How to issue SSL certificate with SAN extension

openssl

I have a pair of Root CA keys. How to issue a new SSL certificate with SAN (Subject Alternative Name) extension? I tried this

openssl genrsa -out ssl.key 2048
openssl req -new -config ssl.conf -key ssl.key -out ssl.csr
openssl x509 -req -sha256 -days 3650 -CAcreateserial -CAkey root.key -CA root.crt -in ssl.csr -out ssl.crt

ssl.conf:

[req]
prompt = no
distinguished_name = req_distinguished_name
x509_extensions = v3_ca

[req_distinguished_name]
CN = 127.0.0.1

[v3_ca]
subjectAltName = @alt_names

[alt_names]
IP.1 = 127.0.0.1
IP.2 = ::1
DNS.1 = localhost

but generated certificate didn't contain SAN.

However, self-signed certificate produced by the command below contains SAN:

openssl req -new -x509 -sha256 -days 3650 -config ssl.conf -key ssl.key -out ssl.crt

Best Answer

My CSR didn't contain SAN. Extensions should be specified in req_extensions instead of x509_extensions.
There is a bug in x509 command:

Extensions in certificates are not transferred to certificate requests and vice versa.

So I solved my problem with ca command:

Created empty ca/newcerts folder and empty ca/index.txt file.

Edited ssl.conf:

[ca]
default_ca = CA_default

[CA_default]
dir = ./ca
database = $dir/index.txt
new_certs_dir = $dir/newcerts
serial = $dir/serial
private_key = ./root.key
certificate = ./root.crt
default_days = 3650
default_md = sha256
policy = policy_anything
copy_extensions = copyall

[policy_anything]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

[req]
prompt = no
distinguished_name = req_distinguished_name
req_extensions = v3_ca

[req_distinguished_name]
CN = 127.0.0.1

[v3_ca]
subjectAltName = @alt_names

[alt_names]
IP.1 = 127.0.0.1
IP.2 = ::1
DNS.1 = localhost

Ran commands:

openssl genrsa -out ssl.key 2048
openssl req -new -config ssl.conf -key ssl.key -out ssl.csr
openssl ca -config ssl.conf -create_serial -batch -in ssl.csr -out ssl.crt

Related Solutions

SSL Certificate – How to Download SSL Certificate from a Website

In order to download the certificate, you need to use the client built into openssl like so:

echo -n | openssl s_client -connect $HOST:$PORTNUMBER -servername $SERVERNAME \
    | openssl x509 > /tmp/$SERVERNAME.cert

That will save the certificate to /tmp/$SERVERNAME.cert.

The -servername is used to select the correct certificate when multiple are presented, in the case of SNI.

You can use -showcerts if you want to download all the certificates in the chain. But if you just want to download the server certificate, there is no need to specify -showcerts. The x509 at the end will strip out the intermediate certs, you will need to use sed -n '/-----BEGIN/,/-----END/p' instead of the x509 at the end.

echo -n gives a response to the server, so that the connection is released

openssl x509 removes information about the certificate chain and connection details. This is the preferred format to import the certificate into other keystores.

Linux – Globe SSL with NGINX SSL certificate issue

cat __domain_com.ca-bundle >> __domain_com.crt In nginx you need use only two files KEY and CRT, and you must merger CRT and CA BUNDLE into one file

Best Answer

Related Solutions

SSL Certificate – How to Download SSL Certificate from a Website

Linux – Globe SSL with NGINX SSL certificate issue

Related Topic