Adding Subject Alternate Names (SAN) to an existing Cert Signing Request (CSR)

Tags: certificate, csr, subject-alternative-names

Can anyone tell me how I can add a number of Subject Alternate Names to an existing CSR?

I'm not talking about generating a CSR with SANs or adding SANs at signing time – I know how to do both of these things.

Background:
The problem we have is that HP blade chassis allow you to generate CSRs, but they only allow a single SAN.
We can't use a CSR generated elsewhere as we could not use the resultant cert as there is no way (that I can find) to upload the key to the blade chassis.

Our CA's standard process does not allow for adding SANs at signing time.
They are willing to experiment, however I am trying to find a solution at our end as this will mean we won't have to rely on them having a non-standard process for us – in my experience if they need to use a non-standard process life will eventually get difficult. E.g. when a staff member who knows the non-standard process is not present due to leave etc.

The current method is to connect to the blade chassis onboard admin via the web GUI and generate the CSR with a single CN.

The web GUI only allows for a single SAN in the CSR.

Then we self-sign it with the following stanza in the openssl config:

[ v3_ca ]
subjectAltName = "DNS:bladesystem8,DNS:bladesystem8.services.adelaide.edu.au,DNS:bladesystem8-backup,DNS:bladesystem8-backup.services.adelaide.edu.au"

The resultant cert has the extra SANs.

Best Answer

If your chassis doesn't support adding SANs, you'll need to get the key off the chassis and generate the CSR with openssl.

Make sure req_extensions = v3_req is uncommented in the [ req ] section.

Add the subjectAltName to the [ v3_req ] section.

Generate a new CSR.

openssl req -new -key extracted_c7000.key -out your_new.csr

You cannot edit an existing CSR.
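
The answer's steps as a single script, added here as an example and not the answerer's own code: it writes a minimal config with `req_extensions = v3_req`, generates a new CSR from an existing key, then lists the requested SANs and checks the CSR's self-signature. The throwaway key, the temporary paths and the function names are assumptions made for the demo; the host names are the ones from the question.

```shell
#!/bin/sh
# Added example. The throwaway key stands in for the key extracted from the
# chassis (extracted_c7000.key in the answer); temp paths are constructed.
set -eu

# make_csr_with_sans KEY OUT CN SANS: new CSR with SANs in [ v3_req ].
make_csr_with_sans() {
    cfg=$(mktemp)
    cat > "$cfg" <<EOF
[ req ]
prompt             = no
distinguished_name = dn
req_extensions     = v3_req
[ dn ]
CN = $3
[ v3_req ]
subjectAltName = $4
EOF
    openssl req -new -key "$1" -config "$cfg" -out "$2"
    rm -f "$cfg"
}

# csr_sans CSR: print the requested SAN entries, one per line.
csr_sans() {
    openssl req -in "$1" -noout -text |
        grep -A1 'Subject Alternative Name' | tail -n 1 |
        tr ',' '\n' | sed 's/^ *//; s/ *$//'
}

# csr_signature_ok CSR: succeed if the self-signature verifies. It covers the
# subject and the requested extensions, so changing SANs needs the key.
csr_signature_ok() {
    openssl req -in "$1" -noout -verify 2>&1 | grep -q 'verify OK'
}

demo() {
    dir=$(mktemp -d)
    openssl genrsa -out "$dir/demo.key" 2048 2>/dev/null
    make_csr_with_sans "$dir/demo.key" "$dir/new.csr" bladesystem8 \
        "DNS:bladesystem8,DNS:bladesystem8.services.adelaide.edu.au,DNS:bladesystem8-backup,DNS:bladesystem8-backup.services.adelaide.edu.au"
    csr_sans "$dir/new.csr"
    csr_signature_ok "$dir/new.csr" && echo "CSR self-signature OK"
    rm -rf "$dir"
}
demo
```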