I have a pair of Root CA keys. How to issue a new SSL certificate with SAN (Subject Alternative Name) extension? I tried this
openssl genrsa -out ssl.key 2048
openssl req -new -config ssl.conf -key ssl.key -out ssl.csr
openssl x509 -req -sha256 -days 3650 -CAcreateserial -CAkey root.key -CA root.crt -in ssl.csr -out ssl.crt
ssl.conf:
[req]
prompt = no
distinguished_name = req_distinguished_name
x509_extensions = v3_ca
[req_distinguished_name]
CN = 127.0.0.1
[v3_ca]
subjectAltName = @alt_names
[alt_names]
IP.1 = 127.0.0.1
IP.2 = ::1
DNS.1 = localhost
but generated certificate didn't contain SAN.
However, self-signed certificate produced by the command below contains SAN:
openssl req -new -x509 -sha256 -days 3650 -config ssl.conf -key ssl.key -out ssl.crt
Best Answer
req_extensions
instead ofx509_extensions
.x509
command:So I solved my problem with
ca
command:ca/newcerts
folder and emptyca/index.txt
file.Edited
ssl.conf
:Ran commands: