0.0.1
    IP.2 = ::1
    DNS.1 = localhost
    
  3. Ran commands:

    openssl genrsa -out ssl.key 2048
    openssl req -new -config ssl.conf -key ssl.key -out ssl.csr
    openssl ca -config ssl.conf -create_serial -batch -in ssl.csr -out ssl.crt
    
dizel3d
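The `-extfile` route mentioned in the comments, carried through end to end as an added shell example that is not part of the original question or answer. It builds a throwaway root CA, creates a leaf CSR that carries only the subject, supplies the SAN and the other leaf extensions at signing time with `openssl x509 -req -extfile ... -extensions`, and then checks that the SAN is present, that the leaf is `CA:FALSE`, and that the chain verifies against the root. The working directory, file names, the root CA subject and the validity periods are assumptions made for the demo.

```shell
#!/bin/sh
# Added example, not code from the original post: issue a leaf certificate
# with a SAN from a local root CA using "openssl x509 -req -extfile", then
# prove the extensions landed in the certificate.
# All names, paths and the throwaway root CA are assumptions for the demo.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Throwaway root CA. A real root key lives offline; this one exists only so
# the example runs stand-alone. x509_extensions is honoured here because
# "req -x509" writes a certificate, not a CSR.
make_root_ca() {
  cat > "$WORK/root.conf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3_ca
[dn]
CN = Example Root CA
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
  openssl genrsa -out "$WORK/root.key" 2048 2>/dev/null
  openssl req -new -x509 -sha256 -days 3650 -config "$WORK/root.conf" \
    -key "$WORK/root.key" -out "$WORK/root.crt"
}

# Leaf key and CSR. The CSR carries only the subject; the SAN is added at
# signing time, so the same CSR can be re-signed with a different SAN set.
make_leaf_csr() {
  openssl genrsa -out "$WORK/ssl.key" 2048 2>/dev/null
  openssl req -new -sha256 -key "$WORK/ssl.key" -subj "/CN=127.0.0.1" \
    -out "$WORK/ssl.csr"
}

# Leaf extensions are decided by the signer, not the requester: CA:FALSE,
# a server EKU and the SAN come from this file, never from the CSR.
sign_leaf() {
  cat > "$WORK/leaf.ext" <<'EOF'
[v3_leaf]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
subjectAltName = @alt_names
[alt_names]
DNS.1 = localhost
IP.1 = 127.0.0.1
IP.2 = ::1
EOF
  openssl x509 -req -sha256 -days 825 -in "$WORK/ssl.csr" \
    -CA "$WORK/root.crt" -CAkey "$WORK/root.key" -CAcreateserial \
    -extfile "$WORK/leaf.ext" -extensions v3_leaf \
    -out "$WORK/ssl.crt" 2>/dev/null
}

# Print the SAN value line of the signed cert (empty if the extension is absent).
cert_san() {
  openssl x509 -in "$WORK/ssl.crt" -noout -text \
    | grep -A1 'Subject Alternative Name' | tail -n 1 | sed 's/^ *//'
}

# Print the Basic Constraints value line; a leaf must report CA:FALSE.
cert_basic_constraints() {
  openssl x509 -in "$WORK/ssl.crt" -noout -text \
    | grep -A1 'Basic Constraints' | tail -n 1 | sed 's/^ *//'
}

# Chain check against the root; prints "<path>: OK" when the leaf verifies.
verify_chain() {
  openssl verify -CAfile "$WORK/root.crt" "$WORK/ssl.crt"
}

issue_san_cert() {
  make_root_ca
  make_leaf_csr
  sign_leaf
  cert_san
}

issue_san_cert
```

Keeping the extensions in the signer's `-extfile` rather than copying them out of the CSR is the safer default: with `copy_extensions = copyall` in the `ca` configuration, any extension a requester puts in the CSR is copied into the certificate, including a `basicConstraints = CA:TRUE` that would turn the leaf into an intermediate CA, so that setting should only be used for CSRs the CA operator generated and inspected.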